Hi everyone
we are currently planning to design a CVE integration in Jira Assets (Data Center) based on NVD (NIST) data and would like to validate our architectural approach with the community.
Our goal is not just to import CVEs, but to achieve reliable vulnerability matching between infrastructure assets and CVEs, ideally based on CPE rather than free-text product matching (free-text was our first approach ;)).
- NVD data is imported into a dedicated CVE schema in Assets
- Our CMDB (Assets) contains infrastructure objects and installed software
- Software names are currently not normalized to CPE format
- A ScriptRunner-based matching approach exists, but it relies on vendor/name/version string comparisons
As expected, this leads to:
- false positives
- false negatives
- maintainability concerns
We are considering introducing:
- A normalized product catalog schema
- Storing CPE identifiers per product
- Mapping software instances → product objects → CPE
- Matching CVEs based on CPE and version logic
Before implementing this, we would like to understand:
- Has anyone successfully implemented CPE-based CVE matching in Jira Assets?
- Did you model a separate normalized product catalog?
- How do you handle CPE version ranges?
- Did you automate CPE assignment or maintain it manually?
- At what point did you decide to integrate a dedicated vulnerability scanner instead?
We are aware that Assets is not a native vulnerability management system. Our objective is to understand whether a robust CPE-based model inside Assets is sustainable long-term or whether most organizations move toward integrating a scanner.
Any architectural insights or lessons learned would be highly appreciated.
Thanks in advance!
Nick Kölliker
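As an added illustration of the CPE-plus-version-range matching the post proposes (example code, not from the original post, Jira Assets or ScriptRunner): it parses CPE 2.3 strings, applies NVD-style versionStart/versionEnd bounds, honours the `vulnerable` flag, and reports which CVEs affect an asset's product CPE. Python is used for portability; the same logic would live in a ScriptRunner Groovy script. The `acme` products and CVE records are constructed, and the match-entry shape (`criteria`, `vulnerable`, version bounds) follows the NVD API 2.0 `cpeMatch` layout.

```python
import re

CPE_FIELDS = ('part', 'vendor', 'product', 'version', 'update', 'edition',
              'language', 'sw_edition', 'target_sw', 'target_hw', 'other')

def parse_cpe23(cpe):
    # Split on unescaped ':' only, so escaped values like 'foo\:bar' stay intact
    fields = re.split(r'(?<!\\):', cpe)
    if len(fields) != 13 or fields[:2] != ['cpe', '2.3']:
        raise ValueError(f'not a CPE 2.3 formatted string: {cpe}')
    return dict(zip(CPE_FIELDS, fields[2:]))

def version_key(v):
    # Numeric parts compare as ints, others as text, so '2.4.9' < '2.4.10'
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r'[.\-]', v)]

def in_range(version, m):
    # Optional NVD bounds on a match entry; a missing bound is unbounded on that side
    k = version_key(version)
    checks = (('versionStartIncluding', lambda b: k >= b),
              ('versionStartExcluding', lambda b: k > b),
              ('versionEndIncluding', lambda b: k <= b),
              ('versionEndExcluding', lambda b: k < b))
    return all(ok(version_key(m[key])) for key, ok in checks if key in m)

def cpe_match(asset_cpe, m):
    # One NVD cpeMatch entry: 'criteria' is a CPE 2.3 string (version usually '*')
    if not m.get('vulnerable', True):   # configuration-only node, e.g. the host OS
        return False
    a, c = parse_cpe23(asset_cpe), parse_cpe23(m['criteria'])
    for f in CPE_FIELDS:                # '*' in the criteria matches anything
        if f != 'version' and c[f] != '*' and c[f] != a[f]:
            return False
    if c['version'] != '*':             # criteria pins one exact version
        return version_key(c['version']) == version_key(a['version'])
    return in_range(a['version'], m)

def affected_cves(asset_cpe, cves):
    # Simplification: all match entries of a CVE are OR-ed; real NVD nodes can also AND them
    return sorted(c['id'] for c in cves if any(cpe_match(asset_cpe, m) for m in c['cpe_match']))

# Constructed sample records (placeholder CVE ids, not real advisories)
SAMPLE_CVES = [
    {'id': 'CVE-0000-0001', 'cpe_match': [
        {'criteria': 'cpe:2.3:a:acme:webapp:*:*:*:*:*:*:*:*', 'vulnerable': True,
         'versionStartIncluding': '2.4.0', 'versionEndExcluding': '2.4.10'}]},
    {'id': 'CVE-0000-0002', 'cpe_match': [
        {'criteria': 'cpe:2.3:a:acme:webapp:2.4.9:*:*:*:*:*:*:*', 'vulnerable': True}]},
    {'id': 'CVE-0000-0003', 'cpe_match': [
        {'criteria': 'cpe:2.3:o:acme:server_os:*:*:*:*:*:*:*:*', 'vulnerable': False}]},
]
```

Because the catalog maps each software instance to one product CPE, the free-text vendor/name comparison disappears and only the version logic remains to be maintained.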