Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CPEs and PURLs #3998

Open
ammar92 opened this issue Dec 31, 2024 · 4 comments
Open

CPEs and PURLs #3998

ammar92 opened this issue Dec 31, 2024 · 4 comments

Comments

@ammar92
Copy link
Contributor

ammar92 commented Dec 31, 2024

CPE (Common Platform Enumeration) and PURL (Package URL) are two primary software identifiers. Currently we use optional CPEs attached to Software OOIs. Some questions and points for discussion:

  • Should we adopt PURLs alongside CPEs?
  • Should both CPEs and PURLs coexist in our models?
  • CPEs and PURLs have some degree of interoperability, should we utilize this relationship?
  • The current Software.cpe field should be refactored into its own model
    • This would allow a tree-like structure where other Software or SoftwareInstance models can reference this model
    • A tree-like structure would also enable parent-child relationships (e.g. jQuery 3.7.1 links to jQuery)
      • This allows targeting specific versions of software packages or referring to a software package in general (e.g. having a CVE refer to a specific jQuery version X, or have a policy that completely disallows the usage of jQuery)
      • This approach also enables linking plugins and extensions to their associated software
@ammar92 ammar92 added this to KAT Dec 31, 2024
@github-project-automation github-project-automation bot moved this to Incoming features / Need assessment in KAT Dec 31, 2024
@ammar92 ammar92 moved this from Incoming features / Need assessment to To be discussed in KAT Dec 31, 2024
@underdarknl
Copy link
Contributor

related #278

@noamblitz
Copy link
Contributor

  • The current Software.cpe field should be refactored into its own model

Dont agree with this point. Would IMO unnecessarily add more OOIs to the graph. Interesting point for a short discussion though! Let's discuss this soon (in small a group).

@ammar92
Copy link
Contributor Author

ammar92 commented Jan 7, 2025

  • The current Software.cpe field should be refactored into its own model

Dont agree with this point. Would IMO unnecessarily add more OOIs to the graph. Interesting point for a short discussion though! Let's discuss this soon (in small a group).

I understand the concern about potentially adding more OOI types, but I believe refactoring the Software.cpe field into its own model brings significant benefits as outlined in the original point. From a database/modeling perspective, this field should ideally have been normalized into a separate model from the start (duplication is one reason, but there're a few more).

A separate model provides flexibility in managing software identifiers, enables the creation of parent-child relationships (essential for linking and comparing, versions, plugins, and extensions), and simplifies referencing across multiple instances or models.

I’d be happy to discuss this further as proposed.

(migration is another discussion/ challenge 😅)

@underdarknl
Copy link
Contributor

Related to this. I'd also love to store the possible SRI (subresource integrity hash) somewhere. (could be a separate object, or a property on the softwareOOI). SRI's can be collected from html sources where they are optionally listed for script and link resources, or we could collect them by hashing the downloaded resource ourselves.
In turn we could lookup software and software versions from these sri's from an api to hydrate extra info.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: To be discussed
Development

No branches or pull requests

3 participants