VulCPE: Context-Aware Cybersecurity Vulnerability Retrieval and Management

📅 2025-05-20
🤖 AI Summary
To address false positives and false negatives in vulnerability detection caused by inconsistent CPE identifiers in the NVD database within heterogeneous systems, this paper proposes a Unified CPE (uCPE) framework. Leveraging named entity recognition, dependency parsing, and knowledge graph modeling, uCPE systematically resolves over 50% of vendor name ambiguities for the first time, enabling semantic-level configuration matching. The method integrates graph neural networks for context-aware retrieval, achieving precision of 0.766 and recall of 0.926 on standard benchmarks—substantially outperforming existing tools. Key contributions include: (1) the first standardized CPE semantic representation framework tailored for vulnerability management; and (2) a component-dependency-driven, context-aware retrieval paradigm that enhances vulnerability localization accuracy and improves system-wide network resilience.

📝 Abstract
The dynamic landscape of cybersecurity demands precise and scalable solutions for vulnerability management in heterogeneous systems, where configuration-specific vulnerabilities are often misidentified due to inconsistent data in databases like the National Vulnerability Database (NVD). Inaccurate Common Platform Enumeration (CPE) data in NVD further leads to false positives and incomplete vulnerability retrieval. Informed by our systematic analysis of CPE and CVEdetails data, revealing more than 50% vendor name inconsistencies, we propose VulCPE, a framework that standardizes data and models configuration dependencies using a unified CPE schema (uCPE), entity recognition, relation extraction, and graph-based modeling. VulCPE achieves superior retrieval precision (0.766) and coverage (0.926) over existing tools. VulCPE ensures precise, context-aware vulnerability management, enhancing cyber resilience.

Problem

Research questions and friction points this paper is trying to address.

Addresses misidentification of configuration-specific vulnerabilities in databases
Reduces false positives from inaccurate Common Platform Enumeration data
Improves precision and coverage in cybersecurity vulnerability retrieval

Innovation

Methods, ideas, or system contributions that make the work stand out.

Standardizes data with unified CPE schema (uCPE)
Uses entity recognition and relation extraction
Models configuration dependencies via graph-based modeling

Yuning Jiang, National University of Singapore, Singapore
Feiyang Shang, National University of Singapore, Singapore
Freedy Tan Wei You, National University of Singapore, Singapore
Huilin Wang, National University of Singapore, Singapore
Chia Ren Cong, National University of Singapore, Singapore
Qiaoran Meng, National University of Singapore, Singapore
Nay Oo, NCS Cyber Special Ops R&D, Singapore
Hoon Wei Lim, Singtel (Data Security & Privacy, Applied Cryptography, Security Analytics)
Biplab Sikdar, Provost's Chair Professor, National University of Singapore (Internet of Things, Cyber-Physical Systems, Computer Networks)