----- Original Message -----
From: "Leland J Sr CTR DISA DD Steinke (US)" <leland.j.steinke.ctr(a)mail.mil>
To: "SCAP Security Guide" <scap-security-guide(a)lists.fedorahosted.org>
Sent: Thursday, October 20, 2016 2:50:54 PM
Subject: RE: VMs, containers vs. bare-metal machines in SSG

Have you considered the CPE Applicability Language (NISTIR 7698)? It
facilitates this without overloading CPE IDs.

Yeah, we'd use CPE applicability - a CPE name and its CPE OVAL definition.
That will get us the best compatibility with various SCAP scanners out there.
What I meant by "fake" is that docker or vm-storage are not architectures,
they are not even OSes, they don't fit well in the CPE ID schemes.
--
Martin Preisler
Identity Management and Platform Security | Red Hat, Inc.