You are viewing this page in an unauthorized frame window.
This is a potential security issue, you are being redirected to
https://nvd.nist.gov
An official website of the United States government
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
The 1.0 APIs have been retired and are no longer accessible.
Click here for more information on
the retirement timeline.
Products
The Official CPE Dictionary, is a searchable repository of hardware and software products
maintained by the National Vulnerability Database (NVD). The CPE API allows computer applications to access the Official CPE Dictionary and associated
vulnerabilities. The purpose of this document is to describe how applications can interact with the CPE web service, version 1.0.
This quickstart assumes that you already understand at least one common programming language and are generally familiar with RESTful JSON services.
REST refers to a style of services that allow computers to communicate via HTTP over the Internet. JSON specifies the format of the data returned
by the REST service.
The terms product and CPE are used interchangeably throughout this page. CPE means Common Platform Enumeration, version 2.3, a standard for
identifying and searching products. For more information, see the naming specification provided by the
Computer Security Resource Center.
The CPE Name Matching specification provides a method for conducting a
one-to-one comparison of a source CPE name to a target CPE name.
Requests
All requests to the API use the HTTP GET method. REST parameters allow you to control and customize which products are returned. The parameters
are akin to those found on the NVD product search page.
Retrieve CPE information
The URL stem for retrieving CPE information is shown below.
The API Key provided to the user. Including apiKey={key value}, (without brackets or spaces) allows users to make a greater number of requests in a given time than they could otherwise.
Beginning in September 2022, API keys may also be passed to the 1.0 APIs
in the request header. This approach is required with the 2.0 APIs.
The exact method of passing header information with a GET request varies
based on the user agent.
This parameter is used to filter products based on the CPE match criteria. The value of cpeMatchString is compared
it against the CPE Match Criteria present on all CVE applicability statements. For more information on Common Platform Enumeration
(CPE) please visit NIST's Computer
Security Resource Center. Examples of CPE match strings are provided below for illustration.
true
A deprecated CPE is one that previously appeared in the Official CPE Dictionary but has since been replaced by one or more other CPE.
CPE are deprecated for various reasons, such as when the original CPE name is discovered to be incorrect, when a more specific CPE
name is added, and when a vendor name or product name evolves. By default, deprecated CPE names are not returned by the web service.
includeDeprecated=true adds deprecated CPE to the request.
These parameters specify a collection of CPE that were last modified during the period. If a CPE has been modified more recently
than the specified period it will not be included in the response. If filtering by the modification date, both
modStartDate and modEndDate are REQUIRED.
Filtering with only one parameter will return a successful response without data. The maximum allowable range when using
the date range parameters is 120 consecutive days. Date range parameters are in the form:
yyyy-MM-ddTHH:mm:ss:SSS Z
The T is a literal to separate the date from the time. The Z indicates an offset-from-UTC. If a positive Z value is used
(such as +01:00 for Central European Time) then the "+" should be encoded in the request as "%2B". This may be handled
automatically by the user agent. An example is provided below showing a +01:00 offset-from-UTC.
This parameter specifies the maximum number of results that are returned based on the request parameters. The default value is 20.
For network considerations, maximum allowable limit is 2,000.
The response content totalResults indicates the number of CPE results that match request parameters. If the value of
totalResults is greater than the value of resultsPerPage, the parameter startIndex
may be used in subsequent requests to identify the starting point for the request.
This parameter determines the first CPE in the collection returned by the response. The index is zero-based, meaning the first CPE is
at index zero. The response element totalResults indicates the number of CPE results that match request parameters. If
the value of totalResults is greater than the value of resultsPerPage, the parameter startIndex
may be used in subsequent requests to identify the first CPE for the request.
The best, most efficient, practice for keeping up to date with the NVD is to use the date range parameters in order to request only
those CPE that have been published or modified since the last request.
Presently NVD contains more than 325,000 products relating to thousands of vendors and vulnerabilities. Multiple consecutive requests
are required to return all available records. Requesting an API key significantly raises the number of requests that can be made in a
given time frame. However, NIST firewall rules put in place to prevent denial of service attacks on NVD can thwart your application. To
avoid this, it is recommended that your application sleeps for several seconds between requests so that legitimate requests are not denied.
Response
This section describes the response returned by the product API.
The products API returns four primary elements in the body of the response: resultsPerPage, startIndex,
totalResults, and result.
The first three elements identify how many CPE meet the search criteria and how many CPE have been returned in this response. The element
totalResults indicates the number of CPE results that match search criteria. If the value of totalResults is greater
than the value of resultsPerPage, then additional requests are necessary to return the remaining CPE. The parameter startIndex
may be used in subsequent requests to identify the starting point for the request next. More information and the best practices for using resultsPerPage
and startIndex are described above.
The result element contains an array of five additional elements. dataType, feedVersion, cpeCount,
and feedTimestamp describe the request while the fifth element cpes contains the CPE.
The following example shows the JSON response to the request:
This element identifies a CPE by the CPE 2.3 Naming specification.
The CPE 2.3 Naming specification requires that special charters are preceded by a backslash. When backlashes appear in the JSON syntax
of the response they are represented as \\. While the schema requires only the cpe23Uri element to be present, in practice
each CPE always contains a lastModifiedDate.
This element identifies whether the CPE is deprecated. By default, deprecated CPE are not included in the response. The
value of this element is either true or false. When deprecated=true, the deprecatedBy
element shows one or more other CPE that replace this CPE.
This element identifies the vulnerabilities associated with the CPE. By default, vulnerabilities are not included in the
response. Including the optional query parameter addOns=cves adds the vulnerabilities associated with the CPE.
Questions, comments, or concerns may be shared with the NVD by emailing nvd@nist.gov
Created
September 20, 2022,
Updated
August 27, 2024