CPE Scan

About CPE

By registering CPE (Common Platform Enumeration) with FutureVuls, vulnerabilities other than OS packages can be detected.

For an explanation of CPE, please refer to the IPA overview of CPE.

Two types of CPE are defined:

  • URI format (example: cpe:/a:microsoft:internet_explorer:8.0.6001:beta)
  • Formatted String format (example: cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*)

The URI format is called version 2.2, and the Formatted String format is called version 2.3. The amount of information carried does not change; only the notation differs. FutureVuls accepts both the URI and Formatted String formats for registration, but displays only the URI format.
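Since the two formats carry the same attributes, a CPE pasted in either form can be normalized to the URI form that FutureVuls displays. The following is an added example, not FutureVuls code: it parses a 2.2 URI or a 2.3 formatted string into the same 11 attributes, converts between them (including the `~`-packed edition field that the URI form uses for the four 2.3-only attributes), and rejects malformed names, which is useful for vetting a free-text list before bulk registration. The field counts and packing rule follow the NIST CPE 2.3 naming specification; the sample names below are constructed.

```python
import re

ATTRS = ["part", "vendor", "product", "version", "update", "edition", "language",
         "sw_edition", "target_sw", "target_hw", "other"]

def parse_cpe(s: str) -> dict:
    """Parse a 2.2 URI or a 2.3 formatted string; unset ("any") attributes become ''."""
    attrs = dict.fromkeys(ATTRS, "")
    if s.startswith("cpe:2.3:"):
        # Formatted string: exactly 13 colon-separated fields; '\:' is an escaped colon.
        fields = re.split(r"(?<!\\):", s)
        if len(fields) != 13:
            raise ValueError(f"formatted string needs 13 fields: {s}")
        for name, val in zip(ATTRS, fields[2:]):
            attrs[name] = "" if val == "*" else val
    elif s.startswith("cpe:/"):
        # URI: up to 7 fields; edition may pack the four 2.3-only attributes as ~e~sw~tsw~thw~o.
        fields = s[len("cpe:/"):].split(":")
        if len(fields) > 7:
            raise ValueError(f"URI allows at most 7 fields: {s}")
        attrs.update(zip(ATTRS[:7], fields))
        if attrs["edition"].startswith("~"):
            packed = attrs["edition"].split("~")[1:]
            if len(packed) != 5:
                raise ValueError(f"malformed packed edition: {s}")
            attrs.update(zip(ATTRS[5:6] + ATTRS[7:], packed))
    else:
        raise ValueError(f"not a CPE name: {s}")
    if attrs["part"] not in ("a", "o", "h"):
        raise ValueError(f"part must be a, o or h: {s}")
    return attrs

def to_uri(attrs: dict) -> str:
    """Render as the version 2.2 URI (the form FutureVuls displays), trimming trailing empties."""
    ext = [attrs[k] for k in ATTRS[7:]]
    edition = "~" + "~".join([attrs["edition"]] + ext) if any(ext) else attrs["edition"]
    fields = [attrs[k] for k in ATTRS[:5]] + [edition, attrs["language"]]
    while fields and fields[-1] == "":
        fields.pop()
    return "cpe:/" + ":".join(fields)

def to_formatted_string(attrs: dict) -> str:
    """Render as the version 2.3 formatted string, with '*' for unset attributes."""
    return "cpe:2.3:" + ":".join(attrs[k] or "*" for k in ATTRS)

def is_valid_cpe(s: str) -> bool:  # vet one line of a constructed free-text bulk list
    try:
        return bool(parse_cpe(s))
    except ValueError:
        return False
```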

Uses of CPE

By using CPE, vulnerabilities in software that is not managed by a package manager can be detected. For example, vulnerabilities in the following can be detected:

  • Firmware for network devices (e.g. cpe:/h:cisco:12000_router)
  • Commercial middleware such as Oracle Database and Oracle WebLogic
  • Software you compiled from source yourself

It is also possible to do the following, but methods other than CPE scanning are recommended:

Vulnerability DB for CPE Scanning

The main vulnerability DB used for CPE scanning is NVD.

Vulnerabilities in Japanese-made software that are not defined in JVN can also be detected, but there is a possibility of false positives. For details, please refer to Detecting vulnerabilities in Japanese-made software with JVN.

For software under package manager management, it is recommended to use scanner-based scanning instead of CPE scanning. For details, please refer to FAQ/CPE Scan.

Detailed Processing for CPE Scanning

The detection process for CPE scanning is shown in detail below.

[Figure: CPE scan detection flow]

Registering CPE

CPE can be registered from Server > Software > Add CPE.

Currently, there are five ways to register CPE.

1. Register by selecting from pull-down

Register a CPE by selecting the part and vendor from the pull-down menus.

The CPE candidates shown in the pull-down are taken from the NVD database. If the CPE you need does not appear in the pull-down, you can also register it manually.

2. Register by URI or Formatted String

If you already know the CPE name, you can register it by pasting it in either format.

3. Register multiple CPEs from OWASP Dependency Check XML

If you are using OWASP Dependency Check, you can register all of the detected libraries at once from the XML it outputs.

For CPEs that Dependency Check reports with low confidence, please check them again before registering.

4. Register multiple CPEs with free text

If you have multiple CPEs to register, you can paste them as free text and register them all at once.

5. Register via REST API

You can register CPEs from your own program via the REST API. See the API documentation for details.

Pseudo Server

For example, to scan a network device's firmware by CPE, you can add a Pseudo Server (an empty server with no scanner) and register the CPEs on it.

You can create a Pseudo Server from Add Server on the server list. Once created, you can register CPEs from its Software screen just as for a normal server.

After registering CPEs, you can run a scan from the screen to check for vulnerabilities. Pseudo servers are scanned automatically once a day and can also be scanned manually.

CPE scan timing

The timing of CPE scans differs between pseudo servers and other servers.

For normal servers, vulnerabilities in the CPEs associated with the server are detected at the following times:

  • When a manual scan is run from the screen
  • When scan results are uploaded from the scanner

For pseudo servers, they are detected at the following times:

  • When a manual scan is run from the screen
  • When the automatic daily scan runs

The scan time is recorded in “Group settings > Scan history”.

Updating CPEs

Once registered, CPEs can be updated from the screen. By updating a CPE (for example, after upgrading the software to a new version), you can receive alerts for vulnerabilities that were not detected with the previous version of the CPE.

CPEs that have been updated will be scanned automatically the next time the server is scanned.