Vulnerability Inference
or more specifically, version-based vulnerability inference
Often, you have a piece of software and a version, and need to turn that into a list of vulnerabilities known to exist in the software. A vulnerability "inference" API that accepts a CPE or the requisite vendor/product/version information comes in handy in these cases. Below, we'll walk you through first matching the vendor and product to the Mallory database, then matching vulnerabilities using the known product and version information.
Matching vulnerabilities to a specific version of software is a two-step process. First, you'll want to match your vendor (or publisher) and product name to the Mallory database to get the appropriate vendor and product name. Then, you can use the vulnerable_configurations endpoint to get the list of vulnerable configurations for a given vendor, product and version.
Product Matching
In order to match your own product information against the Mallory database, you can use the following endpoint. This will query the Mallory database for products and vendors that match a given product name or fragment. Multiple results will be returned if multiple products match.
Endpoint to search for products based on search criteria.

Parameters:
- The number of items to skip before starting to collect the result set. Default: 0
- The maximum number of items to return. Default: 100
- Field to sort by - either name, created_at or updated_at. Default: created_at. Pattern: ^(name|created_at|updated_at)$
- Sort order - either asc or desc. Default: desc. Pattern: ^(asc|desc)$

The search criteria for products:
- search_type: The type of search to perform. Options are: 'standard', 'did_you_mean'. Defaults to 'standard'. Default: standard. Example: standard
- cpe: Common Platform Enumeration (CPE) 2.3 string. Overrides type, vendor, and product if provided. Default: null. Example: cpe:2.3:a:vendor:product:1.0:*:*:*:*:*:*:*
- type: The type of the product (e.g., application, operating system). Defaults to 'application'. Default: application. Example: application
- vendor: The vendor of the product. Default: null. Example: ExampleVendor
- product: The name of the product. Default: null. Example: ExampleProduct

Responses:
- Successful Response
- Not found
- Validation Error
POST /v1/products/search HTTP/1.1
Host:
Content-Type: application/json
Accept: */*
Content-Length: 150

{
  "search_type": "standard",
  "cpe": "cpe:2.3:a:vendor:product:1.0:*:*:*:*:*:*:*",
  "type": "application",
  "vendor": "ExampleVendor",
  "product": "ExampleProduct"
}

{
  "total": 1,
  "offset": 1,
  "limit": 1,
  "message": "text",
  "data": [
    {
      "uuid": "text",
      "created_at": "2025-10-23T16:59:32.055Z",
      "updated_at": "2025-10-23T16:59:32.055Z",
      "enriched_at": "2025-10-23T16:59:32.055Z",
      "type": "text",
      "name": "text",
      "description": "text",
      "display_name": "text",
      "website": "text",
      "vendor_name": "text",
      "vendor_display_name": "text",
      "vendor_uuid": "text"
    }
  ]
}

Vulnerability Configuration Set Matching
Now that you know the correct vendor and product to look up, you can use the vulnerable configuration search to identify the vulnerabilities associated with this product and version. A vulnerable configuration set is the group of configurations associated with a given vulnerability. In some cases, a set contains more than one item (such as the underlying OS and hardware); you can use the 'include_set_results' parameter to ensure these are included.
Endpoint to search for vulnerable technology product configuration sets.

Parameters:
- The number of items to skip before starting to collect the result set. Default: 0
- The maximum number of items to return. Default: 100
- Field to sort by - either created_at or updated_at. Default: created_at. Pattern: ^(created_at|updated_at)$
- Sort order - either asc or desc. Default: desc. Pattern: ^(asc|desc)$

The search criteria for vulnerable technology product configuration sets:
- version_match: The method used for version matching. Options are: 'none', 'exact', 'range', 'strict', 'loose'. Defaults to 'exact'. Default: exact. Example: exact
- set_id: Configuration set identifier that groups related CPEs. This corresponds to 'configuration_id' from NVD data. Default: null. Example: abc123def456...
- include_set_results: Whether to include all configuration set members when a match is found. If true, returns all configurations in the same set as matched items. Default: false
- cpe: Common Platform Enumeration (CPE) 2.3 string. If provided, overrides type, vendor, product, and version fields. Default: null. Example: cpe:2.3:a:apache:httpd:2.4.1:*:*:*:*:*:*:*
- cpe_match_id: Unique identifier for a specific CPE configuration. This is different from set_id which groups multiple CPEs. Default: null. Example: 1234567890abcdef...
- cve_id: CVE identifier string to filter by. Default: null. Example: CVE-2024-12345
- vulnerability_id: Database ID of the vulnerability record. Default: null. Example: 12345
- is_vulnerable: Filter by vulnerability status. Default: null. Example: true
- vendor: The vendor/manufacturer of the product. Default: null. Example: apache
- product: The name of the product. Default: null. Example: httpd
- type: The type of the product (a=application, o=operating system, h=hardware). Defaults to 'a' (application) if vendor/product provided without type. Default: null. Example: a
- version: The exact version for 'exact' matching mode. Default: null. Example: 2.4.1
- version_start: Start of version range for 'range' matching mode. Default: null. Example: 2.0.0
- version_end: End of version range for 'range' matching mode. Default: null. Example: 2.9.9
- update: The update/patch version of the product. Default: null. Example: SP1

Responses:
- Successful Response
- Not found
- Validation Error
POST /v1/vulnerable_technology_product_configuration_sets/search HTTP/1.1
Host:
Content-Type: application/json
Accept: */*
Content-Length: 366

{
  "version_match": "exact",
  "set_id": "abc123def456...",
  "include_set_results": false,
  "cpe": "cpe:2.3:a:apache:httpd:2.4.1:*:*:*:*:*:*:*",
  "cpe_match_id": "1234567890abcdef...",
  "cve_id": "CVE-2024-12345",
  "vulnerability_id": 12345,
  "is_vulnerable": true,
  "vendor": "apache",
  "product": "httpd",
  "type": "a",
  "version": "2.4.1",
  "version_start": "2.0.0",
  "version_end": "2.9.9",
  "update": "SP1"
}

{
  "total": 1,
  "offset": 1,
  "limit": 1,
  "message": "text",
  "data": [
    {
      "uuid": "text",
      "created_at": "2025-10-23T16:59:32.055Z",
      "updated_at": "2025-10-23T16:59:32.055Z",
      "enriched_at": "2025-10-23T16:59:32.055Z",
      "set_id": "text",
      "vulnerability_uuid": "123e4567-e89b-12d3-a456-426614174000",
      "technology_product_configuration_uuid": "123e4567-e89b-12d3-a456-426614174000",
      "is_vulnerable": true
    }
  ]
}

Additional Notes
Mallory's database is a superset of the NVD CPE database.
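
The two-step flow described above (product matching, then configuration set matching), chained in one client. This is an added example, not Mallory's own code: BASE_URL is a placeholder because the page leaves Host empty, authentication is not shown on the page and must be added to the transport, and the function names and the `post` parameter are hypothetical.

```python
import json
import urllib.request

BASE_URL = "https://api.example.invalid"  # placeholder: the page leaves Host empty


def http_post(path, body):
    """Default transport: POST JSON, decode the JSON reply (add auth as required)."""
    req = urllib.request.Request(
        BASE_URL + path,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def match_product(vendor, product, post=http_post):
    """Step 1: resolve local vendor/product names to the database's names."""
    reply = post("/v1/products/search",
                 {"search_type": "standard", "vendor": vendor, "product": product})
    hits = reply.get("data", [])
    if not hits:
        return None
    # Several products may match; prefer a case-insensitive exact name match.
    exact = [h for h in hits if h["name"].lower() == product.lower()]
    best = (exact or hits)[0]
    return best["vendor_name"], best["name"]


def infer_vulnerabilities(vendor, product, version, post=http_post):
    """Step 2: vulnerability UUIDs whose configurations match this exact version."""
    matched = match_product(vendor, product, post)
    if matched is None:
        return None  # unknown product: no inference possible, not "zero findings"
    canon_vendor, canon_product = matched
    reply = post("/v1/vulnerable_technology_product_configuration_sets/search", {
        "version_match": "exact",
        "include_set_results": True,
        "vendor": canon_vendor,
        "product": canon_product,
        "version": version,
    })
    found = []
    for row in reply.get("data", []):
        # Keep only rows flagged vulnerable, and report each vulnerability once.
        if row.get("is_vulnerable") and row["vulnerability_uuid"] not in found:
            found.append(row["vulnerability_uuid"])
    return found
```

A `None` result means the product could not be matched and should be triaged separately from an empty list, which means the product was matched and no vulnerable configuration was returned for that version.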