CVE List▾ CVE List Search Search Tips CVE Request Web Form Web Form Help PGP Key CVE List Documents & Guidance Terms of Use        CNAs▾ CVE Numbering Authorities (CNAs) Participating CNAs CNA Documents, Policies & Guidance CNA Rules, Version 3.0 New CNA Onboarding Slides & Videos How to Become a CNA         WGs▾ CVE Working Groups Automation (AWG) CNA Coordination (CNACWG) Outreach and Communications (OCWG) CVE Quality (QWG) Strategic Planning (SPWG) Tactical (TWG)         Board▾ CVE Board Members Email Archives Meeting Archives Board Charter         About▾ About CVE Professional Code of Conduct CVE & NVD Relationship History Sponsor Documentation & Guidance FAQs Terminology       News & Blog▾ Latest CVE News Blog Podcast Calendar Archive Follow CVE Free CVE Newsletter CVEnew Twitter Feed CVEannounce Twitter Feed CVE on Medium CVE on LinkedIn CVEProject on GitHub CVE on YouTube
Search CVE List         Downloads         Data Feeds         Update a CVE Record         Request CVE IDs
TOTAL CVE Records: 228713 NOTICE: Transition to the all-new CVE website at WWW.CVE.ORG and CVE Record Format JSON are underway. NOTICE: Legacy CVE download formats deprecation is now underway and will end on June 30, 2024. New CVE List download format is available now.



Name of Your Organization:

Computer Associates International, Inc.

Web Site:

www.ca.com

Compatible Capability:

eTrust Vulnerability Manager

Capability home page:

http://www3.ca.com/Solutions/Product.asp?ID=4707

1) Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

All of our vulnerability data contains CVE references   that are updated constantly and are based on the most recent updates made by Mitre.  Customers can access this information through the eTrust Vulnerability Manager product, and the general public can find this information at our CA Security Advisor ( http://www3.ca.com/securityadvisor/vulninfo/ ) website.

4) Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

Our data is linked directly to the CVE data in the MITRE database, so we do not reference CVE versions.

5) Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (recommended):

Our CVE data is updated constantly, and includes the most recent CANs.  We utilize the Purdue CVE Changes page ( https://cassandra.cerias.purdue.edu/CVE_changes/ ), and the Mitre CVE web site and database,   to maintain CVE currency.

6) Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect a newly released CVE version (recommended):

We do not provide an explanation, but the expectation is that we provide constant updates.

7) CVE and Compatibility Documentation<CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

The eTrust Vulnerability Manager online Help (included within the product and published on the CA customer support technical website, SupportConnect) provides information regarding CVE compatibility.   Please see the following excerpt from the Help documentation:

CVE

The Common Vulnerabilities and Exposures (CVE) identifier uniquely names the vulnerability and includes a list of vulnerabilities and exposures, providing common names for publicly known problems.

CVE is a formal initiative whose goal is to standardize the names for all publicly known vulnerabilities and security exposures. CVE is run by an editorial board and chaired by a representative of the MITRE Corporation, a not-for-profit information technology and engineering organization chartered to work in the public interest. The board includes representatives from more than 20 security-related organizations, including CA and other notable security groups.

A CVE identifier makes it easy to share data across separate vulnerability databases and security tools. Knowing the vulnerability's CVE identifier lets you quickly and accurately access information about the problem across multiple information sources that are CVE-compatible.

You can enter a CVE identifier in the Keyword field of any eTrust Vulnerability Manager Content or Task List Search or Filter panel that includes the keyword field. For more information, see Keyword Search Logic.

If you own a security scanning tool that has reports containing references to CVE identifiers, you can access information about fixes in a separate CVE-compatible database, like eTrust Vulnerability Manager.

8) Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability's repository (required):

Please see eTrust Vulnerability Manager Help documentation excerpt in Item 7. above.

9) Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability's repository (required):

Please see eTrust Vulnerability Manager Help documentation excerpt in Item 7. above.

10) Documentation Indexing of CVE-Related Material <CR_4.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):

 

11) Candidates Versus Entries Indication <CR_6.1>

If CVE candidates are supported or used, explain how you indicate that candidates are not accepted CVE entries (required):

While CA does do not provide a direct explanation to the difference between CAN and CVE bulletins, vulnerabilities include hyperlinks to the candidate in the MITRE database which do display the message that the candidate is under review.

12) Candidates Versus Entries Explanation <CR_6.2>

If CVE candidates are supported or used, explain where and how the difference between candidates and entries is explained to your customers (recommended):

Please see response in Item 11 above.

13) Candidate to Entry Promotion <CR_6.3>

If CVE candidates are supported or used, explain your policy for changing candidates into entries within your capability and describe where and how this is communicated to your customers (recommended):

We make changes as soon as changes are made by Mitre.  We do not communicate this fact explicitly to customers because it is a regular part of the overall content development and maintenance process.

