Support for CPE Vendor and Product Names

Previously, Code Insight did not automatically provide the Common Platform Enumeration (CPE) vendor and product names for a given OSS or third-party component as defined in the National Vulnerability Database (NVD); nor did it consistently provide the component's CPE name, which incorporates those vendor and product strings. (The vendor and product properties are what distinguish components that share the same product name.) Users could manually create and manage a custom CPE name for a component, but the format of that name, including its vendor and product strings, was not validated.

Starting in this release, the Code Insight data library (PDL) stores a component’s current CPE name as well as its vendor and product names, as published in the NVD. This information is available in the Code Insight Web UI and public API responses.

Code Insight continues to support custom CPE names for components. Any custom CPE name created before this release is stored in the PDL with null values for the vendor and product strings. For custom CPE names created from this release on, Code Insight validates that the name is in the CPE URI format cpe:/<part>:<vendor>:<product> (where <part> is a, o, or h for application, operating system, or hardware), so that the component's vendor and product strings can be extracted from the name and stored in the PDL.
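As an added example, not Code Insight's own validation code, the following Python shows the check described above: it parses a CPE name, rejects anything that is not well formed or that lacks a concrete vendor and product, and returns the vendor/product pair that would be stored, with a null pair for names that cannot be parsed (the way pre-existing custom names are stored). It goes beyond the cpe:/ URI form in the text by also accepting the CPE 2.3 formatted string that the NVD publishes today, including its backslash escaping. All function names and sample CPE names are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Added example (not Code Insight code). Parses the two CPE name bindings the
# NVD publishes and extracts the part/vendor/product fields described above.

_PARTS = {"a", "o", "h"}      # application, operating system, hardware
_LOGICAL = {"*", "-"}         # CPE 2.3 ANY / NA values: not a concrete vendor/product


@dataclass(frozen=True)
class CpeName:
    binding: str              # "2.2" (URI form) or "2.3" (formatted string)
    part: str
    vendor: str
    product: str


def _split_unescaped(s: str, sep: str = ":") -> List[str]:
    """Split s on sep, skipping separators escaped with a backslash (CPE 2.3 rule)."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):     # keep the escape pair intact
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    fields.append("".join(cur))
    return fields


def _unescape23(s: str) -> str:
    """Drop CPE 2.3 backslash escapes, e.g. 'foo\\:bar' -> 'foo:bar'."""
    out: List[str] = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_cpe(name: str) -> CpeName:
    """Validate a CPE name and return its part, vendor and product.

    Accepts the CPE 2.2 URI binding  cpe:/<part>:<vendor>:<product>[:version...]
    and the CPE 2.3 formatted string cpe:2.3:<part>:<vendor>:<product>:<8 more fields>.
    Vendor and product must be present and concrete, since they are the values
    that get stored with the component.  Raises ValueError otherwise.
    """
    if name.startswith("cpe:2.3:"):
        fields = _split_unescaped(name)
        if len(fields) != 13:
            raise ValueError(f"CPE 2.3 string needs 13 fields, got {len(fields)}: {name!r}")
        binding, part, vendor, product = "2.3", fields[2], fields[3], fields[4]
        if vendor in _LOGICAL or product in _LOGICAL:
            raise ValueError(f"vendor and product must be concrete values: {name!r}")
        vendor, product = _unescape23(vendor), _unescape23(product)
    elif name.startswith("cpe:/"):
        fields = name[len("cpe:/"):].split(":")   # 2.2 percent-encodes ':' so no escapes
        if not 3 <= len(fields) <= 7:
            raise ValueError(f"CPE 2.2 URI needs 3..7 components, got {len(fields)}: {name!r}")
        binding, part, vendor, product = "2.2", fields[0], unquote(fields[1]), unquote(fields[2])
    else:
        raise ValueError(f"not a CPE 2.2 URI or CPE 2.3 formatted string: {name!r}")

    if part not in _PARTS:
        raise ValueError(f"part must be one of a/o/h: {name!r}")
    if not vendor or not product:
        raise ValueError(f"vendor and product are required: {name!r}")
    return CpeName(binding, part, vendor.lower(), product.lower())


def is_valid_cpe(name: str) -> bool:
    """The yes/no check a UI validator would run before accepting a custom name."""
    try:
        parse_cpe(name)
        return True
    except ValueError:
        return False


def vendor_product(name: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Vendor/product pair to store; (None, None) when the name cannot be parsed."""
    if name is None or not is_valid_cpe(name):
        return (None, None)
    parsed = parse_cpe(name)
    return (parsed.vendor, parsed.product)


if __name__ == "__main__":
    # Constructed sample names: two well-formed, one with a bad prefix, one missing the product
    for n in ["cpe:/a:apache:log4j:2.14.1",
              "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*",
              "cpe://a:apache:log4j",
              "cpe:/a:apache"]:
        print(f"{n:48} valid={is_valid_cpe(n)!s:5} vendor,product={vendor_product(n)}")
```

Note that a `cpe://` prefix is rejected: after stripping `cpe:/` the part field becomes `/a`, which is not one of a, o, or h. That is exactly the kind of malformed name that the earlier, unvalidated custom-name flow would have stored with no usable vendor or product.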

Users can delete NVD-published CPE names and, as before, custom CPE names for a given component. (Deletion removes the CPE name from the component's entry in the PDL.)

The following is a summary of the CPE support changes in this release:

The relevant REST and Java APIs now include component CPE vendor and product names in responses and allow filtering by these names. See API Enhancements to Support CPE Data for details.
Code Insight now validates any new CPE name that a user creates from the Research > Component page in the Code Insight Web UI to ensure that the name uses the proper format.