bundler-audit
Can product info / CPE be included in output?
Current output includes Name, Version, CVE ID etc., which are great. However, it is very hard to traverse back from the component name and version to the actual product and vendor that they come from. E.g., if you have a gem built with Ruby on Rails 4.1.1, there are quite a few vulnerabilities reported on Rails components like the following, but it's hard to know which ones are from Rails 4.1.1 or other products. Vendor, product and version info will be very useful; a CPE identifier ("cpe:/a:rubyonrails:ruby_on_rails:4.1.1" in this case) would be perfect if possible.
Name: actionpack
Version: 4.1.1
Advisory: CVE-2016-2098
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
Title: Possible remote code execution vulnerability in Action Pack
Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14

Name: actionview
Version: 4.1.1
Advisory: CVE-2016-2097
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4
Title: Possible Information Leak Vulnerability in Action View
Solution: upgrade to ~> 3.2.22.2, >= 4.1.14.2, ~> 4.1.14

Name: activemodel
Version: 4.1.1
Advisory: CVE-2016-0753
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ
Title: Possible Input Validation Circumvention in Active Model
Solution: upgrade to ~> 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Name: activerecord
Version: 4.1.1
Advisory: CVE-2014-3514
Criticality: High
URL: https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
Title: Data Injection Vulnerability in Active Record
Solution: upgrade to ~> 4.0.9, >= 4.1.5
How do we get a CPE? And sorry, what does CPE stand for?
https://nvd.nist.gov/cpe.cfm, but isn't this covered by our framework option?
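One way to do what the issue asks for, as an added example that is not bundler-audit's own code: parse the advisory records shown above and attach vendor, product and a CPE 2.2 URI from a gem-to-product table. The `GEM_PRODUCT` table, the `examplegem` record and the `PLACEHOLDER-0001` advisory are assumptions constructed for illustration; a real implementation would load the mapping from a maintained data source.

```ruby
# Added example, not bundler-audit's own code: map gem name/version in an
# advisory record back to vendor/product and build a CPE 2.2 URI for it.

# Hypothetical mapping (assumption); a real tool would load this from a data source.
GEM_PRODUCT = {
  "actionpack"   => { vendor: "rubyonrails", product: "ruby_on_rails" },
  "actionview"   => { vendor: "rubyonrails", product: "ruby_on_rails" },
  "activemodel"  => { vendor: "rubyonrails", product: "ruby_on_rails" },
  "activerecord" => { vendor: "rubyonrails", product: "ruby_on_rails" },
}.freeze
FIELDS = %w[Name Version Advisory Criticality URL Title Solution].freeze

# Percent-encode anything outside the characters a CPE 2.2 URI component allows.
def cpe_component(value)
  value.to_s.downcase.gsub(/[^a-z0-9._\-~]/) { |c| format("%%%02X", c.ord) }
end

# Parse one record; works whether fields sit on separate lines or run together.
def parse_advisory(text)
  names = FIELDS.join("|")
  pairs = text.scan(/(#{names}):\s*(.*?)(?=\s+(?:#{names}):|\z)/m)
  pairs.each_with_object({}) { |(k, v), h| h[k.downcase.to_sym] = v.strip }
end

# Add vendor, product and cpe keys; all nil when the gem has no product mapping.
def enrich(record)
  meta = GEM_PRODUCT[record[:name]]
  return record.merge(vendor: nil, product: nil, cpe: nil) unless meta
  parts = [meta[:vendor], meta[:product], record[:version]].map { |p| cpe_component(p) }
  record.merge(vendor: meta[:vendor], product: meta[:product], cpe: "cpe:/a:" + parts.join(":"))
end

# Split a whole report into records (each begins with "Name:") and enrich them.
def enrich_report(text)
  text.split(/^(?=Name:)/).map(&:strip).reject(&:empty?).map { |r| enrich(parse_advisory(r)) }
end

# Constructed sample input: the actionpack record from this issue.
SAMPLE_REPORT = <<~TXT
  Name: actionpack
  Version: 4.1.1
  Advisory: CVE-2016-2098
  Criticality: Unknown
  URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
  Title: Possible remote code execution vulnerability in Action Pack
  Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14
TXT

enrich_report(SAMPLE_REPORT).each { |r| puts "#{r[:name]} #{r[:version]} #{r[:advisory]} cpe=#{r[:cpe].inspect}" }
```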