recog 2.3.22 → 2.3.23

data/update_cpes.py

@@ -7,56 +7,117 @@ import sys
 import yaml
 from lxml import etree
 
+BASE_LOG_FORMAT = '%(levelname)s: %(message)s'
+
+# CPE w/o 2.3 component: cpe:/a:nginx:nginx:0.1.0"
+REGEX_CPE = re.compile('^cpe:/([aho]):([^:]+):([^:]+)')
+# CPE w/  2.3 component: cpe:2.3:a:f5:nginx:0.1.0:*:*:*:*:*:*:*
+REGEX_CPE_23 = re.compile('^cpe:2.3:([aho]):([^:]+):([^:]+)')
+
+XML_PATH_DEPRECATED_BY = "./{http://scap.nist.gov/schema/cpe-extension/2.3}cpe23-item/{http://scap.nist.gov/schema/cpe-extension/2.3}deprecation/{http://scap.nist.gov/schema/cpe-extension/2.3}deprecated-by"
+
+
 def parse_r7_remapping(file):
     with open(file) as remap_file:
         return yaml.safe_load(remap_file)["mappings"]
 
+
+def update_vp_map(target_map, cpe_type, vendor, product):
+    """Add an entry to the dict tracking valid combinations
+    """
+
+    if cpe_type not in target_map:
+        target_map[cpe_type] = {}
+
+    if vendor not in target_map[cpe_type]:
+        target_map[cpe_type][vendor] = set()
+
+    product = product.replace('%2f', '/')
+    target_map[cpe_type][vendor].add(product)
+
+
+def update_deprecated_map(target_map, dep_string, entry):
+    """Add an entry to the dict tracking deprecations
+
+    target_map example:
+
+    {
+      "a:100plus:101eip":
+        {
+          "deprecated_date": "2021-06-10T15:28:05.490Z",
+          "deprecated_by": "a:hundredplus:101eip"
+        }
+    }
+
+    Args:
+        target_map (dict): dict containing deprecations
+        dep_string (str): key to add in the format of 'type:vendor:product'
+        entry (lxml.etree._Element): XML element to pull additional data from
+
+    Returns:
+        None, target_map modified in place
+    """
+
+    deprecated_date = entry.get("deprecation_date", "")
+
+    # Find the CPE that deprecated this entry
+    raw_dep_by = entry.find(XML_PATH_DEPRECATED_BY).get('name')
+
+    # Extract the type, vendor, product
+    dep_by_match = REGEX_CPE_23.match(raw_dep_by)
+    if not dep_by_match:
+        logging.error("CPE %s is deprecated but we can't build the deprecation mapping entry for some reason.", dep_string)
+        return
+
+    dep_type, dep_vendor, dep_product = dep_by_match.group(1, 2, 3)
+    deprecated_by = "{}:{}:{}".format(dep_type, dep_vendor, dep_product)
+
+    if dep_string not in target_map:
+        target_map[dep_string] = {}
+
+    if not target_map[dep_string].get('deprecated_date'):
+        target_map[dep_string]['deprecated_date'] = deprecated_date
+
+    if not target_map[dep_string].get('deprecated_by'):
+        target_map[dep_string]['deprecated_by'] = deprecated_by
+
+
 def parse_cpe_vp_map(file):
+    deprecated_map = {}
     vp_map = {} # cpe_type -> vendor -> products
+
     parser = etree.XMLParser(remove_comments=False)
     doc = etree.parse(file, parser)
-    namespaces = {'ns': 'http://cpe.mitre.org/dictionary/2.0', 'meta': 'http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2'}
+    namespaces = {
+        'ns':     'http://cpe.mitre.org/dictionary/2.0',
+        'meta':   'http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2'
+    }
     for entry in doc.xpath("//ns:cpe-list/ns:cpe-item", namespaces=namespaces):
         cpe_name = entry.get("name")
         if not cpe_name:
             continue
 
