Re: Proposed spec for external packages
On Tue, Aug 4, 2015 at 10:20 AM, Sai Uday Shankar Korlimarla <skorlimarla@...> wrote:
Proposal was to permit use of either. It was not mandating that one or another needs be used.
Also, see Appendix A in NIST-8060 where CPE can be derived from SWID.
NIST-8060 is an emerging NIST standard, so they are not present today, but if the standard is approved, they will be in the future.
SWIDs are the proposed standard to eventually replace CPEs in the infrastructure.
Adding the ability to reference them as an external identifier in SPDX is a future-proofing measure.
For your purposes, use the CPEs. See earlier comments about future proofing.
Completely agree CPE is what should be linked to today.
From the NIST 8060 (which is open):
1532 At some point in the future, as SWID tags become widely used and available, SWID tags will be
1533 able to supplant CPE names as the primary means of identifying software products and
1534 correlating vulnerability reports with those products. Until that occurs, SWID tags need to
1535 provide certain data values from which CPE names could be mechanically generated. These
1536 generated CPE names can be used to populate the CPE dictionary and to allow for searching
1537 repositories like the NVD.
It's a standard that is in "public review" right now, from NIST.
See Appendix A for the mapping.
Hopefully the above clarifies.