14) Candidate and Entry Search Support <CR_6.4>

If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's ability to look for candidates and entries by using just the YYYY-NNNN portion of the CVE names (recommended):

These directions are provided in the eTrust Vulnerability Manager online Help. An excerpt of this documentation is provided in Item 7 above.

15) Search Support for Promoted Candidates <CR_6.5>

If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's support for retrieving the CVE entry for a candidate that is no longer a candidate (recommended):

Links in CA vulnerability content to the CVE entry are updated regularly, which will explicitly promote the vulnerability relationship from CAN to accepted/approved CVE.

16) Candidate Mapping Currency Indication <CR_6.6>

If CVE candidates are supported or used, explain where and how you tell your users how up-to-date your candidate information is (recommended):

We update our CVE data constantly, providing a 'Date Modified' field on vulnerability data.  If the MITRE CAN link as updated in a vulnerability, the 'Date Modified' field would reflect that change.

Type-Specific Capability Questions

17) Finding Tasks Using CVE Names <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):

By using the Search functionality (Content > Vulnerabilities), users can access task details by filtering searches based on "Reference Number" Identifier Keyword. To go one step further, users can directly identify assets affected by the vulnerabilities through an Affected Assets report, a feature of the Vulnerability Content Search.

18) Finding CVE Names Using Elements in Reports <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):

By using the Search functionality (Content > Vulnerabilities), users can access task details for vulnerabilities. If there are numerous elements that support the vulnerability, they are all listed within the task details. Vulnerability CAID 28495 is an excellent example.

19) Getting a List of CVE Names Associated with Tasks <CR_A.2.4>

Give detailed examples and explanations of how a user can obtain a listing of all of the CVE names that are associated with the tool's tasks (recommended):

Using the Search functionality (Content > Vulnerabilities), users can obtain a list of all vulnerabilities that are based on CVE reference. Users can then view each vulnerability to  retrieve CVE data that is contained at the end of each vulnerability item.

20) Selecting Tasks with a List of CVE Names <CR_A.2.5>

Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CVE names (recommended):

The eTrust Vulnerability Manager does not accept file imports for reference, but by using the Search functionality (Content > Vulnerabilities) as described in Item 20 above, users can access task details by filtering searches based on "Reference Number" Identifier Keyword.

21) Selecting Tasks Using Individual CVE Names <CR_A.2.6>

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CVE names (recommended):

By using the Search functionality (Content > Vulnerabilities), users can access task details by filtering searches based on specific CAN or CVE name in the Keyword field.

31) Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

We utilize a browser-based interface that displays HTML documents.  By accessing the Search functionality (Content > Vulnerabilities > Search), users can filter based on "Reference Number" Identifier Keywords such as "CVE-1999-0964". Users can also browse and search the Help documentation to locate information about CVE compatibility.  See Item 10 above for Help interface screen shot.

32) Electronic Document Listing of CVE Names <CR_B.3.2>

If one of the capability's standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):

By clicking on any security element (vulnerability) title link located at the bottom of each page, users can view details, including full CVE references.  Please see following screen shot examples: >

Vulnerabilities that contain CVE References per the Keyword search:

Clicking into a Vulnerability name displays the vulnerability detail. The detail includes a hyperlink to the referenced CVE entry (bottom of vulnerability detail):

Customers can click into the hyperlink to view the entire CVE detail, including long name.

33) Electronic Document Element to CVE Name Mapping <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CVE name(s) (recommended):

Vulnerability detail provides a link to the CVE database. See examples following.

Clicking on the Reference URL opens the CVE database page:

34) Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CVE name(s) (required):

We utilize a browser-based interface that displays HTML documents.  By accessing the Search functionality (Content > Vulnerabilities > Search), users can filter based on "Reference Number" Identifier Keywords such as "CVE-1999-0964".  See accompanying word document.

35) GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability's elements, also describe the format of the mapping (required):

CVE references are mapped to the CA vulnerability that they represent, and presented through the CA ID (an internal CA content numbering scheme). Users who wish to view a CVE vulnerability can search using either CA ID or CVE name or ID in the Content > Vulnerability interface.   The resulting list displays CA Vulnerabilities that result from the search; the CVE reference is part of the resulting vulnerability content detail.

36) GUI Export Electronic Document Format Info <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):

We utilize a browser-based interface that displays HTML documents.     These documents can be printed.

37) Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Eric Herrera

Title: Product Manager, eTrust Vulnerability Manager

38) Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CVE entries our capability identifies."

Name: Leo Walsh

Title: Director, Development

39) Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: Eric Herrera

Title: eTrust Product Manager