Common Platform Enumeration (CPE) Design - adoptium/adoptium GitHub Wiki

This page describes the Common Platform Enumeration (CPE) format design for Eclipse Temurin.

The design goals include:

  • Adhere to the NIST CPE design specification.
  • Keep it simple.
  • The CPEs and dictionary entries must be in a form that can be generated by scripts, as and when required, from Adoptium's persistent build/repository data.
  • Follow industry convention where applicable.
  • Be able to represent each Temurin release product (i.e. group of artefacts).
  • No need to differentiate JRE and JDKs.
  • Rely on change in product version numbers for differentiation (e.g. respin).

Example: cpe:2.3:a:eclipse:temurin:17.0.8:*:*:*:*:*:*:*

Field Value
URL cpe:2.3
Part a
Vendor eclipse
Product temurin
Version 17.0.8
Update *
Edition *
Language *
SW Edition *
Target SW *
Target HW *
Other *

Legacy example from Java 1.8.0, where the version number did not change with updates:

cpe:2.3:a:eclipse:temurin:1.8.0:u382:*:*:*:*:*:*

Field Value
URL cpe:2.3
Part a
Vendor eclipse
Product temurin
Version 1.8.0
Update u382
Edition *
Language *
SW Edition *
Target SW *
Target HW *
Other *

CPE Directory Submission

The CPEs are submitted to the CPE directory via an XML file listing each product entry. The format of the directory is defined by NIST IR 7697.

The file comprises a set of <cpe-item> elements contained in a <cpe-list>, as follows (pseudo code):

<?xml version='1.0' encoding='UTF-8'?>
<cpe-list xmlns:config="http://scap.nist.gov/schema/configuration/0.1" xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.3" xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3" xmlns:ns6="http://scap.nist.gov/schema/scap-core/0.1" xmlns:meta="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2" xsi:schemaLocation="http://scap.nist.gov/schema/cpe-extension/2.3 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary-extension_2.3.xsd http://cpe.mitre.org/dictionary/2.0 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2 https://scap.nist.gov/schema/cpe/2.1/cpe-dictionary-metadata_0.2.xsd http://scap.nist.gov/schema/scap-core/0.3 https://scap.nist.gov/schema/nvd/scap-core_0.3.xsd http://scap.nist.gov/schema/configuration/0.1 https://scap.nist.gov/schema/nvd/configuration_0.1.xsd http://scap.nist.gov/schema/scap-core/0.1 https://scap.nist.gov/schema/nvd/scap-core_0.1.xsd">

  <cpe-item>
    ...
  </cpe-item>

</cpe-list>

An example Temurin CPE directory definition includes:

  • name: the URL including the OpenJDK version number.
  • title: the Temurin title including the full build description.
  • Version link: to the GitHub release tag.
  • Website and Vendor: Static values to the Adoptium and the Eclipse Foundation websites.
  • cpe23 URL: as defined above.

  <cpe-item name="cpe:/a:eclipse:temurin:17.0.8">
    <title xml:lang="en-US">Eclipse Temurin 17.0.8+7</title>
    <references>
      <reference href="https://github.com/adoptium/temurin17-binaries/releases/tag/jdk-17.0.8%2B7">artifacts</reference>
      <reference href="https://www.adoptium.net/temurin">website</reference>
      <reference href="https://www.eclipse.org/">vendor</reference>
    </references>
    <cpe-23:cpe23-item name="cpe:2.3:a:eclipse:temurin:17.0.8:*:*:*:*:*:*:*"/>
  </cpe-item>

Implementation notes

  • Describe the full list of GA releases available from the Adoptium API. NOTE: this API call will require multiple page requests to get them all.
  • The title would be "Eclipse Temurin " with the substring of the release name following the "jdk-" and preceding the first "+".
  • For JDK8 it will be different, as the version is static "1.8.0" with the update field being the release name following "jdk8u".
    • Ideally this would just be, for example, "u302". However, we have had some respins that result in new releases, so we will need to extend this to include the build number when the string includes a ".", since that is where we annotated the respin identifier, e.g. "jdk8u302-b08.1" becomes "u302-b08.1".
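The following script is an added example, not Adoptium's own generator: it turns release tags into the CPE 2.3 formatted strings of the field tables above and into the <cpe-item> entries of the dictionary format, applying the implementation notes (version before the first "+", static "1.8.0" plus a "u"-prefixed update for JDK 8, build number and respin suffix kept when the tag contains a "."). The sample tags are constructed. Two points are assumptions rather than page content: JDK 8 titles use the tag minus the "jdk" prefix (the page only shows a JDK 17 title), and the URI-binding name for JDK 8 items appends the update component to the page's "cpe:/a:eclipse:temurin:<version>" form.

```python
"""Generate Temurin CPE 2.3 names and CPE dictionary <cpe-item> entries from
release tags, following the design on this page. Added example, not the
project's own script."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Components of a CPE 2.3 formatted string after the 'cpe:2.3' prefix,
# in the order of the field tables above.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

DICT_NS = "http://cpe.mitre.org/dictionary/2.0"
CPE23_NS = "http://scap.nist.gov/schema/cpe-extension/2.3"
XML_NS = "http://www.w3.org/XML/1998/namespace"
ET.register_namespace("", DICT_NS)          # default namespace, as in the <cpe-list> above
ET.register_namespace("cpe-23", CPE23_NS)

# Tag shapes: 'jdk-17.0.8+7' (JDK 9 and later) and 'jdk8u302-b08[.1]' (JDK 8; '.1' marks a respin).
_MODERN_TAG = re.compile(r"^jdk-(?P<version>\d+(?:\.\d+)*)\+(?P<build>\d+)$")
_JDK8_TAG = re.compile(r"^jdk8u(?P<update>\d+)-b(?P<build>\d+)(?P<respin>\.\d+)?$")


def release_fields(tag):
    """Map a release tag to (major, title_suffix, version, update)."""
    m = _MODERN_TAG.match(tag)
    if m:
        version = m.group("version")
        # Title keeps the full build description, as in the page's example item;
        # the CPE version is the substring before the first '+'.
        return version.split(".")[0], tag[len("jdk-"):], version, "*"
    m = _JDK8_TAG.match(tag)
    if m:
        update = "u" + m.group("update")
        if m.group("respin"):
            # Respin: extend the update with the build number and the respin suffix.
            update += "-b" + m.group("build") + m.group("respin")
        # Assumption: JDK 8 titles use the tag minus its 'jdk' prefix.
        return "8", tag[len("jdk"):], "1.8.0", update
    raise ValueError(f"unrecognised release tag: {tag!r}")


def cpe23_name(version, update="*"):
    """Build the CPE 2.3 formatted string; every unset component is '*' (ANY)."""
    values = {"part": "a", "vendor": "eclipse", "product": "temurin",
              "version": version, "update": update}
    return "cpe:2.3:" + ":".join(values.get(f, "*") for f in CPE_FIELDS)


def cpe_uri_name(version, update="*"):
    """URI binding for <cpe-item name=...>; trailing ANY components are dropped.
    Assumption: a JDK 8 update is appended as the fifth component."""
    uri = f"cpe:/a:eclipse:temurin:{version}"
    return uri if update == "*" else f"{uri}:{update}"


def parse_cpe23(cpe):
    """Split a formatted string into the 11 named components; rejects strings
    that do not have exactly 13 colon-separated parts (escaped colons respected)."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def build_cpe_item(tag):
    """Return the <cpe-item> element for one release tag."""
    major, title_suffix, version, update = release_fields(tag)
    item = ET.Element(f"{{{DICT_NS}}}cpe-item", name=cpe_uri_name(version, update))
    title = ET.SubElement(item, f"{{{DICT_NS}}}title")
    title.set(f"{{{XML_NS}}}lang", "en-US")
    title.text = "Eclipse Temurin " + title_suffix
    refs = ET.SubElement(item, f"{{{DICT_NS}}}references")
    # The release-tag link percent-encodes '+' as %2B, matching the page's example.
    links = (
        (f"https://github.com/adoptium/temurin{major}-binaries/releases/tag/{quote(tag, safe='')}", "artifacts"),
        ("https://www.adoptium.net/temurin", "website"),
        ("https://www.eclipse.org/", "vendor"),
    )
    for href, label in links:
        ET.SubElement(refs, f"{{{DICT_NS}}}reference", href=href).text = label
    ET.SubElement(item, f"{{{CPE23_NS}}}cpe23-item", name=cpe23_name(version, update))
    return item


def render_cpe_list(tags):
    """Serialise a <cpe-list> with one <cpe-item> per tag. Only the namespaces the
    items use are declared; the schema-metadata namespaces of the page's header are omitted."""
    root = ET.Element(f"{{{DICT_NS}}}cpe-list")
    for tag in tags:
        root.append(build_cpe_item(tag))
    ET.indent(root)
    return "<?xml version='1.0' encoding='UTF-8'?>\n" + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample tags: the page's 17.0.8+7 item plus a JDK 8 GA tag and its respin.
    print(render_cpe_list(["jdk-17.0.8+7", "jdk8u302-b08", "jdk8u302-b08.1"]))
```

Running the script prints a complete list; parse_cpe23 is the check to run over each generated name before submission, since a stray colon in a version or update would silently shift every later component.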

NIST Directory API

Once accepted, the Temurin CPEs will be findable via the NIST directory search API, using queries such as

https://services.nvd.nist.gov/rest/json/cpes/1.0?cpeMatchString=cpe:2.3:a:eclipse:temurin

and

https://services.nvd.nist.gov/rest/json/cpes/1.0?cpeMatchString=cpe:2.3:a:eclipse:temurin:17.0.8