-        # If the entry is deprecated then don't add it to our list of valid CPEs.
-        if entry.get("deprecated"):
-            continue
-
-        cpe_match = re.match('^cpe:/([aho]):([^:]+):([^:]+)', cpe_name)
-
+        cpe_match = REGEX_CPE.match(cpe_name)
         if cpe_match:
             cpe_type, vendor, product = cpe_match.group(1, 2, 3)
-            if cpe_type not in vp_map:
-                vp_map[cpe_type] = {}
-            if vendor not in vp_map[cpe_type]:
-                vp_map[cpe_type][vendor] = set()
-            product = product.replace('%2f', '/')
-            vp_map[cpe_type][vendor].add(product)
-        else:
-            logging.error("Unexpected CPE %s", cpe_name)
+            # If the entry is deprecated then don't add it to our list of valid
+            # CPEs, but instead add it to a list for reference later.
+            if entry.get("deprecated"):
+                # This will be the key under which we store the deprecation data
+                deprecated_string = "{}:{}:{}".format(cpe_type, vendor, product)
 
-    return vp_map
+                update_deprecated_map(deprecated_map, deprecated_string, entry)
+                continue
 
-def main():
-    if len(sys.argv) != 4:
-        logging.critical("Expecting exactly 3 arguments; recog XML file, CPE 2.3 XML dictionary, JSON remapping, got %s", (len(sys.argv) - 1))
-        sys.exit(1)
+            update_vp_map(vp_map, cpe_type, vendor, product)
 
-    cpe_vp_map = parse_cpe_vp_map(sys.argv[2])
-    if not cpe_vp_map:
-        logging.critical("No CPE vendor => product mappings read from CPE 2.3 XML dictionary %s", sys.argv[2])
-        sys.exit(1)
+        else:
+            logging.error("Unexpected CPE %s", cpe_name)
 
-    r7_vp_map = parse_r7_remapping(sys.argv[3])
-    if not r7_vp_map:
-        logging.warning("No Rapid7 vendor/product => CPE mapping read from %s", sys.argv[3])
+    return vp_map, deprecated_map
 
-    update_cpes(sys.argv[1], cpe_vp_map, r7_vp_map)
 
-def lookup_cpe(vendor, product, cpe_type, cpe_table, remap):
+def lookup_cpe(vendor, product, cpe_type, cpe_table, remap, deprecated_map):
     """Identify the correct vendor and product values for a CPE
 
     This function attempts to determine the correct CPE using vendor and product
@@ -82,6 +143,8 @@ def lookup_cpe(vendor, product, cpe_type, cpe_table, remap):
         cpe_type (str): CPE type - o, a, h, etc.
         cpe_table (dict): dict containing the official NIST CPE data
         remap (dict): dict containing the remapping values
+        deprecated_cves (set): set of all deprecated CPEs in the format
+            'type:vendor:product'
     Returns:
         success, vendor, product
     """
@@ -130,13 +193,20 @@ def lookup_cpe(vendor, product, cpe_type, cpe_table, remap):
                     # Found remap vendor, remap product
                     return True, new_vendor, possible_product
 
+    deprecated_string = "{}:{}:{}".format(cpe_type, vendor, product)
+    if deprecated_map.get(deprecated_string, False):
+        dep_by = deprecated_map[deprecated_string].get("deprecated_by", "")
+        dep_date = deprecated_map[deprecated_string].get("deprecated_date", "")
+        logging.error("Product %s from vendor %s invalid for CPE %s and no mapping.  This combination is DEPRECATED by %s at %s",
+                    product, vendor, cpe_type, dep_by, dep_date)
+    else:
+        logging.error("Product %s from vendor %s invalid for CPE %s and no mapping.",
+                    product, vendor, cpe_type)
 
-    logging.error("Product %s from vendor %s invalid for CPE %s and no mapping",
-                  product, vendor, cpe_type)
     return False, None, None
 
 
-def update_cpes(xml_file, cpe_vp_map, r7_vp_map):
+def update_cpes(xml_file, cpe_vp_map, r7_vp_map, deprecated_cves):
     parser = etree.XMLParser(remove_comments=False, remove_blank_text=True)
     doc = etree.parse(xml_file, parser)
 
