Supported Products
Attestd currently covers eight software products. Coverage is intentionally narrow: each product in the set has low sentinel rates in NVD, well-maintained CPE records, and enough historical CVE data to produce reliable synthesis output.
Pass the exact slug shown below as the product parameter. Product names are normalized to lowercase with spaces replaced by underscores, so Apache Log4j and log4j resolve to the same record.
log4j
Java logging library from the Apache Software Foundation. Covers both the 1.x and 2.x release families, each tracked under separate NVD CPE namespaces.
JVM applications, enterprise middleware, Elasticsearch
nginx
HTTP server and reverse proxy. CVE coverage spans pre- and post-F5 acquisition records, merged across two NVD vendor namespaces.
Web servers, load balancers, API gateways
apache_httpd
The Apache HTTP Server Project's web server, tracked as apache:http_server in NVD. Coverage includes module-specific vulnerabilities such as mod_proxy and mod_cgi.
Web servers, shared hosting infrastructure
openssh
OpenBSD's SSH implementation. The portable suffix on version strings (9.2p1, 9.3p2) is stripped before comparison against NVD version ranges.
Remote administration, server fleets, network devices
microsoft_exchange
Microsoft's on-premises mail server. Version strings using CU notation (Exchange 2019 CU14) are normalized before range comparison.
Enterprise email infrastructure, hybrid Office 365 deployments
vmware_esxi
VMware's bare-metal hypervisor, tracked as an OS-class CPE (cpe:2.3:o). Version strings using Update notation (7.0 U3) are normalized before comparison.
Virtualization hosts, private cloud infrastructure
postgresql
The PostgreSQL open-source relational database. Coverage includes server-side vulnerabilities and privilege bypass issues in the query engine.
Application databases, analytics workloads
redis
In-memory data structure store. CVE records are merged across two NVD vendor namespaces reflecting the 2021 vendor name change from redislabs to redis.
Caching layers, session stores, message queues
How products are selected
Not every software product produces reliable output from a CPE-based synthesis pipeline. A product must meet all three criteria before it is added:
Sentinel rate below 50%
A sentinel range is an NVD record that names a product as affected but omits version data. High sentinel rates mean the pipeline cannot determine which versions are affected, producing unreliable results. Products with ecosystem-level CVE noise (CMSes, plugin platforms) typically fail this criterion.
At least 10 CVEs with valid version ranges
Products with fewer than 10 usable records produce output that may reflect NVD coverage gaps rather than actual security posture. Thin datasets do not provide enough signal for accurate risk classification.
Complete CPE namespace coverage
When a vendor is acquired or renames itself, NVD may maintain two separate CPE namespaces for the same product. Both must be queried and merged to avoid silently missing historical CVEs. nginx, log4j, and Redis each required this treatment.
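The criteria above can be checked mechanically once the records from every namespace are merged. The sketch below is an added example, not Attestd's pipeline code: the record shape is a simplified assumption modeled on NVD cpeMatch entries, the `redis` CPE product name, CVE ids and version bounds are constructed, and a CVE is counted as a sentinel when none of its matches for the product pins a version or carries a range bound.

```python
# Added illustration, not Attestd code. Record shape is a simplified
# assumption modelled on NVD cpeMatch entries; all sample data is constructed.
RANGE_KEYS = ("versionStartIncluding", "versionStartExcluding",
              "versionEndIncluding", "versionEndExcluding")

def has_version_data(match):
    """True if the CPE pins a version or the match carries a range bound."""
    version = match["criteria"].split(":")[5]   # cpe:2.3:part:vendor:product:version
    return version not in ("*", "-") or any(k in match for k in RANGE_KEYS)

def evaluate(records, namespaces):
    """Merge the given (vendor, product) namespaces, then apply both thresholds."""
    merged = {}                                  # CVE id -> matches, deduplicated
    for rec in records:
        for m in rec["matches"]:
            parts = m["criteria"].split(":")
            if (parts[3], parts[4]) in namespaces:
                merged.setdefault(rec["cve"], []).append(m)
    total = len(merged)
    usable = sum(any(has_version_data(m) for m in ms) for ms in merged.values())
    rate = (total - usable) / total if total else 1.0
    return {"total": total, "usable": usable, "sentinel_rate": rate,
            "eligible": rate < 0.5 and usable >= 10}

def _rec(n, vendor, **bounds):
    cpe = f"cpe:2.3:a:{vendor}:redis:*:*:*:*:*:*:*:*"   # product name assumed
    return {"cve": f"CVE-0000-{n:04d}", "matches": [{"criteria": cpe, **bounds}]}

# Constructed sample: 7 ranged CVEs under the old vendor name, 5 under the new
# one (CVE-0000-0007 appears in both), and 3 sentinels with no version data.
SAMPLE = ([_rec(n, "redislabs", versionEndExcluding="6.0.0") for n in range(1, 8)]
          + [_rec(n, "redis", versionEndExcluding="7.0.0") for n in range(7, 12)]
          + [_rec(n, "redis") for n in range(12, 15)])

if __name__ == "__main__":
    both = {("redislabs", "redis"), ("redis", "redis")}
    print("merged:  ", evaluate(SAMPLE, both))
    print("new only:", evaluate(SAMPLE, {("redis", "redis")}))
```

With only the newer namespace queried, the constructed data yields 5 usable CVEs and fails the 10-CVE threshold; with both namespaces merged it yields 11 and passes.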
Request a product
Coverage expands based on demand. Email support@attestd.io with the product name and your use case. Products with structural NVD data quality problems (high sentinel rates, inconsistent CPE namespaces) cannot be added until those issues are resolved upstream.