Deprecated Products API

NOTICE

The following documentation describes a deprecated API. Deprecated APIs do not receive updates or product support. Click here to be taken to documentation for the 2.0 API. All users are advised to use the 2.0 API as the 1.0 version will be retired on December 15th, 2023. Click here for more information on the NVD timeline.

Products

The Official CPE Dictionary, is a searchable repository of hardware and software products maintained by the National Vulnerability Database (NVD). The CPE API allows computer applications to access the Official CPE Dictionary and associated vulnerabilities. The purpose of this document is to describe how applications can interact with the CPE web service, version 1.0.

This quickstart assumes that you already understand at least one common programming language and are generally familiar with RESTful JSON services. REST refers to a style of services that allow computers to communicate via HTTP over the Internet. JSON specifies the format of the data returned by the REST service.

The terms product and CPE are used interchangeably throughout this page. CPE means Common Platform Enumeration, version 2.3, a standard for identifying and searching products. For more information, see the naming specification provided by the Computer Security Resource Center. The CPE Name Matching specification provides a method for conducting a one-to-one comparison of a source CPE name to a target CPE name.

Requests

All requests to the API use the HTTP GET method. REST parameters allow you to control and customize which products are returned. The parameters are akin to those found on the NVD product search page.

Retrieve CPE information

The URL stem for retrieving CPE information is shown below.

https://services.nvd.nist.gov/rest/json/cpes/1.0/

Parameters

addOns optional

This parameter is part of the URL query.

cves By default, the response returns all CPE that meet the search criteria. Including addOns=cves adds the vulnerabilities associated with the CPE.

apiKey optional

The API Key provided to the user. Including apiKey={key value}, (without brackets or spaces) allows users to make a greater number of requests in a given time than they could otherwise.

Beginning in September 2022, API keys may also be passed to the 1.0 APIs in the request header. This approach is required with the 2.0 APIs. The exact method of passing header information with a GET request varies based on the user agent.

cpeMatchString optional

This parameter is used to filter products based on the CPE match criteria. The value of cpeMatchString is compared it against the CPE Match Criteria present on all CVE applicability statements. For more information on Common Platform Enumeration (CPE) please visit NIST's Computer Security Resource Center. Examples of CPE match strings are provided below for illustration.

To find CPE names for Microsoft Windows 10, use:

cpes/1.0?cpeMatchString=cpe:2.3:o:microsoft:windows_10

To find CPE names for Microsoft Windows 10, version 1511 use:

cpes/1.0?cpeMatchString=cpe:2.3:o:microsoft:windows_10:1511

To find all CPE names for Microsoft, use:

cpes/1.0?cpeMatchString=cpe:2.3:*:microsoft

includeDeprecated optional

true A deprecated CPE is one that previously appeared in the Official CPE Dictionary but has since been replaced by one or more other CPE. CPE are deprecated for various reasons, such as when the original CPE name is discovered to be incorrect, when a more specific CPE name is added, and when a vendor name or product name evolves. By default, deprecated CPE names are not returned by the web service. includeDeprecated=true adds deprecated CPE to the request.

keyword optional

This parameter is used to retrieve records where a word or phrase is found in the CPE title or reference links.

modStartDate optional

modEndDate optional

These parameters specify a collection of CPE that were last modified during the period. If a CPE has been modified more recently than the specified period it will not be included in the response. If filtering by the modification date, both modStartDate and modEndDate are REQUIRED. Filtering with only one parameter will return a successful response without data. The maximum allowable range when using the date range parameters is 120 consecutive days. Date range parameters are in the form:

yyyy-MM-ddTHH:mm:ss:SSS Z

The T is a literal to separate the date from the time. The Z indicates an offset-from-UTC. If a positive Z value is used (such as +01:00 for Central European Time) then the "+" should be encoded in the request as "%2B". This may be handled automatically by the user agent. An example is provided below showing a +01:00 offset-from-UTC.

https://services.nvd.nist.gov/rest/json/cpes/1.0/?modStartDate=2021-08-04T13:00:00:000 UTC%2B01:00&modEndDate=2021-10-22T13:36:00:000 UTC%2B01:00

resultsPerPage optional

This parameter specifies the maximum number of results that are returned based on the request parameters. The default value is 20. For network considerations, maximum allowable limit is 2,000.

