So my naive approach was to query NVD for CPE URIs of software products I use.
Unfortunately I notice a lot of entries don't have CPE entries. (e.g. for 2016 there are currently 1332 without CPE URI).
So this means I have to grep through these for keywords, which is quite error prone.
Are there any other ways to get all CVEs for software X?
Since you did not delivered some examples, such as: where did you get information that a CVE does not deliver CPE - either by the basis of some platform or files provided by some specific vendor. I assume you are using the National Vulnerability Database (NVD) Data Feeds, either in XML 2.0 or JSON format provided by NIST at https://nvd.nist.gov/vuln/data-feeds, because the information collected from NIST's (NVDCVE) files is the same in CVEDetails.com.
You claim that there are over a thousand entries without CPE:
$ ls -lh total 96136 -rw-r--r-- 1 test test 44M Aug 18 03:25 nvdcve-2.0-2016.xml -rw-r--r-- 1 test test 2.6M Aug 20 06:57 nvdcve-2.0-2016.xml.zip $ grep -c "\*\* REJECT \*\*" nvdcve-2.0-2016.xml 1106 If you are wondering, why did I used the keyword "REJECT": This is the only way that there is a CVE and cannot find a CPE. For example:
$ grep -A5 "<entry id=\"CVE-2016-0001\">" nvdcve-2.0-2016.xml <entry id="CVE-2016-0001"> <vuln:cve-id>CVE-2016-0001</vuln:cve-id> <vuln:published-datetime>2017-05-11T10:29:55.767-04:00</vuln:published-datetime> <vuln:last-modified-datetime>2017-05-11T10:29:55.767-04:00</vuln:last-modified-datetime> <vuln:summary>** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.</vuln:summary> </entry> The reason why this happens, I have explained in this question: Categorizing CVE product name