@@ -160,7 +230,6 @@ def update_cpes(xml_file, cpe_vp_map, r7_vp_map):
                     raise ValueError('Duplicated fingerprint named {} in fingerprint {} in file {}'.format(name, fingerprint.attrib['pattern'], xml_file))
                 params[fp_type][name] = param
 
-
         # for each of the applicable os/service param groups, build a CPE
         for fp_type in params:
             if fp_type == 'os':
@@ -210,7 +279,7 @@ def update_cpes(xml_file, cpe_vp_map, r7_vp_map):
                 if (vendor.startswith('{') and vendor.endswith('}')) or (product.startswith('{') and product.endswith('}')):
                     continue
 
-                success, vendor, product = lookup_cpe(vendor, product, cpe_type, cpe_vp_map, r7_vp_map)
+                success, vendor, product = lookup_cpe(vendor, product, cpe_type, cpe_vp_map, r7_vp_map, deprecated_cves)
                 if not success:
                     continue
 
@@ -245,6 +314,30 @@ def update_cpes(xml_file, cpe_vp_map, r7_vp_map):
     with open(xml_file, 'wb') as xml_out:
         xml_out.write(etree.tostring(root, pretty_print=True, xml_declaration=True, encoding=doc.docinfo.encoding))
 
+
+def main():
+    if len(sys.argv) != 4:
+        logging.critical("Expecting exactly 3 arguments; recog XML file, CPE 2.3 XML dictionary, JSON remapping, got %s", (len(sys.argv) - 1))
+        sys.exit(1)
+
+    cpe_vp_map, deprecated_map = parse_cpe_vp_map(sys.argv[2])
+    if not cpe_vp_map:
+        logging.critical("No CPE vendor => product mappings read from CPE 2.3 XML dictionary %s", sys.argv[2])
+        sys.exit(1)
+
+    r7_vp_map = parse_r7_remapping(sys.argv[3])
+    if not r7_vp_map:
+        logging.warning("No Rapid7 vendor/product => CPE mapping read from %s", sys.argv[3])
+
+    # update format string for the logging handler to include the recog XML filename
+    logging.basicConfig(force=True, format=f"{sys.argv[1]}: {BASE_LOG_FORMAT}")
+
+    update_cpes(sys.argv[1], cpe_vp_map, r7_vp_map, deprecated_map)
+
+
 if __name__ == '__main__':
-    try: sys.exit(main())
-    except KeyboardInterrupt: pass
+    logging.basicConfig(format=BASE_LOG_FORMAT)
+    try:
+        sys.exit(main())
+    except KeyboardInterrupt:
+        pass

data/xml/apache_os.xml

@@ -8,6 +8,7 @@
 
   <fingerprint pattern="\(iSeries\)">
     <description>IBM i5/OS iSeries (OS/400)</description>
+    <example>Apache/2.0.52 (iSeries)</example>
     <param pos="0" name="os.vendor" value="IBM"/>
     <param pos="0" name="os.family" value="OS/400"/>
     <param pos="0" name="os.product" value="OS/400"/>
@@ -16,6 +17,7 @@
 
   <fingerprint pattern="\(Mandrake Linux/\d+\.\d+\.92mdk\)">
     <description>Mandriva (formerly Mandrake) Linux 9.2</description>
+    <example>Apache-AdvancedExtranetServer/2.0.47 (Mandrake Linux/6.3.92mdk) mod_ssl/2.0.47 OpenSSL/0.9.7b PHP/4.3.2</example>
     <param pos="0" name="os.certainty" value="0.9"/>
     <param pos="0" name="os.vendor" value="Mandriva"/>
     <param pos="0" name="os.family" value="Linux"/>
@@ -26,6 +28,7 @@
 
   <fingerprint pattern="\(Mandrake Linux/\d+\.\d+\.100mdk\)">
     <description>Mandriva (formerly Mandrake) Linux 10.0</description>
+    <example>Apache-AdvancedExtranetServer/2.0.48 (Mandrake Linux/6.11.100mdk)</example>
     <param pos="0" name="os.certainty" value="0.9"/>
     <param pos="0" name="os.vendor" value="Mandriva"/>
     <param pos="0" name="os.family" value="Linux"/>
@@ -36,6 +39,7 @@
 
