-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Greetings,

I wasn't sure of the correct home for this message. As part of an effort to match up associated CPE information with ported software on FreeBSD, we came across conflicting information in the NIST dictionary for PCRE. PCRE was documented as having three distinct products, the correct 'pcre' and two incorrect products:

  'perl-compatible_regular_expression_library'
  'perl_compatible_regular_expression_library'

I contacted NIST for clarification based on the steps on Mitre's CPE page (https://cpe.mitre.org/dictionary/). Their response clarifying the correct information follows and I'm forwarding it here as a courtesy.

Additionally, have any PCRE developers asked to have PCRE2 registered in the CPE dictionary? We've matched up the FreeBSD port of PCRE with the correct CPE information but PCRE2 isn't listed upstream yet. The process is listed in the link above.

Thanks!
Jason Unovitch
FreeBSD Ports Security Team

- ----- Forwarded message from "Izadjoo, Meisam (Assoc)" <meisam.izad...@nist.gov> -----

Date: Tue, 5 Jul 2016 14:06:41 +0000
From: "Izadjoo, Meisam (Assoc)" <meisam.izad...@nist.gov>
To: Jason Unovitch <junovi...@freebsd.org>
CC: cpe_dictionary <cpe_diction...@nist.gov>
Subject: RE: CPE Inquiry: PCRE - Conflicting Product Information

Good morning and thank you for bringing this matter to our attention.

The correct CPE for this product should be:

  cpe:2.3:a:pcre:pcre

As time permits, we will update the dictionary and correct any conflicts.

Regards,
Mase Izadjoo
National Vulnerability Database
National Institute of Standards and Technology
nvd.nist.gov

- -----Original Message-----
From: Jason Unovitch [mailto:junovi...@freebsd.org]
Sent: Sunday, July 03, 2016 4:52 PM
To: cpe_dictionary <cpe_diction...@nist.gov>
Subject: CPE Inquiry: PCRE - Conflicting Product Information

Hello,

This is in regards to PCRE (http://pcre.org/). The preponderance of PCRE entries contain a vendor and product entry of pcre. However, there are duplicate entries using the following two product strings:

  perl-compatible_regular_expression_library
  perl_compatible_regular_expression_library

Note that the former hyphenated version references various 7.x CVEs while the latter version with an underscore has been adding new entries. For example, for PCRE 8.38 there are recent entries for both pcre and perl_compatible_regular_expression_library.

https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe:/a:pcre:pcre:8.38
https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe:/a:pcre:perl_compatible_regular_expression_library:8.38

What is the canonical Vendor/Product for PCRE?

Thank you,
Respectfully,
Jason Unovitch
FreeBSD Port Security Team

- ----- End forwarded message -----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQF8BAEBCgBmBQJXfGMzXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ0NURGNTQ1OTkzQkJFMzc3OTNDQUNERUU2
RkQ0OUMzMDE2MUNBQTZFAAoJEG/UnDAWHKpuMrwH/0X6A1LpCDffYYQE7AEVQGYw
DNturwVZG6TrgiZOvgAlw/V9EDyivKTCRKUbM3438An6EvV3DMkjzzL3jfH1Jd00
fVgXG3ecp2mLG03k3/rRf5LZkSm6/tT7u8LThd0jEgEth7vYpbLcHBlf6vXb6bGZ
DMm5bMO3TDn70YCVacJHC5BGXbxeSqU4meGYS1+vclyE5vGUZ1ujWdFK18JJMemd
eBaTjD1T035m4/eMPaB5LnrWiUhDR482W93W8HJUHfYGZOUhgU+TTjSSwMsP+Mgj
dVWwzi6NCuv/hKB2j0pKtiEERjRoHFLJc/bf2sU3crAdJwYxCdiylwnqyk6+3WA=
=KmSI
-----END PGP SIGNATURE-----

--
## List details at https://lists.exim.org/mailman/listinfo/pcre-dev
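The practical consequence of the duplicate product strings described in the thread is that a scanner keyed only on the canonical name `cpe:/a:pcre:pcre:<version>` silently misses entries filed under `perl_compatible_regular_expression_library`. The following is an added example (not FreeBSD Ports or NVD code) showing how a port-to-CPE matcher can parse both the CPE 2.2 URI form used in the NVD search URLs above and the CPE 2.3 formatted-string form NIST quoted, fold the two known PCRE aliases onto `pcre:pcre`, and then match a port's CPE against a set of entries. The alias table contains only the two strings named in the thread; the entry IDs and their CPE lists are constructed sample data, not real CVEs.

```python
"""Match a FreeBSD port's CPE against vulnerability entries while folding
duplicate NVD product strings onto the canonical vendor/product.
Added example; not code from FreeBSD Ports, NIST or the PCRE project."""
import re

# Known duplicate product strings for PCRE, taken from the thread above,
# mapped to the canonical (vendor, product). Anything else maps to itself.
ALIASES = {
    ("pcre", "perl-compatible_regular_expression_library"): ("pcre", "pcre"),
    ("pcre", "perl_compatible_regular_expression_library"): ("pcre", "pcre"),
}

# CPE 2.3 formatted strings use ':' as a separator; a literal colon in a
# component is escaped as '\:', so split only on unescaped colons.
_UNESCAPED_COLON = re.compile(r"(?<!\\):")


def parse_cpe(name):
    """Parse a CPE 2.2 URI ('cpe:/a:vendor:product:version') or a CPE 2.3
    formatted string ('cpe:2.3:a:vendor:product:version:...') into
    (part, vendor, product, version). A missing or '*' version means ANY.
    Components are lower-cased because CPE comparison is case-insensitive."""
    if name.startswith("cpe:2.3:"):
        fields = _UNESCAPED_COLON.split(name[len("cpe:2.3:"):])
    elif name.startswith("cpe:/"):
        fields = name[len("cpe:/"):].split(":")
    else:
        raise ValueError("not a CPE name: %r" % (name,))
    # Pad so that a short 2.2 URI such as 'cpe:/a:pcre:pcre' still yields
    # four components, with the version defaulting to ANY.
    fields = [f.lower() for f in fields] + ["*"] * 4
    part, vendor, product, version = fields[:4]
    if version == "":
        version = "*"
    return part, vendor, product, version


def canonicalize(name, aliases=ALIASES):
    """Parse a CPE name and fold known alias (vendor, product) pairs."""
    part, vendor, product, version = parse_cpe(name)
    vendor, product = aliases.get((vendor, product), (vendor, product))
    return part, vendor, product, version


def cpe_matches(port_cpe, entry_cpe, aliases=ALIASES):
    """True if an entry's CPE applies to the port's CPE after aliasing.
    An entry version of '*' (ANY) matches every port version."""
    p_part, p_vendor, p_prod, p_ver = canonicalize(port_cpe, aliases)
    e_part, e_vendor, e_prod, e_ver = canonicalize(entry_cpe, aliases)
    if (p_part, p_vendor, p_prod) != (e_part, e_vendor, e_prod):
        return False
    return e_ver in ("*", p_ver)


def vulnerable_entries(port_cpe, entries, aliases=ALIASES):
    """Return the IDs of entries whose CPE list matches port_cpe, in order."""
    return [
        entry_id
        for entry_id, cpes in entries
        if any(cpe_matches(port_cpe, c, aliases) for c in cpes)
    ]


# Constructed sample entries (placeholder IDs, not real CVEs) mirroring the
# situation in the thread: the same PCRE release filed under both the
# canonical product and the underscore alias, plus an old 7.x entry under
# the hyphenated alias and a PCRE2 entry that must not match.
SAMPLE_ENTRIES = [
    ("CVE-0000-0001", ["cpe:/a:pcre:pcre:8.38"]),
    ("CVE-0000-0002", ["cpe:/a:pcre:perl_compatible_regular_expression_library:8.38"]),
    ("CVE-0000-0003", ["cpe:/a:pcre:perl-compatible_regular_expression_library:7.9"]),
    ("CVE-0000-0004", ["cpe:2.3:a:pcre:pcre:*:*:*:*:*:*:*:*"]),
    ("CVE-0000-0005", ["cpe:2.3:a:pcre:pcre2:10.21:*:*:*:*:*:*:*"]),
]

PORT_CPE = "cpe:2.3:a:pcre:pcre:8.38:*:*:*:*:*:*:*"  # assumed port CPE

if __name__ == "__main__":
    print("with aliasing:   ", vulnerable_entries(PORT_CPE, SAMPLE_ENTRIES))
    print("without aliasing:", vulnerable_entries(PORT_CPE, SAMPLE_ENTRIES, {}))
```

Run with an empty alias table to see the failure mode the thread describes: the entry filed under `perl_compatible_regular_expression_library` for the same 8.38 release drops out of the result. The alias table is the part that needs maintaining; once NIST corrects the dictionary, it can shrink to nothing, but keeping it until then is safer than waiting.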