This is the organization that supplied the dependency component. The supplier is often the manufacturer, but may also be a distributor or repackager (e.g., Microsoft for Windows).
Other systems may refer to this as a component. It is the firmware, software, patches, or operating system installed on the physical representations of your device (e.g., Windows, OpenSSL).
These are sample versions for this dependency (e.g., 10.1 for Windows). For NVD versions, this assumes that the supplier has submitted all versions to the NVD, which is not always the case.
This shows the strength of the match:
CPE: This dependency name has a match in a CPE string. This is considered the strongest match.
Cargo, NPM, NuGet, or PyPI: This dependency name has an exact match in the PURL string for the specified package manager.
Alias: This dependency matches an existing alias that was linked by a user.
Name: This dependency name has a match in the NVD.
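The following is an added example, not code from this product: one way to decide which source a dependency name matched on, checking the sources in the order listed above. It assumes that order is descending strength (the page only states that CPE is the strongest); the sample records, the alias table and all function names are constructed for illustration.

```python
# Added example: report the strongest source a dependency name matches.
# Assumption: strength follows the order listed above, CPE first.
PURL_TYPES = {"cargo": "Cargo", "npm": "NPM", "nuget": "NuGet", "pypi": "PyPI"}


def cpe_product(cpe):
    """Return the product field of a CPE 2.3 formatted string, or None."""
    parts = cpe.split(":")
    # cpe:2.3:<part>:<vendor>:<product>:<version>:... is 13 fields in total.
    # Strings with escaped colons are rejected here rather than mis-split.
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        return None
    return parts[4].lower()


def purl_type_and_name(purl):
    """Return (type, name) from a package URL such as pkg:npm/lodash@4.17.21."""
    if not purl.startswith("pkg:"):
        return None
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]  # drop subpath, qualifiers
    ptype, _, path = body.partition("/")
    name = path.rsplit("/", 1)[-1].split("@", 1)[0]    # drop namespace, version
    if not ptype or not name:
        return None
    return ptype.lower(), name.lower()


def matched_on(dep_name, cpes, purls, aliases, nvd_names):
    """Return "CPE", a package manager name, "Alias", "Name", or None."""
    name = dep_name.strip().lower()
    if any(cpe_product(c) == name for c in cpes):
        return "CPE"
    for p in purls:
        parsed = purl_type_and_name(p)
        if parsed and parsed[1] == name and parsed[0] in PURL_TYPES:
            return PURL_TYPES[parsed[0]]
    if name in aliases:                      # alias previously linked by a user
        return "Alias"
    if name in {n.lower() for n in nvd_names}:
        return "Name"
    return None


# Constructed sample data (not real NVD records).
CPES = ["cpe:2.3:a:openssl:openssl:3.0.0:*:*:*:*:*:*:*"]
PURLS = ["pkg:npm/lodash@4.17.21", "pkg:pypi/requests@2.31.0"]
ALIASES = {"libssl": "openssl"}
NVD_NAMES = ["Windows"]
```

A name that matches only by the Name rule is the weakest result, so its versions are the ones most worth comparing against your dependency before accepting the match.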
This shows the type of match:
Exact match: This has an exact match in the NVD, which could include a PURL string (Cargo, NPM, NuGet, or PyPI package manager), CPE string, or name match.
Alias match: This dependency matches an existing alias.
Possible match: This dependency has a match in one or more sources. Check the Matched on column, then hover over the matching tokens for more information.
Click this icon to view more details about this possible match, including reported vulnerabilities over time, as well as known versions from the CVE. If these versions match those of your dependency and vulnerabilities have been reported, this is likely the correct match.