   <fingerprint pattern="\((?:Mandrake|Mandriva) Linux/">
     <description>Mandriva (formerly Mandrake) Linux unknown version</description>
+    <example>Apache-AdvancedExtranetServer/2.0.44 (Mandrake Linux/11mdk) mod_perl/1.99_08 Perl/v5.8.0 mod_ssl/2.0.44 OpenSSL/0.9.7a PHP/4.3.1 mod_jk2/2.0.0</example>
     <param pos="0" name="os.vendor" value="Mandriva"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
@@ -44,6 +48,7 @@
 
   <fingerprint pattern="\(Mandrakelinux/">
     <description>Mandriva (formerly Mandrake) Linux unknown version - variant 2</description>
+    <example>Apache-AdvancedExtranetServer/2.0.53 (Mandrakelinux/PREFORK-9mdk) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/4.3.10 mod_perl/1.999.21 Perl/v5.8.6</example>
     <param pos="0" name="os.vendor" value="Mandriva"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
@@ -52,6 +57,7 @@
 
   <fingerprint pattern="\(PalmOS\)">
     <description>PalmOS</description>
+    <example>Apache/1.2.42 (PalmOS)</example>
     <param pos="0" name="os.vendor" value="Palm"/>
     <param pos="0" name="os.family" value="PalmOS"/>
     <param pos="0" name="os.product" value="PalmOS"/>
@@ -59,6 +65,7 @@
 
   <fingerprint pattern="\(Win32\)">
     <description>Microsoft Windows</description>
+    <example>Apache/2.2.25 (Win32)</example>
     <param pos="0" name="os.certainty" value="0.75"/>
     <param pos="0" name="os.vendor" value="Microsoft"/>
     <param pos="0" name="os.family" value="Windows"/>
@@ -68,6 +75,7 @@
 
   <fingerprint pattern="\(Darwin\)">
     <description>Apple Mac OS X</description>
+    <example>Apache/1.3.33 (Darwin)</example>
     <param pos="0" name="os.vendor" value="Apple"/>
     <param pos="0" name="os.family" value="Mac OS X"/>
     <param pos="0" name="os.product" value="Mac OS X"/>
@@ -76,6 +84,7 @@
 
   <fingerprint pattern="\(Ubuntu\)">
     <description>Ubuntu</description>
+    <example>Apache (Ubuntu)</example>
     <param pos="0" name="os.vendor" value="Ubuntu"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
@@ -84,6 +93,7 @@
 
   <fingerprint pattern=".{0,512}(?:Sun )?Cobalt \(Unix\)?">
     <description>Sun Cobalt RaQ (Red Hat based Linux)</description>
+    <example>Apache/1.3.3 Cobalt (Unix) (Red Hat/Linux)</example>
     <param pos="0" name="os.vendor" value="Sun"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Cobalt RaQ"/>
@@ -91,6 +101,7 @@
 
   <fingerprint pattern="\(BlueQuartz\)">
     <description>Blue Quartz is created by a Cobalt RaQ UG</description>
+    <example>Apache/2.0.52 (BlueQuartz)</example>
     <param pos="0" name="os.vendor" value="Sun"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Cobalt RaQ"/>
@@ -98,59 +109,66 @@
 
   <fingerprint pattern="^Apache\/2\.2\.11.*\(Fedora\)">
     <description>Red Hat Fedora 11</description>
-    <param pos="0" name="os.vendor" value="Red Hat"/>
+    <example>Apache/2.2.11 (Fedora)</example>
+    <param pos="0" name="os.vendor" value="Fedora Project"/>
     <param pos="0" name="os.family" value="Linux"/>
-    <param pos="0" name="os.product" value="Fedora Core Linux"/>
+    <param pos="0" name="os.product" value="Fedora Core"/>
     <param pos="0" name="os.version" value="11"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:fedora_core:11"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:fedoraproject:fedora_core:11"/>
   </fingerprint>
 
