20 Oct
2016
20 Oct
'16
3:07 p.m.
-----Original Message----- Yeah, we'd use CPE applicability - a CPE name and its CPE OVAL definition. That will get us the best compatibility with various SCAP scanners out there.
What I meant by "fake" is that docker or vm-storage are not architectures, they are not even OSes, they don't fit well in the CPE ID schemes.
With the CPE 2.3 Applicability check-fact-ref element, you don't have to create "fake" CPE IDs, just use OVAL to determine whether a particular check is applicable, after using CPE ID to get close. Just a thought...
Thanks, Leland