Skip to content

CPE/PURL Assignment#

This page explains how to properly assign and manage the identifiers (CPE/PURL) that FutureVuls requires to detect vulnerabilities and EOL information.

In many cases, FutureVuls automatically detects vulnerabilities based on software version information during a scan. However, for CPE scans and supply chain risk scans, you must explicitly assign an identifier (CPE/PURL) to the software.

CPEs and PURLs are automatically assigned if they are included when a server is registered. If not, you can assign them manually, or for Windows applications, you can enable the auto-assignment setting to have them assigned during a scan.

To help you choose the appropriate method for your situation, this page will explain the following in order:

  1. Distinguishing Between CPE and PURL - First, check which identifier you should assign.
  2. Manual CPE/PURL Assignment - This is the method for manually assigning an identifier to individual software.
  3. Automatic CPE Assignment - This is the method for enabling and managing the feature that automatically assigns CPEs to Windows applications.

Distinguishing Between CPE and PURL#

Item CPE (Common Platform Enumeration) PURL (Package URL)
Primary Purpose Vulnerability detection and some EOL detection EOL detection, license detection, and vulnerability detection
Primary Targets Middleware, commercial products, etc. Mainly OSS libraries, frameworks, etc.
Identifier Example cpe:/a:apache:http_server:2.4.54 pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1
Auto-Assignment When CPE auto-assignment is enabled in Group Settings, CPEs are automatically assigned to Windows software during a scan (disabled by default). For details, see Automatic CPE Assignment. ・Libraries detected by Application Scan / SBOM Import
・Dependent libraries in AWS environments detected by Amazon Inspector (*Requires configuration of Importing Amazon Inspector SBOMs)
・Software registered via GitHub Security Alerts Integration
Cases Requiring
Manual Assignment
・Middleware built from source
・Software installed via an installer (*Some Windows applications can be handled by CPE Auto-Assignment)
・Network devices, IoT devices
・Libraries not automatically detected by scans
Detectable
Information
Vulnerabilities: Linked to vulnerability databases like NVD
EOL: Products listed on vuls-saas/endoflife.date
EOL: Detected by vuls-saas/endoflife.date and FutureVuls' proprietary logic (effective EOL)
Vulnerabilities: Vulnerability information linked to PURLs, such as GHSA
  • If your main goal is vulnerability detection, please assign a CPE (Manual Assignment or Auto-Assignment).
  • While PURLs are automatically assigned to most OSS libraries, manually registering them in the rare case they are not assigned will enable supply chain risk detection.

About Assigning CPE/PURL to OS Packages (Software Type: os)

Even if you assign a CPE or PURL to an OS package (software managed by package managers like rpm, deb, apk, etc.), it will not be used for vulnerability detection.

Vulnerability detection for OS packages is performed using OVAL or Security Trackers provided by Linux distributors, and OS-specific advisories (like Red Hat VEX). These vulnerability databases contain accurate version information that accounts for backporting and are more precise than NVD detection based on CPEs.

If you assign a CPE, the version ranges in NVD do not account for backporting, which will frequently cause false positives. For details, please see "Registering CPEs for OS Packages".

Therefore, assigning CPE/PURL to OS packages has no practical benefit and is not recommended. For OS package vulnerability management, please use scanner-based scans (local scan, remote scan, paste scan, etc.).

Behavior When Both CPE and PURL Are Assigned#

You can assign both a CPE and a PURL to a single piece of software. The order of assignment does not affect the behavior.

The vulnerability detection behavior when both are assigned depends on the software type.

Detection Target CPE only PURL only Both CPE + PURL
Vulnerabilities (NVD, etc.) ✓ (*1)
Vulnerabilities (GHSA, etc.) ✓ (*1)
EOL ✓ (Products on endoflife.date) ✓ (endoflife.date + FutureVuls proprietary logic) ✓ (Both detection methods are enabled)
OSS Licenses
Malicious Packages

Vulnerability Detection for Software Type 'library' (*1)

For software of type library, vulnerability detection works as follows:

If vulnerabilities are detected from both the CPE and the PURL, the vulnerabilities detected via the PURL take precedence, and the vulnerabilities detected via the CPE are disabled. This is because GHSA vulnerability information is more accurate for libraries, and it prevents false positives caused by poorly maintained version range information in NVD.

Vulnerability Detection for Software Types Other Than 'library'

For software types other than library:

  • Detection based on NVD, etc. (CPE-based) will be enabled
  • Detection based on GHSA, etc. (PURL-based) will not be performed

For software other than libraries, such as middleware and commercial products, CPE-based NVD detection is the primary means of vulnerability detection.

EOL Detection Priority

EOL detection methods have a priority, applied in the order of detected by endoflife.date > detected by FutureVuls proprietary logic (effective EOL).

  • Example: If endoflife.date detects "2025-06-30 EOL" and FutureVuls proprietary logic detects "2025-05-30 EOL", even though the FutureVuls logic date is earlier, the endoflife.date of 2025-06-30 will take precedence.

If both a CPE and a PURL are assigned and different EOLs are detected via endoflife.date for both, the earlier EOL date will take precedence.

  • Example: If an EOL of "2025-06-30" is detected via CPE from endoflife.date, and an EOL of "2025-12-31" is detected via PURL from endoflife.date, the earlier date of 2025-06-30 will be used.

When to Assign Both

  • When you want to add EOL, license, and malicious package detection to software (other than library) that already uses CPE for vulnerability detection: Assign a PURL in addition. NVD vulnerability detection will remain active.
  • When you also assign a CPE to a library managed by PURL: NVD vulnerability detection will not be performed, but EOL detection (via endoflife.date) will also be enabled on the CPE side. Assigning a CPE for the purpose of NVD-based vulnerability detection is unnecessary in this case.

