Match statuses

The match status of each of your components is shown in the Match status column of the components table. For most statuses, you can click the status badge itself to begin the resolution process, or you can select an action from the Actions column. We use a variety of metadata and match sources to identify a match, including the NVD, CPE, alias, name, and supported package managers (Cargo, NPM, NuGet, PyPI).

Matched status

This status means the component has an exact match with software listed in the National Vulnerability Database (NVD) and that it has associated vulnerabilities, so you can start prioritizing and remediating these risks.

If the component has a correct CPE or PURL identifier but incorrect supplier information, our system will automatically correct it and create a match. If we're able to identify a PURL that exists for your component but is missing from your SBOM, we'll automatically add it for you to ensure a unique match.

Matched to package manager

This status shows that a component is matched to a package manager but is not found in the NVD, thus it will not show any vulnerabilities. Note that sometimes package managers might use different names or PURLs than the NVD, so you should check the NVD to make sure your component isn’t listed under a different name. Refer to Resolve match statuses for more information.

Matched to CPE

If you see a component that has a Matched status with an NVD token and CPE token, that means this component has at least one vulnerability that has been reported in the NVD. A CPE is only assigned to software when a vulnerability has been reported in the NVD. Refer to Resolve match statuses for more information.

Select match

This status indicates that Helm has found multiple potential matches using identifiers like CPE, PURL, alias, or name. You can click the badge or the primary action link to review and assess the suggested matches. Refer to Resolve match statuses for more information.

Not found

This status indicates that the component does not match any known software in the NVD or supported package managers. Refer to Resolve match statuses for more information.

You can use aliases to match any dependency components in your SBOM that have multiple matches or are unmatched to known software components in the NVD. Administrators can create new aliases.

Other statuses

  • Scanning: This is an interim status that indicates that Helm is processing this match. If you have been waiting and haven't seen this update, try refreshing the page.

  • Fix version: The software version provided for this dependency component does not match the expected version. This issue should be rare. If you see this, you will also see a warning icon next to the version. Refer to Resolve match statuses for more information on resolving this issue.

  • Contact us: Helm was unable to parse this version. We have logged this issue and will work to resolve it quickly. Refer to Resolve match statuses for more information on resolving this issue.

  • Error: Some other error occurred while trying to parse this dependency component. Contact us for help in resolving this issue.

Automatic de-duplication

Helm checks CPE and PURL IDs to determine if a dependency component is unique. If a duplicate is detected, it will automatically be removed to streamline your SBOM management.
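The following added example sketches identifier-based de-duplication so you can check an SBOM before upload; it is not Helm's own code. It assumes CycloneDX-style JSON components with `purl` and `cpe` fields, and its normalization and its rule that any shared identifier marks a duplicate are assumptions.

```python
import json

# Constructed CycloneDX-style component list (sample data for illustration only).
SAMPLE_SBOM = json.loads("""
{"components": [
  {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
  {"name": "lodash", "version": "4.17.21", "purl": "pkg:NPM/lodash@4.17.21"},
  {"name": "openssl", "version": "3.0.7",
   "cpe": "cpe:2.3:a:openssl:openssl:3.0.7:*:*:*:*:*:*:*"},
  {"name": "OpenSSL", "version": "3.0.7",
   "cpe": "cpe:2.3:a:OpenSSL:OpenSSL:3.0.7:*:*:*:*:*:*:*"},
  {"name": "vendor-blob", "version": "1.0"},
  {"name": "vendor-blob", "version": "1.0"}
]}
""")


def identifiers(component):
    """Return the normalized PURL/CPE identifiers a component carries."""
    ids = set()
    purl = (component.get("purl") or "").strip()
    if purl:
        # The PURL scheme and type are case-insensitive; name case depends on type.
        head, sep, rest = purl.partition("/")
        ids.add(("purl", head.lower() + sep + rest))
    cpe = (component.get("cpe") or "").strip()
    if cpe:
        # Assumption: CPE strings are compared case-insensitively.
        ids.add(("cpe", cpe.lower()))
    return ids


def deduplicate(components):
    """Split components into (unique, duplicates, unidentified)."""
    seen, unique, duplicates, unidentified = set(), [], [], []
    for comp in components:
        ids = identifiers(comp)
        if not ids:
            # No CPE or PURL: uniqueness cannot be decided, so keep and flag it.
            unidentified.append(comp)
        elif ids & seen:
            duplicates.append(comp)
        else:
            unique.append(comp)
        seen |= ids
    return unique, duplicates, unidentified


if __name__ == "__main__":
    unique, dupes, unknown = deduplicate(SAMPLE_SBOM["components"])
    print(f"unique={len(unique)} duplicates={len(dupes)} unidentified={len(unknown)}")
```

Components that land in the unidentified list carry neither identifier, so an identifier-based check cannot tell whether they are duplicates; adding a PURL or CPE to them in the SBOM resolves that.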

© Copyright MedCrypt 2023, All rights reserved.