Resolve a Matched status with NOT IN NVD and package manager tokens

Matched, NOT IN NVD token, and one of Cargo, NPM, NuGet, or PyPI tokens:

If a dependency component has a Matched status but also carries a NOT IN NVD token, it does not have an exact NVD match. We were unable to locate an exact match in the NVD, but your software does exist in the respective package manager. As a result, we cannot identify the vulnerabilities for this dependency component.

Why don't I see vulnerabilities for a dependency component matched to a package manager?

If something doesn't have a match in the NVD, this likely means that there are no vulnerabilities for this dependency component.

Why don't I see vulnerabilities for an unmatched dependency component?

If something doesn’t have an exact match in the NVD, that means that there are no known vulnerabilities in the NVD for the dependency component using that particular name. You should check to make sure that your dependency component is not named differently in the NVD.

Try to find a dependency component match in the NVD

To determine whether your dependency component has a different name in the NVD, click Resolve to view possible resolutions. You may find the right match in our possible match suggestions.

Alternatively, you can search the NVD on your own, then create an alias to link that software to your dependency component. This creates an NVD match, which brings forward vulnerabilities. You can keep track of analysis progress by adding review notes so that you and your team understand the current state of a dependency component.
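
One way to shortlist differently named NVD entries when searching on your own, before creating an alias. This is an added example, not MedCrypt's code or matching logic. The function names, the `TARGET_SW_HINT` map, the 0.6 threshold, and the sample CPE names are all assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed CPE 2.3 names, shaped like the cpeName values from an NVD CPE search.
SAMPLE_CPES = [
    "cpe:2.3:a:example_vendor:forge:1.3.0:*:*:*:*:node.js:*:*",
    "cpe:2.3:a:example_vendor:forge_cli:2.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:other\\:vendor:unrelated_tool:1.0:*:*:*:*:*:*:*",
]
FIELDS = ["part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other"]
# Assumption: target_sw values commonly seen for these ecosystems.
TARGET_SW_HINT = {"npm": "node.js", "pypi": "python", "cargo": "rust"}

def parse_cpe(cpe_name):
    """Split a CPE 2.3 string into named fields, keeping escaped colons intact."""
    parts = re.split(r"(?<!\\):", cpe_name)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 name: {cpe_name!r}")
    return dict(zip(FIELDS, parts[2:]))

def normalize(name):
    """Lowercase, drop ecosystem prefixes/suffixes, and remove separators."""
    name = name.lower().replace("\\", "")
    name = re.sub(r"^(node|python|py|rust)[-_.]|[-_.](js|py|rs)$", "", name)
    return re.sub(r"[-_.\s]+", "", name)

def suggest_aliases(package, ecosystem, cpe_names, threshold=0.6):
    """Rank (vendor, product) pairs by name similarity to the package name."""
    want = normalize(package)
    hint = TARGET_SW_HINT.get(ecosystem.lower())
    scored = {}
    for cpe_name in cpe_names:
        cpe = parse_cpe(cpe_name)
        score = SequenceMatcher(None, want, normalize(cpe["product"])).ratio()
        if hint and cpe["target_sw"] == hint:
            score = min(1.0, score + 0.1)  # same ecosystem: stronger candidate
        key = (cpe["vendor"], cpe["product"])
        scored[key] = max(score, scored.get(key, 0.0))
    ranked = sorted(scored.items(), key=lambda kv: -kv[1])
    return [(v, p, round(s, 2)) for (v, p), s in ranked if s >= threshold]

if __name__ == "__main__":
    for vendor, product, score in suggest_aliases("node-forge", "npm", SAMPLE_CPES):
        print(f"{score:.2f}  {vendor}:{product}")
```

A high score is only a candidate: confirm the vendor and product against the package's actual upstream project before creating the alias, since a wrong alias attaches another product's vulnerabilities to your component.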

© Copyright MedCrypt 2023, All rights reserved.