CPE Matching Implementation Summary
Overview
We've successfully implemented an automated CPE (Common Platform Enumeration) matching system for Software Instance CIs in the CMDB. The system uses the NVD (National Vulnerability Database) API to find standardized identifiers for software products.
Implementation Details
Components Created:
- softwareInstanceCPEProcessor.js - Main processor with intelligent matching logic
- Bulk processing script - For processing multiple Software Instances
- Test and debug utilities - For testing and improving matches
Key Features:
- Intelligent software name parsing (vendor, product, version extraction)
- Fuzzy matching with scoring algorithm (70% threshold)
- Rate limiting for NVD API (7 seconds between requests without API key)
- Extensive vendor name mapping
- Special handling for Microsoft Visual C++ products
- Audit logging via CIAudit model
Results
Successful Matches:
- RVTools 4.3.1 → Exact match found
- Google Chrome → Matched (though to old version 0.1.42.2)
- Microsoft Visual C++ products → All matched to 2005 SP1
Failed Matches:
- Microsoft Analysis Services OLE DB Provider
- Microsoft Visual Studio Tools for Applications
- ManageEngine products
- Microsoft Help Viewer
Key Findings:
-
NVD Database Limitations:
- Visual C++ CPEs only exist for versions 2005, 2008, and 2010
- No CPEs for newer versions (2013, 2019, 2022)
- Many enterprise software products have no CPE entries
-
Match Rate: Approximately 40% success rate in initial testing
Recommendations
1. Accept NVD Limitations
For products like Visual C++ 2022 that have no exact CPE match:
- Use the closest available CPE (e.g., 2010 for newer versions)
- Store actual version in a separate custom field
- Use for vulnerability scanning with the understanding that manual verification is needed
2. Manual CPE Assignment
For critical software without matches:
- Create a manual CPE assignment interface
- Allow admins to override automatic matches
- Build a local mapping table for common unmatched software
3. Alternative Approaches
Consider supplementing CPE with:
- Software publisher catalogs
- SWID tags (Software Identification Tags)
- Custom software taxonomy for internal use
4. Process Remaining Software
To process the remaining 561 Software Instances:
cd /Volumes/ProjectsCS/killit_v3/backend
node scripts/bulk-process-software-cpe.js --batch-size 10
Note: This will take approximately 10-12 hours due to rate limiting.
5. API Key Registration
For better performance:
- Register for an NVD API key at https://nvd.nist.gov/developers/request-an-api-key
- Set environment variable:
NVD_API_KEY=your-key-here - This increases rate limit from 10 to 100 requests per minute
Next Steps
-
Create Software Hierarchy:
- Software Instance → Software → Software Family
- Use CPE data to populate Software catalog
- Link instances to software products
-
Vulnerability Integration:
- Use CPE matches to query CVE database
- Create vulnerability reports for Software Instances
- Implement automated vulnerability alerts
-
Improve Matching:
- Add more vendor mappings as needed
- Create custom rules for specific software patterns
- Build feedback mechanism to improve matches over time
Usage
Process a Single Software Instance:
const result = await softwareInstanceCPEProcessor.processSoftwareInstance(ciObject);
Bulk Process:
const results = await softwareInstanceCPEProcessor.processBatch(10);
Manual Search:
const cpeMatch = await softwareInstanceCPEProcessor.searchCPE({
fullName: 'Microsoft Office 2019',
parsedVendor: 'microsoft',
parsedProduct: 'office',
parsedVersion: '2019'
});