The CPE™ Specification includes a naming syntax and conventions for
constructing CPE Names from product information, an algorithm
for matching, a language for describing complex platforms, and an XML schema for binding descriptive and
diagnostic information to a name. This latter feature is used
to create a community dictionary of common CPE Names.
CPE Names
Version 2.1 of the specification was released on January 31st, 2008.
A CPE Name is represented by a URI. Each name begins with
the prefix "cpe:", followed by up to seven components.
These components are used to help build consistent and unique names.
The components relate to platform part, vendor, product name, version, update level,
edition, and language. Please refer to
the CPE Specification for a complete discussion of the CPE naming
scheme and real-world examples.
CPE Language
An individual CPE Name addresses a single part of an actual system. To identify more complex platform types, there needs to be a way to combine different CPE Names using logical operators. For example, there may be a need to identify a platform with a particular operating system AND a certain application. The CPE Language exists to satisfy this need, enabling the CPE Name for the operating system to be combined with the CPE Name for the application.
cpe-language_2.1.zip
Matching
CPE provides the means to specify concrete
diagnostic tests. For example, a CPE Name can include a link
to a check written in the Open Vulnerability and Assessment
Language (OVAL™) that can be executed to determine whether
an IT system is an instance of the named platform. When a CPE
Name does not have an OVAL Definition associated with it, the
name can be matched against an actual system based on other
known CPE Names (ones that have been matched via an OVAL Definition)
or CPE Language expressions. Refer to the CPE Specification for a complete discussion and
examples.
To help understand the matching algorithm that is presented in the
specification, two example Java files are provided below. Use this code at your
own risk. It is intended only as an example and is not meant to be fully functional code.
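The sketch below is an added Python example, not one of the Java files mentioned above and not code from the CPE Specification; it covers both the naming and the CPE Language passages by splitting a name into its seven components, matching it against names already known for a system, and evaluating an AND/OR combination. The "cpe:/" colon-separated layout, the rule that an omitted component matches any value, the case-insensitive comparison, the nested-tuple stand-in for the XML language binding, and all sample names are assumptions made for illustration.

```python
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

def parse_cpe(uri):
    """Split a CPE Name into its seven components; omitted ones become ''."""
    # Assumption: the URI form is 'cpe:/' followed by colon-separated components.
    if not uri.lower().startswith("cpe:/"):
        raise ValueError(f"not a CPE Name: {uri!r}")
    # Assumption: names are compared case-insensitively.
    parts = uri[len("cpe:/"):].lower().split(":")
    if len(parts) > len(FIELDS):
        raise ValueError(f"more than seven components: {uri!r}")
    return tuple(parts + [""] * (len(FIELDS) - len(parts)))

def name_matches(candidate, known):
    """True when every component the candidate specifies equals the known name's."""
    # Assumption (simplified rule): an empty candidate component matches anything.
    return all(c in ("", k) for c, k in zip(parse_cpe(candidate), parse_cpe(known)))

def evaluate(expr, known_names):
    """Evaluate a CPE Name, or a nested (operator, operand, ...) tuple, for one system."""
    if isinstance(expr, str):
        return any(name_matches(expr, k) for k in known_names)
    op, *operands = expr
    if not operands:
        raise ValueError("operator with no operands")
    results = [evaluate(o, known_names) for o in operands]
    if op == "AND":
        return all(results)
    if op == "OR":
        return any(results)
    raise ValueError(f"unknown operator: {op!r}")

# Constructed inventory: names already established for one system (hypothetical vendor).
KNOWN = [
    "cpe:/o:examplevendor:example_os:5.1:sp2",
    "cpe:/a:examplevendor:example_app:2.1",
]
# Constructed platform: a particular operating system AND one of two application versions.
PLATFORM = ("AND", "cpe:/o:examplevendor:example_os",
            ("OR", "cpe:/a:examplevendor:example_app:2.0",
                   "cpe:/a:examplevendor:example_app:2.1"))

if __name__ == "__main__":
    print(evaluate(PLATFORM, KNOWN))
```

A candidate that is more specific than anything known for the system does not match, which is why the inventory should record names at the finest level of detail that was actually verified.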
Feedback Requested
Use of the CPE naming specification will
enable community members to generate common, standardized
names for new IT platforms, and will provide the means to
create a public dictionary of common CPE Names.
To participate, please review the specification, then send
feedback, or any
other comments and concerns, to cpe@mitre.org.