The response content totalResults indicates the number of CPE results that match request parameters. If the value of totalResults is greater than the value of resultsPerPage, the parameter startIndex may be used in subsequent requests to identify the starting point for the request.

startIndex optional

This parameter determines the first CPE in the collection returned by the response. The index is zero-based, meaning the first CPE is at index zero. The response element totalResults indicates the number of CPE results that match request parameters. If the value of totalResults is greater than the value of resultsPerPage, the parameter startIndex may be used in subsequent requests to identify the first CPE for the request.

The best, most efficient, practice for keeping up to date with the NVD is to use the date range parameters in order to request only those CPE that have been published or modified since the last request.

Presently NVD contains more than 325,000 products relating to thousands of vendors and vulnerabilities. Multiple consecutive requests are required to return all available records. Requesting an API key significantly raises the number of requests that can be made in a given time frame. However, NIST firewall rules put in place to prevent denial of service attacks on NVD can thwart your application. To avoid this, it is recommended that your application sleeps for several seconds between requests so that legitimate requests are not denied.

Response

This section describes the response returned by the product API.

Response Body

The products API returns four primary elements in the body of the response: resultsPerPage, startIndex, totalResults, and result.

The first three elements identify how many CPE meet the search criteria and how many CPE have been returned in this response. The element totalResults indicates the number of CPE results that match search criteria. If the value of totalResults is greater than the value of resultsPerPage, then additional requests are necessary to return the remaining CPE. The parameter startIndex may be used in subsequent requests to identify the starting point for the request next. More information and the best practices for using resultsPerPage and startIndex are described above.

The result element contains an array of five additional elements. dataType, feedVersion, cpeCount, and feedTimestamp describe the request while the fifth element cpes contains the CPE.

The following example shows the JSON response to the request:

https://services.nvd.nist.gov/rest/json/cpes/1.0/?cpeMatchString=cpe:2.3:*:microsoft&resultsPerPage=1

		        
	{
		"resultsPerPage": 1,
		"startIndex": 0,
		"totalResults": 5278,
		"result": {
			"dataType": "CPE",
			"feedVersion": "1.0",
			"cpeCount": 5278,
			"feedTimestamp": "2021-08-05T12:34Z",
			"cpes": [
				{
					"deprecated": false,
					"cpe23Uri": "cpe:2.3:a:microsoft:antispyware:-:*:*:*:*:*:*:*",
					"lastModifiedDate": "2007-09-14T17:36Z",
					"titles": [
						{
							"title": "Microsoft antispyware",
							"lang": "en_US"
						}
					],
					"refs": [],
					"deprecatedBy": [],
					"vulnerabilities": []
				}
			]
		}
	}

cpes

At the high-level, each vulnerability in the cpes array can have the following elements:

cpe23Uri required

This element identifies a CPE by the CPE 2.3 Naming specification. The CPE 2.3 Naming specification requires that special charters are preceded by a backslash. When backlashes appear in the JSON syntax of the response they are represented as \\. While the schema requires only the cpe23Uri element to be present, in practice each CPE always contains a lastModifiedDate.

lastModifiedDate required

This element specifies when the CPE was last modified.

deprecated not required

deprecatedBy not required

This element identifies whether the CPE is deprecated. By default, deprecated CPE are not included in the response. The value of this element is either true or false. When deprecated=true, the deprecatedBy element shows one or more other CPE that replace this CPE.

titles not required

This element contains the human-readable, English title for the CPE.

refs not required

This element contains one or more Internet links associated with the CPE. NIST categorizes links using the type elements, e.g., Advisory.

vulnerabilities not required

This element identifies the vulnerabilities associated with the CPE. By default, vulnerabilities are not included in the response. Including the optional query parameter addOns=cves adds the vulnerabilities associated with the CPE.

Questions, comments, or concerns may be shared with the NVD by emailing nvd@nist.gov

Created September 20, 2022 , Updated September 11, 2023

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database