Resolve a Matched status with NOT IN NVD and package manager tokens

Matched, NOT IN NVD token, and one of Cargo, NPM, NuGet, or PyPI tokens:

If a dependency component has a Matched status but also has a NOT IN NVD token, it does not have an exact NVD match. We were unable to locate an exact match in the NVD, but your software does exist in the respective package manager. As a result, we cannot identify the vulnerabilities for this dependency component.

Can I still see vulnerabilities if a dependency component is not matched?

If something doesn’t have an exact match in the NVD, that means that there are no known vulnerabilities in the NVD for the dependency component using that particular name. However, sometimes software is named something else in the NVD.

Try to find the matching software in the NVD

To determine whether your dependency component has a different name in the NVD, click Resolve to view possible resolutions. You may find the right match in our possible match suggestions.
Alternatively, you can search the NVD on your own, then create an alias to link that software to your dependency component. This creates an NVD match, which brings forward vulnerabilities. You can keep track of analysis progress by adding review notes so that you and your team understand the current state of a dependency component.
© Copyright MedCrypt 2023, All rights reserved.