May 15, 2017

Software Vulnerability Analysis Using CPE and CVE

arXiv:1705.05347v1
37 citations
Has Code
Originality: Synthesis-oriented
AI Analysis

The paper addresses a specific issue for users of vulnerability management systems by improving the accuracy of software vulnerability analysis, but it is incremental, since it builds on existing datasets and methods.

The paper tackles the lack of synchronization between the CPE and CVE datasets used by vulnerability management systems, which can cause incorrect results, and develops a method that recommends a prioritized list of CPE identifiers to the user; its evaluation shows that fully automated CPE assignment is prone to errors.

In this paper, we analyze the Common Platform Enumeration (CPE) dictionary and the Common Vulnerabilities and Exposures (CVE) feeds. These repositories are widely used in Vulnerability Management Systems (VMSs) to check for known vulnerabilities in software products. The analysis shows, among other issues, a lack of synchronization between both datasets that can lead to incorrect results output by VMSs relying on those datasets. To deal with these problems, we developed a method that recommends to a user a prioritized list of CPE identifiers for a given software product. The user can then assign (and, if necessary, adapt) the most suitable CPE identifier to the software so that regular (e.g., daily) checks can find known vulnerabilities for this software in the CVE feeds. Our evaluation of this method shows that this interaction is indeed necessary because a fully automated CPE assignment is prone to errors due to the CPE and CVE shortcomings. We implemented an open-source VMS that employs the proposed method and published it on GitHub.
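The workflow the abstract describes (rank CPE dictionary entries for a product, let the user confirm one, then check it against the CVE feed) is illustrated below. This is an added example, not the paper's method or its GitHub implementation: the scoring weights are assumptions of this example, and the CPE dictionary and CVE feed are constructed toy data with hypothetical vendor and product names and placeholder CVE ids. It also shows the synchronization issue the paper reports: a feed entry whose CPE name is spelled differently from every dictionary entry is missed by a scan keyed on the dictionary, which is why the confirmed CPE needs a human in the loop.

```python
"""Toy vulnerability lookup in the style of a CPE/CVE-based VMS (added example).

Parses CPE 2.3 formatted strings, ranks dictionary entries as candidates for a
product the user describes, matches a chosen CPE against a CVE feed, and lists
feed names that no dictionary entry matches.  All dictionary and feed data below
is constructed for illustration; the CVE ids are placeholders, not real entries.
"""
import re

FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(name: str) -> dict:
    """Split a CPE 2.3 formatted string on unescaped colons.  A '\\:' inside a
    component is data (e.g. a product name containing ':'), not a separator."""
    parts = re.split(r"(?<!\\):", name)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {name!r}")
    return dict(zip(FIELDS, (p.replace("\\:", ":") for p in parts[2:])))


def cpe_matches(a: str, b: str) -> bool:
    """CPE-style comparison: '*' (ANY) on either side matches every value,
    every other attribute must be equal ignoring case."""
    x, y = parse_cpe(a), parse_cpe(b)
    return all(x[f] == "*" or y[f] == "*" or x[f].lower() == y[f].lower()
               for f in FIELDS)


def canon(s: str) -> str:
    """Collapse spelling variants ('Example App', 'example_app', 'ExampleApp')
    so that naming differences between sources do not hide a candidate."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def score_candidate(product: str, vendor: str, version: str, cpe: str) -> int:
    """Heuristic rank of one dictionary entry for the user's product.  The
    weights are assumptions of this example, not the paper's method."""
    c = parse_cpe(cpe)
    p, cp = canon(product), canon(c["product"])
    s = 0
    if cp == p:
        s += 4
    elif p in cp or cp in p:
        s += 2
    if canon(c["vendor"]) == canon(vendor):
        s += 2
    if version:
        if c["version"] == version:
            s += 3
        elif c["version"] == "*":
            s += 1
    return s


def recommend(product, vendor, version, dictionary, top=3):
    """Prioritised list of (score, cpe) for the user to confirm or adapt."""
    scored = [(score_candidate(product, vendor, version, c), c) for c in dictionary]
    return sorted(((s, c) for s, c in scored if s > 0),
                  key=lambda t: (-t[0], t[1]))[:top]


def find_cves(cpe, feed):
    """CVE ids whose configurations match the CPE the user assigned."""
    return [e["id"] for e in feed if any(cpe_matches(cpe, c) for c in e["cpe"])]


def sync_gaps(feed, dictionary):
    """CPE names the feed references that no dictionary entry matches: these
    are the synchronisation gaps a scan keyed on the dictionary will miss."""
    return sorted({c for e in feed for c in e["cpe"]
                   if not any(cpe_matches(c, d) for d in dictionary)})


# Constructed sample data with hypothetical vendor/product names.
CPE_DICTIONARY = [
    "cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:exampleapp:1.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:exampleapp_server:1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:othervendor:exampleapp:2.0:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplevendor:example_os:7:*:*:*:*:*:*:*",
]
CVE_FEED = [  # placeholder ids, not real CVEs
    {"id": "CVE-XXXX-0001", "cpe": ["cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-XXXX-0002", "cpe": ["cpe:2.3:a:examplevendor:exampleapp:*:*:*:*:*:*:*:*"]},
    # vendor spelled differently from every dictionary entry: a synchronisation gap
    {"id": "CVE-XXXX-0003", "cpe": ["cpe:2.3:a:example_vendor:exampleapp:1.1:*:*:*:*:*:*:*"]},
]

if __name__ == "__main__":
    ranked = recommend("Example App", "ExampleVendor", "1.1", CPE_DICTIONARY)
    for s, c in ranked:
        print(s, c)
    chosen = ranked[0][1]  # in a real VMS the user confirms or adapts this
    print("CVEs for", chosen, "->", find_cves(chosen, CVE_FEED))
    print("feed names unknown to the dictionary:", sync_gaps(CVE_FEED, CPE_DICTIONARY))
```

Running it ranks the 1.1 entry first, but the subsequent CVE check finds only the wildcard-version entry; the third feed entry is reported by `sync_gaps` rather than by the scan, because its vendor string does not equal any dictionary vendor. A production VMS would need to either normalise feed names or let the user adapt the assigned CPE, which is the interaction the paper argues for.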
