OVAL, SCAP, CVE, CPE, ...


Sven Vermeulen Sat 05 June 2010

For a personal proof of concept (POC) I wanted to see whether it is possible to generate, from the publicly available collection of CVE entries, a report that informs a system administrator about possible vulnerabilities on a system. Nothing fancy: the matching would be based purely on version numbers.

A simple example: the tool detects Perl, acquires the installed Perl version and then matches the collection of CVE entries against that version. If at least one CVE matches, it is reported. The idea is to keep this as generic as possible (not specific to an operating system or Linux distribution), so the tool would not work with package versions but with the actual tool (or library) version. One consequence to keep in mind: a purely version-based match ignores fixes that a distribution backports into an older version, so such a report can only ever say "possibly vulnerable".

Of course, whenever I plan such minor POCs, I first search the Internet for existing tools (just as kev009 describes: "But First, Write No Code"). It turns out that quite a few "foundation components" are already available:

  • CPE (Common Platform Enumeration) is a structured naming scheme for software and hardware platforms (part, vendor, product, version, ...)
  • OVAL (Open Vulnerability and Assessment Language) is an XML language for describing machine-checkable tests of system state (for example a regular-expression match on the contents of a file, or a comparison of an installed version), so that results can be collected and reported consistently

Many more of these efforts are linked from the MITRE sites. The two above are the most important ones for my purpose: it looks as if OVAL can describe exactly the kind of tests I wanted for the POC.
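The Perl example above (detect the tool, read its version, match it against CVE entries) together with the CPE naming scheme, worked out as an added Python example. This is not code from the original post or from any of the MITRE projects; it assumes CPE names in the 2.2 URI binding (cpe:/{part}:{vendor}:{product}:{version}...), a hand-made CVE_DB that stands in for a real feed of entries with affected version ranges (the CVE identifiers in it are fictional), and a perl -v banner constructed inline so the script runs without Perl installed.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): version-based CVE matching
keyed on CPE names, along the lines of the POC the post sketches.

Assumptions, all constructed for this example:
  - CPE names use the 2.2 URI binding: cpe:/{part}:{vendor}:{product}:{version}...
  - CVE_DB is a hand-made stand-in for a CVE feed with affected version
    ranges; its CVE identifiers (year 0000) are fictional.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(uri: str) -> Dict[str, str]:
    """Split a CPE 2.2 URI into named components; missing trailing fields become ''."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) > len(CPE_FIELDS):
        raise ValueError("too many components in %r" % uri)
    fields += [""] * (len(CPE_FIELDS) - len(fields))
    return dict(zip(CPE_FIELDS, fields))


def version_key(version: str) -> Tuple:
    """Tokenise a version string so that numeric parts compare as numbers.

    Plain string comparison gets '5.10.0' < '5.8.9' wrong; here 10 and 8 are
    compared as integers. Caveat: a pre-release suffix such as '5.10.0rc1'
    sorts *after* '5.10.0' with this scheme, so a real tool should apply the
    comparison rules of the product or distribution it inspects.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t), "") if t.isdigit() else (1, 0, t.lower()) for t in tokens)


@dataclass
class CveEntry:
    cve_id: str
    cpe_prefix: str                  # part/vendor/product the entry applies to
    start_including: Optional[str]   # None = no lower bound
    end_excluding: Optional[str]     # None = no upper bound
    summary: str


# Constructed stand-in for a CVE feed; the identifiers are fictional.
CVE_DB: List[CveEntry] = [
    CveEntry("CVE-0000-0001", "cpe:/a:perl:perl", None, "5.10.1", "fixed in 5.10.1 (constructed)"),
    CveEntry("CVE-0000-0002", "cpe:/a:perl:perl", "5.10.0", "5.12.0", "5.10.x and 5.11.x only (constructed)"),
    CveEntry("CVE-0000-0003", "cpe:/a:openssl:openssl", None, "1.0.0", "unrelated product (constructed)"),
]


def is_affected(entry: CveEntry, installed_cpe: str) -> bool:
    """True when the installed product and version fall inside the entry's range."""
    inst = parse_cpe(installed_cpe)
    pref = parse_cpe(entry.cpe_prefix)
    for field in ("part", "vendor", "product"):
        if inst[field] != pref[field]:
            return False
    if not inst["version"]:
        return False                  # no version known: cannot decide, do not guess
    v = version_key(inst["version"])
    if entry.start_including and v < version_key(entry.start_including):
        return False
    if entry.end_excluding and v >= version_key(entry.end_excluding):
        return False
    return True


def matching_cves(installed_cpe: str, db: List[CveEntry] = CVE_DB) -> List[str]:
    """CVE identifiers whose affected range covers the installed CPE name."""
    return [e.cve_id for e in db if is_affected(e, installed_cpe)]


def cpe_from_perl_banner(banner: str) -> Optional[str]:
    """Turn the first line of `perl -v` into a CPE name, or None if unrecognised.

    Handles both 'This is perl, v5.10.0 built for ...' and
    'This is perl 5, version 14, subversion 2 (v5.14.2) built for ...'.
    """
    m = re.search(r"\bv(\d+(?:\.\d+)+)", banner)
    return "cpe:/a:perl:perl:%s" % m.group(1) if m else None


def detect_perl() -> Optional[str]:
    """Live detection: run the interpreter found on PATH and parse its banner."""
    try:
        out = subprocess.run(["perl", "-v"], capture_output=True, text=True, check=False).stdout
    except OSError:
        return None
    return cpe_from_perl_banner(out)


if __name__ == "__main__":
    # Falls back to a constructed banner so the example runs without Perl installed.
    cpe = detect_perl() or cpe_from_perl_banner("This is perl, v5.10.0 built for x86_64-linux")
    print("detected:", cpe)
    for cve_id in matching_cves(cpe):
        print("  possibly affected by", cve_id)
```

The tokenised version comparison is the part worth copying: with plain string comparison, Perl 5.8.9 would look newer than 5.10.1 and the first entry would be missed. Whether a match is reported as "possibly affected" rather than "vulnerable" is deliberate, for the backport reason given above.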

To be continued...