CPE

CPE stands for Common Platform Enumeration. It is a structured naming scheme for information technology systems, software, and packages. The structure and dictionary are maintained by NIST and are free to use.

Support

Every entry contains a CPE list, with full CPE 2.2 and 2.3 support. CPE strings can be used in search queries on the web site and in the API alike. CPE data points are provided as virtual fields.

Please refer to our documentation on version handling regarding data quality and confidence.

Extended Dictionary

Unfortunately, the official CPE dictionary is updated very slowly and lacks the flexibility we require. This is why we use an extended CPE dictionary with additional products and versions.

It is not our intention to deviate from the dictionary that other sources use. Entries are adapted to match the official dictionary whenever possible. Please let us know if you identify a mismatch.

The CPE values are virtual fields, which are generated on the fly. Our changes to the CPE values are not reflected by a commit or an update of the affected entries (e.g. you won't see these changes as updates via the API). You would have to re-fetch entries manually to get the updated version with the new values.

Our CPE Processing

We use a multi-step approach to handle CPEs:

  1. Initial CPE Data: Whenever we create an entry, we create a CPE with the information available as well.
  2. Extended Dictionary: We try to be compliant with the official NIST CPE dictionary. If a product is not yet in the dictionary, we use our extended CPE dictionary, which tries to anticipate future entries. If an anticipated entry turns out to be wrong, it will be aligned afterwards.
  3. Historical Version Details: If we only know boundaries of versions (e.g. which one is not affected anymore), we use historical data to create a list of potentially affected versions.
  4. Merge NVD Assignments: As soon as NVD has CPE data, we merge it into our existing list of CPE strings. However, this might re-introduce some additional uncertainty.
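Step 3 above turns version boundaries into a concrete list of versions. The following Python example, added here and not VulDB's own code, shows the mechanics on a constructed historical version list for a hypothetical product: the boundary "fixed in" is exclusive, an optional "first affected" boundary is inclusive, and versions are compared numerically so that 1.10 sorts after 1.2 rather than between 1.1 and 1.2 as a plain string comparison would do.

```python
import re

# Constructed historical version list for a hypothetical product (assumption,
# not real dictionary data).
KNOWN_VERSIONS = ["1.0", "1.1", "1.2", "1.2.1", "1.10", "2.0", "2.0.1", "2.1"]


def version_key(version):
    """Turn '1.10' into a tuple that compares numerically.

    Numeric parts become (0, int), anything else (1, str), so mixed parts
    never raise a TypeError on comparison and numbers sort before text.
    """
    return tuple(
        (0, int(p)) if p.isdigit() else (1, p)
        for p in re.split(r"[.-]", version)
    )


def potentially_affected(known_versions, fixed_in=None, first_affected=None):
    """Select versions in the range [first_affected, fixed_in).

    fixed_in is the first version that is no longer affected (exclusive);
    first_affected is inclusive; None leaves that side unbounded.
    The result is sorted by version_key, not lexically.
    """
    result = []
    for v in known_versions:
        k = version_key(v)
        if first_affected is not None and k < version_key(first_affected):
            continue
        if fixed_in is not None and k >= version_key(fixed_in):
            continue
        result.append(v)
    return sorted(result, key=version_key)


def to_cpe23(vendor, product, version):
    """Render one affected version as a CPE 2.3 formatted string (part 'a')."""
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


def affected_cpes(vendor, product, known_versions, fixed_in=None, first_affected=None):
    """Expand a version boundary into the CPE 2.3 strings of affected versions."""
    return [to_cpe23(vendor, product, v)
            for v in potentially_affected(known_versions, fixed_in, first_affected)]


if __name__ == "__main__":
    # 'example_vendor' / 'example_product' are placeholders, not dictionary entries.
    for cpe in affected_cpes("example_vendor", "example_product",
                             KNOWN_VERSIONS, fixed_in="1.10"):
        print(cpe)
```

Note that the list is only as complete as the historical data behind it: a version that was shipped but never recorded cannot appear, which is the uncertainty the page refers to.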

Recommendations

We recommend using our extended CPE dictionary, as well as adding some kind of fuzziness to your searches and matching. Otherwise the slightest changes become obstacles. For example, in the official CPE dictionary the naming convention for Internet Explorer changed between versions:

  • cpe:/a:microsoft:ie
  • cpe:/a:microsoft:internet_explorer

Attempts were made years later to fix this by correlation. Other peculiarities make adopting CPE a challenge.
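The following Python example, added here and not VulDB's or NIST's code, shows what the recommended fuzziness can look like in practice and also covers the CPE 2.2 / 2.3 support mentioned under Support: it parses both a CPE 2.2 URI and a CPE 2.3 formatted string into the same eleven components, folds the renamed product through an alias table (the ie / internet_explorer pair from the page is the only real entry; the table itself and the sample entry list are constructed), and matches with CPE's ANY (`*`) and NA (`-`) semantics plus an optional version-prefix loosening. The CPE 2.2 packed-edition conversion and the 2.2 wildcard escapes are deliberately left out.

```python
import re
import urllib.parse

# CPE 2.3 component names in order, after the "cpe:2.3" prefix.
COMPONENTS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed alias table for products renamed in the official dictionary.
# Only the ie / internet_explorer pair comes from the page; anything you add
# is your own assumption about your data.
PRODUCT_ALIASES = {
    ("microsoft", "ie"): ("microsoft", "internet_explorer"),
}

# Constructed sample entries, not real dictionary content.
SAMPLE_ENTRIES = [
    "cpe:/a:microsoft:ie:8.0",
    "cpe:2.3:a:microsoft:internet_explorer:8.0.6001:*:*:*:*:*:*:*",
    "cpe:2.3:a:microsoft:internet_explorer:11.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:microsoft:edge:44.0:*:*:*:*:*:*:*",
]


def _split_unescaped(text):
    """Split on colons that are not preceded by a backslash."""
    return re.split(r"(?<!\\):", text)


def _unescape(value):
    """Remove CPE 2.3 backslash escapes, e.g. '\\:' -> ':'."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_cpe(cpe):
    """Parse a CPE 2.2 URI or CPE 2.3 formatted string into a dict of the
    eleven CPE 2.3 components. Empty or missing components become '*' (ANY)."""
    if cpe.startswith("cpe:2.3:"):
        values = _split_unescaped(cpe[len("cpe:2.3:"):])
        if len(values) != 11:
            raise ValueError(f"CPE 2.3 string must have 11 components: {cpe}")
        values = [_unescape(v) for v in values]
    elif cpe.startswith("cpe:/"):
        # CPE 2.2 URI: cpe:/part:vendor:product:version:update:edition:language
        # The first seven 2.3 components map one-to-one; the rest are ANY.
        values = cpe[len("cpe:/"):].split(":")
        if not 1 <= len(values) <= 7:
            raise ValueError(f"CPE 2.2 URI must have 1 to 7 components: {cpe}")
        values = [urllib.parse.unquote(v) if v else "*" for v in values]
        values += ["*"] * (11 - len(values))
    else:
        raise ValueError(f"unrecognised CPE format: {cpe}")
    return dict(zip(COMPONENTS, (v.lower() for v in values)))


def normalize(parsed):
    """Rewrite a renamed vendor/product pair to its current dictionary name."""
    key = (parsed["vendor"], parsed["product"])
    if key in PRODUCT_ALIASES:
        vendor, product = PRODUCT_ALIASES[key]
        return {**parsed, "vendor": vendor, "product": product}
    return parsed


def _component_matches(query, target, name, fuzzy):
    """Compare one component: ANY matches anything, NA only matches NA,
    and, when fuzzy, a version matches a longer version that extends it
    with a further dotted part (8.0 covers 8.0.6001, but not 8.01)."""
    if query == "*" or target == "*":
        return True
    if query == "-" or target == "-":
        return query == target
    if fuzzy and name == "version":
        return (target == query or target.startswith(query + ".")
                or query.startswith(target + "."))
    return query == target


def cpe_matches(query, target, fuzzy=True):
    """True when the target CPE falls within the query CPE."""
    q, t = parse_cpe(query), parse_cpe(target)
    if fuzzy:
        q, t = normalize(q), normalize(t)
    return all(_component_matches(q[c], t[c], c, fuzzy) for c in COMPONENTS)


def search(query, entries, fuzzy=True):
    """Return the entries that match the query CPE, in input order."""
    return [e for e in entries if cpe_matches(query, e, fuzzy)]


if __name__ == "__main__":
    query = "cpe:2.3:a:microsoft:internet_explorer:8.0:*:*:*:*:*:*:*"
    print("strict:", search(query, SAMPLE_ENTRIES, fuzzy=False))
    print("fuzzy: ", search(query, SAMPLE_ENTRIES))
```

With strict matching the query above finds nothing in the sample list, because one entry uses the old product name and the other carries a longer version string; with the alias table and version-prefix loosening both are found. Keep such loosening explicit and reviewable, since it trades false negatives for possible false positives.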

If you need any assistance, we do provide engineering and implementation support for customers.
