Common Platform Enumeration — CPE™
A Structured Naming Scheme for IT Systems, Platforms, and Packages
CPE is a standardized method
Challenge
of describing and identifying
Secure information systems depend on reli-
classes of applications, operating
able, cost-effective Software Asset Manage-
systems, and hardware devices
ment practices that support security assess-
present among an enterprise’s
ment. IT managers need highly reliable and
computing assets.
automatable software inventory processes
CPE in the Enterprise
■■
A language for constructing “applicability statements” that combine CPE
names with simple logical operators.
■■
A standard notion of a CPE Dictionary.
that provide accurate, up-to-the-minute
An authoritative CPE Dictionary is cur-
CPE can be used as a source of
details about the operating systems, software
rently maintained by the National Institute
information for enforcing and
applications and hardware devices that are
of Standards and Technology (NIST) as part
verifying IT management policies
installed and available for use. Once armed
of its U.S. National Vulnerability Database
relating to these assets, such
with this data, IT managers can identify risks
(NVD). NIST also hosts the current official
as vulnerability, configuration,
and vulnerabilities, and make timely deci-
version of the CPE Specification documents,
and remediation policies. IT
sions about what to install, patch or disable.
Version 2.3.
management tools can collect
Specification languages exist such as Com-
In addition, CPE is one of the existing
information about installed
mon Vulnerabilities and Exposures (CVE®)
open standards used by NIST in its Secu-
products, identify products using
for describing vulnerabilities, Open Vulner-
rity Content Automation Protocol (SCAP)
their CPE names, and use this
ability and Assessment Language (OVAL®)
program, which combines “a suite of tools to
standardized information to help
for testing system state, and Extensible
help automate vulnerability management and
make fully or partially automated
Configuration Checklist Description Format
evaluate compliance with federal information
decisions regarding the assets.
(XCCDF) for expressing security checklists.
technology security requirements.” Numer-
What these languages all have in common,
ous products have been validated by NIST as
however, is a need to refer to IT products and
conforming to the CPE component of SCAP.
platforms in a standardized way that is suitable for machine interpretation and process-
CPE Dictionary
ing. CPE satisfies that need.
Hosted by NIST, the “Official CPE Dictionary” currently includes 43,000+ unique CPE
Solution
Developed specifically to work with specification languages, CPE provides:
■■ A standard machine-readable format
for encoding names of IT products and
platforms.
■■
cpe.mitre.org
A set of procedures for comparing
names.
The MITRE Corporation maintains CPE’s public Web site
presence and provides impartial technical guidance to the
CPE Community throughout the process to ensure CPE
serves the public interest.
Names. Its main purposes are to:
■■ Provide a canonical source for all
known CPE Names.
■■
Bind descriptive metadata (such as a
title and notes) to a CPE Name.
■■
Bind diagnostic tests (such as an automated check to determine if a given
platform matches the name) to a CPE
Name.
202 Burlington Road, Bedford, MA 01730-1420
www.mitre.org
MITRE
CPE 2.3 is a formatted string binding that has
Dictionary versions of software and hardware products,
a somewhat different syntax than the URI
The CPE 2.3 Dictionary Specification
vendor participation is critical to ensuring
binding and supports additional product
defines a standardized method for creating
that product names are accurately repre-
attributes. With the formatted string bind-
and managing public and/or private CPE
sented in the CPE Dictionary. Join the many
ing, the WFN above can be represented by:
dictionaries (e.g., the public Official CPE
vendors that are already using CPE to help
“cpe:2.3:a:microsoft:internet_explorer:8.0.
Dictionary). A “dictionary” is a repository
validate the names of their products by con-
6001:beta:*:*:*:*:*:*” The WFN concept and
of CPE names and metadata associated with
tacting us at [email protected].
the bindings defined by the CPE Naming
the names. Each CPE name in the diction-
Specification are the fundamental building
ary identifies a single class of IT product in
blocks at the core of all CPE functionality.
the world, with the word “class” signifying
Since CPE Names contain the names and
CPE Specification
CPE Version 2.3 includes four separate
specifications organized in a stack, with each
building on those that precede it. Hosted by
NIST, the CPE 2.3 Specifications focus on
the following:
Matching The CPE 2.3 Name Matching Specification
defines a method for conducting a one-toone comparison of a source CPE name to
a target CPE name. By logically comparing
Naming CPE names as sets of values, CPE Name
that the object identified is not a physical
instantiation of a product on a system, but
rather the abstract model of that product. Although organizations may use a CPE name to
represent either a single product class or a set
of multiple product classes, a CPE dictionary
stores only bound forms of well-formed CPE
The CPE 2.3 Naming Specification defines
Matching methods can determine if com-
standardized methods for assigning names to
mon set relations hold. For example, CPE
IT product classes using an abstract logical
Name Matching can determine if the source
construction known as a well-formed CPE
and target names are equal, if one of the
Applicability Language name (WFN). The CPE Naming Specifica-
names is a subset of the other, or if the names
The CPE 2.3 Applicability Language
tion defines procedures for binding WFNs
are disjoint. This is a powerful and flexible
names that identify a single product class, not
a set of product classes.
Specification defines a standardized way to
describe IT platforms by forming complex
Example WFN for Microsoft Internet Explorer 8.0.6001 Beta:
wfn: [part=”a”,vendor=”microsoft”,product=”internet_explorer”, version=”8\.0\.6001”,
update=”beta”]
logical expressions out of individual CPE
names and references to checks. The CPE
Applicability Language Data Model builds
on top of the other CPE specifications to
provide the functionality required to allow
to machine-readable encodings, as well as
way of performing product comparisons
CPE users to construct complex groupings of
unbinding those encodings back to WFNs.
in a standardized, automated manner. CPE
CPE names to describe IT platforms. These
Backward compatibility is also maintained
Name Matching is also used by other CPE
groupings are referred to as applicability
with CPE 2.2’s Uniform Resource Identi-
specifications to conduct more complex
statements because they are used to designate
fier (URI) binding method (e.g., the URI
tasks, such as searching for product names in
to which platforms particular guidance, poli-
binding representation of the WFN ex-
CPE dictionaries and performing complex
cies, etc., apply.
ample above is: “cpe:/a:microsoft:internet_
comparisons of sets of product versions—for
explorer:8.0.6001:beta”).
example, determining if a system is running a
Join the Community
particular operating system version, running
Members of the information technology
authoritative enumeration of CPE names in
two particular applications, and not running a
and information security communities are
URI binding. The WFN binding defined in
third particular application.
invited to join the CPE Email Discussion List
The Official CPE Dictionary contains an
at http://cpe.mitre.org/community/discussion_list.html.
Member of
http://measurablesecurity.mitre.org
Learn More - http://cpe.mitre.org