Manage component

Overview

The Manage component panel includes information on the product the component is in, the component itself and how it was matched, as well as its lifecycle and license information, and any review details. components table, select Actions ... > Manage component to modify component details.

Product details

• Product name: This is your product name.

• Product version: This is your product version.

Individual component actions

• Manage component: This will display all details for this component in view mode. This will also show how Helm matched the component, as well as any review information from your team. If you edit the component, you'll be prompted to confirm this change. This is because Helm will reload the component and rematch it, which will discard any review information you may have added.

• Add review note: Add a review note, then change the review status to Reviewed. You'll see this updated status in the Review status column, along with a note icon.

• Review history: This will show any analysis notes or review status changes your team has made. You can also add a review note from here.

• Reload component: If a component is in an error state that is not caused by an inaccurate or unsupported version, you can reload it, but you should rarely, if ever, need to do this. This is a backup action in case you run into an error state. Helm will discard any previous information for the component, and attempt to match it to known software.

• Auto-enrich CPEs and PURLs: Helm automatically updates and enriches component identification CPE and PURL data for more precise matching.

• Add missing license information: Automatically enrich components with missing license data from Helm's data sources.

• Create lifecycle rules: Set up automated rules to manage Level of support and EOS/EOL information across products (via Rules manager).

• Click Match status badge: Match status badges in Helm tables are clickable, enabling you to quickly drill down for more information, such as disambiguating a match, fixing a version, contacting us and more.

• Clear next step: For each component, if there is a clear next step you need to take, that will be in the Actions column. If not, you'll just see the actions overflow ... button.

• Delete components: Remove individual components from a product version.

Bulk component actions

• Bulk edit lifecycle and license information across multiple components.

• Create lifecycle rules: Set up automated rules to manage Level of support and EOS/EOL information across products (via Rules manager).

Component details

• Component name: This is the component (dependency) name (e.g., firmware, software, framework, library, file, operating system, etc.) that is installed on the physical representations of your device (e.g., Windows, OpenSSL). This is the component name from your SBOM.

• Version: This is the version for this component name (e.g., 10.1 for Windows) from your SBOM.

• Supplier: This is the organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager (e.g., Microsoft for Windows). This is the component supplier from your SBOM.

• Matched dependency name: During matching, Helm may enrich your component name to increase match accuracy. This field will only display if the name was enriched.

• Matched dependency version: During matching, Helm may enrich your component version to increase match accuracy. This field will only display if the version was enriched.

• Matched dependency supplier: During matching, Helm may enrich your supplier name to increase match accuracy. This field will only display if the supplier was enriched.

• Original CPE: This is the original PURL assigned to this component in your SBOM file. Example format: (e.g., cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other)

• Enriched CPE: This is the PURL that was added or enriched from the respective package manager during the component matching process. This will only display if populated. You cannot edit this.

• Original PURL: This is the original CPE assigned to this component in your SBOM file. Example format: (e.g., scheme:type/namespace/name@version?qualifiers#subpath)

• Enriched PURL: This is the CPE that was added or enriched by our AI copilot during the component matching process. This will only display if populated. You cannot edit this.

Auto-enrichment of CPEs and PURLs

Helm will automatically update and enrich your component's CPE or PURL if we are able to detect or derive a more precise match. You can override this auto-matching if you require exact matches to the CPEs or PURLs you provide.

• Enriched CPE: If Helm's AI copilot locates a match or a more precise match for your component's CPE, it will automatically populate that information into the Enriched CPE field for that component. If you already had a CPE, that is still retained in the Original CPE field.

• Incomplete CPE: Helm will interpret incomplete CPEs (with at least 5 of the possible 13 segments of a CPE), Helm will now fill in missing CPE segments with a wildcard (*).

• Enriched PURL: If Helm's AI copilot locates a match or a more precise match for your component's PURL, it will automatically populate that information into the Enriched PURL field for that component. If you already had a PURL, that is still retained in the Original PURL field.

