Common Platform Enumeration

Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.[1]

The CPE Product Dictionary provides an agreed upon list of official CPE names. The dictionary is provided in XML format and is available to the general public. The CPE Dictionary is hosted and maintained at NIST, may be used by nongovernmental organizations on a voluntary basis, and is not subject to copyright in the United States.[1]

CPE identifiers are commonly used to search for Common Vulnerabilities and Exposures (CVEs) that affect the identified product.

Scheme format

CPE 2.3 follows this format, maintained by NIST:[2]

cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>

cpe_version

The version of the CPE definition. The latest CPE definition version is 2.3.

part

May have one of three values:

  1. a for Applications
  2. h for Hardware
  3. o for Operating Systems

It is sometimes referred to as type.

vendor

Values for this attribute SHOULD describe or identify the person or organization that manufactured or created the product. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. [1]

product

The name of the system/package/component. product and vendor are sometimes identical. It cannot contain spaces, slashes, or most special characters; an underscore should be used in place of whitespace characters.

version

The version of the system/package/component.

update

This is used for update or service pack information, sometimes referred to as "point releases" or minor versions. The technical distinction between version and update varies by vendor and product. Common examples include beta, update4, SP1, and ga (for General Availability), but it is most often left blank.

edition

A further granularity describing the build of the system/package/component, beyond version.

language

A valid language tag as defined by IETF RFC 5646 entitled "Tags for Identifying Languages". Examples include: en-us for US English, and zh-tw for Taiwanese Mandarin.

sw_edition

The specific edition of the software. Examples include community for a community edition, and special for a special edition.

target_sw

The software computing environment that the product is intended to operate within. Examples include windows_2003 or ipod_touch.

target_hw

Specifications about the hardware that the product is intended to run on. This is usually the instruction set architecture of the device (such as x86) but may also be other hardware attributes, such as 80gb for software designed to run on the iPod Touch 80GB.

Examples

Here, * is used as a wildcard character:

cpe:2.3:a:ntp:ntp:4.2.8:p3:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_7:-:sp2:*:*:*:*:*:*
cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*
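As an added illustration (not code from the NIST specification or any NVD tool), the following Python parser splits a CPE 2.3 formatted string into the twelve named attributes, honours backslash-escaped colons inside a value, and performs a simplified match in which * matches any value and - (not applicable) matches only -; embedded wildcards such as 4.2.* within a value are assumed out of scope.

```python
# Added example (not NIST/NVD code): parse CPE 2.3 formatted strings and do a
# simplified match. Assumes only whole-value '*' (ANY) and '-' (NA) specials.
from typing import Dict, List

FIELDS = ["cpe_version", "part", "vendor", "product", "version", "update",
          "edition", "language", "sw_edition", "target_sw", "target_hw", "other"]

def split_cpe(name: str) -> List[str]:
    """Split on ':' while keeping backslash-escaped characters (e.g. '\\:')."""
    fields, cur, i = [], "", 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):   # escaped char: keep both chars
            cur += ch + name[i + 1]
            i += 2
            continue
        if ch == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    fields.append(cur)
    return fields

def parse_cpe(name: str) -> Dict[str, str]:
    """Return the 12 attributes of a 'cpe:2.3:...' string, or raise ValueError."""
    parts = split_cpe(name)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {name!r}")
    if parts[2] not in ("a", "h", "o", "*", "-"):
        raise ValueError(f"invalid part {parts[2]!r}; expected a, h or o")
    return dict(zip(FIELDS, parts[1:]))

def _attr_matches(pattern: str, value: str) -> bool:
    if pattern == "*" or value == "*":        # ANY matches everything
        return True
    if pattern == "-" or value == "-":        # NA only matches NA
        return pattern == value
    return pattern.lower() == value.lower()   # CPE names are case-insensitive

def cpe_matches(pattern: str, target: str) -> bool:
    """True if every attribute of `pattern` matches the same attribute of `target`."""
    p, t = parse_cpe(pattern), parse_cpe(target)
    return all(_attr_matches(p[f], t[f]) for f in FIELDS)

if __name__ == "__main__":
    inventory = "cpe:2.3:a:ntp:ntp:4.2.8:p3:*:*:*:*:*:*"   # the page's ntp example
    print(cpe_matches("cpe:2.3:a:ntp:ntp:4.2.8:*:*:*:*:*:*:*", inventory))  # True
```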

References

  1. "NVD - CPE Dictionary". nvd.nist.gov. Retrieved 2017-02-15. This article incorporates text from this source, which is in the public ___domain.
  2. "Archived copy" (PDF). Archived from the original (PDF) on 2021-04-21. Retrieved 2021-04-22.