- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-18-2022 02:00 PM
Hi all,
We are looking to use VCR rules to classify our vulnerabilities (platform vs application). We want to use the Common Platform Enumeration (CPE) in the VCR rule condition. The following is an example how I want to build out a VCR rule to classify vulnerabilities as an application.
All of these conditions must be met:
CPE contains cpe:/a
Set these values:
Classification = Application
Classification Type = Other
Problem is the CPE data doesnt seem to be available to select from in the condition. Am I missing it or is this not an option? I can see the CPE data in the Tenable System Import sets, but CPE is not being populated in the Third-Party vulnerability entry's or anywhere else that I can see. Is this possible?
Solved! Go to Solution.
- Labels:
-
Vulnerability Response

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-20-2022 07:01 AM
Sidenote: This is so weird, I have had at least three people ask me about CPE in the last week. Anyways....
The CPE data is on the Third-Party Vulnerability Entry table.
So, the CPE's Vendor and Product are copied over to the Third-Party Vulnerability Entry [sn_vul_third_party_entry] (i.e., your Tenable, Rapid7, Qualys, etc. vul library)... but the "Part" (aka Type: a,h,o) is not.
Vote up this idea so we can get the "Part" included in the TPE.
Until then, you will need customization..... the TenableTPEUtil Script Include. Customization should not be taken lightly and must be accounted for in each release.
Basic Steps
- Add a new field to the TPE
- Modify _processCpeData() (In TenableTPEUtil )
- the "obj" variable contains the raw CPE data

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-25-2022 06:14 AM
CPE data ALSO comes in with the Vendor (Qualys, Tenable, Rapid7, etc.) Vulnerability Library (if available) during import. The CPE data is added to the Third-Party Vulnerabilities Entries table in the Vendor and Product fields.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-02-2022 06:59 AM
Thanks all. Hope this becomes available in near future. This is really key to distinguishing os layer vs app layer vulns etc.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-02-2022 07:40 AM
Hi,
You do not need to be an expert in SN scripting to implement this, but you should know what you are doing..... 😉
I am going to assume that you will start in the Dev environment and test, test, and retest. Then promote it through your normal stack and normal testing procedures. I am going to assume that you know about Scoped Apps and Script Includes.
I have done all of the engineering work to figure this out... and it is just two steps:
1. On the table Third-Party Vulnerability Entry [sn_vul_third_party_entry] create a new field called Part [u_part]
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-03-2022 08:22 AM
I can't find that information on the table by dot walking to Third-Party Vulnerability Entry but i do see the fields like vendor, product which I can use but would be difficult to build out the conditions using these two attributes. Also, i cant rely on summary because it may contain multiple keywords.
Your suggestion would be greatly appreciated!

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-03-2022 10:47 AM
You will need to add the 'Third-Party Vulnerability Entry' table to the Classification Group form:
The 'Third-Party Vulnerability Entry' table is where the Vendor and Product fields live.
How to:
1. Edit the System Property:
sn_sec_cmn.classificationTables
2. Add this table to the Value Field:
sn_vul_third_party_entry
It should look like this: