Inconsistent / invalid CPE - classifier must not be null

[juavol]

I am trying to get started with monitoring a set of components - 3rd party libraries, applications & nuget packages - and am facing some difficulties. Since this is not my primary domain, I am confused about how components are identified.
The two primary aspects seem to be PURL and CPE, both of which are methods to identify a component.

In my first attempt, I have tried to manually add a project and add monitoring for an application: Notepad++. However, clicking on 'Add Component' and populating the 'Component Details' dialog as follows:

• Component name = Notepad++
• Version = 8.6
• CPE = cpe:2.3:a:notepad-plus-plus:notepad++:8.6:::::::* (taken from the NIST NVD website)

This results in an error: classifier must not be null. What am I doing wrong?

In my second attempt, I have used syft to scan my Notepad++ installation folder, creating an sbom with the following component details (part of the JSON):

"type" : "application",
"bom-ref" : "b3af7797-437e-4495-b1e6-fe2e1a00199e",
"name" : "Notepad++",
"version" : "8.6",
"cpe" : "cpe:2.3:a:Notepad\\+\\+:Notepad\\+\\+:8.6:*:*:*:*:*:*:*",

Uploading that works fine, but I do not get any vulnerabilities, although NIST NVD lists that version as vulnerable to CVE-2026-25926 and CVE-2025-15556.
I also notice that the CPE from syft is different from the one used in NIST.

How can I properly use dependency tracker here? How do I normally get to the proper component details?
I my examples, I haven't used PURL yet, perhaps as Notepad++ is an application.

[Geelofhar]

Hi @juavol ,
the correct cpe is: cpe:2.3:a:notepad-plus-plus:notepad\+\+:8.6:*:*:*:*:*:*:* (taken from https://nvd.nist.gov/vuln/detail/CVE-2026-25926)

I also had this issue before since not all software components have a cpe already and some are inconsistent with their naming.

[Geelofhar]

AH, now i found your error. You are required to fill in the classifier, which is "hidden" on the extended page