CPE
CPE stands for Common Platform Enumeration. It is a structured naming scheme for information technology systems, software, and packages. The structure and the dictionary are maintained by NIST and are free to use.
Support
Every entry contains a CPE list with full CPE 2.2 and 2.3 support. CPE strings can be used in search queries on the web site and in the API alike. CPE data points are provided as virtual fields.
Please refer to our documentation about version handling regarding data quality and confidence.
Extended Dictionary
Unfortunately, the official CPE dictionary is updated very slowly and lacks the flexibility that we require. This is why we use an extended CPE dictionary with additional products and versions.
It is not our intention to deviate from the dictionary that other sources are using. Entries are adapted to match the official dictionary whenever possible. Please let us know if you identify a mismatch.
The CPE values are virtual fields, which are generated on the fly. Our changes to the CPE values are not reflected by a commit or an update of the affected entries (e.g. you won't see these changes as updates via the API; you would have to re-fetch entries manually to get the updated version with the new values).
Our CPE Processing
We use a multi-step approach to handle CPEs:
- Initial CPE Data: Whenever we create an entry, we create a CPE with the information available as well.
- Extended Dictionary: We try to be compliant with the official NIST CPE dictionary. If a product is not yet in the dictionary, we use our extended CPE dictionary, which tries to anticipate future entries. If an anticipated entry turns out to be wrong, it is aligned afterwards.
- Historical Version Details: If we only know boundaries of versions (e.g. which one is not affected anymore), we use historical data to create a list of potentially affected versions.
- Merge NVD Assignments: As soon as NVD has CPE data, we merge it into our existing list of CPE strings. However, this might re-introduce some additional uncertainty.
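The "Historical Version Details" step above turns version boundaries into a list of concrete versions. The following is an added example of that idea, not VulDB's own code: it takes a constructed release history, an inclusive first-affected boundary and an exclusive first-fixed boundary, and emits the potentially affected versions as CPE 2.3 strings. The release list, the product name and the simple numeric version key are assumptions made for the illustration.

```python
"""Expand version boundaries into a list of potentially affected versions.

Added example, not VulDB's code. RELEASES is a constructed release history;
a real implementation would draw it from the product's version history.
"""
import re

# Constructed release history (assumption: not real product data).
RELEASES = ["7.0", "8.0", "8.0.1", "8.1", "9.0", "9.0.1", "10.0"]


def version_key(version: str) -> tuple:
    """Sort key that compares dotted versions numerically, so 10.0 > 9.0.

    Each piece becomes (number, textual_suffix); a suffix such as 'rc1'
    sorts after the bare number. This is deliberately simple and is not a
    full semver comparison.
    """
    key = []
    for piece in re.split(r"[.\-]", version):
        m = re.fullmatch(r"(\d+)(.*)", piece)
        if m:
            key.append((int(m.group(1)), m.group(2)))
        else:
            key.append((-1, piece))  # purely textual piece sorts first
    return tuple(key)


def potentially_affected(releases, first_affected=None, first_fixed=None):
    """Return every known release inside the boundaries, oldest first.

    first_affected is inclusive; first_fixed is exclusive ("not affected
    anymore"). Either may be None when that boundary is unknown, in which
    case the list is open on that side.
    """
    lo = version_key(first_affected) if first_affected else None
    hi = version_key(first_fixed) if first_fixed else None
    selected = []
    for release in sorted(releases, key=version_key):
        k = version_key(release)
        if lo is not None and k < lo:
            continue
        if hi is not None and k >= hi:
            continue
        selected.append(release)
    return selected


def cpe23_for_versions(vendor, product, versions, part="a"):
    """Render one CPE 2.3 formatted string per version (all other fields ANY)."""
    return [f"cpe:2.3:{part}:{vendor}:{product}:{v}:*:*:*:*:*:*:*" for v in versions]


if __name__ == "__main__":
    # Only the fix version is known: everything before 9.0 is potentially affected.
    affected = potentially_affected(RELEASES, first_fixed="9.0")
    for cpe in cpe23_for_versions("example_vendor", "example_product", affected):
        print(cpe)
```

Because the list is derived from a boundary rather than from confirmed testing, each generated string carries the lower confidence described under version handling; keep that provenance next to the CPE list rather than mixing it with NVD-confirmed entries.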
Correcting CPE Definitions
If you think that a CPE definition in one of our entries is not aligned with the official NIST CPE dictionary, please contact our support team and explain the issue. If the suggested change can be validated, we will update the entry with the correct data and re-publish it (e.g. via API and RSS).
If a suggested change cannot be verified or contradicts other data (e.g. vendor advisory, CVE description), the existing CPE string will remain until the situation is clear. This guarantees a certain level of stability for our customers.
Recommendations
We recommend using our extended CPE dictionary and adding some kind of fuzziness to your searches and matching. Otherwise the slightest changes become obstacles. For example, in the official CPE dictionary the naming convention for Internet Explorer changed between versions:
cpe:/a:microsoft:ie
cpe:/a:microsoft:internet_explorer
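The following is an added example of the tolerant matching recommended above; it is not VulDB's code and does not use the VulDB API. It parses both CPE 2.2 URIs (cpe:/...) and CPE 2.3 formatted strings (cpe:2.3:...) into the same eleven attributes, normalises them, and applies a small alias table so that the two Internet Explorer names compare equal. The alias table stands in for whatever extended dictionary you maintain and is an assumption made for the illustration, as is the sample version 8.0.

```python
"""Parse CPE 2.2 URIs and CPE 2.3 formatted strings into one shape and match
them with tolerance for renamed products.

Added example, not VulDB's code. ALIASES is a constructed table that plays
the role of an extended dictionary.
"""
from urllib.parse import unquote

# The eleven attributes of a CPE 2.3 formatted string; a 2.2 URI carries at
# most the first seven.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed alias table: old (vendor, product) -> canonical (vendor, product).
ALIASES = {
    ("microsoft", "ie"): ("microsoft", "internet_explorer"),
}


def _split_escaped(s, sep=":"):
    """Split on sep while honouring CPE 2.3 backslash escapes.

    An escaped separator ('\\:') stays inside its component; any other
    escape sequence is kept literally so '\\*' is not confused with ANY.
    """
    out, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            cur.append(nxt if nxt == sep else c + nxt)
            i += 2
            continue
        if c == sep:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    out.append("".join(cur))
    return out


def parse_cpe(cpe):
    """Return a dict of the eleven CPE attributes, with ANY spelled '*'."""
    if cpe.startswith("cpe:2.3:"):
        comps = _split_escaped(cpe[len("cpe:2.3:"):])
        if len(comps) != 11:
            raise ValueError(f"CPE 2.3 string needs 11 components: {cpe!r}")
    elif cpe.startswith("cpe:/"):
        # 2.2 URIs percent-encode reserved characters, may omit trailing
        # components, and use an empty component for ANY. A packed edition
        # field ('~') is not expanded here.
        comps = [unquote(c) for c in cpe[len("cpe:/"):].split(":")]
        if not 1 <= len(comps) <= 7:
            raise ValueError(f"CPE 2.2 URI has 1 to 7 components: {cpe!r}")
        comps += ["*"] * (11 - len(comps))
    else:
        raise ValueError(f"not a CPE string: {cpe!r}")
    attrs = {}
    for name, value in zip(FIELDS, comps):
        value = value.lower()  # CPE attribute values are case-insensitive
        attrs[name] = "*" if value in ("", "*") else value
    return attrs


def canonical(attrs):
    """Rewrite vendor/product through the alias table so renames compare equal."""
    key = (attrs["vendor"], attrs["product"])
    if key in ALIASES:
        vendor, product = ALIASES[key]
        attrs = {**attrs, "vendor": vendor, "product": product}
    return attrs


def matches(pattern, target):
    """True when every attribute of pattern is ANY or equals target's attribute.

    Both sides are canonicalised first, so cpe:/a:microsoft:ie matches a
    cpe:2.3:a:microsoft:internet_explorer:... string. Wildcards are only
    honoured on the pattern side.
    """
    p, t = canonical(parse_cpe(pattern)), canonical(parse_cpe(target))
    return all(p[f] == "*" or p[f] == t[f] for f in FIELDS)


def to_cpe23(attrs):
    """Serialise attributes back to a CPE 2.3 formatted string, escaping ':'."""
    return "cpe:2.3:" + ":".join(attrs[f].replace(":", "\\:") for f in FIELDS)


if __name__ == "__main__":
    old, new = "cpe:/a:microsoft:ie", "cpe:2.3:a:microsoft:internet_explorer:8.0:*:*:*:*:*:*:*"
    print(matches(old, new))                       # True thanks to the alias table
    print(to_cpe23(canonical(parse_cpe(old))))     # normalised 2.3 form of the 2.2 URI
```

Keeping the alias table separate from the parser means a new rename only needs one more table row, and the same normalised form can be used as a lookup key against both the 2.2 and 2.3 strings an entry provides.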
If you need any assistance, we do provide engineering and implementation support for customers.
Updated: 06/08/2024 by VulDB Documentation Team