Can a component be added with only a SWID tag? #1440
Our asset management tool only tracks SWID tags, not CPEs. When I create a component with only a SWID tag, there are no vulnerabilities reported. However, if I add the CPE for the component, the vulnerability list is populated. Is the SWID tag merely a reference to the component that cannot stand alone for the purpose of vulnerability lookups? Do any vulnerability mapping services (e.g., NVD) support lookups by SWID? If SWID can't stand alone, is there a way to map them to CPEs (inside or outside DT)?
Replies: 1 comment 1 reply
The NVD has deprecated CPE; however, they have failed to provide any guidance or solutions for supporting SWID as its replacement. Refer to NISTIR 8060. From my understanding, the NVD has SWID mappings for many/most CPEs in the NVD, but they have not yet published it. To my knowledge, there are no sources of vulnerability intelligence that support SWID for component identity. This was expected to occur roughly two years ago with the NVD, but it hasn't yet. There is no way to map SWID (decentralized) to CPE (centralized) currently. The only two identifiers commonly used for vulnerability management purposes are Package URL (purl) and CPE.
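A practical follow-up to the answer above, as an added example that is not part of the original discussion or of Dependency-Track: a small audit that walks a CycloneDX JSON SBOM (the format DT ingests; the `purl`, `cpe` and `swid.tagId` field names are assumed from the CycloneDX component schema) and flags components that carry only a SWID tag, since those will get no vulnerability matches. The SBOM content is constructed for illustration.

```python
import json

# Constructed sample SBOM in CycloneDX JSON shape (not from the discussion above).
# Field names (purl, cpe, swid.tagId) are assumed from the CycloneDX component schema.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libexample", "version": "1.2.3",
         "swid": {"tagId": "example.com-libexample-1.2.3", "name": "libexample"}},
        {"type": "library", "name": "example-lib", "version": "1.0.0",
         "purl": "pkg:maven/org.example/example-lib@1.0.0"},
        {"type": "application", "name": "example_app", "version": "2.0",
         "cpe": "cpe:2.3:a:example:example_app:2.0:*:*:*:*:*:*:*",
         "swid": {"tagId": "example.com-example_app-2.0", "name": "example_app"}},
        {"type": "library", "name": "mystery", "version": "0.1"},
    ],
})

# Per the answer above, purl and CPE are the identifiers vulnerability sources key on.
LOOKUP_IDENTIFIERS = ("purl", "cpe")


def classify_component(component: dict) -> str:
    """Return how a component can be matched against vulnerability data.

    'lookup'    : has a purl and/or CPE, so analyzers can query by identity
    'swid-only' : only a SWID tag; no intelligence source resolves it on its own
    'none'      : no identifier at all; bare name/version is not matchable
    """
    has_lookup = any(component.get(key) for key in LOOKUP_IDENTIFIERS)
    has_swid = bool((component.get("swid") or {}).get("tagId"))
    if has_lookup:
        return "lookup"
    if has_swid:
        return "swid-only"
    return "none"


def audit_bom(bom_json: str) -> dict:
    """Group component names by matchability class for a CycloneDX JSON BOM."""
    bom = json.loads(bom_json)
    report = {"lookup": [], "swid-only": [], "none": []}
    for comp in bom.get("components", []):
        report[classify_component(comp)].append(comp.get("name", "<unnamed>"))
    return report


if __name__ == "__main__":
    for cls, names in audit_bom(SAMPLE_BOM).items():
        print(f"{cls:10s} {', '.join(names) or '-'}")
```

Components in the `swid-only` bucket are the ones to enrich with a purl or CPE before expecting DT to report findings for them.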