Resolve match statuses

After uploading your SBOM (Software Bill of Materials) or manually adding a dependency component, each component is matched against the NVD (National Vulnerability Database) by its name, version, and supplier. When that combination cannot be matched automatically, the component shows a status that tells you why and what to do about it, so that vulnerability tracking for your inventory stays accurate.

Vulnerabilities are only reported for dependency components with the Matched status, so any other status needs to be resolved. The steps below cover each status and the checks to make before accepting a match, so that your components are linked to the correct NVD entries and their known vulnerabilities.

Resolve Select match or Not found status

  • A Select match status means that your software dependency, version, and supplier combination has multiple potential matches, making it unclear which one is the correct match.

  • A Not found status means that your software dependency, version, and supplier combination could not be automatically matched to an existing entry in the NVD. This could mean there are no known vulnerabilities for this component, or it could mean the component is listed under a different name in the NVD. Until you have checked the NVD for alternate names, treat Not found as unresolved rather than as evidence that the component is clean.

To resolve either of these statuses, you have several options:

  1. Review potential matches: Click the badge to open the Resolution options modal, then click the View suggestions button in the Select match box. This will display the Multiple matches modal, where you can evaluate each option based on the following details:

    • Supplier: The name of the supplier associated with the potential match.

    • Name: The name of the software component.

    • Sample versions: Versions that were extracted from the CVE vulnerability data.

    • Type of match: The source that produced the candidate, such as Alias, Name, CPE (Common Platform Enumeration), PURL (Package URL), or a particular package manager match.

    If you need more information to make a decision, click the details icon. This will open the Match details modal, where you can view more versions of the dependency component and see reported vulnerabilities over time. A trend of reported vulnerabilities that aligns with your dependency versions suggests a strong match.

  2. Create an alias: Once you determine the correct match, you can create an alias that links this match to your dependency. Future uploads of an SBOM containing this software dependency, version, and supplier combination will then resolve to the selected NVD entry automatically, without another manual review.

  3. Add a review note: You can also add review notes to keep your team informed about the status of the assessment, suggest further review, or highlight any critical risks associated with the software dependency.

Resolve Fix version status

After uploading your SBOM or manually adding a component, you might see a warning icon next to the component version, as well as a Fix version match status. This indicates that the version format doesn’t match the expected supplier version format.

  1. Click Actions > Fix version for the component with the warning icon.

  2. Compare the version against the version number the supplier publishes for the component, correct any formatting differences, then save.

  3. If the issue persists, contact us for assistance.
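The following is an added example, not MedCrypt's code, that models how a matcher arrives at the Matched, Select match, Not found and Fix version statuses described in this section and the previous one, and how an alias created during review short-circuits that decision on the next upload. The CPE-style index, the SBOM components and the alias table are constructed inline for illustration; the real service also matches on CPE and PURL identifiers and has its own version parsers, and the Contact us status (a parser missing on the vendor side) is deliberately not modelled.

```python
"""Toy SBOM-to-vulnerability-database matcher (added example, not product code).

Demonstrates the four user-resolvable statuses from this page: a version that
no parser accepts is surfaced as "Fix version" before any name matching, an
exact supplier+name hit is "Matched", name-only hits under other vendors are
"Select match", and nothing at all is "Not found". An alias table turns a
previously reviewed "Select match" into "Matched" on re-upload.
"""
import re
from dataclasses import dataclass, field

# Constructed stand-in for an NVD/CPE product index: (vendor, product) -> versions
# seen in CVE data. Real NVD data is far larger; these entries are illustrative.
CPE_INDEX = {
    ("openssl", "openssl"): ["1.1.1k", "1.1.1w", "3.0.7"],
    ("apache", "log4j"): ["2.14.1", "2.17.1"],
    ("oracle", "log4j"): ["1.2.17"],   # same product name under a second vendor
    ("zlib", "zlib"): ["1.2.11", "1.2.13"],
}

# Version formats this toy parser accepts: dotted numerics with an optional
# letter suffix (1.1.1k) or prerelease tag (2.0.0-rc1). Anything else is
# flagged for the user to fix, since it cannot be compared with CVE ranges.
VERSION_RE = re.compile(r"^\d+(\.\d+)*[a-z]?(-[0-9A-Za-z.]+)?$")


@dataclass
class Component:
    supplier: str
    name: str
    version: str


@dataclass
class MatchResult:
    status: str                # "Matched", "Select match", "Not found", "Fix version"
    candidates: list = field(default_factory=list)   # (vendor, product) tuples


def parse_version(raw):
    """Return a normalised version string, or None if no parser accepts it."""
    v = raw.strip()
    if v[:1] in ("v", "V") and v[1:2].isdigit():   # common SBOM quirk: "v1.2.3"
        v = v[1:]
    return v if VERSION_RE.match(v) else None


def match_component(c, index=CPE_INDEX, aliases=None):
    aliases = aliases or {}
    # 1. Unparseable versions can never be compared against CVE version ranges,
    #    so they are reported as "Fix version" before any name matching happens.
    if parse_version(c.version) is None:
        return MatchResult("Fix version")
    key = (c.supplier.lower(), c.name.lower())
    # 2. An alias created during an earlier review wins outright, so the same
    #    (supplier, name) pair never needs manual resolution twice.
    if key in aliases:
        return MatchResult("Matched", [aliases[key]])
    # 3. Exact vendor+product hit in the index.
    if key in index:
        return MatchResult("Matched", [key])
    # 4. Product name exists under other vendors: ambiguous, a human must pick.
    by_name = [k for k in index if k[1] == key[1]]
    if by_name:
        return MatchResult("Select match", by_name)
    return MatchResult("Not found")


def suggest_by_versions(c, candidates, index=CPE_INDEX):
    """Rank ambiguous candidates the way a reviewer would: the candidate whose
    CVE sample versions share major.minor with the SBOM version ranks first."""
    want = parse_version(c.version).split(".")[:2]
    return sorted(candidates,
                  key=lambda k: -sum(v.split(".")[:2] == want for v in index[k]))


def triage(components, aliases=None):
    """Status per component; the shape of the list a review queue is built from."""
    return [(c.supplier, c.name, c.version, match_component(c, aliases=aliases).status)
            for c in components]


if __name__ == "__main__":
    sbom = [  # constructed CycloneDX-style component list
        Component("OpenSSL", "openssl", "3.0.7"),
        Component("Apache Software Foundation", "log4j", "2.14.1"),
        Component("zlib", "zlib", "v1.2.11"),
        Component("acme", "widgetlib", "4.2.0"),
        Component("OpenSSL", "openssl", "3.0.7 (build 2022-11-01)"),
    ]
    for row in triage(sbom):
        print(row)
    # Reviewer resolves the log4j ambiguity and records an alias; the next
    # upload of the same supplier+name pair is Matched with no review step.
    aliases = {("apache software foundation", "log4j"): ("apache", "log4j")}
    print(triage(sbom, aliases)[1])
```

Running the script lists one component per status and then shows the log4j row flipping from Select match to Matched once the alias exists. The version check deliberately runs first: a component whose version cannot be parsed is not "Not found", and reporting it as such would hide a fixable formatting problem behind a status that reads like a clean result.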

Resolve Contact us status

After uploading your SBOM or manually adding a component, you might see an error icon next to the component version, along with a Contact us match status. This indicates that we do not have a version parser for this specific version format.

If you see this icon, we're aware of the issue. However, if you need this resolved more quickly, please contact us for expedited assistance.

What happens when we add this version parser?

When we add support for a new version parser format, we will automatically reload any impacted SBOMs and their components to attempt to match them to known software in the NVD. You will be notified once the issue has been resolved.

How does this impact you?

If we find an exact match, any known vulnerabilities from the NVD will be brought forward. If you notice a discrepancy in the number of vulnerabilities, don’t be alarmed—this process is part of ensuring accurate tracking and reporting.

If we find multiple possible matches, you'll need to review these suggestions to determine the correct match.

If an exact match cannot be found in the NVD, it may indicate that the component does not exist in the NVD (implying no known vulnerabilities) or that it is listed under a different name. In these cases, you should:

  1. Check the NVD to find the correct match.

  2. Create an alias if needed, to link your software component correctly going forward.

© Copyright MedCrypt 2023, All rights reserved.