Understand and resolve unmatched dependency components

Match statuses

Matched

This status indicates that the dependency component has an exact match with software listed in the National Vulnerability Database (NVD). This status confirms that the software has reported vulnerabilities, which are visible on the Vulnerabilities page for the respective product version. Components with a correct CPE or PURL identifier but incorrect supplier information are automatically corrected and matched by our system.

Multiple matches

This status indicates that Helm found multiple potential matches using identifiers like CPE, PURL, alias, and name, so you can click Resolve to review and assess our match suggestions. Refer to Resolve a Multiple matches status to try to uniquely identify this dependency component.

Matched to package manager, but NOT IN NVD

This status indicates that a dependency component is matched to a package manager but is not found in the NVD. Refer to Resolve a Matched status with NOT IN NVD and package manager token to determine if the dependency component has a different name in the NVD than it does in the package manager.

Not found and NOT IN NVD

For components that do not match any known software in the NVD or supported package managers, refer to Resolve a Not found status with NOT IN NVD token to try to identify this dependency component.

Rules for matching

  • Components are considered matched based on exact matches in the NVD, including CPE, alias, name, and supported package managers (Cargo, NPM, Nuget, PyPI).

  • Match sources may include NVD, Alias, Name, CPE, User, or our supported package managers. Refer to Match sources for more information. The strength and confidence in a match are influenced by its source:

    • CPE: Considered the strongest match.

    • Name: Often the weakest as it relies solely on the dependency name.

You can use aliases to match any dependency components in your SBOM that have multiple matches or are unmatched to known software components in the NVD. Administrators can create new aliases.

Other statuses

  • Parsing: This is an interim status that indicates that Helm is processing this match. If you have been waiting and haven't seen this update, try refreshing the page.

  • Version rejected: The software version provided for this dependency component does not align with the expected version. This issue should be very rare. If you see this, you will also see a warning icon next to the version. Refer to Get a warning icon next to your version? for more information on resolving this issue.

  • Version unparsed: Helm was unable to parse this version. We have logged this issue and will try to rectify it quickly. Refer to Get a warning icon next to your version? for more information on resolving this issue.

  • Error: Some other error occurred while trying to parse this dependency component. Contact us for help in resolving this issue.

Removing duplicates

Helm checks CPE and PURL IDs to determine if a dependency component is unique. If a duplicate is detected, it will automatically be removed, streamlining your SBOM management.

© Copyright MedCrypt 2023, All rights reserved.