Assess match suggestions

You can judge how likely a suggested match is to be correct by checking the sample versions for the expected format, checking how many and which sources were used to identify the suggested match, and checking the type of match. A match based on CPE is considered the strongest match.

If the match was suggested via multiple sources, such as Alias and a PURL package manager (Cargo, NPM, NuGet, or PyPI), that is an even stronger match. Alias and User matches indicate that a user manually assessed this dependency to find the right match. Name is considered the weakest match.

Match suggestions modal

Column name | Description

Supplier

This is the organization that supplied the dependency component. The supplier may often be the manufacturer, but may also be a distributor or repackager (e.g., Microsoft for Windows).

Name

This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL).

Sample versions

These are sample versions for this dependency (e.g., 10.1 for Windows). For versions taken from the NVD, this list assumes that the supplier has submitted all versions to the NVD, which is not always the case.

Matched on

This shows the strength of the match:

  • CPE: This dependency name has a match in a CPE string. This is considered the strongest match.

  • Cargo, NPM, NuGet, or PyPI: This dependency name had an exact match in the PURL string for the specified package manager.

  • Alias: This dependency matches an existing alias that was linked by a user.

  • Name: This dependency name has a match in the NVD.

Type

This shows the type of match:

  • Exact match: This has an exact match in the NVD, which could include a PURL string (Cargo, NPM, NuGet, or PyPI package manager), CPE string, or name match.

  • Alias match: This dependency matches an existing alias.

  • Possible match: This dependency has a match in one or more sources. Check the Matched on column, then hover over those matching tokens for more information.

Info icon

Click this icon to view more details about this possible match, including reported vulnerabilities over time, as well as known versions from the CVE. If these versions match those of your dependency and there are vulnerabilities that have been reported, this is likely the correct match.
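
The checks described on this page (which sources agree on the dependency name, and whether your version appears among the known versions) can also be reproduced offline when you have the suggested CPE and PURL strings. The following is an added example, not MedCrypt's matching logic; the function names `parse_cpe23`, `parse_purl` and `assess` are hypothetical and the sample identifiers are constructed.

```python
import re

# purl "type" values for the package managers this page lists.
PURL_TYPES = {"cargo": "Cargo", "npm": "NPM", "nuget": "NuGet", "pypi": "PyPI"}

def parse_cpe23(cpe):
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    parts = re.split(r"(?<!\\):", cpe)  # ':' escaped as '\:' stays inside a field
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return parts[3], parts[4], parts[5]

def parse_purl(purl):
    """Return (type, name, version) from a package URL; version may be None."""
    body = purl.split("#", 1)[0].split("?", 1)[0]  # drop subpath and qualifiers
    if not body.startswith("pkg:") or "/" not in body:
        raise ValueError(f"not a package URL: {purl!r}")
    ptype, _, rest = body[4:].partition("/")
    path, sep, version = rest.rpartition("@")
    if not sep:  # no '@version' present
        path, version = rest, None
    return ptype.lower(), path.rsplit("/", 1)[-1], version

def assess(dep_name, dep_version, cpes=(), purls=()):
    """Report which sources agree on the name and whether the version is known."""
    want, sources, versions = dep_name.lower(), [], set()
    for cpe in cpes:
        _, product, version = parse_cpe23(cpe)
        if product.lower() == want:
            sources.append("CPE")
            if version not in ("*", "-"):  # wildcard / not-applicable values
                versions.add(version)
    for purl in purls:
        ptype, name, version = parse_purl(purl)
        if ptype in PURL_TYPES and name.lower() == want:
            sources.append(PURL_TYPES[ptype])
            if version:
                versions.add(version)
    return {"matched_on": sorted(set(sources)), "version_seen": dep_version in versions}

# Constructed sample identifiers, not taken from the page or from NVD output.
SAMPLE_CPES = ["cpe:2.3:a:python:requests:2.31.0:*:*:*:*:*:*:*"]
SAMPLE_PURLS = ["pkg:pypi/requests@2.31.0", "pkg:npm/%40angular/core@12.0.0"]

if __name__ == "__main__":
    print(assess("requests", "2.31.0", SAMPLE_CPES, SAMPLE_PURLS))
```

A result with several entries in `matched_on` and `version_seen` set to true corresponds to the stronger, multi-source case described at the top of this page.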

© Copyright MedCrypt 2023, All rights reserved.