I'd really this topic to be injected into the WSTG.
Points to consider:

• We need to define properly where to inject its definition - could be in an appendix, in a chapter in 4.2, etc. - to properly allow the reader to go through it and use it.
• The document gets updated incrementally to entertain this topic and properly use CPE across its chapters.
• Be ready by the v5 release to properly contain CPE.

Why I enjoy this topic?
Readers will be able to:

• automate tasks by injecting CPEs into scanners.
• write more professional reports.
• search for exact application under databases using CPEs.
• Broaden their knowledge by learning this standard.

Looking forward for more opinions and actionable points on this 😄

I have no further context for this tweet right now just wanted to keep track of it somehow: https://mobile.twitter.com/manicode/status/1238835388757823493

@stevespringett @jmanico would you be able to provide us with input on the above topic?

In general, a section on naming would be good. CPE is one method of naming. There are others including Package URL and SWID.

CPE is inherently flawed. It's centralized. The vendor/product/versions often do not reflect reality. And most importantly, CPEs are typically not created until a CVE is created. So it's not an authoritative source of software, rather vulnerable software.

Naming is hard. Vendors get merged, acquired, products are renamed, etc. Currently, a global alias list does not exist. These are all known problems. A global namespace has only been created once - DNS. The software equivalent of this does not currently exist.

IMO, a section on naming would be good which references to the various methods in which software is named, including CPE, Package URL, and SWID.

Further details on CPE/SWID concerns: https://groups.google.com/a/owasp.org/g/leaders/c/eQPCC7-nQj4/m/WMYVLMmSAgAJ

@jespunya are you going to be able to tackle this?

@kingthorin I still think that it would be interesting, but I don't have a clear idea about how to address it.
What would be your idea? Maybe a subsection of the section 5 (Reporting) exposing what's Naming, it's usages and limitations and a introduction to the CPE, Package URL & SWID proposed by @stevespringett? Any other idea?

I would scrap CPE as it's going to be deprecated and move forward with it. @stevespringett what would you advise for this call?

CPE will be around for a few more years. The NVD will be supporting it while they migrate to SWID and commercial sources of vulnerability intelligence (VulnDB, Secunia, etc) continue to support it. So for the foreseeable future, I would include CPE, SWID, and PURL.

https://cyclonedx.org/use-cases/#known-vulnerabilities has some recommendations on which of these three to use based on the type of software being represented.

Thanks @stevespringett I will try to make a first version during the following days so we could have something more specific to talk about it.

@jespunya if you require any help or support, ping away :) Thanks for tackling this!

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.