> -----Original Message----- > Yeah, we'd use CPE applicability - a CPE name and its CPE OVAL definition. > That will get us the best compatibility with various SCAP scanners out there. > > What I meant by "fake" is that docker or vm-storage are not architectures, > they are not even OSes, they don't fit well in the CPE ID schemes.
With the CPE 2.3 Applicability check-fact-ref element, you don't have to create "fake" CPE IDs, just use OVAL to determine whether a particular check is applicable, after using CPE ID to get close. Just a thought... Thanks, Leland
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected]
