Match sources
You may see the following match sources: NVD, Alias, Name, CPE, User, or one of our supported PURL package managers: PyPI, NPM, NuGet, and Cargo. In the Dependency details panel, you may see any of our supported package managers, NVD or NOT IN NVD, Alias, User, Exact, Name, CPE, and System. Use the match source to gauge the strength of a match and how much confidence to place in it.
Alias: This displays if a user on your account created an alias for this software component/version/supplier combo. You can hover over the token for more information on whether the alias was created by a user in this session (Matched by user) or automatically matched by our system (Matched by system).
Cargo: This was exactly matched to a component in the Cargo package manager from a Package URL (PURL) uploaded in your SBOM file.
CPE: This was exactly matched to a component from a CPE string uploaded in your SBOM file. CPE is considered the strongest match.
Name: This dependency name/version/supplier combo exactly matches an existing dependency name/version/supplier combo in our system.
NuGet: This was exactly matched to a dependency in the NuGet package manager from a Package URL (PURL) uploaded in your SBOM file.
NPM: This was exactly matched to a dependency in the NPM package manager from a Package URL (PURL) uploaded in your SBOM file.
NVD: This dependency/version/supplier combo had an exact match in the National Vulnerability Database (NVD).
PyPI: This was exactly matched to a dependency in the PyPI package manager from a Package URL (PURL) uploaded in your SBOM file.
User: This was exactly matched by a user on this account to a possible match suggestion our system provided, or the user created an alias in this session. If the user created an alias in a previous session, that will be considered an automatic match, and will have a System token.
System: This was exactly matched to an alias that was created by you or the Helm team.