CPE Home
    
About CPE Specification Dictionary Community
A structured naming scheme for IT systems, platforms, and packages.
     
 
Specification

The CPE™ Specification includes a naming syntax and conventions for constructing CPE Names from product information, an algorithm for matching, a language for describing complex platforms, and an XML schema for binding descriptive and diagnostic information to a name. This latter feature is used to create a community dictionary of common CPE Names.

CPE Names

Version 2.1 of the specification was released on January 31st, 2008.

A CPE Name is represented by a URI. Each name consists of the prefix "cpe:" and is followed by up to seven different components. These components are used to help build consistent and unique names. The components relate to platform part, vendor, product name, version, update level, edition, and language. Please refer to the CPE Specification for a complete discussion of the CPE naming scheme and real-world examples.

CPE Language

An individual CPE Name addresses a single part of an actual system. To identify more complex platform types, there needs to be a way to combine different CPE Names using logical operators. For example, there may be a need to identify a platform with a particular operating system AND a certain application. The CPE Language exists to satisfy this need, enabling the CPE Name for the operating system to be combined with the CPE Name for the application.

cpe-language_2.1.zip

Matching

CPE allows the means to specify concrete diagnostic tests. For example, a CPE Name can include a link to a check written in the Open Vulnerability and Assessment Language (OVAL™) that can be executed to determine whether an IT system is an instance of the named platform. When a CPE Name does not have an OVAL Definition associated with it, the name can be matched against an actual system based on other known CPE Names (ones that have been matched via an OVAL Definition) or CPE Language expressions. Refer to the CPE Specification for a complete discussion and examples.

To help understand the matching algorithm that is presented in the specification, two example Java files are provided below. Use this code at your own risk. It is intended only as an example and is not meant to be fully functional code.

Feedback Requested

Use of the CPE naming specification will enable community members to generate common, standardized names for new IT platforms, and will provide the means to create a public dictionary of common CPE Names.

To participate, please review the specification then send feedback, or any
other comments and concerns, to cpe@mitre.org.

overview | abbreviations | tracker | versioning | spec archive



Page Last Updated: January 14, 2009



  


 
 
  This Web site is hosted by The MITRE Corporation.
Copyright © 2009, The MITRE Corporation.
CPE and the CPE logo are trademarks of The MITRE Corporation. All rights reserved.

Contact Us | Privacy policy | Terms of use