OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

csaf message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [csaf] Discussion on Generic Software Identification Parameter/Attribute

Sorry that I was not able to join the call today.

Just for awareness.

The STIX2.x standard uses CPE as one of the primary options when defining intelligence related to software applications, tools...etc.

If you want the specific section in the STIX spec look at the cyber observable document.


Cyber observables are objects that can be contained within observed data objects within STIX. Typically this would be used by someone reporting on a particular software application tied to an intel data event.


ïOn 10/31/18, 3:02 PM, "csaf@lists.oasis-open.org on behalf of Mr. Omar Santos" <csaf@lists.oasis-open.org on behalf of osantos@cisco.com> wrote:

    Hi folks,
    Thank you all for your participation during today's meeting. As a follow up, the following are a few references about CPE, SWID, CO-SWID, and SPDX.
    Official Common Platform Enumeration (CPE) Dictionary
    Software ID (SWID) Tags ISO Standard:
    ISO/IEC 19770-2:2015
    Guidelines for the Creation of Interoperable Software Identification (SWID) Tags
    Concise Software Identifiers (IETF draft-ietf-sacm-coswid-07)
    Software Package Data Exchange (SPDX)
    NTIA Software Component Transparency Website: 
    The following is an excerpt of CSAF/CVRF 1.2 Section 5.1.2 Product Tree  Full Product Name
    5.1.2 Product Tree  Full Product Name
    Element prod:FullProductName
    Â The prod:FullProductName element MUST be a child of cardinality [1, â] for all possible locations inside the product tree representation. Â [CSAF-5.1.2-1]
    This elements instances have multiple possible parent elements: prod:ProductTree, prod:Releationship, and prod:Branch.
    The prod:FullProductName elements define the endpoints of the Product Tree and occur either directly at the root level, at the branch level, or as the result of a relationship between two products.
    The value of a Full Product Name element should be the productÂs full canonical name, including version number and other attributes, as it would be used in a human-friendly document.
    Attribute ProductID
    The ProductID attribute is a token required to identify a Full Product Name so that it can be referred to from other parts in the document.
    There is no predefined or required format for the ProductID as long as it uniquely identifies a product in the context of the current document.
    Attribute CPE
    The (Common Platform Enumeration) CPE attribute refers to a method for naming platforms external to CSAF CVRF.
    Â The CPE attribute if present MUST have a value, that is a valid cpe-lang:namePattern as defined in the external specification [CPE23_N] and related schemas. Â [CSAF-5.1.2-2]
    I would like to continue the discussion on next steps to support a generic parameter/attribute in CSAF 2.0.
    Best regards,
    Omar Santos

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]