How to Generate CPE information from Software Using Generative AI

Created by Venkat Pothamsetty, Modified on Tue, 9 Apr at 8:47 AM by Venkat Pothamsetty


Step 1: Define the CPE Schema



Below is the schema we used to define a CPE entry for the LLM; the field descriptions explain what a CPE is and give the model some examples.


from typing import List

from instructor import OpenAISchema  # assumed: OpenAISchema and .openai_schema come from the instructor library
from pydantic import Field


class CPEInformation(OpenAISchema):
    """Information about one Common Platform Enumeration (CPE) entry."""

    # The example string was corrected to 13 colon-separated values (the original had 12), to match the description
    cpe_string: str = Field(..., description="CPE entry that identifies a specific instance of software or hardware, starts with cpe:/<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>. A CPE Name is a string of characters comprised of 13 colon separated values that describe a product. In CPE v2.3 the first two values are always 'cpe' and '2.3'. Example: cpe:2.3:a:microsoft:windows_10:1809:*:*:*:*:*:*:* . Give me a list of possible CPEs, so I can exhaustively search. Sometimes vendor and product are the same, etc.")
    # The trailing comma after this Field(...) in the original turned the field into a tuple; removed
    confidence_level: float = Field(..., description="A float value between 0 and 1 indicating the confidence level that this is the correct CPE string")
    reason: str = Field(..., description="The reason for the given confidence level")


class CPEInformations(OpenAISchema):
    """List wrapper, inferred from Step 2, which passes CPEInformations.openai_schema to the model
    and reads the cpe_informations key from the returned function-call arguments."""

    cpe_informations: List[CPEInformation] = Field(..., description="At least 4 candidate CPE entries for the given software")
   



Step 2: Prepare Your Prompt


Prepare the prompt with more examples (the CPE 2.3 naming overview below) and call OpenAI with a slightly higher temperature than usual.


import json


def guess_cpes(sw_name, sw_version):
    # ChatCompletion is the author's own helper around the OpenAI chat API (not shown on this page):
    # it takes the system/user content, temperature and function schemas and exposes the raw response as .completion
    system_content = 'you are an excellent constructor of CVE (Common Vulnerabilities and Exposures) and CPE (Common Platform Enumeration), which involves identifying, naming, and categorizing vulnerabilities and affected software products.'
    cpe_description = """
    you must give at least 4 possible CPE strings. CPE strings are formatted as follows: cpe:/a:vendor:product:version:update:edition:language
    did you give 4 strings ? check yourself, think step by step, and provide the best possible CPE strings based on the information you have.

    CPE Version 2.3
    Brief overviews of the four CPE v2.3 specifications are included below, or go to the Downloads section to download the individual specification documents and a CPE v2.3 reference implementation.

    Naming
    The CPE 2.3 Naming Specification defines standardized methods for assigning names to IT product classes. An example is the following name representing Microsoft Internet Explorer 8.0.6001 Beta:

    wfn:[part="a",vendor="microsoft",product="internet_explorer",
    version="8\\.0\\.6001",update="beta"]

    This method of naming is known as a well-formed CPE name (WFN). It is an abstract logical construction. The CPE Naming Specification defines procedures for binding WFNs to machine-readable encodings, as well as unbinding those encodings back to WFNs. One of the bindings, called a Uniform Resource Identifier (URI) binding, is included in CPE 2.3 for backward compatibility with CPE 2.2 (see the CPE Archive). The URI binding representation of the WFN above is:

    cpe:/a:microsoft:internet_explorer:8.0.6001:beta

    The Official CPE Dictionary published and maintained by NIST contains an authoritative enumeration of CPE names in the URI binding representation.

    The second binding defined in CPE 2.3 is called a formatted string binding. It has a somewhat different syntax than the URI binding, and it also supports additional product attributes. With the formatted string binding, the WFN above can be represented by the following:

    """
    user_content = (
        "your job is to take name, version, vendor and provide 4 possible guesses of cpe based on your knowledge. per specification \n"
        + "\nname:\n" + sw_name
        + "\nversion:\n" + sw_version
        + "\n cpe specification" + cpe_description
    )
    completion = ChatCompletion(
        model='gpt-4-0125-preview',
        system_content=system_content,
        user_content=user_content,
        temperature=0.5,
        functions=[CPEInformations.openai_schema],
    ).completion

    # The model answers through a function call whose arguments are a JSON document shaped like CPEInformations
    cpe_strings = json.loads(completion.choices[0].message.function_call.arguments)["cpe_informations"]
    return cpe_strings
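Before feeding the model's guesses into a vulnerability search, it pays to check that each string is actually a well-formed CPE 2.3 name, since the prompt mixes the URI binding (cpe:/a:...) and the formatted string binding (cpe:2.3:...) and the model may return either, or something truncated. The code below is an added example, not part of the original article or its helper library: it converts URI-binding strings to the 2.3 formatted string, validates the 13-value structure, drops malformed or low-confidence candidates, and collapses duplicates. It assumes the function-call arguments carry a cpe_informations list (the key Step 2 reads) and uses a constructed sample instead of real model output.

```python
import json
import re
from typing import List
from urllib.parse import unquote

# Attribute names that follow "cpe" and "2.3" in a formatted string (11 of the 13 values)
FS_ATTRIBUTES = ("part", "vendor", "product", "version", "update", "edition",
                 "language", "sw_edition", "target_sw", "target_hw", "other")
PART_VALUES = {"a", "h", "o"}  # application, hardware, operating system

# One attribute value: the logical values ANY ("*") or NA ("-"), or a run of alphanumerics,
# "_", ".", "-", the wildcards "*"/"?", and backslash-escaped punctuation.
# Whitespace and an unescaped ":" are never valid inside a value.
_FS_VALUE_RE = re.compile(r"^(?:\*|-|(?:[A-Za-z0-9_.\-]|\\[^A-Za-z0-9\s]|\*|\?)+)$")


def split_fs(cpe: str) -> List[str]:
    """Split on unescaped colons only; a literal ':' inside a value is written '\\:'."""
    return re.split(r"(?<!\\):", cpe)


def fs_errors(cpe: str) -> List[str]:
    """Return the problems found in a CPE 2.3 formatted string (empty list means valid)."""
    parts = split_fs(cpe)
    errors = []
    if len(parts) != 13:
        errors.append(f"expected 13 colon-separated values, found {len(parts)}")
    if parts[:2] != ["cpe", "2.3"]:
        errors.append("must start with cpe:2.3")
    if len(parts) > 2 and parts[2] not in PART_VALUES:
        errors.append(f"part must be one of a/h/o, found {parts[2]!r}")
    for name, value in zip(FS_ATTRIBUTES, parts[2:]):
        if not _FS_VALUE_RE.match(value):
            errors.append(f"{name} value {value!r} is not a valid formatted-string value")
    return errors


def uri_to_fs(cpe_uri: str) -> str:
    """Convert a URI binding (cpe:/part:vendor:product:...) to the 2.3 formatted string.

    Empty URI components mean ANY and become "*"; the four attributes the URI binding lacks
    are set to "*". Percent-encoded characters are decoded and backslash-escaped. The URI
    wildcard encodings (%01, %02) and the packed "~" edition syntax are not handled here.
    """
    if not cpe_uri.startswith("cpe:/"):
        raise ValueError("not a URI binding: " + cpe_uri)
    values = []
    for comp in cpe_uri[len("cpe:/"):].split(":")[:7]:
        if comp == "":
            values.append("*")
            continue
        decoded = unquote(comp)
        values.append(re.sub(r"[^A-Za-z0-9_.\-]", lambda m: "\\" + m.group(0), decoded))
    while len(values) < 11:
        values.append("*")
    return "cpe:2.3:" + ":".join(values)


def normalize_cpe(cpe: str) -> str:
    """Accept either binding and return the formatted string form."""
    return uri_to_fs(cpe) if cpe.startswith("cpe:/") else cpe


def screen_llm_cpes(arguments_json: str, min_confidence: float = 0.5) -> dict:
    """Parse the function-call arguments, normalize and validate every candidate, and keep
    well-formed ones at or above min_confidence (highest confidence first, duplicates merged)."""
    accepted, rejected = [], []
    for item in json.loads(arguments_json)["cpe_informations"]:  # key assumed from Step 2
        raw = item["cpe_string"].strip()
        try:
            cpe = normalize_cpe(raw)
        except ValueError as exc:
            rejected.append({"cpe": raw, "errors": [str(exc)]})
            continue
        errors = fs_errors(cpe)
        confidence = float(item.get("confidence_level", 0.0))
        if not 0.0 <= confidence <= 1.0:
            errors.append(f"confidence_level {confidence} is outside [0, 1]")
        elif confidence < min_confidence:
            errors.append(f"confidence_level {confidence} is below threshold {min_confidence}")
        if errors:
            rejected.append({"cpe": raw, "errors": errors})
        else:
            accepted.append({"cpe": cpe, "confidence": confidence, "reason": item.get("reason", "")})
    unique, seen = [], set()
    for cand in sorted(accepted, key=lambda c: c["confidence"], reverse=True):
        if cand["cpe"] not in seen:  # the URI-binding duplicate collapses onto its 2.3 form
            seen.add(cand["cpe"])
            unique.append(cand)
    return {"accepted": unique, "rejected": rejected}


# Constructed sample in the shape Step 2 parses (not real model output); the last two are malformed
SAMPLE_ARGUMENTS = json.dumps({"cpe_informations": [
    {"cpe_string": "cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*",
     "confidence_level": 0.9, "reason": "matches the WFN example in the prompt"},
    {"cpe_string": "cpe:/a:microsoft:internet_explorer:8.0.6001:beta",
     "confidence_level": 0.8, "reason": "same product in the URI binding"},
    {"cpe_string": "cpe:2.3:a:microsoft:internet_explorer:8.0.6001",
     "confidence_level": 0.6, "reason": "trailing attributes omitted"},
    {"cpe_string": "cpe:2.3:a:microsoft:internet explorer:8.0.6001:*:*:*:*:*:*:*",
     "confidence_level": 0.2, "reason": "vendor and product guessed"},
]})

if __name__ == "__main__":
    print(json.dumps(screen_llm_cpes(SAMPLE_ARGUMENTS), indent=2))
```

Run against the sample, the two well-formed entries collapse into one accepted formatted string with confidence 0.9, while the truncated entry and the one with a space in the product name are returned under rejected with the reasons, so a pipeline can log what the model got wrong instead of silently searching on a bad name.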




