Quickstart process

Ready to leverage the power of Helm to streamline your vulnerability management? Let's get you up and running!

1. Upload your Software Bill of Materials (SBOM) file:

   • Got an SBOM ready? Upload your SBOM file to Helm. We support CycloneDX and SPDX SBOMs.

   • Don’t have an SBOM yet? No worries! You can generate a CycloneDX SBOM or SPDX SBOM using our open-source tool suggestions or any other tool you prefer. You can also manually create your SBOM if that works better for you. If you’re unsure how to get started, we’re here to help—contact us so we can assist you.

2. Automatic matching to the NVD: Once you’ve uploaded your SBOM, our system will automatically attempt to match your components to the NVD (National Vulnerability Database).

   • Matched status with NVD badge: For each Matched status with an NVD badge, we have identified an exact match for your component in the NVD, allowing you to see vulnerabilities associated with that component.

   • Matched status with package manager badge: For each Matched status with a package manager badge, this indicates the component was matched to a specific package manager. If you don’t see an NVD badge, it means we couldn’t locate an exact match in the NVD, but your software does exist in the respective package manager. Refer to Match statuses for more details.

3. Resolve Select match status: For each Select match status, this indicates that we found multiple potential matches in the NVD. Click Resolve to review the match suggestions. Once you find the correct software, you can link it immediately. You must resolve this status by identifying an exact match in the NVD to see vulnerabilities for the component.

4. Resolve Not found status For each Not found status, this indicates we didn’t find a match in the NVD, meaning that there are no known vulnerabilities listed for that component using the name in your SBOM. You’ll need to resolve this status by identifying an exact match in the NVD to view the vulnerabilities. Remember that software can sometimes have a different name in the NVD.

5. Save time with reusable aliases: If you’re an Administrator, you can create an alias for a dependency to known software that you identify. This alias will save time and effort by ensuring consistent matching for future SBOM uploads.

6. Resolve Fix version status: For each Fix version status, this indicates that the version you provided does not match the expected version format. You'll need to resolve this status before you can view vulnerabilities for that component.

7. Contact Us status: If you see a Contact us status, this means we were unable to process the version. We are aware of the issue and will notify you once support has been added. At that point, we will automatically reprocess the affected component to attempt to find a match in the NVD.

8. Am I impacted by that vulnerability? Where? You can quickly check whether a particular vulnerability impacts your products, and if so, which products you'll need to focus on. Just enter the vulnerability ID in the global search bar at the top of any page.

9. Am I impacted by that vulnerable component? Where? You can quickly check whether your products contain a particular component, and if so, which products you'll need to assess. Just enter the component name in the global search bar at the top of any page.

10. Manage vulnerabilities: You can start managing vulnerabilities for any components that have a Matched status with an NVD badge.

11. Monitor your progress: You can track your progress on your Dashboard, accessible via the Home icon on the sidebar.