This is the name of this dependency component.
This is the supplier of this dependency component.
This is the version for this dependency component.
COMING SOON!: This is the type of dependency component, such as Application or Library, that may have been uploaded in your SBOM. If you created your SBOM manually or your SBOM did not include the type, this will be blank.
There are three statuses:
Matched: Entries are either automatically matched to the NVD (which could be from CPE, PURL package manager, name, or alias) or manually matched to a suggestion by a user. Hover over the matching tokens for more information.
Multiple matches: We found one or more exact matches in our sources, as indicated by the matching tokens. See the Resolve a Multiple matches status section for more information.
Not found: We were unable to find this in the NVD. When you see this status, you will always see a NOT IN NVD token. The token indicates that we were unable to find a match in the NVD, which encompasses all of the other sources (PURL package managers, aliases, CPE, names). See the Resolve a Not found status section for more information.
The Actions column displays a … (ellipsis) button, which you can click to see the available actions:
Dependency details: This will display the details about this dependency component, including how we attempted to match it and the last review note.
Review history: This will show any analysis notes or review status changes someone on your team has made. You can also add a note from here. If you change the Status, that updated status will display in the Review status column of your SBOM page.
Modify: If you have appropriate permissions, you can modify existing dependency components, including Supplier, Product name, Version, PURL, and CPE. After you’ve made any modifications, we’ll rescan it to make sure that the Match status is accurate and that any vulnerabilities are updated accordingly.
Rescan: If you have appropriate permissions, you can rescan a particular dependency component, but you should rarely, if ever, need to do this. This is a backup action in case you run into an error state.
Remove: If you have appropriate permissions, you can remove a particular dependency component. To avoid accidentally removing something that you wanted to keep, you’ll then be prompted to confirm this action.
This displays in the Product impact column to indicate that this vulnerability has been reviewed and a user has determined that there is no impact to this dependency.