[Secure-testing-commits] r15974 - in data: . CPE
Petter Reinholdtsen
pere at hungry.com
Wed Jan 26 21:49:12 UTC 2011
[Michael Gilbert]
> OK, seems logical. Just curious, how did you generate this initial
> cross-reference? Was it automated, and are you sure that it's 100%
> accurate?

It was created manually, and I am 100% sure it is not completely
accurate. :)

I've found some bugs in the list by running the script to compare the
NVD and the Debian CVE lists, and expect to find more. Btw, the NVD
list seems to be slightly inconsistent.

> Also, is there any value in including packages that don't have a CPE
> yet?

The list currently includes all packages listed in data/CVE/list, and
thus is a work list for all packages needing a CPE. The entries
without a CPE value are ignored.

The output from the script currently looks like this:

warning: CVE-2011-0408 in NVD is not refering to cpe:/a:libpng:libpng found in Debian.
warning: CVE-2011-0471 in Debian refer to cpe:/a:webkit:webkit, while NVD do not (found cpe:/a:google:chrome, cpe:/o:google:chrome_os).
warning: CVE-2011-0473 in Debian refer to cpe:/a:webkit:webkit, while NVD do not (found cpe:/a:google:chrome, cpe:/o:google:chrome_os).
warning: CVE-2011-0474 in Debian refer to cpe:/a:webkit:webkit, while NVD do not (found cpe:/a:google:chrome, cpe:/o:google:chrome_os).
warning: CVE-2011-0478 in Debian refer to cpe:/a:webkit:webkit, while NVD do not (found cpe:/a:google:chrome, cpe:/o:google:chrome_os).
warning: CVE-2011-0480 in Debian refer to cpe:/a:ffmpeg:ffmpeg, while NVD do not (found cpe:/a:google:chrome, cpe:/o:google:chrome_os).
warning: CVE-2011-0482 in Debian refer to cpe:/a:webkit:webkit, while NVD do not (found cpe:/a:google:chrome, cpe:/o:google:chrome_os).
warning: CVE-2011-0483 in Debian refer to cpe:/a:webkit:webkit, while NVD do not (found cpe:/a:google:chrome, cpe:/o:google:chrome_os).
warning: CVE-2011-0484 in Debian refer to cpe:/a:webkit:webkit, while NVD do not (found cpe:/a:google:chrome, cpe:/o:google:chrome_os).
Happy hacking,
--
Petter Reinholdtsen
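
A sketch of the comparison described in the message above, as an added example that is not the script from the thread. The `package;cpe` line layout, the function names, the warning wording and the sample data (package names, placeholder CVE ids, version strings) are assumptions constructed for illustration; only the CVE-2011-0471 CPE names come from the output quoted above.

```python
# Added example, not the script from the thread. Inputs are constructed.

def parse_cpe_map(text):
    """Parse 'package;cpe' lines (assumed layout) into {package: cpe}.

    Packages listed without a CPE value are skipped, as the thread describes.
    """
    mapping = {}
    for line in text.splitlines():
        pkg, _, cpe = line.strip().partition(";")
        if pkg and cpe.strip():
            mapping[pkg.strip()] = cpe.strip()
    return mapping


def product_cpe(cpe):
    """Cut a CPE 2.2 URI down to cpe:/part:vendor:product (drop the version)."""
    return ":".join(cpe.split(":")[:4])


def compare(debian_cves, nvd_cves, cpe_map):
    """Return (cve, cpes_missing_from_nvd, nvd_products) per disagreement."""
    findings = []
    for cve in sorted(debian_cves):
        debian = {cpe_map[p] for p in debian_cves[cve] if p in cpe_map}
        if not debian or cve not in nvd_cves:
            continue  # nothing to compare on one side
        nvd = {product_cpe(c) for c in nvd_cves[cve]}
        missing = sorted(debian - nvd)
        if missing:
            findings.append((cve, missing, sorted(nvd)))
    return findings


# Constructed sample data: package names, CVE-0000-* ids and versions are made up.
CPE_LIST = """\
libpng;cpe:/a:libpng:libpng
webkit;cpe:/a:webkit:webkit
examplepkg;
"""
DEBIAN_CVES = {"CVE-2011-0471": ["webkit"], "CVE-0000-0001": ["libpng"],
               "CVE-0000-0002": ["examplepkg"]}
NVD_CVES = {"CVE-2011-0471": ["cpe:/a:google:chrome:0.0", "cpe:/o:google:chrome_os"],
            "CVE-0000-0001": ["cpe:/a:libpng:libpng:0.0"],
            "CVE-0000-0002": ["cpe:/a:example:other"]}

if __name__ == "__main__":
    for cve, missing, found in compare(DEBIAN_CVES, NVD_CVES, parse_cpe_map(CPE_LIST)):
        print(f"warning: {cve}: Debian maps to {', '.join(missing)}; NVD lists {', '.join(found)}")
```

Comparing at vendor:product level keeps a version-qualified NVD entry from being reported as a mismatch against an unversioned Debian mapping.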