Name of Your Organization:
Silicomp-AQL
Web Site:
http://www.aql.fr/
Compatible Capability:
Vigil@nce
Capability home page:
http://vigilance.aql.fr/
General Capability Questions
1) Product Accessibility <CR_2.4>
Provide a short description of how and where
your capability is made available to your customers and the public (required):
Vigil@nce describes vulnerabilities and their solutions.
Registered customers can access this information through:
- web server
- emails
- cdroms
- XML dumps
Public users can access synthetic information through:
Mapping Questions
4) Map Currency Indication <CR_5.1>
Describe how and where your capability indicates
the most recent CVE version used to create or update its mappings (required):
Extract of webpage https://vigilance.aql.fr/aide.php :
Current version in use by Vigil@nce is 20040901.
5) Map Currency Update Approach <CR_5.2>
Indicate how often you plan on updating the mappings
to reflect new CVE versions and describe your approach to keeping reasonably
current with CVE versions when mapping them to your repository (recommended):
We plan to update at most 3 working days after publication.
In order to achieve this:
- we are subscribed to the cve announce mailing-list
- a script converts CANdidates which are in our database to newly elected CVE entries
- a script displays CVE entries which are not in our database and need to be added
- the version field is updated on the webserver
6) Map Currency Update Time <CR_5.3>
Describe how and where you explain to your customers
the timeframe they should expect an update of your capability's mappings
to reflect a newly released CVE version (recommended):
Extract of webpage https://vigilance.aql.fr/aide.php :
CVE Editorial Board meets periodically and analyzes each candidate.
Most candidates are indeed vulnerabilities, and their identifier
changes from CAN-YYYY-NNNN to CVE-YYYY-NNNN (problems not accepted
keep their CAN-YYYY-NNNN identifier). After October 19th 2005, the identifier
will not change, but the status will change from "Candidate" to "Entry".
Then, the new list of identifiers is published under a version number.
At most three working days after publication, Vigil@nce updates identifiers
in its database.
Documentation Questions
7) CVE and Compatibility Documentation <CR_4.1>
Provide a copy, or directions to its location,
of where your documentation describes CVE and CVE compatibility for
your customers (required):
Extract of webpage https://vigilance.aql.fr/aide.php :
MITRE Corporation (http://cve.mitre.org/)
allocates a unique identifier for each vulnerability. This identifier,
CVE-YYYY-NNNN or CAN-YYYY-NNNN, makes it possible to correlate information
provided by several products or services. The Vigil@nce service is CVE
Compatible, which ensures search, output, accuracy and documentation
abilities (CVE-Searchable, CVE-Output, Mapping Accuracy, CVE-Documentation).
8) Documentation of Finding Elements Using CVE Names <CR_4.2>
Provide a copy, or directions to its location, of
where your documentation describes the specific details of how your
customers can use CVE names to find the individual security elements
within your capability's repository (required):
Extract of webpage https://vigilance.aql.fr/aide.php :
Search forms of Vigil@nce provide a CVE identifier criterion. Users
can search with the CAN prefix, the CVE prefix or without a prefix.
9) Documentation of Finding CVE Names Using Elements <CR_4.3>
Provide a copy, or directions to its location, of
where your documentation describes the process a user would follow to
find the CVE names associated with individual security elements within
your capability's repository (required):
Extract of webpage https://vigilance.aql.fr/aide.php :
CVE identifiers are displayed in HTML, text or XML sheets, under
the title "Identifiers". Identifiers are also displayed
in search results, depending on user preferences.
Candidate Support Questions
11) Candidates Versus Entries Indication <CR_6.1>
If CVE candidates are supported or used, explain
how you indicate that candidates are not accepted CVE entries (required):
Extract of webpage https://vigilance.aql.fr/aide.php :
Every day, researchers discover problems (these problems are not
always vulnerabilities) and ask MITRE Corporation to provide them
with an identifier. MITRE Corporation then emits a new candidate of the
form CAN-YYYY-NNNN. On October 19th 2005, candidates will be named "CVE-YYYY-NNNN
with candidate status" instead of "CAN-YYYY-NNNN".
CVE Editorial Board meets periodically and analyzes each candidate.
Most candidates are indeed vulnerabilities, and their identifier
changes from CAN-YYYY-NNNN to CVE-YYYY-NNNN (problems not accepted
keep their CAN-YYYY-NNNN identifier). After October 19th 2005, the identifier
will not change, but the status will change from "Candidate" to "Entry".
12) Candidates Versus Entries Explanation <CR_6.2>
If CVE candidates are supported or used, explain
where and how the difference between candidates and entries is explained
to your customers (recommended):
Extract of webpage https://vigilance.aql.fr/aide.php :
Most candidates are indeed vulnerabilities, and their identifier
changes from CAN-YYYY-NNNN to CVE-YYYY-NNNN (problems not accepted
keep their CAN-YYYY-NNNN identifier). After October 19th 2005, the identifier
will not change, but the status will change from "Candidate" to "Entry".
13) Candidate to Entry Promotion <CR_6.3>
If CVE candidates are supported or used, explain
your policy for changing candidates into entries within your capability
and describe where and how this is communicated to your customers (recommended):
In order to achieve this:
- we are subscribed to cve announce mailing-list
- a script converts CANdidates which are in our database to newly elected CVE entries
We do not inform our customers when a CAN becomes a CVE. They will
notice it automatically, because the reference changes.
14) Candidate and Entry Search Support <CR_6.4>
If CVE candidates are supported or used, explain
where and how a customer can find the explanation of your search function's
ability to look for candidates and entries by using just the YYYY-NNNN
portion of the CVE names (recommended):
Extract of webpage https://vigilance.aql.fr/aide.php :
Every day, Vigil@nce adds new candidates in its database.
Type-Specific Capability Questions
Online Capability Questions
26) Finding Online Capability Tasks Using CVE Names <CR_A.4.1>
Give detailed examples and explanations of how a
"find" or "search" function is available to the
user to locate tasks in the online capability by looking for their associated
CVE name or through an online mapping that links each element of the
capability with its associated CVE name(s) (required):
Vigil@nce proposes several search forms. For example, the vulnerability search form contains:
Vulnerabilities with identifier [?] _________ [Search]
The user can enter a query pattern such as "2005-2222", "CVE-2005-2222" or
"CAN-2005-2222", then press the Search button.
Pressing the [?] button displays a help window that explains
how to use this search form.
Other search features also have a similar form where the user can query
an identifier.
27) Online Capability Interface Template Usage <CR_A.4.1.1>
Provide a detailed description of how someone can
use your "URL template" to interface to your capability's
search function (recommended):
Examples:
http://www.example.com/cgi-bin/db-search.cgi?cvename=CVE-YYYY-NNNN
http://www.example.com/cve/CVE-YYYY-NNNN.html
Start the URL with:
https://vigilance.aql.fr/recherche.php?refsect=1&reference_bouton1=1&reference_valeur1=
End the URL with the queried value:
CAN-2005-2700
For example:
https://vigilance.aql.fr/recherche.php?refsect=1&reference_bouton1=1&reference_valeur1=CAN-2005-2700
Please note that this direct URL access is not the easiest way to use the CVE
search features. However, it is provided for users who need to perform
automated tasks.
28) Online Capability CGI Get Method Support <CR_A.4.1.2>
If the URL template is for a CGI program, does it
support the HTTP "GET" method? (recommended):
Yes
29) Finding CVE Names Using Online Capability Elements <CR_A.4.2>
Give detailed examples and explanations of how,
for reports that identify individual security elements, the online capability
allows the user to determine the associated CVE names for the individual
security elements in the report (required):
a) WEB SERVER, EMAILS, CDROM
The HTML vulnerability description sheet contains the list of associated identifiers:
Identifiers: CAN-2005-2495, MDKSA-2005:164, RHSA-2005:329-01, etc.
Moreover, in this case "CAN-2005-2495" is a link to:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2495
The text vulnerability description sheet contains the list of associated identifiers:
Identifiers: CAN-2005-2495, MDKSA-2005:164, RHSA-2005:329-01, etc.
The XML vulnerability description sheet contains a reference node:
<references>
<reference>CAN-2005-2495</reference>
<reference>MDKSA-2005:164</reference>
<reference>RHSA-2005:329-01</reference>
etc.
</references>
XML schema and DTD are available on webserver or on cdrom.
b) WEB SERVER
After a search, the result is displayed as:
XFree86: integer overflows of pixmap images
A malicious pixmap image leads to several overflows in XFree86.
CAN-2005-2495, MDKSA-2005:164, RHSA-2005:329-01, etc.
The third line indicates identifiers. The user can set his preferences to hide or show this line.
c) XML DUMPS
XML dump of Vigil@nce database contains identifiers for each vulnerability.
XML schema and DTD are available on request.
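The prefix handling from answer 26, the URL template from answer 27 and the `<references>` node from answer 29 can be exercised together. The following is an added example, not Vigil@nce code or part of the original submission; the function names and `SAMPLE_SHEET` are hypothetical, and the sample sheet is constructed from the fragment shown above.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

# URL template quoted in answer 27 of this page.
SEARCH_TEMPLATE = ("https://vigilance.aql.fr/recherche.php"
                   "?refsect=1&reference_bouton1=1&reference_valeur1=")

# Constructed sample, modelled on the <references> node shown in answer 29.
SAMPLE_SHEET = """<references>
  <reference>CAN-2005-2495</reference>
  <reference>MDKSA-2005:164</reference>
  <reference>RHSA-2005:329-01</reference>
</references>"""

# "CAN-2005-2495", "CVE-2005-2495" or bare "2005-2495" (YYYY-NNNN as on this page).
_ID_RE = re.compile(r"(?:(CAN|CVE)-)?([0-9]{4})-([0-9]{4})", re.IGNORECASE)

def split_identifier(text):
    """Return (prefix or None, 'YYYY-NNNN'), or None if text is not a CVE name."""
    m = _ID_RE.fullmatch(text.strip())
    if m is None:
        return None
    return (m.group(1).upper() if m.group(1) else None, f"{m.group(2)}-{m.group(3)}")

def cve_references(sheet_xml):
    """Map 'YYYY-NNNN' -> identifier as written; vendor ids (MDKSA, RHSA) are skipped."""
    found = {}
    # Stdlib parser: fine for trusted sheets; use a hardened parser for untrusted XML.
    for node in ET.fromstring(sheet_xml).iter("reference"):
        parsed = split_identifier(node.text or "")
        if parsed and parsed[0]:          # inside a sheet, require the CAN-/CVE- prefix
            found[parsed[1]] = node.text.strip()
    return found

def sheet_matches(query, sheet_xml):
    """Prefix-insensitive lookup: CAN-, CVE- and bare queries hit the same entry."""
    parsed = split_identifier(query)
    return parsed is not None and parsed[1] in cve_references(sheet_xml)

def search_url(query):
    """Build the answer-27 URL, refusing input that is not a CVE name."""
    parsed = split_identifier(query)
    if parsed is None:
        raise ValueError(f"not a CVE/CAN identifier: {query!r}")
    prefix, number = parsed
    return SEARCH_TEMPLATE + quote(f"{prefix}-{number}" if prefix else number, safe="-")
```

Validating the query before appending it to the template keeps automated callers from passing extra parameters or arbitrary text through `reference_valeur1`.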
30) Online Capability Element to CVE Name Mapping <CR_A.4.3>
If details for individual security elements are
not provided, give examples and explanations of how a user can obtain
a mapping that links each element with its associated CVE name(s), otherwise
enter N/A (required):
Vulnerability descriptions always contain identifier information.
Search results may contain identifier information, depending on user preferences. This can be changed:
Administration > Current user > Modify > Common preferences > Result: display identifiers : Yes/No
Media Questions
31) Electronic Document Format Info <CR_B.3.1>
Provide details about the different electronic document
formats that you provide and describe how they can be searched for specific
CVE-related text (required):
Vigil@nce provides 3 formats for documents (see answer 27a for examples):
In all cases, the user can use the search feature of his
viewer to search for the "CVE-" or "CAN-" pattern.
32) Electronic Document Listing of CVE Names <CR_B.3.2>
If one of the capability's standard electronic documents
only lists security elements by their short names or titles provide
example documents that demonstrate how the associated CVE names are
listed for each individual security element (required):
There is no short output in Vigil@nce.
33) Electronic Document Element to CVE Name Mapping <CR_B.3.3>
Provide example documents that demonstrate the mapping
from the capability's individual elements to the respective CVE name(s)
(recommended):
For example, recent vulnerability VIGILANCE-VUL-5192 contains:
| Title: | XFree86: integer overflows of pixmap images |
| Identifiers: | CAN-2005-2495, MDKSA-2005:164, RHSA-2005:329-01, RHSA-2005:396-01 |
Questions for Signature
37) Statement of Compatibility <CR_2.7>
Have an authorized individual sign and date the
following Compatibility Statement (required):
"As an authorized representative of my organization I agree
that we will abide by all of the mandatory CVE Compatibility Requirements
as well as all of the additional mandatory CVE Compatibility Requirements
that are appropriate for our specific type of capability."
Name: Christian DAMOUR
Title: IT Security business unit manager
38) Statement of Accuracy <CR_3.4>
Have an authorized individual sign and date the
following accuracy Statement (recommended):
"As an authorized representative of my organization and to
the best of my knowledge, there are no errors in the mapping between
our capability's Repository and the CVE entries our capability identifies."
Name: Laurent CONSTANTIN
Title: Vigil@nce technical manager