-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Devices should have CPEs associable #624
Open
12 of 15 tasks
Labels
Milestone
Comments
ajnelson-nist
added a commit
that referenced
this issue
Aug 2, 2024
No effects were observed on Make-managed files. References: * #624 Signed-off-by: Alex Nelson <[email protected]>
13 tasks
13 tasks
Open
17 tasks
On last week's call, there was a request to encode a warning on finding a CPE version newer than 2.3. |
ajnelson-nist
added a commit
to casework/CASE-Archive
that referenced
this issue
Oct 21, 2024
No effects were observed on Make-managed files. References: * ucoProject/UCO#624 Signed-off-by: Alex Nelson <[email protected]>
ajnelson-nist
added a commit
to casework/CASE-Archive
that referenced
this issue
Oct 21, 2024
No effects were observed on Make-managed files. References: * ucoProject/UCO#624 Signed-off-by: Alex Nelson <[email protected]>
Apologies: the CPE version point was meant for #626 . I've moved the checklist item over to that Issue. |
ajnelson-nist
added a commit
to casework/casework.github.io
that referenced
this issue
Oct 21, 2024
A follow-on patch will regenerate Make-managed files. References: * ucoProject/UCO#624 Signed-off-by: Alex Nelson <[email protected]>
ajnelson-nist
added a commit
to casework/casework.github.io
that referenced
this issue
Oct 21, 2024
References: * ucoProject/UCO#624 Signed-off-by: Alex Nelson <[email protected]>
ajnelson-nist
added a commit
to casework/CASE-Corpora
that referenced
this issue
Oct 21, 2024
No effects were observed on Make-managed files. References: * ucoProject/UCO#624 Signed-off-by: Alex Nelson <[email protected]>
ajnelson-nist
added a commit
to casework/CASE-Examples
that referenced
this issue
Oct 21, 2024
No effects were observed on Make-managed files. References: * ucoProject/UCO#624 Signed-off-by: Alex Nelson <[email protected]>
This CP makes sense to me. |
ajnelson-nist
added a commit
to ucoProject/ucoproject.github.io
that referenced
this issue
Nov 22, 2024
References: * ucoProject/UCO#624 Signed-off-by: Alex Nelson <[email protected]>
ajnelson-nist
added a commit
to casework/CASE
that referenced
this issue
Nov 22, 2024
No effects were observed on Make-managed files. References: * ucoProject/UCO#624 Signed-off-by: Alex Nelson <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
(Edited after announcement: NIST IR 7695 is the CPE naming specification, but was initially called the CPE specification in this post.)
Background
The
observable:cpeid
property is currently associated withobservable:Software
. The CPE naming specification, NIST IR 7695, also defines CPEs that are associable with hardware, through use of a "part" attribute value ofh
. E.g., this is a CPE Well-Formed-Name for a device manufactured by a company named "ExampleCo", and named "ExampleTablet" with, with the device version described as non-applicable:cpe:2.3:h:exampleco:exampletablet:-:*:*:*:*:*:*:*
The CPE Dictionary from the National Vulnerability Database lists other examples of CPEs for hardware. After downloading and unzipping the dictionary, this command ...
grep 'cpe:2.3:h:' official-cpe-dictionary_v2.3.xml
... returns over 60,000 CPE names today.
Requirements
Requirement 1
Because UCO provides the ability to record a
Software
object's CPE, UCO should also support the ability to record aDevice
object's CPE, in line with the CPE naming specification.Risk / Benefit analysis
Benefits
Device
specialized subclasses more specific than would be encoded in UCO, such as particular models of phones.Risks
Because devices would always fall under the Part attribute-value
h
, denoting classes of hardware devices, it also seems appropriate to constrain the CPE pattern to read like this ...observable:DeviceFacet sh:property [ sh:path observable:cpeid ; sh:pattern "^cpe:2.3:h:.+" ; ] ; .
... except,
observable:cpeid
does not state what version of CPE the field is meant to conform to. Since CPE 2.3 has been around since 2011, this pattern would encode the assumption that CPE 2.3 is intended. While this is likely, given current known usage of CPE (the CPE Dictionary XML from NVD contains no instances of the stringcpe:2.2
, and over one million instances of the stringcpe:2.3
), it would technically be a backwards-incompatible change because UCO currently has no restrictions encoded anywhere onobservable:cpeid
.Competencies demonstrated
Competency 1
An organization doing asset inventory logs a particular ExampleTablet. They use
ex:hadInventoryNumber
to log property numbers.When inventorying a particular tablet, this is added to their knowledge base:
Competency Question 1.1
What are the CPEs for inventoried devices?
Result 1.1
cpe:2.3:h:exampleco:exampletablet:-:*:*:*:*:*:*:*
Solution suggestion
Copy the
cpeid
property shape currently inSoftwareFacet
toDeviceFacet
, adding this toobservable.ttl
:observable:DeviceFacet sh:property [ sh:datatype xsd:string ; sh:maxCount "1"^^xsd:integer ; sh:nodeKind sh:Literal ; sh:path observable:cpeid ; ] ; .
I am fine with my examples being transcribed and credited.
Coordination
develop
for the next releasedevelop
state with backwards-compatible implementation merged intodevelop-2.0.0
develop-2.0.0
(N/A)develop
branch updated to track UCO's updateddevelop
branchdevelop-2.0.0
branch updated to track UCO's updateddevelop-2.0.0
branchThe text was updated successfully, but these errors were encountered: