Silicomp-AQL
http://www.aql.fr/
Vigil@nce
http://vigilance.aql.fr/
Provide a short description of how and where your capability is made available to your customers and the public (required):
Vigil@nce describes vulnerabilities and their solutions.
Registered customers can access this information through:
- web server
- emails
- cdroms
- XML dumps
Public users can access synthetic information through:
- web server
Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):
Extract of webpage https://vigilance.aql.fr/aide.php :
Current version in use by Vigil@nce is 20040901.
Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (recommended):
We plan to update at most 3 working days after publication.
In order to achieve this :
- we are subscribed to cve announce mailing-list
- a script converts CANdidates which are in our database to newly elected CVE entries
- a script displays CVE entries which are not in our database and need to be added
- version field is updated on webserver
Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect a newly released CVE version (recommended):
Extract of webpage https://vigilance.aql.fr/aide.php :
CVE Editorial Board meets periodically and analyzes each candidate. Most candidates are indeed vulnerabilities, and their identifiers change from CAN-YYYY-NNNN to CVE-YYYY-NNNN (problems not accepted keep their CAN-YYYY-NNNN identifier). After October 19th 2005, the identifier will not change, but the status will change from "Candidate" to "Entry". Then, the new list of identifiers is published under a version number. At most three working days after publication, Vigil@nce updates identifiers in its database.
Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):
Extract of webpage https://vigilance.aql.fr/aide.php :
MITRE Corporation (https://cve.mitre.org/) allocates a unique identifier for each vulnerability. This identifier, CVE-YYYY-NNNN or CAN-YYYY-NNNN, makes it possible to correlate information provided by several products or services. Vigil@nce service is CVE Compatible, which ensures search, output, accuracy and documentation abilities (CVE-Searchable, CVE-Output, Mapping Accuracy, CVE-Documentation).
Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability's repository (required):
Extract of webpage https://vigilance.aql.fr/aide.php :
Search forms of Vigil@nce provide a CVE identifier criterion. The user can search with the CAN prefix, the CVE prefix or without a prefix.
Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability's repository (required):
Extract of webpage https://vigilance.aql.fr/aide.php :
CVE identifiers are displayed in HTML, text or XML sheets, under the title "Identifiers". Identifiers are also displayed in search results, depending on user preferences.
If CVE candidates are supported or used, explain how you indicate that candidates are not accepted CVE entries (required):
Extract of webpage https://vigilance.aql.fr/aide.php :
Every day, researchers discover problems (these problems are not always vulnerabilities) and ask MITRE Corporation to provide them an identifier. MITRE corporation then emits a new candidate of the form CAN-YYYY-NNNN. On October 19th 2005, candidates will be named "CVE-YYYY-NNNN with candidate status" instead of "CAN-YYYY-NNNN".
CVE Editorial Board meets periodically and analyzes each candidate. Most candidates are indeed vulnerabilities, and their identifiers change from CAN-YYYY-NNNN to CVE-YYYY-NNNN (problems not accepted keep their CAN-YYYY-NNNN identifier). After October 19th 2005, the identifier will not change, but the status will change from "Candidate" to "Entry".
If CVE candidates are supported or used, explain where and how the difference between candidates and entries is explained to your customers (recommended):
Extract of webpage https://vigilance.aql.fr/aide.php :
Most candidates are indeed vulnerabilities, and their identifiers change from CAN-YYYY-NNNN to CVE-YYYY-NNNN (problems not accepted keep their CAN-YYYY-NNNN identifier). After October 19th 2005, the identifier will not change, but the status will change from "Candidate" to "Entry".
If CVE candidates are supported or used, explain your policy for changing candidates into entries within your capability and describe where and how this is communicated to your customers (recommended):
In order to achieve this :
- we are subscribed to cve announce mailing-list
- a script converts CANdidates which are in our database to newly elected CVE entries
We do not inform our customers when a CAN becomes a CVE. They will notice it automatically, because the reference changes.
If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's ability to look for candidates and entries by using just the YYYY-NNNN portion of the CVE names (recommended):
Extract of webpage https://vigilance.aql.fr/aide.php :
Every day, Vigil@nce adds new candidates in its database.
Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CVE name or through an online mapping that links each element of the capability with its associated CVE name(s) (required):
Vigil@nce proposes several search forms. For example, the vulnerability search form contains :
Vulnerabilities with identifier [?] _________ [Search]
The user can enter a query pattern such as "2005-2222", "CVE-2005-2222" or "CAN-2005-2222", then press the Search button.
By pressing the [?] button, a help window is displayed and explains how to use this search form.
Other search features also have a similar form where the user can query an identifier.
Provide a detailed description of how someone can use your "URL template" to interface to your capability's search function (recommended):
Examples:
http://www.example.com/cgi-bin/db-search.cgi?cvename=CVE-YYYY-NNNN
http://www.example.com/cve/CVE-YYYY-NNNN.html
Start url with:
https://vigilance.aql.fr/recherche.php?refsect=1&reference_bouton1=1&reference_valeur1=
End url with queried value:
CAN-2005-2700
For example:
https://vigilance.aql.fr/recherche.php?refsect=1&reference_bouton1=1&reference_valeur1=CAN-2005-2700
Please note this direct url access is not the easiest way to use CVE search features. However, it is provided for users needing to do automatic tasks.
If the URL template is for a CGI program, does it support the HTTP "GET" method? (recommended):
Yes
Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CVE names for the individual security elements in the report (required):
a) WEB SERVER, EMAILS, CDROM
The HTML vulnerability description sheet contains the list of associated identifiers:
Identifiers: CAN-2005-2495, MDKSA-2005:164, RHSA-2005:329-01, etc.
Moreover, in this case "CAN-2005-2495" is a link to :
The text vulnerability description sheet contains the list of associated identifiers:
Identifiers: CAN-2005-2495, MDKSA-2005:164, RHSA-2005:329-01, etc.
The XML vulnerability description sheet contains a reference node:
<references>
  <reference>CAN-2005-2495</reference>
  <reference>MDKSA-2005:164</reference>
  <reference>RHSA-2005:329-01</reference>
  etc.
</references>
XML schema and DTD are available on webserver or on cdrom.
b) WEB SERVER
After a search, result is displayed as:
XFree86: integer overflows of pixmap images
A malicious pixmap image leads to several overflows in XFree86.
CAN-2005-2495, MDKSA-2005:164, RHSA-2005:329-01, etc.
Third line indicates identifiers. User can set his preferences to hide or show this line.
c) XML DUMPS
XML dump of Vigil@nce database contains identifiers for each vulnerability.
XML schema and DTD are available on request.
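An added example (not Vigil@nce's own code) for the automatic tasks mentioned above: it reads a <references> node like the one shown in the XML sheet, reduces CAN-/CVE- names to the prefix-independent YYYY-NNNN form so that a stored candidate still matches after it becomes an entry, and builds the GET search URL from the template given earlier. The function names are hypothetical, the sample XML is constructed, and it is an assumption that the URL accepts the same unprefixed pattern as the search form.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Search endpoint and parameter names as they appear in the page's URL template.
SEARCH_URL = "https://vigilance.aql.fr/recherche.php"

# "CAN-2005-2495", "CVE-2005-2495" or bare "2005-2495" (four-digit numbers, as on the page).
CVE_NAME = re.compile(r"(?:(?:CAN|CVE)-)?(\d{4})-(\d{4})")

# Constructed sample modelled on the <references> node of the XML sheet.
SAMPLE_XML = """<references>
  <reference>CAN-2005-2495</reference>
  <reference>MDKSA-2005:164</reference>
  <reference>RHSA-2005:329-01</reference>
</references>"""


def normalize(identifier):
    """Return the prefix-independent key 'YYYY-NNNN', or None for non-CVE names."""
    m = CVE_NAME.fullmatch(identifier.strip().upper())
    return f"{m.group(1)}-{m.group(2)}" if m else None


def cve_keys(xml_text):
    """Extract CVE keys from a <references> node, skipping vendor advisory ids."""
    # The stdlib parser suits a trusted feed; it does not resist entity-expansion input.
    root = ET.fromstring(xml_text)
    keys = (normalize(ref.text or "") for ref in root.iter("reference"))
    return [k for k in keys if k]


def search_url(identifier):
    """Build the GET search URL, refusing anything that is not a CVE-shaped name."""
    value = identifier.strip().upper()
    if normalize(value) is None:
        raise ValueError(f"not a CVE/CAN name: {identifier!r}")
    query = {"refsect": 1, "reference_bouton1": 1, "reference_valeur1": value}
    return f"{SEARCH_URL}?{urlencode(query)}"


if __name__ == "__main__":
    for key in cve_keys(SAMPLE_XML):
        print(key, search_url(key))
```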
If details for individual security elements are not provided, give examples and explanations of how a user can obtain a mapping that links each element with its associated CVE name(s), otherwise enter N/A (required):
Vulnerability descriptions always contain identifier information.
Search results may contain identifier information, depending on user preferences. This can be changed:
Administration > Current user > Modify > Common preferences > Result: display identifiers : Yes/No
Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):
Vigil@nce provides 3 formats for documents (see answer 27a for examples) :
- HTML
- text
- XML
In all cases, the user can use the search feature of his viewer to search for the "CVE-" or "CAN-" pattern.
If one of the capability's standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):
There is no short output in Vigil@nce.
Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CVE name(s) (recommended):
For example, recent vulnerability VIGILANCE-VUL-5192 contains :
Title: XFree86: integer overflows of pixmap images
Identifiers: CAN-2005-2495, MDKSA-2005:164, RHSA-2005:329-01, RHSA-2005:396-01
Have an authorized individual sign and date the following Compatibility Statement (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Christian DAMOUR
Title: IT Security business unit manager
Have an authorized individual sign and date the following accuracy Statement (recommended):
"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CVE entries our capability identifies."
Name: Laurent CONSTANTIN
Title: Vigil@nce technical manager