DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Create Component Inventory from NVD CPE Dictionary #477

Open theCamelCaser opened 5 years ago

theCamelCaser commented 5 years ago

Current Status: If I create a component or import a list of components, I will have the issue that from time to time my vendor name or product name does not fit the NVD writing, or I can't provide a CPE to do an exact matching.

Improvement: You could take the NVD CPE Dictionary file and parse the components listed in this file as a base component list. This would give the ability to choose from those components; you could see it as an input validation lite. In this case I don't have to wonder whether a component without findings really has no vulnerabilities or just could not be found. The system tells me: I can't find this in my list, maybe you should take a closer look.

stevespringett commented 5 years ago

Dependency-Track already breaks apart CPE 2.2 and CPE 2.3 strings into the individual fields that make up the specs when it downloads the CPE dictionary and when it parses CPEs from the CVE feeds.

DT also does the same thing for PURL, which will be a future use case.

It would be rather elementary to create an API that would allow you to query on each of the individual fields that make up a CPE, thus allowing you to construct one. The UI elements, however, would be blocked until after the front-end project is complete. I'm not making any substantial UI changes until that work is done.
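The field-splitting the maintainer describes, and the "input validation lite" lookup the issue asks for, as an added illustration that is not Dependency-Track's own code: it breaks CPE 2.2 URI and CPE 2.3 formatted strings into their named fields (respecting the `\:` escape that CPE 2.3 allows inside values) and checks a component's vendor/product pair against a constructed sample of dictionary entries, suggesting the vendor's known products when the pair is unknown. Percent-decoding of CPE 2.2 URI values is left out.

```python
import re

# Field order of the CPE 2.3 formatted-string binding (NIST IR 7695).
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")
# The CPE 2.2 URI binding carries only the first seven of those fields.
CPE22_FIELDS = CPE23_FIELDS[:7]

# Constructed sample standing in for a few NVD dictionary entries (not real data).
SAMPLE_DICTIONARY = [
    "cpe:2.3:a:apache:tomcat:9.0.1:*:*:*:*:*:*:*",
    "cpe:/a:apache:httpd:2.4.41",
    "cpe:2.3:a:example_vendor:some\\:lib:1.0:*:*:*:*:*:*:*",  # escaped colon
]


def _split_unescaped(s: str) -> list[str]:
    """Split on ':' but not on '\\:' (CPE 2.3 escapes colons inside values)."""
    return re.split(r"(?<!\\):", s)


def parse_cpe(cpe: str) -> dict[str, str]:
    """Parse a CPE 2.2 URI or CPE 2.3 formatted string into named fields.
    Fields absent from a 2.2 URI become '*' (ANY) so both bindings compare alike."""
    if cpe.startswith("cpe:2.3:"):
        parts = _split_unescaped(cpe[len("cpe:2.3:"):])
        if len(parts) != len(CPE23_FIELDS):
            raise ValueError(f"CPE 2.3 string needs 11 fields, got {len(parts)}")
        return {k: v.replace("\\:", ":") for k, v in zip(CPE23_FIELDS, parts)}
    if cpe.startswith("cpe:/"):
        parts = cpe[len("cpe:/"):].split(":")
        if not 1 <= len(parts) <= len(CPE22_FIELDS):
            raise ValueError("CPE 2.2 URI needs between 1 and 7 fields")
        parts += ["*"] * (len(CPE22_FIELDS) - len(parts))
        fields = {k: (v or "*") for k, v in zip(CPE22_FIELDS, parts)}
        fields.update({k: "*" for k in CPE23_FIELDS[7:]})  # 2.3-only fields
        return fields
    raise ValueError("not a CPE 2.2 URI or CPE 2.3 formatted string")


def known_vendor_products(dictionary_cpes) -> set[tuple[str, str]]:
    """Index the (vendor, product) pairs present in the dictionary entries."""
    return {(f["vendor"].lower(), f["product"].lower())
            for f in map(parse_cpe, dictionary_cpes)}


def check_component(vendor: str, product: str, index) -> tuple[bool, list[str]]:
    """Return (found, suggestions): exact match, else the vendor's known products."""
    key = (vendor.lower(), product.lower())
    if key in index:
        return True, []
    return False, sorted(p for v, p in index if v == key[0])
```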