The purl2cpe project is a dataset that contains relations between CPEs (Common Platform Enumeration) and PURLs (Package URL).
The MITRE Corporation's CVE Program mission is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. The program issues CVE IDs to identify newly disclosed vulnerabilities.
NIST's National Vulnerability Database (NVD) analyzes each CVE and, among other things, assigns CPE (Common Platform Enumeration) names to identify the affected products and versions, and publishes the CPE-to-CVE relationships.
PURL (Package URL) is an open specification that standardizes identification and location of software packages/versions in their respective repositories.
While CPEs precisely identify components and versions, they offer no easy way to connect those vulnerable component versions with their respective Open Source repositories. These connections have to be established by human curation.
SCANOSS specializes in Software Composition Analysis and Open Source Intelligence and maintains a dataset that connects PURLs to CPEs. This dataset has now been released as Open Source.
With purl2cpe, it is now easy for anyone to monitor the Open Source packages they use for known vulnerabilities.
There are two main folders in this repo: `data` and `utilities`.

All purl2cpe relationship information is stored in the `data` folder. The information inside it is structured by the CPE `vendor` and `product` fields. Inside the `data` folder there is one sub-folder for each `vendor`, and inside that one sub-folder for each `product` of that vendor. Inside the `product` folder there are two files:

- `cpes.yml` stores all CPEs of that product
- `purls.yml` stores all related PURLs for that product
For example, the path for the `aerospike_server` product from the `aerospike` vendor would be:

```
data/
  aerospike/
    aerospike_server/
      cpes.yml
      purls.yml
```

`cpes.yml`:

```yaml
cpes:
- cpe:2.3:a:aerospike:aerospike_server:4.0.0.1:*:*:*:community:*:*:*
- cpe:2.3:a:aerospike:aerospike_server:4.0.0.6:*:*:*:community:*:*:*
- cpe:2.3:a:aerospike:aerospike_server:4.1.0.1:*:*:*:community:*:*:*
...
```

`purls.yml`:

```yaml
purls:
- pkg:docker/aerospike/aerospike-server
- pkg:github/aerospike/aerospike-server
```
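As an added illustration (not part of this page or of the SCANOSS project's own utilities), the following Python script walks a tree laid out as above, builds a PURL-to-CPE index, and answers the question the dataset exists for: which CPE names correspond to a given PURL at a given version. It uses a deliberately minimal reader for the one-key list shape of `cpes.yml` and `purls.yml` instead of a YAML library, it checks that every CPE really belongs under the vendor/product folder it was found in, and it writes a small constructed sample (the aerospike entries shown above) to a temporary directory so it runs offline. All function names are this example's own.

```python
"""Walk a purl2cpe-style data tree and resolve PURLs to CPE 2.3 names."""
import os
import re
import tempfile

# Constructed sample mirroring data/<vendor>/<product>/{cpes.yml,purls.yml}
# with the aerospike entries shown above. Not a copy of the real dataset.
SAMPLE_CPES_YML = """cpes:
- cpe:2.3:a:aerospike:aerospike_server:4.0.0.1:*:*:*:community:*:*:*
- cpe:2.3:a:aerospike:aerospike_server:4.0.0.6:*:*:*:community:*:*:*
- cpe:2.3:a:aerospike:aerospike_server:4.1.0.1:*:*:*:community:*:*:*
"""
SAMPLE_PURLS_YML = """purls:
- pkg:docker/aerospike/aerospike-server
- pkg:github/aerospike/aerospike-server
"""

# Component order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def build_sample_repo():
    """Write the constructed sample to a temp dir; return its data/ path."""
    root = tempfile.mkdtemp(prefix="purl2cpe-")
    product_dir = os.path.join(root, "data", "aerospike", "aerospike_server")
    os.makedirs(product_dir)
    for name, body in (("cpes.yml", SAMPLE_CPES_YML),
                       ("purls.yml", SAMPLE_PURLS_YML)):
        with open(os.path.join(product_dir, name), "w", encoding="utf-8") as f:
            f.write(body)
    return os.path.join(root, "data")


def read_list_file(path, key):
    """Read the single-key list shape of cpes.yml / purls.yml.

    Deliberately not a general YAML parser: it accepts "<key>:" followed by
    "- value" lines (blank lines and '#' comments ignored) and rejects
    anything else, so an unexpected file fails loudly instead of silently.
    """
    values, saw_key = [], False
    with open(path, encoding="utf-8") as f:
        for lineno, raw in enumerate(f, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line == key + ":":
                saw_key = True
            elif saw_key and line.startswith("- "):
                values.append(line[2:].strip().strip("\"'"))
            else:
                raise ValueError(f"{path}:{lineno}: unexpected line {line!r}")
    if not saw_key:
        raise ValueError(f"{path}: missing top-level key {key!r}")
    return values


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 named components.

    A literal colon inside a component is escaped as backslash-colon, so
    the split must only break on unescaped colons.
    """
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE23_FIELDS, parts[2:]))


def build_index(data_dir):
    """Return {purl: [cpe, ...]} by walking data/<vendor>/<product>/."""
    index = {}
    for vendor in sorted(os.listdir(data_dir)):
        vendor_dir = os.path.join(data_dir, vendor)
        if not os.path.isdir(vendor_dir):
            continue
        for product in sorted(os.listdir(vendor_dir)):
            product_dir = os.path.join(vendor_dir, product)
            cpes_path = os.path.join(product_dir, "cpes.yml")
            purls_path = os.path.join(product_dir, "purls.yml")
            if not (os.path.isfile(cpes_path) and os.path.isfile(purls_path)):
                continue
            cpes = read_list_file(cpes_path, "cpes")
            # The folder names are the CPE vendor/product fields: check it.
            for cpe in cpes:
                c = parse_cpe23(cpe)
                if (c["vendor"], c["product"]) != (vendor, product):
                    raise ValueError(f"{cpe} is filed under {vendor}/{product}")
            for purl in read_list_file(purls_path, "purls"):
                index.setdefault(purl, []).extend(cpes)
    return index


def split_purl(purl):
    """Return (base, version) for a PURL, dropping qualifiers and subpath."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    at = base.rfind("@")
    if at > base.rfind("/"):  # '@' after the name is the version separator;
        return base[:at], base[at + 1:]  # an earlier one is a scoped namespace
    return base, None


def cpes_for_purl(index, purl):
    """CPEs mapped to a PURL; with an @version, keep only that CPE version."""
    base, version = split_purl(purl)
    cpes = index.get(base, [])
    if version is None:
        return list(cpes)
    return [c for c in cpes if parse_cpe23(c)["version"] == version]


if __name__ == "__main__":
    idx = build_index(build_sample_repo())
    for name in cpes_for_purl(idx, "pkg:docker/aerospike/aerospike-server@4.0.0.6"):
        print(name)
```

Run against the real checkout by replacing `build_sample_repo()` with the path to its `data` folder. The version match is a plain string comparison against the CPE `version` component; version-range matching against NVD configurations is a separate step that this dataset does not cover.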
Our automation loads the latest `cpes.yml` files daily (directly from the NVD). That leaves the `purls.yml` relationship data, which is curated by hand and depends on contributions.
If you find a missing or invalid relationship, please do the following:

- Fork the repo
- Update the affected `purls.yml` files
- Create a Pull Request with the details of the update

The PURL2CPE team will review these requests and accept them into the list for everyone to benefit from.
Utilities to help consume this data are located in the `utilities` folder. More details can be found there.