
Re: Public availability of CMEX
Everyone,

While CMEX looks like it could be a "real" vulnerability database, I
don't think it will ever be a competitor to any "good" vulnerability
database.

The purpose of CMEX is twofold:
   - to support maintenance of the CVE
   - to support looking up a specific vulnerability

It is *not* to provide a sysadmin or researcher or other "end user"
with a wealth of information.  It is only useful to CVE mappers and
maintainers.

CMEX will never have fields for things like risk, impact, software
version numbers or affected operating systems (except when used in the
description field to discriminate between vulnerabilities),
classification (beyond the extremely broad categories that guide
content decisions), exploits, fix information, or even a complete set
of references - i.e., the "meat" of most vulnerability databases.
While the keywords certainly help searchability, they are based
exclusively on the descriptive text and are primarily useful for
looking up the name of a specific vulnerability.  A user couldn't
retrieve, say, "all NT vulnerabilities" or "all vulnerabilities that
give root access" or "all buffer overflow problems".  The categories
are extremely broad and would not help an "end user" in any real way,
except to help narrow the search.

IMHO, the only CMEX data that I see as having any "questionable"
overlap with a real vulnerability database are the categories and
references.  The references are inherently incomplete, and the
categories are too high level for most classification purposes
(consider how "software flaw" covers Krsul and Aslam's theses in one
fell swoop).  Thus I don't think there's enough real data in CMEX to
enable it to "compete" with other databases.

- Steve

Page Last Updated or Reviewed: May 22, 2007