Resolve a Multiple matches status

To view vulnerabilities for your dependency components, you'll need to resolve any Match status of Multiple matches or Not found. Multiple matches means that your software dependency/version/supplier combo could not be automatically linked to a known software dependency/version/supplier combo because there were several strong candidates rather than one. To resolve this, you can assess the multiple matches we provide, create an alias for this dependency, or add review notes:

  1. Click Resolve in the Actions column. This will display the Resolution options modal.

  2. Click the View suggestions button in the Multiple matches box. This will display the Multiple matches modal.

  3. In the Multiple matches modal, you can assess the likelihood of an option being the correct match from the supplier, name, sample versions, sources used to determine a possible match, and the type of match. Sample versions show the versions that were extracted from the CVE vulnerability. Matched on shows the sources that were used, which could include Alias, Name, CPE, or a PURL match (for a PURL match, the package manager token, such as Cargo, NPM, NuGet, or PyPI, is displayed). These match sources are explained in more detail in the Match sources section below.

  4. If you need more information, click the details icon to view more versions, as well as to view reported vulnerabilities over time. In this Match details modal, you can view known versions of this dependency component. If the versions match your dependency and there is a trend of reported vulnerabilities, that is considered a strong match.

  5. If you don’t feel that one of these stronger matches applies, you can check the NVD to see if there is a strong match to your software dependency/version/supplier combo. Once you feel confident, you can create an alias that will link this new match to your existing software dependency going forward. This means that next time you or anyone on your account uploads an SBOM that contains this software dependency/version/supplier combo, it will automatically be linked using this alias.

  6. You can also add review notes to ensure that your team is informed of the progress in assessing this issue, let someone else know that they need to look into it further, or highlight an especially critical risk with this software dependency.
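As an added illustration, not MedCrypt's code, the following models the behaviour described in steps 3 to 5: how the Matched on sources are derived, when a component lands in Multiple matches or Not found, and how a created alias links the same supplier/name/version combo automatically on the next upload. The class names, the "strong match" rule (component version present among the candidate's sample versions), and the sample component data are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:           # one SBOM entry: supplier/name/version plus any identifiers
    supplier: str
    name: str
    version: str
    purl: str = ""         # e.g. "pkg:pypi/<name>"; the package-manager token is "pypi"
    cpe: str = ""

@dataclass(frozen=True)
class Candidate:           # one row in the Multiple matches modal
    supplier: str
    name: str
    sample_versions: tuple  # versions extracted from the CVE records
    purl: str = ""
    cpe: str = ""

def alias_key(comp):
    return (comp.supplier.lower(), comp.name.lower(), comp.version)

def matched_on(comp, cand, aliases):
    """Sources linking comp to cand, as in the 'Matched on' column (Alias, PURL, CPE, Name)."""
    sources = []
    if aliases.get(alias_key(comp)) == (cand.supplier, cand.name):
        sources.append("Alias")
    if comp.purl and cand.purl and comp.purl.lower() == cand.purl.lower():
        sources.append("PURL:" + comp.purl.split("/")[0].split(":")[1])  # e.g. PURL:pypi
    if comp.cpe and cand.cpe and comp.cpe.lower() == cand.cpe.lower():
        sources.append("CPE")
    if comp.name.lower() == cand.name.lower():
        sources.append("Name")
    return sources

def resolve(comp, candidates, aliases):
    """Return (Match status, candidates). An alias is authoritative; otherwise a candidate is strong when its sample versions include the component's version."""
    for cand in candidates:
        if "Alias" in matched_on(comp, cand, aliases):
            return "Matched", [cand]
    strong = [c for c in candidates
              if matched_on(comp, c, aliases) and comp.version in c.sample_versions]
    if len(strong) == 1:
        return "Matched", strong
    return ("Multiple matches" if strong else "Not found"), strong

WIDGET = Component("acme", "widgetlib", "1.4.2", purl="pkg:pypi/widgetlib")  # constructed sample
CANDIDATES = [  # constructed: two plausible records for the same name, as in step 3
    Candidate("Acme Corp", "widgetlib", ("1.4.2", "1.4.1"), purl="pkg:pypi/widgetlib"),
    Candidate("Acme Widgets", "widgetlib", ("1.4.2", "1.3.0"), cpe="cpe:2.3:a:acme_widgets:widgetlib:*:*:*:*:*:*:*:*"),
]
```

Calling `resolve(WIDGET, CANDIDATES, {})` yields Multiple matches with both candidates; after the reviewer records `{alias_key(WIDGET): ("Acme Corp", "widgetlib")}` as in step 5, the same call returns Matched with only the aliased record.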

For each Not found item, you can manually create an alias that will be used to match this item going forward. Refer to Resolve a Not found status for more information.

© Copyright MedCrypt 2023, All rights reserved.