[Openvas-plugins] CPE INVENTORY
Henri Doreau
henri.doreau at greenbone.net
Mon Jun 20 12:45:40 CEST 2011
On 20 June 2011 11:55, Sébastien AUCOUTURIER <s.aucouturier at itrust.fr> wrote:
>
> I dug to get more information and
> got some useful information at http://www.openssh.com/portable.html
> that can help to distinguish some SSH ports (but not all :-( and
> mismatches some CVEs :-( what a dilemma :-( )
>
>
> The 'portable OpenSSH' follows development of the official version, but
> releases are not synchronized.
> Portable releases are marked with a 'p' (e.g. 5.8p1).
> The official OpenBSD source will never use the 'p' suffix, but will instead
> increment the version number when they hit 'stable spots' in their
> development.
>
> My view:
> OpenSSH_5.8p1-hpn13v10 => cpe:/a:openssh:openssh:5.8p1
> OpenSSH_5.8 => cpe:/a:openbsd:openssh:5.8
>
This might be a good rule to stick to but it really seems that these
entries using openssh as the vendor are two exceptions. Both have
"synonym" entries in the official dictionary:
- cpe:/a:openssh:openssh => cpe:/a:openbsd:openssh
- cpe:/a:openssh:openssh:4.6 => cpe:/a:openbsd:openssh:4.6
Always using openbsd as vendor is probably a good way to ensure that
our results are consistent with the dictionary. Do we have reasons not
to do so? Does anyone know more about this situation? Shall we suggest
these two entries for deprecation in favor of their openbsd
equivalents?
Regards.
--
Henri Doreau | Greenbone Networks GmbH | http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
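
An added example, not part of the original message and not OpenVAS plugin code: a Python sketch of the mapping discussed in this thread, turning an OpenSSH version banner into a CPE that always uses `openbsd` as vendor and rewriting the two `openssh`-vendor synonym entries to their `openbsd` form. The function names, the regular expression and the Debian-style sample banner are assumptions made for illustration.

```python
import re

# Vendor/product pairs that the thread lists as synonyms of the openbsd
# entries; only the vendor field differs.
CANONICAL_VENDOR = {("openssh", "openssh"): "openbsd"}

# Matches "OpenSSH_5.8", "OpenSSH_5.8p1-hpn13v10", optionally behind an
# "SSH-2.0-" protocol prefix. Anything after the version must start with
# '-', '_' or a space; other trailing text is rejected rather than guessed.
BANNER_RE = re.compile(
    r"(?:^|SSH-\d\.\d+-)OpenSSH_"
    r"(?P<ver>\d+(?:\.\d+)+)"      # upstream version, e.g. 5.8
    r"(?P<port>p\d+)?"             # portable release marker, e.g. p1
    r"(?P<extra>[-_ ].*)?$"        # third-party patch or distro tag
)


def banner_to_cpe(banner):
    """Return a CPE 2.2 URI for an OpenSSH banner, or None if not OpenSSH."""
    m = BANNER_RE.search(banner.strip())
    if m is None:
        return None
    # Keep the 'p' suffix (it is part of the released version) but drop
    # patch-set and distribution tags such as "-hpn13v10".
    version = m.group("ver") + (m.group("port") or "")
    return "cpe:/a:openbsd:openssh:" + version


def normalize_cpe(cpe):
    """Rewrite an openssh-vendor application CPE to the openbsd vendor form."""
    parts = cpe.split(":")
    if len(parts) >= 4 and parts[0] == "cpe" and parts[1] == "/a":
        vendor = CANONICAL_VENDOR.get((parts[2], parts[3]))
        if vendor:
            parts[2] = vendor
    return ":".join(parts)


if __name__ == "__main__":
    # First two banners come from the thread; the third is constructed.
    for b in ("OpenSSH_5.8p1-hpn13v10", "OpenSSH_5.8",
              "SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1"):
        print(b, "=>", banner_to_cpe(b))
    print(normalize_cpe("cpe:/a:openssh:openssh:4.6"))
```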