
Regarding the Microsoft Security Update Supersedence and CPE Correspondence Issues

Open JulianEXL opened this issue 3 years ago • 4 comments

Recently, I obtained the Microsoft security update and CVE corresponding data through MSRC API, and encountered the following problems:

The monthly Microsoft update JSON file contains each CVE and remediation patch KBID, and the supersedence KBID. Is there a way to list KBIDs and the KBIDs which they superseded?

The information obtained through the MSRC API includes the product name and product id, but doesn't contain CPE format provided by NVD. Is there a way to match the product name with the CPE format? https://nvd.nist.gov/products/cpe

Ex.: product name vs CPE: Microsoft Exchange Server 2016 Cumulative Update 17 vs cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*

Thanks for the assistance!

JulianEXL, Apr 28 '21 03:04
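For the first question (listing KBs together with the KBs they supersede), here is an added example that is not code from the MSRC API project or from anyone in this thread. It walks a CVRF-style JSON document, indexes every remediation that carries a KB number, and follows the Supercedence field transitively so that a KB's whole replacement chain can be printed. The key names (ProductTree.FullProductName, Vulnerability[].Remediations[], Description.Value, Supercedence, ProductID) are my understanding of the CVRF v2.0 layout; the sample document, KB numbers, CVE ids and product ids are constructed.

```python
import json
import re
from collections import defaultdict, deque

# Constructed sample in the shape of an MSRC CVRF v2.0 JSON document. The key
# names are my understanding of the real API's layout; every KB, CVE and
# product value below is made up.
SAMPLE_CVRF = json.dumps({
    "ProductTree": {"FullProductName": [
        {"ProductID": "11568", "Value": "Windows 10 Version 20H2 for x64-based Systems"},
        {"ProductID": "10816", "Value": "Windows Server 2019"},
    ]},
    "Vulnerability": [
        {"CVE": "CVE-0000-0001", "Remediations": [
            {"Type": 2, "SubType": "Security Update", "ProductID": ["11568"],
             "Description": {"Value": "5001330"}, "Supercedence": "4601319"},
            {"Type": 2, "SubType": "Security Update", "ProductID": ["10816"],
             "Description": {"Value": "5001342"}, "Supercedence": "4601345"},
        ]},
        {"CVE": "CVE-0000-0002", "Remediations": [
            {"Type": 2, "SubType": "Security Update", "ProductID": ["11568"],
             "Description": {"Value": "4601319"}, "Supercedence": "4598242"},
            {"Type": 0, "Description": {"Value": "Disable the service"}},  # workaround, no KB
        ]},
    ],
})


def kb_ids(value):
    """Split a KB field such as '5001330' or '4601319, 4598242' into digit-only ids.
    Splitting on commas is defensive: a field may list more than one KB."""
    return [k for k in re.split(r"[,\s]+", str(value or "")) if k.isdigit()]


def load_supersedence(cvrf_text):
    """Index a CVRF JSON document by KB.

    Returns (supersedes, kb_cves, kb_products, product_names), where
    supersedes[kb] is the set of KBs that `kb` directly replaces."""
    doc = json.loads(cvrf_text)
    product_names = {p["ProductID"]: p["Value"]
                     for p in doc.get("ProductTree", {}).get("FullProductName", [])}
    supersedes, kb_cves, kb_products = defaultdict(set), defaultdict(set), defaultdict(set)
    for vuln in doc.get("Vulnerability", []):
        for rem in vuln.get("Remediations", []):
            # Only entries whose description is a KB number are patches;
            # workarounds and mitigations carry free text and yield no id.
            for kb in kb_ids(rem.get("Description", {}).get("Value")):
                kb_cves[kb].add(vuln["CVE"])
                kb_products[kb].update(rem.get("ProductID", []))
                supersedes[kb].update(kb_ids(rem.get("Supercedence")))
    return supersedes, kb_cves, kb_products, product_names


def superseded_chain(supersedes, kb):
    """Every KB transitively replaced by `kb`, nearest first (cycle-safe BFS)."""
    seen, order, queue = {kb}, [], deque([kb])
    while queue:
        for older in sorted(supersedes.get(queue.popleft(), ())):
            if older not in seen:
                seen.add(older)
                order.append(older)
                queue.append(older)
    return order


def report(cvrf_text):
    """One line per KB: what it fixes, what it installs on, what it retires."""
    supersedes, kb_cves, kb_products, names = load_supersedence(cvrf_text)
    lines = []
    for kb in sorted(kb_cves):
        lines.append("KB%s fixes %s on %s; supersedes %s" % (
            kb, ", ".join(sorted(kb_cves[kb])),
            ", ".join(names.get(p, p) for p in sorted(kb_products[kb])),
            ", ".join("KB" + k for k in superseded_chain(supersedes, kb)) or "nothing"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CVRF)))
```

Feeding a real monthly document (the JSON returned by the MSRC CVRF endpoint) into `report` gives the KB-to-superseded-KB listing asked for above; the BFS in `superseded_chain` matters because a superseded KB may itself appear as a remediation in the same document with its own Supercedence, so the chain is usually longer than one hop.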

Using the MSRC API you get the productname and its CVE. Using additional code, you can then visit for example https://nvd.nist.gov/vuln/detail/CVE-2021-1675 and parse the page to extract CPE. NIST may also have an API to match the product name to its CPE format.

p0w3rsh3ll, Jul 17 '21 15:07

We want to correlate the CVE/CPE from NIST with the CVE/ProductName from the CVRF API, because scanning tools report CVE & installed CPEs, and we want to calculate the KB specific to the product to apply to the devices. Fuzzy matching the product name isn't yielding the best result. For example, values like "Service Pack 1" vs "SP1". I see some of the other vendors have included CPE values as separate fields in the XML/JSON, which works well for us. Can you at least comma separate the segments for product, vendor, version and anything else, in the full product name?

YulerB, Mar 08 '22 13:03
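For the second question (matching MSRC product names to NVD CPE 2.3 names, including the "Service Pack 1" vs "SP1" mismatch just mentioned), here is an added example; it is not code from the MSRC API project or from any commenter. Instead of fuzzy string distance it normalises both sides into a token set (an alias table rewrites "Service Pack N" to "spN", vendor and filler words are dropped, the CPE's vendor, product, version and update fields are split on underscores) and scores candidates by Jaccard overlap, returning no match below a threshold rather than a wrong one. The alias table, stop-word list, threshold and the list of candidate CPEs are my assumptions; the CPE strings are constructed in the CPE 2.3 format shown earlier in the thread.

```python
import re

# Rewrites applied to MSRC product names before tokenising. These are my
# assumptions about how MSRC wording maps onto NVD's version/update fields.
ALIASES = [
    (r"\bservice pack (\d+)\b", r"sp\1"),   # "Service Pack 1" -> "sp1"
    (r"\bx64-based\b", "x64"),
    (r"\bx86-based\b", "x86"),
]
# Filler words that carry no matching signal on either side (assumption).
STOPWORDS = {"microsoft", "for", "based", "systems", "edition", "and"}

# Constructed candidate list; a real one would come from the NVD CPE API.
SAMPLE_CPES = [
    "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*",
    "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*",
    "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*",
    "cpe:2.3:o:microsoft:windows_server_2008:r2:sp2:*:*:*:*:*:*",
]


def _tokens(text):
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t and t not in STOPWORDS}


def name_tokens(product_name):
    """Token set for an MSRC FullProductName value."""
    s = product_name.lower()
    for pattern, repl in ALIASES:
        s = re.sub(pattern, repl, s)
    return _tokens(s)


def cpe_tokens(cpe):
    """Token set for a CPE 2.3 formatted string (vendor, product, version, update)."""
    fields = re.split(r"(?<!\\):", cpe)          # ':' is the separator unless escaped
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %s" % cpe)
    toks = set()
    for field in fields[3:7]:
        if field in ("*", "-"):                  # ANY / NA carry no information
            continue
        toks |= _tokens(field.replace("\\", ""))
    return toks


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def best_cpe(product_name, cpes, threshold=0.8):
    """Return (cpe, score) for the best candidate, or (None, score) when the
    best overlap is below `threshold`; a miss is preferable to a wrong KB."""
    want = name_tokens(product_name)
    scored = sorted(((jaccard(want, cpe_tokens(c)), c) for c in cpes), reverse=True)
    score, cpe = scored[0] if scored else (0.0, None)
    score = round(score, 3)
    return (cpe, score) if score >= threshold else (None, score)


if __name__ == "__main__":
    for name in ("Microsoft Exchange Server 2016 Cumulative Update 17",
                 "Windows Server 2008 R2 Service Pack 1",
                 "Windows 10 Version 20H2 for x64-based Systems"):
        print(name, "->", best_cpe(name, SAMPLE_CPES))
```

The candidate list would normally be populated per vendor from the NVD products (CPE) API rather than by scraping vulnerability pages, and the alias table is the place to encode the remaining vendor-specific wording differences as they are discovered; because the score is a set overlap, near-miss candidates such as a neighbouring cumulative update score visibly lower instead of being silently accepted.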

Up? We are also interested in having CPE in the MSRC update JSON files. Thanks!

MaKyOtOx, Apr 20 '23 08:04

Hi, did you find any approach to match product name vs CPE: Microsoft Exchange Server 2016 Cumulative Update 17 vs cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:* ?

fartak-pooria, Apr 29 '23 06:04