This information will be included see this information in the components table in now export this enriched info for any FDA reports that include SBOM components, including your enriched SBOM, FDA SBOM, or VDR report.

Match details

This is how Helm matched or attempted to match your component.

• Match status: This shows the current match status, as well as what sources were matched on.

• Vuln source: This is the source where we located this component. This is currently always NVD. If it was not in the NVD, it will show a Not found badge.

• Matched by:

  • System: Helm automatically matched this component based on an exact match in the NVD, which could be from a CPE, PURL package manager, or name/version/supplier.

  • Alias: Helm automatically matched this component based on an alias your team has created.

  • System alias: Helm automatically matched this component based on a global alias we have created.

  • User name: This user manually matched this component to a suggested match or created a new alias to link it to known software.

Lifecycle details

When building a new device, you can ensure that your component is actively maintained or prioritize upgrading to a more stable version. When updating devices in the field, you can prioritize upgrades for components that are nearing end-of-support or end-of-life. This will help you ensure that the stability and security of your device throughout its lifecycle.

This information will also be populated into your FDA SBOM report or SBOM CSV report.

• Level of support: Specify whether the component is actively maintained or not. You can specify a date or text value.

• EOS/EOL: Provide an EOS or EOL date or other text value.

Ensure consistent lifecycle information across portfolio

Create rules to automatically update lifecycle information for particular component criteria across products in the Rules manager.

License details

The License details section displays comprehensive license information for each component. Helm supports ingestion of licensing information from CycloneDX and SPDX SBOMs and enriches this information via partnership integration with Tidelift. Refer to Manage licenses for more information.

License information fields

• License type: This field is populated from the license information in your SBOM and can be one of the following:

• License expression: For components combining multiple SPDX licenses with AND or OR, or using a SPDX license exception

• Individual licenses: If your SBOM component contains multiple SPDX licenses that are not combined with AND or OR (or +) or if your component has custom licenses

• No license (NONE in SPDX): If you are certain that your SBOM component does not have an associated license

• Unknown (NOASSERTION in SPDX): If you are not sure whether your SBOM has an associated license

Automatic license enrichment

For components with "No license" or "Unknown" status, Helm automatically attempts to identify and add license information for open-source components that have unique PURLs, using data from Tidelift partnership integration.

Automatically add missing component license information

Helm will detect and automatically enrich missing licenses for any new SBOM components that do not have any license associated with them. You can also have Helm automatically add license information for your existing components.

1. For any component that you want to enrich with license information, click Actions > Reload component.

2. You'll be prompted to confirm this reload, as it will discard any metadata (e.g., review information, match status, associated vulnerabilities, etc.). This will then re-identify associated vulnerabilities, so you may see some discrepancy in your number of vulnerabilities for that component. This reduces your manual effort of tracking down licensing information, ensuring you have the latest license information available from our data sources.

Review details

This shows the last review added for this component. You can also add your own review or view all review information.

• Review status: Shows whether the component has been reviewed or needs to be reviewed. You can click this badge to set a new status.

• Last reviewed on: Shows the last time a user reviewed this component.

• Last reviewed by: Shows who last reviewed this component.

• Last review: This is the last review note made on this component to inform the team or progress, final status, or critical risk.

Edit individual component

This topic covers managing component details, but all other component actions are available from the Actions column of the components table.

1. On the component you want to edit, click Actions ... > Manage component.

2. Click Edit on the section you would like to edit. Note that you cannot edit the Match details section.

3. If you edit fields in the Component details section, then save your changes, you will be prompted to reload this component. Note that this will assess the component anew, which will lose any previous metadata, including matching, EOS/EOL, licensing, or review information that you have manually added.

4. If you don't see your updated component display, make sure Auto-refresh is on or click Refresh to manually update the page.​​

Delete component

Click Actions > Remove (Delete) component. You will be prompted to confirm, as you cannot recover deleted components. This will only delete this component from this product version.