CPE (Common Platform Enumeration) is a standard syntax for describing software (e.g. vendor, software type, software name, version).
The NIST CPE Dictionary is a central database of registered CPEs. Vendors can register their CPEs with NIST to be added to the database.
Currently, LoopBack only has 1 CPE entry, `cpe:2.3:a:ibm:loopback:8.0.0:*:*:*:*:*:*:*`.
Here is a 3-part proposal:

1. IBM is no longer the vendor for LoopBack.

   To solve this, we can revoke the current CPE and replace it with the following:

   `cpe:2.3:a:loopback:\@loopback\/rest:8.0.0:*:*:*:*:*:*:*`

   Note that the CPE above is not registered and may change once we contact NIST. The backslash is used to "quote" printable, non-alphanumeric characters in accordance with the CPE 2.3 specification.

2. Other vulnerable LoopBack packages with a published CVE do not have an associated CPE.

   LB2/3 is quite different from LB4. Hence one proposal is to utilise the DefinitelyTyped syntax by:

   a. Replacing the `\/` scope separator in the above CPE with a double underscore
   b. Using a hyphen as normal for LB2/3 packages (e.g. `loopback-boot`)

   This allows us to exploit the existing distinctive property separating LB2/3 and LB4: LB2/3 packages are unscoped while LB4 packages are scoped.

3. For "non-LoopBack" packages such as `strong-soap`, keep the `loopback` vendor and use the package name as normal, similar to 2.a.
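As an added example (not code from the LoopBack project or this issue), the mapping proposed above as a small Python module: `fs_quote` applies the CPE 2.3 formatted-string quoting rule, `npm_to_cpe` builds the product name in either the backslash-quoted form of part 1 or the DefinitelyTyped double-underscore form of 2.a, and `cpe_product` reverses the quoting so a scanner can get the npm name back. The bare-character set, the simplified npm name check and the function names are my assumptions, not anything NIST or LoopBack has published.

```python
import re
import string

# Added example, not LoopBack project code. Assumes this reading of NISTIR 7695
# section 6.2.2: letters, digits, "_", "." and "-" stand bare in a formatted-string
# value; every other printable character is backslash-quoted ("@" -> "\@").
_BARE = set(string.ascii_letters + string.digits + "_.-")
_NPM_NAME = re.compile(r"(?:@([a-z0-9][a-z0-9._-]*)/)?([a-z0-9][a-z0-9._-]*)")  # simplified
_FIELDS = 13  # cpe, 2.3, part, vendor, product, version, plus 7 trailing attributes


def fs_quote(value: str) -> str:
    """Quote one literal attribute value for a CPE 2.3 formatted string."""
    if not value or value in ("*", "-"):  # bare "*" is ANY and "-" is NA, not literals
        raise ValueError(f"not a literal value: {value!r}")
    out = []
    for ch in value:
        if ch in _BARE:
            out.append(ch)
        elif ch.isprintable() and not ch.isspace():
            out.append("\\" + ch)  # covers "@", "/", and a literal "*" or "?"
        else:
            raise ValueError(f"character {ch!r} is not allowed in a CPE value")
    return "".join(out)


def npm_to_cpe(package: str, version: str, style: str = "quoted", vendor: str = "loopback") -> str:
    r"""Map an npm package name to a CPE 2.3 formatted string under the proposal.
    style="quoted":          @loopback/rest -> \@loopback\/rest  (part 1)
    style="definitelytyped": @loopback/rest -> loopback__rest    (2.a)
    Unscoped names (loopback-boot, strong-soap) are emitted as-is either way.
    """
    m = _NPM_NAME.fullmatch(package)
    if not m:
        raise ValueError(f"not a valid npm package name: {package!r}")
    if style not in ("quoted", "definitelytyped"):
        raise ValueError(f"unknown style: {style!r}")
    scope, name = m.groups()
    product = f"{scope}__{name}" if scope and style == "definitelytyped" else package
    head = ["cpe", "2.3", "a", fs_quote(vendor), fs_quote(product), fs_quote(version)]
    return ":".join(head + ["*"] * (_FIELDS - len(head)))


def cpe_product(cpe: str) -> str:
    """Recover the literal product name from a formatted string (undoes fs_quote)."""
    fields = re.split(r"(?<!\\):", cpe)  # split on ":" unless it is backslash-quoted
    if len(fields) != _FIELDS or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return re.sub(r"\\(.)", r"\1", fields[4])
```

The version `1.0.0` used for the unscoped packages in the checks is a constructed sample, not a released LoopBack version.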