A fundamental part of the CVE analysis process is to uniquely identify the vulnerable products affected by any given vulnerability. This effort allows consumers of our data to check for known issues for any product they may currently have in their environment (as long as they know the associated product identifier).
The NVD currently uses the CPE 2.3 specifications to accomplish this goal. CPE is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name. For more information regarding CPE and its uses, please refer to the NVD CPE products page. NVD analysts assign applicability statements consisting of CPE match strings to CVEs during the analysis process. These match strings are intended to correlate with CPEs present in the official CPE Dictionary. In the event a CPE does not exist in the CPE Dictionary, NVD staff will submit a request to have them added.
The NVD is always looking to improve on the methodologies it uses. As such SWID is being looked into as a possible replacement for CPE. SWID (Software Identification) Tags are a software product identification specification. SWID tags support automation of software inventory as part of a software asset management (SAM) process, assessment of software vulnerabilities present on a computing device, detection of missing patches, targeting of configuration checklist assessments, software integrity checking, installation and execution allowlists/denylists, and other security and operational use cases. For more information on SWID please refer to the SWID information page.