   <fingerprint pattern="^Apache\/2\.2\.15.*\(Fedora\)">
     <description>Red Hat Fedora 13</description>
-    <param pos="0" name="os.vendor" value="Red Hat"/>
+    <example>Apache/2.2.15 (Fedora)</example>
+    <param pos="0" name="os.vendor" value="Fedora Project"/>
     <param pos="0" name="os.family" value="Linux"/>
-    <param pos="0" name="os.product" value="Fedora Core Linux"/>
+    <param pos="0" name="os.product" value="Fedora Core"/>
     <param pos="0" name="os.version" value="13"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:fedora_core:13"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:fedoraproject:fedora_core:13"/>
   </fingerprint>
 
   <fingerprint pattern="^Apache\/2\.2\.16.*\(Fedora\)">
     <description>Red Hat Fedora 14</description>
-    <param pos="0" name="os.vendor" value="Red Hat"/>
+    <example>Apache/2.2.16 (Fedora)</example>
+    <param pos="0" name="os.vendor" value="Fedora Project"/>
     <param pos="0" name="os.family" value="Linux"/>
-    <param pos="0" name="os.product" value="Fedora Core Linux"/>
+    <param pos="0" name="os.product" value="Fedora Core"/>
     <param pos="0" name="os.version" value="14"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:fedora_core:14"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:fedoraproject:fedora_core:14"/>
   </fingerprint>
 
   <fingerprint pattern="^Apache\/2\.2\.23.*\(Fedora\)">
     <description>Red Hat Fedora 17</description>
-    <param pos="0" name="os.vendor" value="Red Hat"/>
+    <example>Apache/2.2.23 (Fedora)</example>
+    <param pos="0" name="os.vendor" value="Fedora Project"/>
     <param pos="0" name="os.family" value="Linux"/>
-    <param pos="0" name="os.product" value="Fedora Core Linux"/>
+    <param pos="0" name="os.product" value="Fedora Core"/>
     <param pos="0" name="os.version" value="17"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:fedora_core:17"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:fedoraproject:fedora_core:17"/>
   </fingerprint>
 
   <fingerprint pattern="^Apache\/2\.4\.3.*\(Fedora\)">
     <description>Red Hat Fedora 18</description>
-    <param pos="0" name="os.vendor" value="Red Hat"/>
+    <example>Apache/2.4.3 (Fedora) PHP/5.4.12</example>
+    <param pos="0" name="os.vendor" value="Fedora Project"/>
     <param pos="0" name="os.family" value="Linux"/>
-    <param pos="0" name="os.product" value="Fedora Core Linux"/>
+    <param pos="0" name="os.product" value="Fedora Core"/>
     <param pos="0" name="os.version" value="18"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:fedora_core:18"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:fedoraproject:fedora_core:18"/>
   </fingerprint>
 
   <fingerprint pattern="\(Fedora\)">
     <description>Red Hat Fedora</description>
-    <param pos="0" name="os.vendor" value="Red Hat"/>
+    <example>Apache (Fedora)</example>
+    <param pos="0" name="os.vendor" value="Fedora Project"/>
     <param pos="0" name="os.family" value="Linux"/>
-    <param pos="0" name="os.product" value="Fedora Core Linux"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:fedora_core:-"/>
+    <param pos="0" name="os.product" value="Fedora Core"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:fedoraproject:fedora_core:-"/>
   </fingerprint>
 
   <fingerprint pattern="\(RHEL\)">
     <description>Red Hat Enterprise Linux</description>
+    <example>Apache/2.0.53 (RHEL)</example>
     <param pos="0" name="os.vendor" value="Red Hat"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Enterprise Linux"/>
@@ -159,6 +177,8 @@
 
   <fingerprint pattern="\(Red[ -]Hat(?:[/ ]Linux)?\)">
     <description>Red Hat Linux</description>
+    <example>Apache (Red Hat Linux)</example>
+    <example>Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b PHP/4.3.11</example>
     <param pos="0" name="os.vendor" value="Red Hat"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
@@ -176,6 +196,8 @@
 
