Platform identification is a foundational part of cybersecurity intelligence. However, accurate, reliable and unbiased access to this information is not always available to those who may benefit. The community has the ability to empower itself through collaboration to bring this information together and solidify a more robust baseline of useful and openly available cybersecurity intelligence.
The CPE Applicability Generator tool tackles complex challenges in vulnerability analysis, CPE applicability, and platform data quality. Each problem domain has dedicated components within the codebase that work together to provide comprehensive solutions.
A common point of friction for organizations attempting to use CPE is that they cannot reliably determine the CPE Base String for their target platform. This is due to inconsistent representation of platforms over their lifecycle, a lack of publicly available information regarding a platform, inconsistent representation within the CPE Dictionary and gaps in the coverage of CPE Names within the CPE Dictionary.
The tool processes the relevant platform metadata it is provided and identifies the most likely CPE Base String based on data transformations, heuristics and subject matter expert assertions via confirmed mappings.
src/analysis_tool/core/gatherData.py
src/analysis_tool/core/processData.py
src/analysis_tool/mappings/*
src/analysis_tool/core/processData.py
src/analysis_tool/core/badge_modal_system.py
src/analysis_tool/static/js/badge_modal_system.js
Platform-related information is contributed to CVE Records in a relatively structured format. However, there is still a great deal of flexibility in the ways organizations can detail metadata about a platform, and in the various complicated methods of indicating which versions of that platform are considered vulnerable and which are not. Additionally, there are nuances between the expectations of CVE record data and normative CPE representation (e.g., Update attributes).
The tool translates the information provided within a CVE record and (once a CPE Base String determination is made) converts all available information into the appropriate CPE Applicability Statement (CPE-AS) format.
src/analysis_tool/core/processData.py
src/analysis_tool/core/generateHTML.py
src/analysis_tool/static/js/badge_modal_system.js
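The translation described above, as an added example that is not code from the tool: it maps CVE 5.x `affected[].versions[]` entries onto NVD-style `cpeMatch` criteria once a CPE Base String is known. The base string, the sample entries and all function names are constructed for illustration, and only `version`, `lessThan`, `lessThanOrEqual` and `status` are handled.

```python
import re

def cpe_with_version(base, version):
    """Return `base` with `version` placed in the CPE 2.3 version attribute."""
    parts = re.split(r"(?<!\\):", base)  # split on ':' that is not backslash-escaped
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {base!r}")
    parts[5] = "*"
    if version not in (None, "", "*"):
        # Formatted strings leave only alphanumerics and . _ - unescaped.
        parts[5] = re.sub(r"([^a-z0-9._\-])", r"\\\1", version.lower())
    return ":".join(parts)

def to_cpe_matches(base, versions):
    """Map CVE 5.x versions[] entries to NVD-style cpeMatch dicts."""
    matches = []
    for v in versions:
        match = {"vulnerable": v.get("status") == "affected"}
        upper_key = next((k for k in ("lessThan", "lessThanOrEqual") if k in v), None)
        if upper_key is None:
            # Single version: it goes straight into the version attribute.
            match["criteria"] = cpe_with_version(base, v.get("version"))
        else:
            # Range: version attribute stays '*', bounds become separate keys.
            match["criteria"] = cpe_with_version(base, "*")
            if v.get("version") not in (None, "", "0", "*"):
                match["versionStartIncluding"] = v["version"]
            if v[upper_key] != "*":  # '*' as upper bound means open-ended
                end = "versionEndExcluding" if upper_key == "lessThan" else "versionEndIncluding"
                match[end] = v[upper_key]
        matches.append(match)
    return matches

def to_configuration(base, versions):
    """Wrap the matches in a single OR node, the simplest CPE-AS shape."""
    return {"nodes": [{"operator": "OR", "negate": False,
                       "cpeMatch": to_cpe_matches(base, versions)}]}

# Constructed inputs: a placeholder base string and CVE-style version entries.
SAMPLE_BASE = "cpe:2.3:a:examplevendor:exampleproduct:*:*:*:*:*:*:*:*"
SAMPLE_VERSIONS = [
    {"version": "2.0", "lessThan": "2.4.1", "status": "affected"},
    {"version": "0", "lessThanOrEqual": "1.9", "status": "affected"},
    {"version": "3.0+hotfix", "status": "affected"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(to_configuration(SAMPLE_BASE, SAMPLE_VERSIONS), indent=2))
```

The third sample entry shows why the version cannot simply be pasted into the string: the `+` has to be escaped in the CPE 2.3 formatted string.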
Many conditions exist in CVE records that require additional, unnecessary parsing by downstream data consumers to enable automation. Even more concerning are the multitude of data contributions that render the information non-actionable. While a large volume of these conditions should be resolved within the operation of the CVE Program and/or CVE Services, many could be rectified by the data contributors (the source) themselves.
The tool tracks and identifies a collection of cases that prevent or impede platform-related automation efforts, displaying them in a visually digestible dashboard for data contributor and CVE Program review.
dashboards/sourceDataConcernDashboard.html
src/analysis_tool/logging/badge_contents_collector.py
src/analysis_tool/core/badge_modal_system.py
src/analysis_tool/static/js/badge_modal_system.js
src/analysis_tool/core/generateHTML.py
Creating a complete dataset that represents the entire CVE List within the current toolset can take an incredible amount of time.
The tool takes a series of approaches to assist with these issues.
src/analysis_tool/storage/cpe_cache.py
src/cache/*
src/analysis_tool/core/processData.py
src/analysis_tool/core/generateHTML.py
src/analysis_tool/static/js/badge_modal_system.js
src/analysis_tool/static/css/*