Vulnerability Inference
or more specifically, version-based vulnerability inference
Often, you have a piece of software and a version and need to turn that into a list of vulnerabilities known to exist in the software. A vulnerability "inference" API that accepts a CPE or the requisite vendor/product/version information comes in handy in these cases. Below, we walk through first matching the vendor and product to the Mallory database, then matching vulnerabilities using the matched product information and the version.
Matching vulnerabilities to a specific version of software is a two-step process. First, match your vendor (or publisher) and product name against the Mallory database to get the appropriate vendor and product name. Then use the vulnerable_configurations endpoint to get the list of vulnerable configurations for a given vendor, product and version.
Product Matching
In order to match your own product information against the Mallory database, you can use the following endpoint. This will query the Mallory database for products and vendors that match a given product name or fragment. Multiple results will be returned if multiple products match.
Endpoint to search for products based on search criteria.
The number of items to skip before starting to collect the result set.
0
The maximum number of items to return.
100
Field to sort by - either name, created_at or updated_at
created_at
Pattern: ^(name|created_at|updated_at)$
Sort order - either asc or desc
desc
Pattern: ^(asc|desc)$
The search criteria for products
Common Platform Enumeration (CPE) 2.3 string. Overrides type, vendor, and product if provided.
The name of the product.
The type of search to perform. Options are: 'standard', 'did_you_mean'. Defaults to 'standard'.
standard
Example: ["standard","did_you_mean"]
The type of the product (e.g., application, operating system). Defaults to 'application'.
The vendor of the product.
POST /v1/products/search HTTP/1.1
Host: api.mallory.ai
Authorization: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 103

{
  "cpe": "text",
  "product": "text",
  "search_type": [
    "standard",
    "did_you_mean"
  ],
  "type": "text",
  "vendor": "text"
}

{
  "data": [
    {
      "created_at": "2025-06-27T09:50:50.223Z",
      "description": "text",
      "display_name": "text",
      "name": "text",
      "type": "text",
      "updated_at": "2025-06-27T09:50:50.223Z",
      "upstream_id": "text",
      "uuid": "text",
      "website": "text"
    }
  ],
  "limit": 1,
  "message": "text",
  "offset": 1,
  "total": 1
}
Vulnerability Matching
Now that you know the correct vendor and product to look up, you can use the vulnerable configuration search to identify the vulnerabilities associated with this product and version. Each vulnerability has a set of vulnerable configurations associated with it. In some cases a set contains more than one item (such as the underlying OS and hardware); use the 'include_set_results' parameter to ensure these are included.
Endpoint to search for vulnerabilities.
The number of items to skip before starting to collect the result set.
0
The maximum number of items to return.
100
Field to sort by - either created_at, updated_at, published_at, or collected_at
published_at
Pattern: ^(created_at|updated_at|published_at|collected_at)$
Sort order - either asc or desc
desc
Pattern: ^(asc|desc)$
The search criteria for vulnerable configurations
Common Platform Enumeration (CPE) 2.3 string. Overrides type, vendor, and product if provided.
Whether to include all items found in matched config sets. (Defaults to False)
false
Example: [false,true]
The name of the product.
["ExampleProduct","Windows","macOS"]
The type of the product (e.g., application, operating system). Defaults to 'application'.
The update version of the product.
The vendor of the product.
["ExampleVendor","Microsoft","Apple"]
The version of the product.
The method used for version matching. Options are: 'exact'. Defaults to 'exact'.
exact
Example: ["exact"]
POST /v1/vulnerable_configurations/search HTTP/1.1
Host: api.mallory.ai
Authorization: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 216

{
  "cpe": "text",
  "include_set_results": [
    false,
    true
  ],
  "product": [
    "ExampleProduct",
    "Windows",
    "macOS"
  ],
  "type": "text",
  "update": "text",
  "vendor": [
    "ExampleVendor",
    "Microsoft",
    "Apple"
  ],
  "version": "text",
  "version_match": [
    "exact"
  ]
}

{
  "data": [
    {
      "cpe23_uri": "text",
      "cpe_id": "text",
      "created_at": "2025-06-27T09:50:50.223Z",
      "edition": "text",
      "is_vulnerable": true,
      "language": "text",
      "other": "text",
      "set_id": "text",
      "sw_edition": "text",
      "target_hw": "text",
      "target_sw": "text",
      "updateEndIncluding": "text",
      "updateStartIncluding": "text",
      "updated_at": "2025-06-27T09:50:50.223Z",
      "uuid": "text",
      "versionEndExcluding": "text",
      "versionEndIncluding": "text",
      "versionStartExcluding": "text",
      "versionStartIncluding": "text"
    }
  ],
  "limit": 1,
  "message": "text",
  "offset": 1,
  "total": 1
}
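The two-step flow above, sketched as an added example (not Mallory's own client code): it builds both POST requests without sending them and then checks a version against the range fields of a returned configuration list. It assumes scalar values are accepted for fields the sample request shows as option lists, that the `versionStart*`/`versionEnd*` fields and `is_vulnerable` carry NVD-style semantics, and that the API is served over https; the helper names and the sample response are constructed for illustration.

```python
import json
import re
import urllib.request

API = "https://api.mallory.ai"  # host from the page; the https scheme is assumed

def build_post(path, body, api_key):
    """Build (without sending) a POST shaped like the page's sample requests."""
    return urllib.request.Request(
        API + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": api_key, "Content-Type": "application/json"})

def product_search(name, api_key):
    # Step 1: resolve a local product name to the database's vendor/product.
    return build_post("/v1/products/search",
                      {"product": name, "search_type": "did_you_mean"}, api_key)

def config_search(vendor, product, version, api_key):
    # Step 2: exact-version lookup, including the other members of each set.
    return build_post("/v1/vulnerable_configurations/search",
                      {"vendor": vendor, "product": product, "version": version,
                       "version_match": "exact", "include_set_results": True}, api_key)

def vkey(version):
    # Numeric-aware ordering so "2.9" < "2.10"; a simplification of real schemes.
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.split(r"[.\-_]", version)]

BOUNDS = {  # assumed to carry NVD range semantics
    "versionStartIncluding": lambda v, b: v >= b,
    "versionStartExcluding": lambda v, b: v > b,
    "versionEndIncluding": lambda v, b: v <= b,
    "versionEndExcluding": lambda v, b: v < b,
}

def affected_sets(version, response):
    """set_id of each vulnerable configuration whose bounds contain version."""
    v = vkey(version)
    return [c["set_id"] for c in response["data"]
            if c.get("is_vulnerable")
            and all(op(v, vkey(c[k])) for k, op in BOUNDS.items() if c.get(k))]

# Constructed response (not real API output): two ranges plus one platform entry.
SAMPLE = {"data": [
    {"set_id": "set-1", "is_vulnerable": True,
     "versionStartIncluding": "2.0", "versionEndExcluding": "2.10"},
    {"set_id": "set-2", "is_vulnerable": True, "versionEndIncluding": "1.9.9"},
    {"set_id": "set-1", "is_vulnerable": False},  # e.g. underlying OS in the set
]}

if __name__ == "__main__":
    print(affected_sets("2.9", SAMPLE))
```

A configuration that sets no range bounds is treated as already matched by the server-side exact version query.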
Additional Notes
Mallory's database is a superset of the NVD CPE database.