I wonder how many of you know what these are, at the bottom of (say) a Host node:
or like this, on a SoftwareInstance node:
Well, NIST maintains a National Vulnerability Database that provides a common classification of software in the form of those CPE strings (Common Platform Enumeration is a structured naming scheme in URI format) and CPE IDs.
If you have the Extended Data Pack installed (it used to be a separately licensed entity), you will have the National Vulnerability Database patterns that generate this data. We currently conform to the still-supported CPE version 2.2, although we are looking to update in a future TKU as part of DRDC1-12249.
For my Postgres SI example, you get a link:
which takes you to this list at NIST.
I would be interested to know if anyone is actively using this data, and how. Are you feeding other security analysis tools?
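For anyone feeding these attributes into another tool, here is an added example (not code from this post, from BMC Discovery or from NIST) that splits a CPE 2.2 URI into its components and rebinds it as a CPE 2.3 formatted string, which goes one step beyond the 2.2 format discussed above. The function names are hypothetical and the sample CPE names are constructed.

```python
import re
from urllib.parse import unquote

FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

def parse_cpe22(uri):
    """Split a CPE 2.2 URI into its seven components ('' means ANY)."""
    if not uri.lower().startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[5:].lower().split(":")      # literal colons are percent-encoded
    if len(parts) > len(FIELDS) or parts[0] not in ("a", "o", "h", ""):
        raise ValueError(f"malformed CPE 2.2 URI: {uri!r}")
    parts += [""] * (len(FIELDS) - len(parts))   # trailing components may be omitted
    return dict(zip(FIELDS, parts))

def _fs(raw):
    """Bind one URI component to its CPE 2.3 formatted-string value."""
    if raw in ("", "-"):
        return raw or "*"                   # '' is ANY (*), '-' is NA
    out = []
    for tok in re.findall(r"%[0-9a-f]{2}|.", raw):
        if tok in ("%01", "%02"):           # URI forms of the ? and * wildcards
            out.append("?" if tok == "%01" else "*")
            continue
        ch = unquote(tok)
        # 2.3 leaves letters, digits, '.', '_' and '-' bare; the rest is escaped
        out.append(ch if ch.isalnum() or ch in "._-" else "\\" + ch)
    return "".join(out)

def to_cpe23(uri):
    """Convert a CPE 2.2 URI to a CPE 2.3 formatted string."""
    c = parse_cpe22(uri)
    ed = c["edition"]
    if ed.startswith("~"):   # packed: ~edition~sw_edition~target_sw~target_hw~other
        packed = ed[1:].split("~")
        if len(packed) != 5:
            raise ValueError(f"malformed packed edition: {ed!r}")
    else:
        packed = [ed, "", "", "", ""]
    values = [c["part"], c["vendor"], c["product"], c["version"], c["update"],
              packed[0], c["language"], *packed[1:]]
    return "cpe:2.3:" + ":".join(_fs(v) for v in values)

if __name__ == "__main__":
    # Constructed sample names, not taken from the page
    for name in ("cpe:/a:postgresql:postgresql:9.6",
                 "cpe:/a:hp:insight_diagnostics:7.4.0.1570:-:~~online~win2003~x64~"):
        print(name, "->", to_cpe23(name))
```

Normalising to one form before matching against NVD data avoids misses caused by omitted trailing components or percent-encoded characters.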