Resolve a Multiple matches status
To view vulnerabilities for your dependency components, you'll need to resolve any Match status of Multiple matches or Not found. Multiple matches means that your software dependency/version/supplier combo has not been automatically matched to an existing software dependency/version/supplier combo, because there were several strong matches. To resolve this, you can assess the multiple matches we provide, create an alias for this dependency, or add review notes:
1. Click Resolve in the Actions column. This will display the Resolution options modal.
2. Click the View suggestions button in the Multiple matches box. This will display the Multiple matches modal.
3. In the Multiple matches modal, you can assess the likelihood of an option being the correct match from the supplier, name, sample versions, sources used to determine a possible match, and the type of match. Sample versions show the versions that were extracted from the CVE vulnerability. Matched on shows the sources that were used, which could include Alias, Name, CPE, or a PURL match (the Cargo, NPM, NuGet, or PyPI package manager token will be displayed). These match sources are explained in more detail in the Match sources section below.
4. If you need more information, click the details icon to view more versions, as well as reported vulnerabilities over time. In this Match details modal, you can view known versions of this dependency component. If the versions match your dependency and there is a trend of reported vulnerabilities, that is considered a strong match.
5. If you don't feel that one of these stronger matches applies, you can check the NVD to see if there is a strong match to your software dependency/version/supplier combo. Once you feel confident, you can create an alias that will link this new match to your existing software dependency going forward. This means that the next time you or anyone on your account uploads an SBOM that contains this software dependency/version/supplier combo, it will automatically be linked using this alias.
6. You can also add review notes to ensure that your team is informed of the progress in assessing this issue, to let someone else know that they need to look into it further, or to highlight an especially critical risk with this software dependency.
Make sure to create aliases for any manual matches!
If anyone on your account has selected one of our suggested possible matches, these will not be automatically matched when you upload your exported SBOM file, and neither will any review notes. To make sure that these are automatically matched, you will need to go into any dependency components with a Matched status that have a User token, then click Resolve to display the Resolution options modal. From there, you'll need to create a permanent alias.
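As an added illustration (not the product's own code), the resolution steps above and the alias note are modelled in Python: a dependency/version/supplier combo is matched against a catalog on PURL, CPE and Name, more than one hit yields a Multiple matches status, and a saved alias makes the same combo resolve as Matched on Alias on the next upload. The catalog entries, PURL/CPE values and the simplified rule that any single source hit counts as a match are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Dependency:        # one dependency/version/supplier combo read from an SBOM
    supplier: str
    name: str
    version: str
    cpe: str = ""        # empty string means the SBOM row carried no CPE
    purl: str = ""       # empty string means the SBOM row carried no PURL

@dataclass(frozen=True)
class KnownComponent:    # a catalog entry that CVE data is attached to
    supplier: str
    name: str
    cpes: frozenset = frozenset()
    purls: frozenset = frozenset()

def match_sources(dep, known):
    # Sources the catalog entry matched on; an Alias hit is handled in resolve()
    checks = [("PURL", dep.purl in known.purls), ("CPE", dep.cpe in known.cpes),
              ("Name", dep.name.lower() == known.name.lower())]
    return [label for label, hit in checks if hit]

def resolve(dep, catalog, aliases):
    # Returns (status, [(entry, sources)]); a saved alias is checked before anything else
    key = (dep.supplier, dep.name, dep.version)
    if key in aliases:
        return "Matched", [(aliases[key], ["Alias"])]
    hits = [(k, s) for k in catalog if (s := match_sources(dep, k))]
    if not hits:
        return "Not found", []
    return ("Multiple matches" if len(hits) > 1 else "Matched"), hits

def create_alias(dep, chosen, aliases):
    # Records the reviewer's choice so later uploads of this combo auto-match on Alias
    aliases[(dep.supplier, dep.name, dep.version)] = chosen

# Constructed sample catalog: two suppliers ship a component named "parser"
CATALOG = [
    KnownComponent("alpha-org", "parser", purls=frozenset({"pkg:npm/parser@2.1.0"})),
    KnownComponent("beta-labs", "parser", cpes=frozenset({"cpe:2.3:a:beta-labs:parser:2.1.0:*:*:*:*:*:*:*"})),
]

def review_flow():
    # First upload: two Name hits -> Multiple matches; after the alias -> Matched on Alias
    aliases, dep = {}, Dependency("unknown-vendor", "parser", "2.1.0")
    before = resolve(dep, CATALOG, aliases)[0]
    create_alias(dep, CATALOG[1], aliases)   # reviewer picked the beta-labs entry
    status, hits = resolve(dep, CATALOG, aliases)
    return before, status, hits[0][1]
```

Without the alias, the second upload in `review_flow()` would again land in Multiple matches, which is the situation the note above warns about.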