does anybody know if there is an overview xml file or any other documentation about the different CVRF PIDs used in the CVRF xmls?
My idea is to use the new openVuln API do download the different CVRF xmls and filter the output based on the CVRF PID.
Thanks for your help
The CVRF PID is an arbitrary number assigned to one or more affected products, the PID is documented at:
The Product Tree can be kept simple (flat) or made more detailed (branched out). It also supports concatenating products to describe relationships, such as components contained in a product or products installed on other products.
In the simplest case, a flat Product Treewould contain one or more Full Product Name elements at the root level, one for each product that needs to be described.
In a more detailed Product Tree, the root element would contain one or more Branchelements at the root level, one for each class/type/category of product, each of which again contains one or more Branch elements until all desired categories and subcategories are described to the satisfaction of the document issuer. Then each open Branch element is terminated with the actual product item in the form of a Full Product Name element.
No matter whether a flat or branched structure is chosen, you may need to be able to describe the combination of twoFull Product Name elements, such as when a product is only vulnerable when installed together with another, or to describe operating system components. To do that, a Relationship element is inserted at the root of the Product Tree, with attributes establishing a link between two existingFull Product Name elements, allowing the document producer to define a combination of two products that form a new Full Product Name entry.
Once Full Product Name elements are defined, they may be freely added to logical groups, which may then be used to refer to a group of products. Given that it is possible for a product to be a member of more than one logical group, some areas of the CVRF document may not allow references to product groups to avoid ambiguity.
I think the quoted text above may incorrectly show the explanation of the Product Tree instead of the Product ID. The link above the quote points to the right element however the page after it loads scrolls back to the top, you can press enter again on the address bar to scroll to the right anchor.
The Product ID element defines a member of a group by referring to the unique Product ID attribute of a Full Product Name element.
If the two products “Microsoft Windows Vista Service Pack 1” and “Microsoft Windows Vista Service Pack 2” have been defined in the product tree as follows:
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
They can both be made a member of the same group with Group ID “GRP-0001”:
Later in the document, both products can be referenced together using the Group ID:
Security Update for Windows Vista
The ability to reference both products individually will also be maintained (and in some cases required):
Security Update for Windows Vista
for example in the OpenSSL Security Advisory from December 2015 there is the CVRFPID for the different MXP-Series Telepresence Endpoints.
<FullProductName ProductID="CVRFPID-198320">Cisco Telepresence MXP Series Endpoints F9.3 Base</FullProductName>
I assume Cisco is using for all there products unique CVRFPIDs, so an overoview docuement would be very helpful, that would really help to automize the handling of CVRFs
To describe a little bit more what I'm searching:
In the best case an XML file centrally provided from Cisco which lists all the different CVRFPIDs for the different products. For example, if I have a Cisco VCS X8.6 I could check in that central list which CVRFPID is used for that product.
Based on that list I could optimize my CVRF-XML parser to list only the advisories which affecting products and software versions used in our environment.
thanks, I now understand the request, at the moment I don't have such list, it does not seem we publish one, but I'm looking into it. I guess it would also make sense to expose this as an API.
Reading the ICASI specification and also here:
The Missing Manual: CVRF 1.1 Part 2 of 2
it would seem that there is no requirement for the ProductID to be unique outside the scope of the single document, however I've checked and we do use an ID consistently across documents so a list should be possible to retrieve.
Wishing you a great new year,
thanks for your answer. I never excpected that such a list is already available. The Christmas Season was just the perfect time to express such a wish .
The complete API is a great step forward to automate the evaluation of Security Advisories, so thanks for all the work Cisco spend into the API.
just a quick one to let you know that we did not forget about your suggestion. We are currently evaluating to expose the product IDs with names through an API. I'll keep you informed.
I never expected that you forget me I know how it is to work in large enterprises Thanks for the update
Also interested in a mapping of CRVF ProductIDs to Cisco part codes or descriptions, just wondering if I could ask if there has been any progress on this? Many thanks
We are currently working on having this available within the next couple of months. In the mean time, bkorabik and pghimire have created a python based tool that can query the openVuln API and parse CVRF files to CVRF process fields like full product list, Cisco bug IDs, vulnerability summary, document titles, publication URLs, etc.
Thank you for your interest and patience on this!
Is this available yet? I'm just wondering where I should register my interest in order to get notified?
Many thanks for any additional information you can provide.
I would like to regsiter also to get some notificaiton regarding the product list in CVRF xmls
i have seen a list of productID in the security search page
do you know if it will matche the same product database ?
Please sign in to leave a comment.