Common Platform Enumeration (CPE): Name Format and Description

Following security best practices is essential to maintaining the security of IT systems. To this end, several specification languages exist for describing vulnerabilities, testing system state, and expressing security checklists. But descriptions of vulnerabilities and configuration best practices have greater utility when all participants share common names for the entities described. Further, use of consistent and meaningful names can speed application, foster interoperability, improve correlation of test results, and ease gathering of metrics. Today, a popular and widespread naming scheme exists for vulnerabilities; the Common Vulnerabilities and Exposures (CVE) naming scheme is widely used for identifying and describing IT system vulnerabilities. A somewhat similar scheme has been recently introduced for secure configuration best practices: the Common Configuration Enumeration (CCE). This note describes a structured naming scheme for IT systems, platforms, and packages: the Common Platform Enumeration (CPE). It is based on the generic syntax for Uniform Resource Identifiers. The CPE specification includes the naming syntax, conventions for constructing CPE Names from product information, a matching algorithm, and an XML schema for binding descriptive and diagnostic information to a name. Using a clear and uniform naming specification, community members will be able to generate names for new IT platforms in a consistent and predictable way.