What Is CPE (Common Platform Enumeration)?
CPE (Common Platform Enumeration) is the standardized naming scheme used in vulnerability databases to identify software, operating systems, and hardware — the precise identifier that links a specific product and version to the CVEs that affect it.
Every CVE record references one or more CPE strings to indicate which products are affected. A CPE follows a structured format that names the vendor, product, version, and additional attributes — for example, cpe:2.3:a:openssl:openssl:3.0.0 identifies OpenSSL version 3.0.0. Without a CPE match, a vulnerability scanner cannot connect a finding in your environment to a CVE in the database.
This is how scanners like Tenable, Qualys, and Rapid7 work: they detect installed software, generate CPE strings from what they observe, and look up matching CVEs. But they can only generate CPEs for what their detection methods can see — typically packages reported by the operating system or declared in manifests. They cannot generate a CPE for a library statically linked inside an executable, a dependency vendored into a project's source tree, or a component embedded in firmware. No CPE means no CVE match, which means the vulnerability never appears in the scanner's report — even when it is fully present and exploitable inside the binary.
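The lookup described above, as an added Python example that is not part of the original page and is not any scanner vendor's code: it parses CPE 2.3 formatted strings and matches an inventory against CVE criteria. The CVE id, the example_vendor product, the padding of shortened strings with '*', and the exact-or-wildcard matching rule are assumptions made for illustration.

```python
import re

# The 11 attributes of a CPE 2.3 formatted string, in order, after "cpe:2.3".
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe(cpe):
    """Parse a CPE 2.3 formatted string into a dict keyed by FIELDS."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    # Split on ':' unless it is preceded by a backslash (escaped colon in a value).
    parts = re.split(r"(?<!\\):", cpe)[2:]
    if len(parts) > len(FIELDS) or parts[0] not in ("a", "o", "h"):
        raise ValueError(f"malformed CPE: {cpe!r}")
    # Assumption: shortened strings, like the one on this page, are padded with '*' (ANY).
    parts += ["*"] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, (p.lower() for p in parts)))

def matches(criterion, observed):
    """Simplified rule (assumption): '*' in the criterion matches anything, else equality."""
    c, o = parse_cpe(criterion), parse_cpe(observed)
    return all(c[f] == "*" or c[f] == o[f] for f in FIELDS)

def scan(inventory, cve_index):
    """Return {cve_id: [inventory CPEs it applies to]}; no CPE in inventory, no finding."""
    findings = {}
    for cve_id, criteria in cve_index.items():
        hits = [cpe for cpe in inventory if any(matches(c, cpe) for c in criteria)]
        if hits:
            findings[cve_id] = hits
    return findings

# Constructed sample data: placeholder CVE id and a hypothetical vendor/product.
CVE_INDEX = {"CVE-PLACEHOLDER-0001": ["cpe:2.3:a:openssl:openssl:3.0.0:*:*:*:*:*:*:*"]}
# What a package-based scanner generates: only the OS-reported package.
PACKAGE_VIEW = ["cpe:2.3:a:example_vendor:example_agent:2.1.0"]
# What binary analysis adds: the OpenSSL copy statically linked into that agent.
BINARY_VIEW = PACKAGE_VIEW + ["cpe:2.3:a:openssl:openssl:3.0.0"]

if __name__ == "__main__":
    print("package view:", scan(PACKAGE_VIEW, CVE_INDEX))  # no CPE, so no finding
    print("binary view: ", scan(BINARY_VIEW, CVE_INDEX))
```

Production matching also has to handle version ranges and the full CPE name-matching rules, which this example leaves out.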
NetRise Turbine generates CPE strings directly from the components it identifies in compiled software, including statically linked libraries, vendored dependencies, and other components that traditional scanners cannot see. This enables CVE matching against components that would otherwise be invisible to vulnerability management — closing the gap between what scanners report and what is actually running.
Related Terms
CVE · Vulnerability Management · Binary Composition Analysis · Statically Linked Dependency · NetRise Turbine


