Hi @Nick Kölliker welcome
This is a great architectural exercise, and in my opinion your instinct to move toward CPE-based matching is the right one.
On CPE-based matching in Jira Assets, it's doable, but you need to go in with realistic expectations. CPE matching sounds precise on paper, but the NVD's CPE data itself is inconsistent, vendors populate it unevenly, and the same product can appear under multiple CPE URIs across different CVE entries. So CPE gets you significantly closer to correctness than free-text, but it doesn't eliminate the need for curation.
Normalizing the product catalog is almost universally the approach teams land on after struggling with direct software-instance-to-CVE matching. The typical working model looks like: Software Instance → Product (with CPE) → CVE. The product catalog becomes your normalization layer. The key discipline is that only the product catalog layer owns CPE identifiers — software instances link to catalog entries, never define their own CPE strings. This makes CPE maintenance tractable.
For CPE version ranges is where the architecture gets painful. NVD expresses vulnerable ranges using versionStartIncluding, versionEndExcluding, etc., and implementing proper semver range logic in ScriptRunner/Groovy is non-trivial. You'll need a dedicated comparison function, and you'll immediately hit edge cases: four-part version strings, non-numeric suffixes like -patch1, OS-specific versioning. Most teams implement a simplified range check that covers ~90% of cases and flag the rest for manual review rather than trying to handle every edge case programmatically.
On automating CPE assignment hybrid is the realistic answer. You can automate CPE lookup against the NVD CPE dictionary API when new products are added, presenting candidates ranked by string similarity, but human confirmation before the CPE is committed to the catalog is strongly advisable. Fully automated CPE assignment without review produces subtle errors that are hard to audit later.
On when to bring in a dedicated scanner is the most important question. The honest answer is that most organizations doing this work in a CMDB eventually integrate a scanner, and the tipping point is usually one of three things: when version-range logic becomes a maintenance burden, when you need authenticated scan data to reliably detect installed versions, or when audit/compliance requirements demand scan evidence rather than CMDB-derived matching. Tools like Tenable, Qualys, and Rapid7 all have Jira integrations that can push findings into Assets as objects, at which point your CMDB model shifts from doing the matching to providing context (ownership, criticality, environment) that enriches scanner findings.
In my experience if your environment is under 500 managed software products and your team has ScriptRunner capacity, the CPE-catalog model is sustainable and worth building, it also forces good CMDB hygiene that pays dividends regardless. If you're looking at thousands of products or need to demonstrate scan coverage to auditors, budget for a scanner integration now and design your Assets schema to receive findings from it rather than generate them internally. The two approaches aren't mutually exclusive; many mature teams run both, using scanner findings to validate their CMDB and CMDB context to prioritize scanner findings.
The architecture you've outlined, product catalog with CPE, software instances linking to catalog entries, ScriptRunner doing the version-range matching, is a solid foundation either way.
This is my opinion from my experience. Hope it helps u
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.