Manual CPE/PURL Assignment#

Assigning CPE/PURL to Software#

From the Software tab, click on the target software. You can assign a CPE or PURL from "Assign CPE/PURL" on the details screen.

Assign CPE/PURL

You can choose from the following three methods to register a CPE.

  1. CPE Auto Assignment

    Automatically assigns a CPE to the software based on a verified dictionary.

  2. Assign with Vendor/Product

    Specify the vendor and product names, and the version will be automatically completed. You can choose from the following methods for specification.

    Method Description
    Recommended CPE Select a CPE with high relevance to the software name
    Search CPE Search for CPE candidates and select the version, edition, etc.
    Enter Directly Enter the CPE directly

For Japan-specific software, you can also use JVN as the vulnerability database (Details).

About the Recommendation Feature's Learning Function

The CPE information you assign to software is used to train and improve the accuracy of recommendations. Rest assured that measures are in place to prevent user identification. Terms of Service

To register a PURL, enter the PURL string (e.g., pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1) into the text box. There are no recommendation or search functions like there are for CPEs. For the PURL format, please refer to the PURL spec.

Bulk Assignment to Software#

On the Software tab, you can select multiple pieces of software to which you want to assign a CPE and assign them in bulk from the "Assign CPE" button.

For bulk assignment, you can only select vendor and product names from the recommended candidates. Select the vendor and product to assign from the dropdown menu.

Additionally, a link to the NVD search page is displayed under each vendor/product. By clicking the link, you can check if the corresponding CPE exists in NVD. Use this to help decide whether to collect JVN vulnerability information.

Bulk Assign CPEs Dialog

Deleting Assigned CPE/PURL#

If you want to delete an assigned CPE/PURL, click on the target software in the Software tab and press the delete icon. When an assignment is deleted, all vulnerability information and task information that was detected using that identifier will be deleted. However, if that vulnerability or task is also linked to other software on the same server, it will not be deleted.


Automatic CPE Assignment#

In Windows environments, it is crucial not only to manage the OS's own updates but also to address vulnerabilities in installed third-party products (like Google Chrome, Adobe Acrobat Reader, etc.). However, manually looking up and assigning CPEs for each of these applications is time-consuming and labor-intensive.

The "CPE Auto Assignment" feature uses FutureVuls' proprietary verified CPE dictionary to match with Windows software detected during a scan and automatically assigns the appropriate CPE. This allows you to detect vulnerabilities in Windows third-party products without the tedious manual registration process.

The following sections describe each step in the usage flow and explain how to disable the feature.

1. Enable Automatic CPE Assignment (Group Settings)#

To use this feature, enable "CPE Auto Assignment" in the Group Settings.

  • The default setting for newly created groups is Enabled.
  • The default setting for groups created before the February 2026 release is Disabled.

2. CPE Auto-Assignment via Scanning#

After enabling, CPEs will be automatically assigned during scans based on the verified CPE dictionary.

  • This applies only to Windows software.
  • Software to which a CPE has been manually assigned is not eligible for auto-assignment (manual assignments always take precedence).
flowchart LR
    A[Scan starts] --> B{CPE auto-assignment<br>enabled?}
    B -- No --> I[Proceed to vulnerability detection]
    B -- Yes --> F{"CPE already assigned?<br>(manually, via SBOM, etc.)"}
    F -- Yes --> I
    F -- No --> D{Match in verified<br>CPE dictionary?}
    D -- No --> I
    D -- Yes --> H[Assign verified CPE]
    H --> I

3. Checking CPE Assignment Status (Software List)#

On the Software List screen, you can check the CPE assignment status in the "CPE Assignment Type" column, which is categorized into the following five types.

CPE Assignment Type Description
Auto CPE automatically assigned based on the verified CPE dictionary.
Manual (Verified) Manually assigned CPE matches the recommended CPE from the verified CPE dictionary.
Manual (Mismatch) Manually assigned CPE differs from the recommended CPE in the verified CPE dictionary. A warning icon is displayed on the software details screen, and the recommended CPE can be viewed in a tooltip.
Manual (Not Verified) There is no corresponding entry in the verified CPE dictionary for the manually assigned CPE.
Not assigned No CPE has been assigned.

Filtering by CPE Assignment Type is also supported. For information on screen display and filter operations, please see Software List.

4. Disabling Automatic CPE Assignment for Specific Software#

If you want to exclude specific software from automatic CPE assignment, you can disable it individually. This is useful, for example, when an automatically assigned CPE's version is ANY, which creates a large number of tasks.

  • You can disable it from the Software Details screen, or in bulk by selecting multiple items from the Software List.
  • When disabled, the automatically assigned CPE is removed, and the software will be excluded from auto-assignment in subsequent scans.
  • With the removal of the CPE, related vulnerability information and tasks are also deleted (this behavior is the same as Deleting Assigned CPE/PURL). However, if that vulnerability or task is also linked to other software on the same server, it will not be deleted.

5. Disabling the Automatic CPE Assignment Feature (Group Settings)#

If you wish to disable Automatic CPE Assignment, you can turn it off from the Group Settings.

  • When disabled, no new automatic assignments will occur in subsequent scans.
  • Even when disabled, previously auto-assigned CPEs are kept by default.
  • You can select the "Bulk delete CPEs that were automatically assigned" option to delete all auto-assigned CPEs at once.
  • Performing a bulk deletion will also delete the vulnerability information and tasks associated with the deleted CPEs. However, if that vulnerability or task is also linked to other software on the same server, it will not be deleted.