Vulnerability detection in SBOM via CPE

CPEs provided within an SBOM

When importing an SBOM, the SBOM imported by a user may contain a CPE (Common Platform Enumeration) for each package, which is used to identify vulnerabilities associated with that package as part of the codebase. Although CPE is a standardized format, it gives the user flexibility in how granular the identifier is: attributes such as the OS, ecosystem, or version can each be replaced by a wildcard (*) character, so a single CPE may describe anything from one exact release to every version of a product on every platform.

FOSSA attempts to find the vulnerabilities matching the package(s) based on the CPE provided by the user when generating dependencies for the project. Given that the CPE is user provided and may have a varying level of accuracy, we attempt to match known vulnerabilities on the package but inform the user that the vulnerabilities identified are unverified.
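The effect of wildcard granularity on matching, as an added example that is not FOSSA's code: a minimal CPE 2.3 matcher run over a constructed list of advisories. Advisory ids and CPE values are placeholders, and the parser assumes attribute values contain no escaped colons.

```python
# Added example (not FOSSA's code): how wildcards in a user-supplied CPE widen
# the set of vulnerability records it matches, and why each hit is reported as
# unverified. Advisory ids and CPEs below are constructed placeholders.

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed sample "known vulnerability" records: (placeholder id, affected CPE).
SAMPLE_ADVISORIES = [
    ("ADV-0001", "cpe:2.3:a:example:libwidget:1.2.0:*:*:*:*:*:*:*"),
    ("ADV-0002", "cpe:2.3:a:example:libwidget:1.3.5:*:*:*:*:*:*:*"),
    ("ADV-0003", "cpe:2.3:a:example:libwidget:2.0.0:*:*:*:*:*:*:*"),
    ("ADV-0004", "cpe:2.3:a:other:libwidget:1.2.0:*:*:*:*:*:*:*"),
]


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named attributes.
    Assumption: no escaped ':' characters inside attribute values."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, (p.lower() for p in parts[2:])))


def _attr_matches(a: str, b: str) -> bool:
    # '*' (ANY) matches everything; otherwise require an exact case-folded value.
    return a == "*" or b == "*" or a == b


def match_advisories(user_cpe: str, advisories=SAMPLE_ADVISORIES) -> dict:
    """Return matching advisory ids plus the attributes the user left as wildcards.
    Every match is flagged unverified because the CPE itself is user supplied;
    the wildcard list tells a reviewer how coarse the match actually was."""
    user = parse_cpe(user_cpe)
    wildcards = [f for f in CPE_FIELDS if user[f] == "*"]
    hits = [adv_id for adv_id, adv_cpe in advisories
            if all(_attr_matches(user[f], parse_cpe(adv_cpe)[f]) for f in CPE_FIELDS)]
    return {"matches": hits, "wildcard_attributes": wildcards, "verified": False}


if __name__ == "__main__":
    for cpe in ("cpe:2.3:a:example:libwidget:1.2.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:example:libwidget:*:*:*:*:*:*:*:*",
                "cpe:2.3:a:*:libwidget:*:*:*:*:*:*:*:*"):
        print(cpe, "->", match_advisories(cpe))
```

Pinning the version yields one hit; wildcarding the version pulls in every advisory for the product, and wildcarding the vendor as well pulls in a different vendor's product of the same name.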

Learn more about CPEs at this link from NIST:
https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/cpe

What can I do about CPEs in my SBOM?

As a more accurate alternative to using CPEs within your SBOM, we recommend providing a valid PURL (Package URL) for each package within the SBOM. To automate SBOM generation, integrate your codebase with FOSSA and use our CLI tool to generate an accurate SBOM.