By registering CPEs (Common Platform Enumeration) with FutureVuls, vulnerabilities in software other than OS packages can be detected.
For an explanation of CPE, please refer to IPA overview of CPE.
Two CPE formats are defined: the URI format, called version 2.2, and the Formatted String format, called version 2.3. Both carry the same information; only the notation differs. FutureVuls accepts registration in either the URI or the Formatted String format, but displays only the URI format.
By using CPEs, vulnerabilities in software that is not managed by a package manager can be detected. For example, the following vulnerabilities can be detected:
The following is also possible, but methods other than CPE scanning are recommended for it:
The main vulnerability DB used for CPE scanning is NVD.
It is possible to detect vulnerabilities in Japanese-made software that are not defined in JVN, but there is a possibility of false positives. For details, please refer to Detecting vulnerabilities in Japanese-made software with JVN.
For software under package manager management, it is recommended to use scanner-based scanning instead of CPE scanning. For details, please refer to FAQ/CPE Scan.
The detection process for CPE scanning is shown in detail below.
CPE can be registered from
Registering CPE alone does not result in vulnerability detection. The detection process is executed when the server associated with the CPE is scanned.
Currently, there are five ways to register a CPE.
Register a CPE by selecting the part and vendor from pull-down menus.
The CPE candidates that appear in the pull-down are obtained from the NVD database. If no candidate is found in the pull-down, you can also register it manually.
If you know the CPE format, you can register a CPE by pasting its name.
If you use OWASP Dependency Check, you can register the detected libraries in bulk from the XML it outputs.
CPEs that Dependency Check reports with low confidence should be confirmed again before you register them.
If you have multiple CPEs to register, you can paste them in free text and register them.
You can register CPEs from your own program via the REST API. See the documentation for details.
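Because FutureVuls accepts both CPE notations but displays only the URI form, and because the free-text and REST API paths let you submit many CPEs at once, it helps to check a pasted list locally before registering it. The following is an added example, not FutureVuls code: it parses CPE 2.3 formatted strings, validates them, and binds them to CPE 2.2 URIs following the rules of NIST IR 7695 (ANY and NA values, backslash-quoted punctuation, the `*`/`?` wildcards, and packing of the four extended attributes into the 2.2 `edition` component). The sample list at the bottom is constructed for illustration; `check_pasted` and `fs_to_uri` are names chosen here, not FutureVuls API names.

```python
"""Parse CPE 2.3 formatted strings and bind them to CPE 2.2 URIs.

Constructed example, not FutureVuls code. Follows NIST IR 7695 (CPE
Naming 2.3) for the common cases so that a mistyped CPE is rejected
before it is registered anywhere.
"""

ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")
ANY, NA = "*", "-"
UNRESERVED = "-._"   # may appear unquoted in both the 2.3 and 2.2 bindings


def _tokens(val):
    """Yield one character at a time, keeping a backslash with the char it quotes."""
    i = 0
    while i < len(val):
        if val[i] == "\\":
            yield val[i:i + 2]
            i += 2
        else:
            yield val[i]
            i += 1


def parse_fs(fs: str) -> dict:
    """Split 'cpe:2.3:part:...:other' into its 11 attribute values.

    Values keep their backslash quoting so nothing is lost before binding;
    a quoted colon ('\\:') is data, not a separator.
    """
    fields, cur, quoted = [], [], False
    for ch in fs:
        if quoted:
            cur.append("\\" + ch)
            quoted = False
        elif ch == "\\":
            quoted = True
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    if quoted or len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {fs!r}")
    values = dict(zip(ATTRS, fields[2:]))
    if values["part"] not in ("a", "o", "h", ANY, NA):
        raise ValueError(f"invalid part {values['part']!r}")
    for name, val in values.items():
        if val == "":
            raise ValueError(f"empty component {name!r}")
        toks = list(_tokens(val))
        # an unquoted '*' is only a wildcard at the start or end of a value
        if any(t == "*" for t in toks[1:-1]):
            raise ValueError(f"embedded '*' in {name}={val!r}")
    return values


def _bind_value(val: str) -> str:
    """bind_value_for_URI: ANY -> '', NA -> '-', otherwise percent-encode."""
    if val == ANY:
        return ""
    if val == NA:
        return NA
    out = []
    for t in _tokens(val):
        if len(t) == 2:                       # quoted punctuation
            c = t[1]
            out.append(c if c in UNRESERVED else f"%{ord(c):02x}")
        elif t == "*":
            out.append("%02")                 # zero-or-more wildcard
        elif t == "?":
            out.append("%01")                 # single-character wildcard
        elif (t.isascii() and t.isalnum()) or t in UNRESERVED:
            out.append(t)
        else:
            raise ValueError(f"unquoted special character {t!r} in {val!r}")
    return "".join(out)


def fs_to_uri(fs: str) -> str:
    """Bind a CPE 2.3 formatted string to the CPE 2.2 URI that FutureVuls displays."""
    v = parse_fs(fs)
    ext = [_bind_value(v[a]) for a in ("sw_edition", "target_sw", "target_hw", "other")]
    edition = _bind_value(v["edition"])
    if any(ext):
        # 2.3-only attributes are packed into the 2.2 edition component
        edition = "~" + "~".join([edition] + ext)
    comps = [_bind_value(v[a]) for a in ("part", "vendor", "product", "version", "update")]
    comps += [edition, _bind_value(v["language"])]
    return "cpe:/" + ":".join(comps).rstrip(":")   # trailing empty components are dropped


def check_pasted(text: str) -> list:
    """Validate a pasted block of CPEs, one per line ('#' comments and blanks ignored).

    Returns (input, result) pairs; result is the 2.2 URI, or 'ERROR: ...'
    for a line to fix before registering. Lines already in URI form are
    passed through without validation.
    """
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            results.append((line, line if line.startswith("cpe:/") else fs_to_uri(line)))
        except ValueError as e:
            results.append((line, f"ERROR: {e}"))
    return results


SAMPLE = """\
# constructed sample list, not from any real inventory
cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*
cpe:2.3:a:hp:insight_diagnostics:7.4.0.1570:-:*:*:online:win2003:x64:*
cpe:2.3:a:vendor:product:1.0
"""

if __name__ == "__main__":
    for src, res in check_pasted(SAMPLE):
        print(f"{src}\n    -> {res}")
```

The third sample line is rejected because it stops after the version component; a 2.3 formatted string must always carry all eleven attribute values, with `*` standing for "any". Rejecting such lines locally is cheaper than discovering after a scan that a CPE never matched anything.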
For example, if you want to scan the firmware of a network device using CPEs, you can add a Pseudo Server as an empty server and register the CPEs to it. You can create a Pseudo Server from Add Server on the server list. Once created, you can register CPEs from Software just as for a normal server.
Please note that Pseudo Servers are also calculated as one server for pricing purposes, like scan servers.
After registering CPEs, you can run a scan from the screen to check for vulnerabilities. Pseudo servers are scanned automatically every day and can also be scanned manually.
The timing of CPE scans differs between pseudo servers and other servers.
For normal servers, vulnerabilities in the CPEs associated with the server are detected at the following times:
For pseudo servers, the timing is as follows:
The scan time is recorded in “Group settings > Scan history”.
Once registered, CPEs can be updated from the screen. By updating a CPE, you can receive alerts for vulnerabilities that were not detected with the previous version of the CPE.
CPEs that have been updated will be scanned automatically the next time the server is scanned.