Vulnerability Inference

or more specifically, version-based vulnerability inference

Often, you have a piece of software and a version, and need to turn that into a list of vulnerabilities known to exist in the software. Having a vulnerability "inference" api that accepts a CPE or the requisite vendor/product/version information can come in handy in these cases. Below, we'll walk you through the process of first matching the vendor and product to the Mallory database, then matching vulnerabilities using the known product information and the version information.

Vulnerability matching to a specific version of software is a two step process. First, you'll want to match your vendor (or publisher) and product name to the Mallory database to get the appropriate vendor and product name. Then, you can use the vulnerable_configurations endpoint to get the list of vulnerable configurations for a given vendor, product and version.

Product Matching

In order to match your own product information against the Mallory database, you can use the following endpoint. This will query the Mallory database for products and vendors that match a given product name or fragment. Multiple results will be returned if multiple products match.

Search Products

post

Endpoint to search for products based on search criteria.

Query parameters

offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0

limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100

sortstringOptional

Field to sort by - either name, created_at or updated_at

Default: created_atPattern: ^(name|created_at|updated_at)$

orderstringOptional

Sort order - either asc or desc

Default: descPattern: ^(asc|desc)$

Body

The search criteria for products

search_typestringOptional

The type of search to perform. Options are: 'standard', 'did_you_mean'. Defaults to 'standard'.

Default: standardExample: standard

cpeany ofOptional

Common Platform Enumeration (CPE) 2.3 string. Overrides type, vendor, and product if provided.

Default: nullExample: cpe:2.3:a:vendor:product:1.0:*:*:*:*:*:*:*

stringOptional

nullOptional

typeany ofOptional

The type of the product (e.g., application, operating system). Defaults to 'application'.

Default: applicationExample: application

stringOptional

nullOptional

vendorany ofOptional

The vendor of the product.

Default: nullExample: ExampleVendor

stringOptional

nullOptional

productany ofOptional

The name of the product.

Default: nullExample: ExampleProduct

stringOptional

nullOptional

Responses

200

Successful Response

application/json

404

Not found

422

Validation Error

application/json

post

/v1/products/search

POST /v1/products/search HTTP/1.1
Host: 
Content-Type: application/json
Accept: */*
Content-Length: 150

{
  "search_type": "standard",
  "cpe": "cpe:2.3:a:vendor:product:1.0:*:*:*:*:*:*:*",
  "type": "application",
  "vendor": "ExampleVendor",
  "product": "ExampleProduct"
}

{
  "total": 1,
  "offset": 1,
  "limit": 1,
  "message": "text",
  "data": [
    {
      "uuid": "text",
      "created_at": "2026-01-23T15:50:33.823Z",
      "updated_at": "2026-01-23T15:50:33.823Z",
      "enriched_at": "2026-01-23T15:50:33.823Z",
      "type": "text",
      "name": "text",
      "description": "text",
      "display_name": "text",
      "website": "text",
      "vendor_name": "text",
      "vendor_display_name": "text",
      "vendor_uuid": "text"
    }
  ]
}

Vulnerability Configuration Set Matching

Now that you know the correct vendor and product to look up, you can use the vulnerable configuration search to identify associated vulnerabilities for this product and version information. Vulnerable configurations are a set of vulnerable configurations associated with a given vulnerability. In some cases, there is more than one item in a set of vulnerable configurations (such as the underlying OS and Hardware) - you can use the 'include_set_results' parameter to ensure these are included.

Vulnerable Technology Product Configuration Set Search

post

Endpoint to search for vulnerable technology product configuration sets.

Query parameters

offsetintegerOptional

The number of items to skip before starting to collect the result set.

Default: 0

limitinteger · min: 1Optional

The maximum number of items to return.

Default: 100

sortstringOptional

Field to sort by - either created_at or updated_at

Default: created_atPattern: ^(created_at|updated_at)$

orderstringOptional

Sort order - either asc or desc

Default: descPattern: ^(asc|desc)$

Body

The search criteria for vulnerable technology product configuration sets

version_matchstringOptional

The method used for version matching. Options are: 'none', 'exact', 'range', 'strict', 'loose'. Defaults to 'exact'.