   <fingerprint pattern="Debian(?:[/ ]GNU)?(?:/Linux)?">
     <description>Debian Linux</description>
+    <example>Debian GNU/Linux</example>
+    <example>Apache/1.3.26 (Unix) Debian GNU/Linux</example>
     <param pos="0" name="os.vendor" value="Debian"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
@@ -184,6 +206,8 @@
 
   <fingerprint pattern="\((?:Linux/)?S[uU]SE(?:/Linux)?\)">
     <description>Novell SuSE Linux</description>
+    <example>Apache (SuSE/Linux)</example>
+    <example>Apache/2.2.12 (Linux/SUSE)</example>
     <param pos="0" name="os.vendor" value="SuSE"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
@@ -192,6 +216,7 @@
 
   <fingerprint pattern="\(NETWARE\)">
     <description>Novell NetWare</description>
+    <example>Apache/2.0.64 (NETWARE)</example>
     <param pos="0" name="os.vendor" value="Novell"/>
     <param pos="0" name="os.family" value="NetWare"/>
     <param pos="0" name="os.product" value="NetWare"/>
@@ -200,6 +225,7 @@
 
   <fingerprint pattern="HP-UX_Apache-based_Web_Server">
     <description>HP HP-UX</description>
+    <example>Apache/2.0.58 HP-UX_Apache-based_Web_Server</example>
     <param pos="0" name="os.vendor" value="HP"/>
     <param pos="0" name="os.family" value="HP-UX"/>
     <param pos="0" name="os.product" value="HP-UX"/>
@@ -208,6 +234,7 @@
 
   <fingerprint pattern="\(CentOS\)">
     <description>CentOS Linux</description>
+    <example>Apache/2.2.15 (CentOS)</example>
     <param pos="0" name="os.vendor" value="CentOS"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
@@ -216,6 +243,7 @@
 
   <fingerprint pattern="\(Turbolinux\)">
     <description>Turbolinux</description>
+    <example>Apache/2.2.6 (Turbolinux)</example>
     <param pos="0" name="os.vendor" value="Turbolinux"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
@@ -223,6 +251,7 @@
 
   <fingerprint pattern="\(FreeBSD\)">
     <description>FreeBSD</description>
+    <example>Apache/2.4.51 (FreeBSD) OpenSSL/1.1.1h-freebsd</example>
     <param pos="0" name="os.vendor" value="FreeBSD"/>
     <param pos="0" name="os.family" value="FreeBSD"/>
     <param pos="0" name="os.product" value="FreeBSD"/>
@@ -231,6 +260,7 @@
 
   <fingerprint pattern="\(Asianux\)">
     <description>Asianux Linux</description>
+    <example>Apache/2.2.15 (Asianux)</example>
     <param pos="0" name="os.vendor" value="Asianux"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
@@ -238,6 +268,7 @@
 
   <fingerprint pattern="\(Gentoo(?:/Linux)?\)">
     <description>Gentoo Linux</description>
+    <example>Apache/2.2.6 (Gentoo) DAV/2 mod_python/3.3.1</example>
     <param pos="0" name="os.vendor" value="Gentoo"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
@@ -246,6 +277,7 @@
 
   <fingerprint pattern="\(Conectiva(?:/Linux)?\)">
     <description>Conectiva Linux</description>
+    <example>Apache/1.3.33 (Unix) (Conectiva/Linux)</example>
     <param pos="0" name="os.vendor" value="Conectiva"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
@@ -254,6 +286,7 @@
 
   <fingerprint pattern="\(Trustix Secure Linux(?:/Linux)?\)">
     <description>Trustix Linux</description>
+    <example>Apache/2.0.55 (Trustix Secure Linux/Linux)</example>
     <param pos="0" name="os.vendor" value="Trustix"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Secure Linux"/>
@@ -262,6 +295,7 @@
 
   <fingerprint pattern="\(White Box\)">
     <description>White Box Enterprise Linux</description>
+    <example>Apache/2.0.46 (White Box)</example>
     <param pos="0" name="os.vendor" value="White Box"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Enterprise Linux"/>
@@ -269,6 +303,7 @@
 
