Get a warning icon next to your dependency component version?

After either uploading your SBOM or adding a dependency component manually, you may see a warning icon next to your dependency component version. There are two possibilities to resolve this error. Click the warning icon or click Actions > … > Fix version for more information:

• Yellow warning icon: The version format doesn’t match the expected Supplier version format. Check the version format to make sure that it matches that of the known version number. If you continue having issues, contact us.

• Red error icon: We don’t have a version parser to handle this version format. Contact us so we can resolve this issue for you. Whenever we add new version parser formats, we will automatically rescan any of your impacted SBOMs and their dependency components, and will inform you that this has been resolved.

Have a red error icon?

We've now added automatic rescanning to fix version parser errors. If you've run into an issue where a dependency component version in your SBOM isn't supported by our current version parsers, we've had you manually rescan that entry after we add a version parser for that format. We'll now automatically rescan any impacted SBOM dependency components to resolve this issue, and will attempt to automatically match it to existing software in the NVD.

How does this impact you?

This means that you could end up with multiple match suggestions, which you will need to assess to determine the correct software. Or you could end up with us not finding an exact match in the NVD, which means it could not exist in the NVD at all, meaning it has no known vulnerabilities, or it could be named differently in the NVD, in which case you'll need to check the NVD to determine if you can find the correct match, then create an alias. If we find one exact match, we will bring forward any known vulnerabilities from the NVD for you. Thus, if you're tracking the number of vulnerabilities you have and notice a discrepancy, don't be worried.