During a recent debate on how we're going to fit the CVE into our database structure, one of the DBAs commented on how a specific vulnerability might not just have one CVE index, but several. Up to now, this group has discussed the potential of one CVE mapping to zero or more records of a VDB, but the opposite has not been discussed before; namely, a many-to-many relationship.
For example, "Windows NT 4.0 prior to Service Pack 4" involves many potential CVEs, possibly subsuming the CVEs in SP3, 2, and 1. How would a vendor handle these, considering that it is probably out of the scope of the CVE to reconcile these entries?
I envision this question raising several points:
- Can a vendor go about assigning multiple CVEs to a vulnerability or check outside of the framework of the CVE?
- Who verifies that the vendor is doing correct assignments?
- Do CVE indices get subsumed in later patches (for example NT SP3 is subsumed in SP4)? (My opinion on this one is 'no, they do not,' but YMMV.)
- Can almost everything in a VDB get a CVE? I know there are rules on what a 'vulnerability' is, but the draft CVE is a lot less stringent about the definition than, say, the Common Criteria (CC).
I would appreciate your thoughts on this matter.
X-Force Security Research
Internet Security Systems, Inc.
678.443.6241 / fax 678.443.6479
Adaptive Network Security for the Enterprise