Computer Security Resource Center

NISTIR 8085 (DRAFT)

Forming Common Platform Enumeration (CPE) Names from Software Identification (SWID) Tags

Date Published: December 2015
Comments Due: January 8, 2016 (public comment period is CLOSED)
Email Questions to: nistir8060-comments@nist.gov

Author(s)

David Waltermire (NIST), Brant Cheikes (MITRE)

Announcement

This report provides guidance to associate SWID Tags with the CPE specification. The publication is intended as a supplement to NIST Internal Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. NISTIR 8060 shows how SWID tags, as defined by the ISO/IEC 19770-2 standard, support comprehensive software asset management and cybersecurity procedures throughout a software product's deployment lifecycle.

The Common Platform Enumeration (CPE) is a standardized method of naming classes of applications, operating systems, and hardware devices that may be present on computing devices. CPE is one of 11 specifications that are part of the Security Content Automation Protocol (SCAP) Version 1.2. Because CPE names are used extensively in SCAP and in related vulnerability management community use cases (including the National Vulnerability Database, or NVD), CPE names derived from SWID tags are useful for associating SWID tags with vulnerability reports that reference software products that may be vulnerable. NISTIR 8085 supplies a consistent, automatic procedure for forming CPE names using pertinent SWID tag attribute values.

[Note: The email used for providing public comments is the same as the email used for NISTIR 8060.]

Abstract

Keywords

common platform enumeration; software; software asset management; software identification; SWID; CPE; software identification tag

Control Families

Audit and Accountability; Configuration Management; Maintenance; Media Protection; Planning; System and Communications Protection; System and Information Integrity; System and Services Acquisition

Documentation

Publication:
Draft NISTIR 8085

Supplemental Material:
None available

Related NIST Publications:
NISTIR 8060
ITL Bulletin