Software Vulnerability Analysis Using CPE and CVE

Sanguino, Luis Alberto Benthin; Uetz, Rafael

doi:10.48550/arxiv.1705.05347

Cited by 5 publications

(6 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This sub-element is used to connect a Patch Tag or a Supplemental Tag to a Primary Tag. Additionally, it may be used to associate any source tag to other arbitrary information elements @href, @rel <Meta> This sub-element may be optionally used to provide additional metadata attributes @activationStatus, @colloquialVersion, @edition, @product, @revision <Payload> This optional sub-element aims to provide details regarding additional elements, for instance, files, folders, license keys that may be installed on a device during the installation of a software product <Directory>, <File>, <Process> <Resource> This field incorporates the essential information related to the BoM including the corresponding software component along with its supplier, manufacturer, and license information and the tool used to create the BOM Components Components provide the complete inventory list of the first and third party components and can be represented as coordinates (group, name, version), Package URL [63], Common Platform Enumeration (CPE) [68], SWID [52], or cryptographic hash functions Services…”

Section: Discussionmentioning

confidence: 99%

SoK: A Framework for and Analysis of Software Bill of Materials Tools

Arora,

Wright,

Garman

2022

View full text Add to dashboard Cite

Modern software development has gradually become more complex, leveraging available open-source software and thirdparty components. This practice has raised questions about the provenance, licensing, versioning and compliance of reused code and its dependencies. Furthermore, it is particularly important to review such code fragments and thirdparty components for known-vulnerabilities before they are included in a software product. A Software Bill of Materials (SBoM) is a mechanism to achieve such an analysis, providing transparency and visibility into a software product to both the software developer and its respective consumer. An SBoM lists information and details about all the elements constituting a piece of software and can, therefore, be used to evaluate associated security risk. While the concept of SBoMs is growing in popularity, it is still fairly new to many organizations, causing them to potentially struggle with producing and processing SBoMs and limiting their widespread adoption.In this work, we delve into the area of SBoMs and present the state-of-the-art SBoM tools, creating a framework for analysis and categorizing them based on a diverse set of features and functionalities. We are the first to provide a detailed analysis of 83 open-source SBoM tools along with a perspective on how a potential SBoM user can select a tool based on their specific requirements. Our work aims to help promote understanding of this domain, thereby encouraging and furthering its overall adoption. We additionally seek to pave a path for future work in this area by providing recommendations to tool developers and users, researchers, and standardizing organizations.

show abstract

Section: Discussionmentioning

confidence: 99%

SoK: A Framework for and Analysis of Software Bill of Materials Tools

Arora,

Wright,

Garman

2022

View full text Add to dashboard Cite

show abstract

“…However, their approach was unable to account for the significance of each vulnerability, and it might not have been compatible with other security knowledge repositories like CWE. Sanguino and Uetz [9] analyzed the use of CPE (Common Platform Enumeration) and CVE to check for vulnerabilities in Software Products. The outcome demonstrated that the two datasets' inability to synchronise cause the VMS (Vulnerability Management System) to produce inaccurate findings.…”

Section: Related Workmentioning

confidence: 99%

CVE Records of Known Exploited Vulnerabilities

Lim,

Lau,

Ming Chan

et al. 2023

2023 8th International Conference on Computer and Communication Systems (ICCCS)

View full text Add to dashboard Cite

Understanding vulnerability trends is critical to the risk management process. The goal of this paper is to raise the awareness and inform the users about the Common Vulnerabilities and Exposures (CVE) associated with Known Exploited Vulnerabilities that might affect users of the products by gathering data from the National Vulnerability Database (NVD) and CVE details from 2017 to Present. We built a system using Python and CVE Analyzer, which allow users to search for specific CVE records based on CVE ID, vendors, products, published date and the last updated date and export rows of data based on the filtered keyword. We also analyze the overall frequency of CVE records each year regarding Common Vulnerability Scoring System (CVSS) base metric trends, the vendors, and products with the most ransomware vulnerabilities. Our findings show that the frequency of all ransomware vulnerabilities increased from 2019 to 2021. Also, the number of high CVSS score of CVE records associated with ransomware is higher than those with low CVSS scores. Apple and Microsoft are the top vendors with the most exploited ransomware vulnerabilities, and IOS and Windows 10 are the products with the highest vulnerable versions by Apple and Microsoft. Our system can help users to prevent and mitigate the impact of ransomware attacks using datasets and data analysis.

show abstract

“…The Common Platform Enumeration (CPE) can be practiced to address software and hardware [25]. However, within the framework of the CPE, one can declare a range of ambiguities impeding the revelation [26]. The obstacles of the unambiguous revelation are not within the scope of this paper.…”

Section: Related Workmentioning

confidence: 99%

Automation of Asset Inventory for Cyber Security: Investigation of Event Correlation-Based Technique

et al. 2022

View full text Add to dashboard Cite

Asset inventory is one of the essential steps in cyber security analysis and management. It is required for security risk identification. Current information systems are large-scale, heterogeneous, and dynamic. This complicates manual inventory of the assets as it requires a lot of time and human resources. At the same time, an asset inventory should be continuously repeated because continuous modifications of system objects and topology lead to changes in the cyber security situation. Thus, a technique for automated identification of system assets and connections between them is required. The paper proposes a technique for automated inventory of assets and connections between them in different organizations. The developed technique is constructed based on event correlation methods, namely linking the system events to each other. The essence of the technique consists of the investigation of event characteristics and identifying the characteristics that arise solely together. This allows determining system assets via assigning event characteristics to specific asset types. The security risks depend on the criticality of the assets; thus, a discussion of automated calculation of the outlined assets’ criticality is provided. Outlined system objects and topology can be further used for restoring possible attack paths and security assessment. The applicability of the developed technique to reveal object properties and types is demonstrated in the experiments.

show abstract

Software Vulnerability Analysis Using CPE and CVE

Cited by 5 publications

References 0 publications

SoK: A Framework for and Analysis of Software Bill of Materials Tools

SoK: A Framework for and Analysis of Software Bill of Materials Tools

CVE Records of Known Exploited Vulnerabilities

Automation of Asset Inventory for Cyber Security: Investigation of Event Correlation-Based Technique

Contact Info

Product

Resources

About