Announcement

**Isomorphic** · 2025-12-05T18:08:19

SmartClient and SmartGWT do not currently have official CPE identifiers.

Because our products are commercial libraries and not distributed through public package registries or the NVD, there are no vendor-issued CPEs associated with them.

Most customers generating an SBOM include SmartClient/SmartGWT using a PURL or a custom component identifier (for example: pkg:isomorphic/smartclient@<version> or a Maven-style coordinate for SmartGWT) rather than a CPE.

If industry practice shifts and it becomes valuable for customers, we can evaluate publishing formal CPEs for each version/edition, but at present there is no vulnerability feed that would consume them.

Announcement

SmartGWT / Isomorphic CPEs

Comment