When a CVE (a vulnerability record) is registered for a product, the CNA that opens the issue assigns the product a name called a CPE. The owner of the product is not always involved, and the name is often not very specific. This causes problems when we try to match the names in our SBOM against the names in the CVE and NVD databases to see whether there are any issues: a "not found" answer can mean either "product not found" or "product found, but no CVEs reported" - which is confusing.
The community is heading towards PURL (package URL) as a name specification. The PURL specification will be standardised by ECMA, spearheaded by OWASP, which is a good step forward. It is an extensible naming scheme that covers a large variety of package ecosystems - NPM, Maven, Linux packaging, crates and more - and it can also be used for projects and products outside of these systems.
Naming is important and we do hope that coming versions of the CVE/NVD will adopt PURLs. Check it out at https://github.com/package-url/purl-spec
As other systems already use PURL, make sure you have PURLs in your SBOM!
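As an added illustration (not from this post or the purl-spec project), the Python below splits a purl into the components the spec defines and shows how a PURL-keyed lookup can separate "package not in the index" from "package known, nothing reported", the ambiguity described above. The vulnerability index, the SBOM entries and the advisory ids are constructed placeholders, and matching is by exact version for brevity.

```python
from urllib.parse import unquote


def parse_purl(purl: str) -> dict:
    """Split a purl into its parts: pkg:type/namespace/name@version?qualifiers#subpath
    (namespace, version, qualifiers and subpath are optional)."""
    if not purl.startswith("pkg:"):
        raise ValueError("purl must start with 'pkg:'")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")      # subpath follows the first '#'
    rest, _, qual_str = rest.partition("?")     # qualifiers follow the first '?'
    version = None
    if "@" in rest:                             # version follows the last '@'
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    ptype, _, rest = rest.partition("/")        # type is the first path segment
    segments = [unquote(s) for s in rest.split("/") if s]
    if not ptype or not segments:
        raise ValueError("purl needs at least a type and a name")
    qualifiers = {}
    for pair in filter(None, qual_str.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)   # qualifier keys are case-insensitive
    return {
        "type": ptype.lower(),                  # type is case-insensitive per the spec
        "namespace": "/".join(segments[:-1]) or None,
        "name": segments[-1],
        "version": version,
        "qualifiers": qualifiers,
        "subpath": unquote(subpath) or None,
    }


# Constructed index: (type, namespace, name) -> {affected version: [advisory ids]}.
# The ids are placeholders, not real advisories.
VULN_INDEX = {
    ("npm", None, "left-pad"): {"1.0.0": ["ADVISORY-EXAMPLE-1"]},
    ("maven", "org.apache.commons", "commons-text"): {"1.9": ["ADVISORY-EXAMPLE-2"]},
    ("pypi", None, "requests"): {},             # known package, nothing reported
}


def lookup(purl: str) -> tuple:
    """Return (status, advisory ids) with three distinct outcomes instead of one 'not found'."""
    p = parse_purl(purl)
    key = (p["type"], p["namespace"], p["name"])
    if key not in VULN_INDEX:
        return ("unknown-package", [])          # the name itself is not in the index
    ids = VULN_INDEX[key].get(p["version"], [])
    return ("vulnerable" if ids else "no-known-issues", ids)
```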
#PURL #SBOM #CVE #NVD #CNA #CyberSecurity #SoftwareTransparency
GitHub - package-url/purl-spec: A minimal specification for purl aka. a package "mostly universal" URL, join the discussion at https://gitter.im/package-url/Lobby