Hi all,

Can someone please help me understand why some of the products have both CPE entries with a version and general ones (with no version etc., just the first 3 components), and some have only CPE entries with versions? Is this intentional?

  • cpe:/a:3com:3c16115-us

and also

  • cpe:/a:3com:3c16115-us:2.01

are both in the dictionary,

  • cpe:/a:apache:nutch

is not in the dictionary, while the following are:

  • cpe:/a:apache:nutch:0.8.1
  • cpe:/a:apache:nutch:0.9

Can I use a left part of a CPE entry as a CPE?

Would it be considered as being CPE compliant if I use such an item as a product on my list?

(It seems so according to the spec http://cpe.mitre.org/specification/archive/version2.2/cpe-specification_2.2.pdf )

E.g. using "cpe:/a:apache:nutch"

If it is acceptable, then what would I use as a title in this case? Is the title not part of the CPE dictionary?

I would like, of course, to use the title that the similar CPEs have without the version (i.e. "Apache Nutch"), but I'm not sure if this would work smoothly in automation in the cases where the title is not exactly the same as the URI components.

My intention is to maintain a products list without versions, editions etc. as a first stage.

Any suggestions from those of the vendors out there that are already CPE-compliant?

Thank you very much,

Stav Kaufman,

Skybox Security
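
The prefix relationship the question turns on, as an added example that is not part of the original post: under CPE 2.2 matching, a shorter name matches every dictionary entry whose leading components agree, so a version-less product name can be resolved against the versioned entries. The dictionary titles and the shared-leading-words title heuristic are assumptions made for illustration, not dictionary behaviour.

```python
# Constructed sample dictionary: URIs are from the post, titles are assumptions.
DICTIONARY = {
    "cpe:/a:3com:3c16115-us": "3Com 3C16115-US",
    "cpe:/a:3com:3c16115-us:2.01": "3Com 3C16115-US 2.01",
    "cpe:/a:apache:nutch:0.8.1": "Apache Nutch 0.8.1",
    "cpe:/a:apache:nutch:0.9": "Apache Nutch 0.9",
}

def parse_cpe22(uri):
    """Split a CPE 2.2 URI into at most seven lowercase components."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    comps = uri[len("cpe:/"):].lower().split(":")
    if len(comps) > 7:
        raise ValueError("too many components: %r" % uri)
    while comps and comps[-1] == "":   # trailing empty components add nothing
        comps.pop()
    return tuple(comps)

def matches(x, k):
    """CPE 2.2 matching: each non-empty component of x equals k's component."""
    if len(x) > len(k):
        return False
    return all(cx == "" or cx == ck for cx, ck in zip(x, k))

def product_name(uri):
    """Left part of a name: part, vendor and product only."""
    return "cpe:/" + ":".join(parse_cpe22(uri)[:3])

def covered_entries(name, dictionary):
    x = parse_cpe22(name)
    return sorted(u for u in dictionary if matches(x, parse_cpe22(u)))

def candidate_title(name, dictionary):
    """Heuristic (assumption): leading words shared by all matched titles."""
    titles = [dictionary[u].split() for u in covered_entries(name, dictionary)]
    if not titles:
        return None
    common = titles[0]
    for words in titles[1:]:
        n = 0
        while n < min(len(common), len(words)) and common[n] == words[n]:
            n += 1
        common = common[:n]
    return " ".join(common) or None

if __name__ == "__main__":
    for name in sorted({product_name(u) for u in DICTIONARY}):
        print(name, name in DICTIONARY, candidate_title(name, DICTIONARY))
```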