Resolve a Matched status with NOT IN NVD and package manager tokens
If a dependency component has a Matched status but also has a NOT IN NVD token, it does not have an exact NVD match. Your software does exist in the respective package manager, but we were unable to locate an exact match in the NVD, so we cannot identify the vulnerabilities for this dependency component.
If a component doesn’t have an exact match in the NVD, there are no known vulnerabilities in the NVD for the dependency component under that particular name. However, software is sometimes listed under a different name in the NVD.
To determine whether your dependency component has a different name in the NVD, click Resolve to view possible resolutions. You may find the right match in our possible match suggestions.
Alternatively, you can search the NVD on your own, then create an alias to link that software to your dependency component. The alias creates an NVD match, which brings forward the vulnerabilities recorded under that name. You can keep track of analysis progress by adding review notes to make sure you and your team understand the current state of a dependency component.
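The naming gap behind a NOT IN NVD token, shown as an added example (this is not the product's own matching logic): a small ranker that compares a package manager name against NVD-style CPE vendor:product pairs to shortlist alias candidates for manual review. The CPE list, the noise-word set, the scoring and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of CPE 2.3 strings; only vendor and product are used.
SAMPLE_CPES = [
    "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:digitalbazaar:forge:0.9.0:*:*:*:*:node.js:*:*",
    "cpe:2.3:a:pyyaml:pyyaml:5.3:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:commons_text:1.9:*:*:*:*:*:*:*",
]

# Ecosystem filler that rarely appears in NVD product names (assumed list).
NOISE = {"org", "com", "net", "io", "node", "js", "core"}


def tokens(name):
    """Lower-case, split on any non-alphanumeric separator, drop filler words."""
    return {t for t in re.split(r"[^a-z0-9]+", name.lower()) if t and t not in NOISE}


def cpe_vendor_product(cpe):
    """Return (vendor, product). Naive split: the sample has no escaped colons."""
    parts = cpe.split(":")
    return parts[3], parts[4]


def suggest_aliases(package_name, cpes=SAMPLE_CPES, threshold=0.3):
    """Rank vendor:product pairs by how well the package name covers the product."""
    pkg = tokens(package_name)
    scored = []
    for cpe in cpes:
        vendor, product = cpe_vendor_product(cpe)
        prod = tokens(product)
        if not pkg or not prod:
            continue
        # Share of the CPE product tokens that also occur in the package name.
        coverage = len(pkg & prod) / len(prod)
        if coverage < threshold:
            continue
        # A matching vendor token (e.g. "apache") breaks ties between products.
        bonus = 0.25 if tokens(vendor) & pkg else 0.0
        scored.append((coverage + bonus, f"{vendor}:{product}"))
    return [name for _, name in sorted(scored, key=lambda s: (-s[0], s[1]))]


if __name__ == "__main__":
    for pkg in ("org.apache.logging.log4j:log4j-core", "node-forge", "left-pad"):
        print(pkg, "->", suggest_aliases(pkg))
```

An empty result means no candidate name was found in the sample; a non-empty result is only a shortlist, and the alias should be confirmed against the NVD entry before it is created.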
Last modified 1mo ago