Default: exactExample: exact

set_idany ofOptional

Configuration set identifier that groups related CPEs. This corresponds to 'configuration_id' from NVD data.

Default: nullExample: abc123def456...

stringOptional

nullOptional

include_set_resultsbooleanOptional

Whether to include all configuration set members when a match is found. If true, returns all configurations in the same set as matched items.

Default: false

cpeany ofOptional

Common Platform Enumeration (CPE) 2.3 string. If provided, overrides type, vendor, product, and version fields.

Default: nullExample: cpe:2.3:a:apache:httpd:2.4.1:*:*:*:*:*:*:*

stringOptional

nullOptional

cpe_match_idany ofOptional

Unique identifier for a specific CPE configuration. This is different from set_id which groups multiple CPEs.

Default: nullExample: 1234567890abcdef...

stringOptional

nullOptional

cve_idany ofOptional

CVE identifier string to filter by.

Default: nullExample: CVE-2024-12345

stringOptional

nullOptional

vulnerability_idany ofOptional

Database ID of the vulnerability record.

Default: nullExample: 12345

integerOptional

nullOptional

is_vulnerableany ofOptional

Filter by vulnerability status.

Default: nullExample: true

booleanOptional

nullOptional

vendorany ofOptional

The vendor/manufacturer of the product.

Default: nullExample: apache

stringOptional

nullOptional

productany ofOptional

The name of the product.

Default: nullExample: httpd

stringOptional

nullOptional

typeany ofOptional

The type of the product (a=application, o=operating system, h=hardware). Defaults to 'a' (application) if vendor/product provided without type.

Default: nullExample: a

stringOptional

nullOptional

versionany ofOptional

The exact version for 'exact' matching mode.

Default: nullExample: 2.4.1

stringOptional

nullOptional

version_startany ofOptional

Start of version range for 'range' matching mode.

Default: nullExample: 2.0.0

stringOptional

nullOptional

version_endany ofOptional

End of version range for 'range' matching mode.

Default: nullExample: 2.9.9

stringOptional

nullOptional

updateany ofOptional

The update/patch version of the product.

Default: nullExample: SP1

stringOptional

nullOptional

Responses

200

Successful Response

application/json

404

Not found

422

Validation Error

application/json

post

/v1/vulnerable_technology_product_configuration_sets/search

POST /v1/vulnerable_technology_product_configuration_sets/search HTTP/1.1
Host: 
Content-Type: application/json
Accept: */*
Content-Length: 366

{
  "version_match": "exact",
  "set_id": "abc123def456...",
  "include_set_results": false,
  "cpe": "cpe:2.3:a:apache:httpd:2.4.1:*:*:*:*:*:*:*",
  "cpe_match_id": "1234567890abcdef...",
  "cve_id": "CVE-2024-12345",
  "vulnerability_id": 12345,
  "is_vulnerable": true,
  "vendor": "apache",
  "product": "httpd",
  "type": "a",
  "version": "2.4.1",
  "version_start": "2.0.0",
  "version_end": "2.9.9",
  "update": "SP1"
}

{
  "total": 1,
  "offset": 1,
  "limit": 1,
  "message": "text",
  "data": [
    {
      "uuid": "text",
      "created_at": "2026-01-23T15:50:33.823Z",
      "updated_at": "2026-01-23T15:50:33.823Z",
      "enriched_at": "2026-01-23T15:50:33.823Z",
      "set_id": "text",
      "vulnerability_uuid": "123e4567-e89b-12d3-a456-426614174000",
      "technology_product_configuration_uuid": "123e4567-e89b-12d3-a456-426614174000",
      "is_vulnerable": true
    }
  ]
}

Additional Notes

Mallory's database is a superset of the NVD CPE database.

Last updated 3 months ago

hashtagProduct Matching

hashtagSearch Products

hashtagVulnerability Configuration Set Matching

hashtagVulnerable Technology Product Configuration Set Search

hashtagAdditional Notes

Product Matching

Search Products

Vulnerability Configuration Set Matching

Vulnerable Technology Product Configuration Set Search

Additional Notes