Common Platform Enumeration (CPE) is a structured naming scheme maintained by NIST for identifying IT products -- hardware, operating systems, and applications. It is the primary mechanism by which the National Vulnerability Database (NVD) associates CVEs with affected products. And it is responsible for a staggering amount of wasted time in vulnerability management programs.
The problem is not that CPE exists. Having a standardized way to name products is obviously useful. The problem is that CPE was designed for a world of commercial software vendors shipping boxed products, and it maps poorly to the modern reality of open-source libraries, package managers, and component-based software development.
How CPE Works
A CPE string follows a structured format:
cpe:2.3:a:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
For example:
cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*identifies Apache Log4j version 2.14.1cpe:2.3:a:microsoft:windows_10:1903:*:*:*:*:*:*:*identifies Microsoft Windows 10 version 1903
NVD CVE entries include CPE match criteria that specify which products and version ranges are affected. Vulnerability scanners compare the CPE strings of your installed software against these match criteria to identify affected systems.
Where CPE Breaks Down
The Vendor Problem
CPE requires a vendor name, but open-source software often does not have a clear vendor. Who is the "vendor" of lodash? Is it lodash, lodash_project, lodash.js? What about a library that changed maintainers? NVD analysts make judgment calls about vendor assignment, and those judgments are not always consistent or predictable.
This means a vulnerability scanner that constructs CPE strings from package metadata may generate a different vendor value than what NVD used, resulting in missed matches (false negatives) or incorrect matches (false positives).
The Product Name Problem
Product names in CPE are normalized but not standardized. The same product might appear as jackson-databind, jackson_databind, or fasterxml_jackson-databind depending on who assigned the CPE. Hyphens, underscores, and organizational prefixes create ambiguity.
For packages that are part of a larger project (like the Jackson ecosystem in Java), the CPE might reference the umbrella project or the specific module. If your scanner is looking for one and NVD used the other, you get false results.
The Version Matching Problem
CPE version matching uses string comparison with wildcards. This works for simple version schemes (1.2.3) but breaks for:
- Pre-release versions: Is
2.0.0-rc1affected by a vulnerability in2.0.0? - Build metadata: Is
1.5.0+build.123the same as1.5.0? - Non-standard versioning: Some projects use date-based versions, commit hashes, or custom schemes
- Version ranges: NVD specifies affected versions with "versionStartIncluding" and "versionEndExcluding" fields, but the version comparison logic does not always handle semantic versioning correctly
The Granularity Problem
CPE identifies products, not components. In the open-source world, a single product (like Spring Framework) comprises dozens of modules (spring-core, spring-web, spring-security). A vulnerability might affect only spring-web, but the CPE might reference the Spring Framework broadly. Scanners that match at the product level will flag every Spring module as vulnerable.
The Coverage Problem
Not every open-source library has a CPE assignment in NVD. Smaller projects may never receive CPE identifiers, even when CVEs are published for them. This creates a coverage gap where vulnerabilities exist in databases like OSV or GitHub Advisory Database but are not discoverable through CPE-based matching.
The False Positive Epidemic
The cumulative effect of these problems is a massive false positive rate. Studies have found that CPE-based vulnerability matching can produce false positive rates of 30-50% or higher, depending on the software ecosystem and the scanner's CPE construction logic.
For security teams, this means that up to half of the vulnerabilities flagged by their scanner do not actually affect their software. The cost is enormous:
- Analyst time wasted on triage: Every false positive requires investigation to confirm it is not real
- Trust erosion: When developers see that half of security findings are bogus, they stop taking any of them seriously
- Remediation misdirection: Teams patch components that are not actually vulnerable while real vulnerabilities go unaddressed
Package URL: A Better Identifier
Package URL (purl) was created to address the limitations of CPE for software package identification. A purl is a structured URL that identifies a package within a specific ecosystem:
pkg:npm/lodash@4.17.21
pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1
pkg:pypi/django@3.2.12
Purls are superior to CPEs for dependency matching because:
- Ecosystem-aware: The package type (npm, maven, pypi) provides context that eliminates vendor ambiguity
- Namespace support: The namespace field handles organizational scoping (
@scope/packagein npm,groupIdin Maven) - Precise identification: Purls map directly to package registry identifiers, not to human-assigned product names
- Qualifier support: Purls can include qualifiers for architecture, OS, and repository URL
The OSV database, GitHub Advisory Database, and many newer vulnerability sources use purls or ecosystem-specific identifiers rather than CPEs. This produces significantly more accurate matching.
Practical Recommendations
Use Multiple Matching Strategies
Do not rely solely on CPE-based matching. Correlate your SBOMs against:
- NVD via CPE: For broad coverage, especially for commercial software
- OSV via purl/ecosystem: For accurate open-source matching
- GitHub Advisory Database: For npm, pip, Maven, and other GitHub-hosted ecosystems
- Vendor advisories: For commercial components with dedicated security teams
Enrich Your SBOMs with Both Identifiers
Your SBOMs should include both CPE and purl identifiers where possible. CPE provides NVD compatibility; purl provides accurate ecosystem matching. Having both gives you the broadest and most accurate vulnerability coverage.
Invest in Triage Automation
Given the false positive rate of CPE matching, automated triage is essential. Build rules that automatically close false positives based on known CPE matching errors, version range analysis, and component-specific context.
Track NVD Data Quality
NVD is improving its data quality, and the NVD CPE dictionary is updated regularly. But improvements are slow, and the backlog of incorrectly assigned CPEs is large. Track the CPEs relevant to your stack and report errors to NVD when you find them.
Consider Reachability Analysis
Even when a vulnerability match is accurate (the right component, the right version), the vulnerable code path might not be reachable from your application. Reachability analysis adds a layer beyond identifier matching that can dramatically reduce false positives.
How Safeguard.sh Helps
Safeguard.sh uses a multi-strategy matching approach that combines CPE-based NVD matching with purl-based matching against OSV, GitHub Advisory Database, and other sources. This produces significantly more accurate results than CPE-only matching.
When false positives are identified, Safeguard.sh records them as VEX statements that persist across scans, so the same false positive is not re-triaged every time. The platform also flags potential CPE matching issues -- cases where the CPE association looks questionable based on the component's purl and ecosystem metadata -- helping your analysts focus their triage effort on the findings most likely to be real.