mirror of
https://github.com/adulau/foo.be.git
synced 2024-11-21 17:27:05 +00:00
References added
parent
6724f64b6d
commit
ca4bbeeb28
1 changed files with 9 additions and 0 deletions
|
@ -61,4 +61,13 @@ Linux distributions (like Debian or Ubuntu) should introduce the possibility to
|
|||
|
||||
CPE references in vulnerable_configuration (in CVEs) tend to include the vulnerable operating system but not the vulnerable software itself. cpe:/a: is not always defined and only the vulnerable operating systems are mentioned. There are many potential improvements but the CPE management could be slightly improved with a collaborative approach to add or updates CPE entries.
|
||||
|
||||
Maybe software vendors (including free software authors and proprietary vendors) should include a list of CPE describing the software included in their distributions, appliance, IoT, mobile phone... to support the work of people and organization who try to do vulnerability management.
|
||||
|
||||
## References
|
||||
|
||||
- [cve-search project](https://github.com/cve-search/)
|
||||
- [Debian Popularity Contest](http://popcon.debian.org/)
|
||||
- [Add Common Platform Enumerator information to package meta information](https://wiki.debian.org/CPEtagPackagesDep) - time to restart this proposal...
|
||||
|
||||
|
||||
[^1]: CPE is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name. [https://nvd.nist.gov/cpe.cfm](https://nvd.nist.gov/cpe.cfm)
|
||||
|
|
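Review bot: In the new References list, the Debian Popularity Contest entry links to `http://popcon.debian.org/` while every other link in the hunk uses https; use the https form if the site serves it, so the list is consistent. The third entry mixes the citation with an editorial aside ("time to restart this proposal..."); that remark reads better in the body text next to the paragraph about distributions shipping CPE lists, leaving the reference as a plain link. The cve-search entry points at the GitHub organization rather than a specific repository, which is fine if intended but worth confirming. If the two paragraphs above the list are being touched anyway, "add or updates CPE entries" should read "add or update", and "people and organization" should be "people and organizations".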