National Vulnerability Database (internals)
There is often a difference between what we call a product (the TKU type) and what NVD calls a product (the NVD type). We have an algorithm described in this documentation to try and map one to the other.
Software instances
The following method is used to map the TKU type to the NVD type for Software Instances and UNIX operating systems. Sometimes the TKU type and NVD type are identical. If they are different, the mappings described in the table below are used.
TKU publisher | NVD publisher |
|---|---|
Apache | Apache Software Foundation |
BMC | BMC Software |
Dell | Dell EMC |
RedHat | Red Hat |
Symantec Veritas | Veritas |
For a single-word TKU type, it might be the NVD type is identical to the TKU type (e.g. a tku_type of OpenLDAP is the same as an NVD type of OpenLDAP). Or it might be the NVD type is the word repeated twice (e.g, a TKU type of Snort is an NVD type of “Snort Snort”).
It is also possible to remove the following words or word pairs from a TKU type to see if it matches an NVD type, for example, the TKU type “HP ServiceGuard Cluster Daemon” is mapped to “HP ServiceGuard” because “cluster” is viewed as a terminating word):
- Administration
- application server
- Agent
- Agents
- Architect
- automation agent
- backup agent
- Client
- cluster
- cluster engine
- collector
- community
- connect
- console
- core
- dashboard
- database server
- design studio
- designer
- development
- enterprise
- Foundation
- gateway
- host agent
- management server
- master
- monitoring agent
- monitoring studio
- node
- on demand
- portal
- proxy
- runtime
- server
- service
- site server
- software
- studio
- supervisor
- universal agent
- web console
- worker
Also, it is recommended to remove “for X” from a TKU type (e.g. TKU type “IBM Content Collector for Microsoft SharePoint” becomes “IBM Content Collector”).
Network Devices operating systems
When the TKU type and NVD type are different, the mappings described in the table below are used.
TKU type | NVD type |
|---|---|
APIC | Application Policy Infrastructure Controller (APIC) |
ASA | Adaptive Security Appliance (ASA) Software |
IOS-XE | IOS XE |
NAM | Prime Network Analysis Module |
Prime Network Analysis Module Software | |
Prime Virtual Network Analysis Module Software | |
PIX | PIX Firewall Software |
WAAS | Wide Area Application Services (WAAS) |
Wide Area Application Services |
The vendor that TKU calls Ubiquiti NVD calls UI.
If the second word of the TKU type is one of the following, it should be removed to see if that leads to a match:
- communications
- corporation
- international
- networks
- packet
- systems
- technology
Also, it is possible to add firmware to the TKU type to see if that leads to a match.
Network Devices and Printers
Publisher mappings
This method is used to map the TKU type to the NVD type for NetworkDevice and Host nodes. Sometimes the TKU type and NVD type are identical. If they are different, the mappings described in the table below are used.
TKU publisher | NVD publisher |
|---|---|
3Com | HP 3Com |
Arista Networks | Arista |
Cisco Systems Avaya | Avaya |
Cisco Systems | Cisco |
F5 Networks | F5 |
Juniper Networks | Juniper |
Dell Inc. | Dell |
Hewlett-Packard | HP |
Lexmark International | Lexmark |
Oracle Corporation Oracle | Oracle |
Oracle Corporation | |
TOSHIBA Corporation | TOSHIBA TEC |
Xerox Corporation | Xerox |
Publisher branding
It is available to add one of the following words as either the first or the second word:
- Switch (e.g. 3Com 4200G 12-Port maps to HP 3Com Switch 4200G)
- Router (e.g. 3Com 6080 maps to HP 3Com Router 6080)
- Series
- Model
There is no need to add the words if the publisher has already used branding, like one of the following:
- Aironet
- BigIron
- BIG-IP
- Catalyst
- Corebuilder
- FastIron
- Meraki
- Minolta
- Nexus
- ProCurve
It is recommended to add "-" at the end of the name, e.g. Lexmark International CX310dn maps to Lexmark CX310 -.
Name mappings
TKU type | NVD type |
|---|---|
Catalyst<space> | WS-C |
Catalyst 1-WS | |
Catalyst 1-WSC | Catalyst<space> |
Corebuilder | CoreBuilder |
CSS | Content Service Switch (CSS) |
FastIron Edge | FES |
\(ISE\-[\w-]+\) | (ISE) |
ISR | Integrated Services Router |
MFP | Multifunction Printer |
PWR<space> | <no value> |
R(\d+) | Router (\d+) |
Super Stack | SuperStack |
Switch | <no value> |
Wireless Controller | Wireless LAN Controller |
WLC |
If the standard mappings fail, the following custom mappings are used:
Publisher | Customer mappings |
|---|---|
Cisco Systems |
|
HP 3Com |
|
HP | Map Hewlett-Packard 9200C Digital Sender to HP Network Printer HP Digital Sender 9200C, and similarly for similar products |
Removal of data
If our mappings do not work, it is necessary to remove the data from the TKU type to get a match to the NVD type.
The following examples show options for changing the TKU type to get matching.
- Cisco Systems Catalyst 3750G-12S-E.
Matching option: Cisco 3750G-12S and Cisco 3750G, similarly for similar TKU types - If Lexmark B2442dw doesn't match
Matching option: Lexmark B2442 - Juniper MAG-2600 doesn't
Matching option: Juniper MAG2600 (not applicable for the model consisting just of numbers, e.g. If the 3Com Corebuilder 9000-4 does not match, the 3Com Corebuilder 90004 is the incorrect option) - Cisco Systems ISR 4331/K9
Matching option: Cisco Systems ISR 4331
If that fails, remove the following words from the TKU type to see if that results in a match:
- access gateway switch
- appliance
- enterprise switch
- gateway
- integrated service router
- integrated services router
- multiservice provisioning platform \(mspp\)
- printer
- series
- server
- switch
- stack
- wireless access point
- wireless controller
- \d+\-port
It is also recommended to add the words mentioned above to the TKU type to see if that results in a match.
CPE Strings for Windows OS
The version 2.2 CPE strings for Windows hosts are manually generated. The fields are the following:
Cpe |
/o |
Microsoft |
Windows_server_<version field from os_version attribute on host>: |
R2 or - (depending on whether R2 is in the os_version field) |
One of · sp<value from host service_pack attribute> · R2 if version is 2003 R2 · Gold if no service_pack attribute and there is a value CPE string that contains gold · Nothing otherwise |
One of · ~~<edition>~~<architecture>~ · ~~~<architecture>~ · <edition>_<architecture> · <edition> |
The CPE 2.3 string and the CPE ID are obtained by mapping the table from the CPE 2.2 string.
CPE ID
If a CPE string is available, get the CPE ID from the web page https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=<cpe string>. Each link on that page is one of the form products/cpe/detail/<cpe id>.