When <category> = “SECURITY”:
Locator Format:
"[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}"
Contextual Example:
cpe:/o:canonical:ubuntu_linux:10.04:-:lts
External Reference Site: https://nvd.nist.gov/cpe
Documentation: https://cpe.mitre.org/files/cpe-specification_2.2.pdf
Locator Format:
"cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4}"
Contextual Example:
cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*
External Reference Site: https://nvd.nist.gov/cpe
Documentation: http://csrc.nist.gov/publications/nistir/ir7695/NISTIR-7695-CPE-Naming.pdf
When <category> = “PACKAGE_MANAGER”:
Locator Format:
group:artifact[:version]
^[^:]+:[^:]+(:[^:]+)?$
Contextual Example:
org.apache.tomcat:tomcat:9.0.0.M4
External Reference Site: http://repo1.maven.org/maven2/
Documentation: https://maven.apache.org
Locator Format:
package@version
^[^@]+@[^@]+$
Contextual Example:
http-server@0.3.0
External Reference Site: https://www.npmjs.com/
Documentation: https://docs.npmjs.com/files/package.json
Locator Format:
package/version
^[^\/]+\/[^\/]+$
Contextual Example:
Microsoft.AspNet.MVC/5.0.0
External Reference Site: https://www.nuget.org/
Documentation: https://docs.nuget.org/
Locator Format:
package#version
^[^#]+#[^#]+$
Contextual Example:
modernizr#2.6.2
External Reference Site: http://bower.io/
Documentation: http://bower.io/docs/api/#install
When <category> = “OTHER”:
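The locator must not contain spaces; any other characters are accepted. Because the format is otherwise unconstrained, tools that consume the locator should treat it as opaque, untrusted text.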