----- Original Message ----- > From: "Leland J Sr CTR DISA DD Steinke (US)" <[email protected]> > To: "SCAP Security Guide" <[email protected]> > Sent: Thursday, October 20, 2016 2:50:54 PM > Subject: RE: VMs, containers vs. bare-metal machines in SSG > > Have you considered the CPE Applicability Language (NISTIR 7698)? It > facilitates this without overloading CPE IDs.
Yeah, we'd use CPE applicability - a CPE name and its CPE OVAL definition. That will get us the best compatibility with various SCAP scanners out there. What I meant by "fake" is that docker or vm-storage are not architectures, they are not even OSes, they don't fit well in the CPE ID schemes. -- Martin Preisler Identity Management and Platform Security | Red Hat, Inc. _______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected]