   <fingerprint pattern="\(UnitedLinux\)">
     <description>UnitedLinux</description>
+    <example>Apache/1.3.26 (UnitedLinux) mod_ssl/2.8.10</example>
     <param pos="0" name="os.vendor" value="UnitedLinux"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
@@ -276,6 +311,7 @@
 
   <fingerprint pattern="\(PLD/Linux\)">
     <description>PLD Linux</description>
+    <example>Apache/1.3.42 (PLD/Linux)</example>
     <param pos="0" name="os.vendor" value="PLD"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
@@ -283,6 +319,7 @@
 
   <fingerprint pattern="\(Vine/Linux\)">
     <description>Vine Linux</description>
+    <example>Apache/1.3.27 (Unix) (Vine/Linux)</example>
     <param pos="0" name="os.vendor" value="Vine"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
@@ -290,13 +327,17 @@
 
   <fingerprint pattern="\(rPath\)">
     <description>rPath Linux</description>
+    <example>Apache/2.2.9 (rPath)</example>
     <param pos="0" name="os.vendor" value="rPath"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
   </fingerprint>
 
-  <fingerprint pattern="\(StartCom Linux\)">
+  <fingerprint pattern="\(StartCom(?: Linux)?\)">
     <description>StartCom Linux</description>
+    <example>Apache/2.2.3 (StartCom)</example>
+    <example>Apache/2.2.3 (StartCom) (Release 31.SEL5_4)</example>
+    <example>Apache/2.2.0 (StartCom Linux)</example>
     <param pos="0" name="os.vendor" value="StartCom"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
@@ -304,6 +345,7 @@
 
   <fingerprint pattern="Linux">
     <description>Generic Linux fallback</description>
+    <example>Apache/Linux</example>
     <param pos="0" name="os.certainty" value="0.75"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>

data/xml/architecture.xml

@@ -16,28 +16,42 @@
     <param pos="0" name="os.arch" value="x86"/>
   </fingerprint>
 
-  <fingerprint pattern="PowerPC|PPC|POWER|ppc">
+  <fingerprint pattern="PowerPC|PPC|POWER" flags="REG_ICASE">
     <description>PowerPC</description>
+    <example>PowerPC</example>
+    <example>PPC</example>
+    <example>POWER</example>
+    <example>ppc</example>
     <param pos="0" name="os.arch" value="PowerPC"/>
   </fingerprint>
 
   <fingerprint pattern="SPARC" flags="REG_ICASE">
     <description>SPARC</description>
+    <example>SPARC</example>
+    <example>sparc</example>
     <param pos="0" name="os.arch" value="Sparc"/>
   </fingerprint>
 
   <fingerprint pattern="mips" flags="REG_ICASE">
     <description>MIPS</description>
+    <example>MIPS</example>
+    <example>mips</example>
     <param pos="0" name="os.arch" value="MIPS"/>
   </fingerprint>
 
   <fingerprint pattern="arm64|aarch64" flags="REG_ICASE">
     <description>ARM64 (aarch64)</description>
+    <example>arm64</example>
+    <example>ARM64</example>
+    <example>aarch64</example>
+    <example>AARCH64</example>
     <param pos="0" name="os.arch" value="ARM64"/>
   </fingerprint>
 
   <fingerprint pattern="arm" flags="REG_ICASE">
     <description>ARM</description>
+    <example>arm</example>
+    <example>ARM</example>
     <param pos="0" name="os.arch" value="ARM"/>
   </fingerprint>
 

data/xml/dhcp_vendor_class.xml

@@ -48,7 +48,7 @@
     <example hw.family="OfficeJet">Hewlett-Packard OfficeJet</example>
     <example hw.family="LaserJet">HP LaserJet</example>
     <example hw.family="Printer">HP Printer</example>
-    <example>Hewlett-Packard JetDirect</example>
+    <example hw.family="JetDirect">Hewlett-Packard JetDirect</example>
     <param pos="0" name="hw.device" value="Printer"/>
     <param pos="0" name="hw.vendor" value="HP"/>
     <param pos="1" name="hw.family"/>