When does a CPE match get made?

If you see a dependency component that has a Matched status with an NVD token and CPE token, that means that there this dependency component has at least one vulnerability that has been reported in the NVD. A CPE is only assigned to software when a vulnerability has been reported in the NVD.

Note: In order to take advantage of this cool new feature, you'll need to upload a new version of your SBOM, as this feature is not retroactive. Alternately, you will shortly be able to edit a particular dependency component to add or change a CPE string.