Manage your SBOM

After uploading your SBOM file or manually creating your SBOM, you can manage your SBOM for each product and version in your software supply chain.

Once you've created your SBOM, we'll match your software against the National Vulnerability Database (NVD), supported Package URLs (PURL) package managers, and CPE strings. In the Match status column, you will see various matching statuses, along with the corresponding match sources.

Add and manage your SBOM

Click the Add SBOM/Manage SBOMs drop-down button to upload your first SBOM and manage your SBOMs.

1. Select your product and version.


Product name

This is the product that contains all of the dependency components from that product’s SBOM.


This is the product version.

2. Select your product and version.

Add SBOM/Manage SBOM actions

Where did the Add SBOM button go?

If you've already uploaded one SBOM, this button changes to Manage SBOMs, providing you with additional actions, including the ability to check SBOM file upload status.


Upload SBOM

This will prompt you to upload an SBOM in CycloneDX or SPDX format. Note: If you have an SBOM in another format, send it to us so that we can convert it for you. If you don’t have an SBOM, contact us so we can get you started.

Add dependency

This will prompt you to add a new dependency.

View upload status

This displays the SBOMs that have been uploaded for your products and versions. You can view the file name, file ID, when it was uploaded and by whom, the number of entries processed, and the status.

If a file has uploaded successfully, you can see the number of dependency components processed from the SBOM.

If a file has not uploaded successfully, you will see a red x icon next to the Failed to upload status. For these files, you will see an info icon to get more information on resolving the error.

Export SBOM

This will automatically download a JSON version of your SBOM. This includes any dependency components that you added manually or modifications that you made to existing dependencies. You can also export associated vulnerabilities. Refer to Export your SBOM for more information.

View dependency components in your SBOM

Make sure you've selected a product and version so that you can see that version's dependency components.

Column nameDescription

Dependency name

This is the name of this dependency component.


This is the supplier of this dependency component. Note: If you uploaded a SPDX SBOM that had supplier set to NOASSERTION, it will be treated as undefined and will not show a supplier.


This is the version for this dependency component.

See a warning icon next to your version? Refer to Get a warning icon next to your dependency component version for more information.


COMING SOON!: This is the type of dependency component, such as Application or Library, that may have been uploaded in your SBOM. If you created your SBOM manually or your SBOM did not include the type, this will be blank.

Match status

There are three statuses:

  • Matched: Entries are either automatically matched to the NVD (which could be from CPE, PURL package manager, name, or alias) or manually matched to a suggestion by a user. Hover over the matching tokens for more information.

IMPORTANT: If you have a Matched status that is accompanied by a NOT IN NVD token, this has not been matched in the NVD, thus will not bring forth your vulnerabilities. See the Resolve a Matched status that has a NOT IN NVD token.

  • Multiple matches: We found one or more exact matches in our sources, as indicated by the matching tokens. See the Resolve a Multiple matches status section for more information.

  • Not found: We were unable to find this in the NVD. When you see this status, you will always see a NOT IN NVD token. The token indicates that we were unable to find a match in the NVD, which encompasses all of the other sources (PURL package managers, aliases, CPE, names). See the Resolve a Not found status section for more information.


The Actions column displays a … (ellipses) button, which you can click to get to the available actions:

  • Dependency details: This will display the details about this dependency component, including how we attempted to match it, the last review note.

  • Review history: This will show any analysis notes or review status changes someone on your team has made. You can also add a note from here. If you change the Status, that updated status will display in the Review status column of your SBOM page.

  • Modify: If you have appropriate permissions, you can modify existing dependency components, including Supplier, Product name, Version, PURL, and CPE. After you’ve made any modifications, we’ll rescan it to make sure that the Match status is accurate and that any vulnerabilities are updated accordingly.

  • Rescan: If you have appropriate permissions, you can rescan a particular dependency component, but you should rarely, if ever, need to do this. This is a backup action in case you run into an error state.

  • Remove: If you have appropriate permissions, you can remove a particular dependency component. To avoid accidentally removing something that you wanted to keep, you’ll then be prompted to confirm this action.

Filter your SBOM

You can also filter to get to exactly the dependency components you want to focus on.

Filter nameDescription

Any match status

This displays the dependency’s current Match status. There are four options:

  • Any Match status: Displays all dependencies, regardless of match status.

  • Matched: This software dependency/version/supplier combo has been matched to a known software dependency/version/supplier, thus enabling you to accurately assess risk in the Vulnerabilities page.

  • Multiple matches: There are several exact matches that we found. You should assess which one best fits your dependency. See the Resolve a Multiple matches status section for more information.

  • Not found: When you see this status, you will always see a NOT IN NVD token. The token indicates that we were unable to find a match in the NVD, while the status indicates that we were not able to find a match in any other sources (PURL package managers, aliases, CPE, names). See the Resolve a Not found status section for more information.

All sources

There are several sources that we consult. If there is a match via one or more sources, you will see a token indicator with the source name next to the NVD status for that dependency.


  • Alias: A user on this account created an alias that was used to make this exact match.

  • Cargo, NPM, Nuget, PyPI: There was an exact match in one of these supported package managers

  • CPE: There was an exact match with a CPE string in a package URL (PURL).

  • Exact: This dependency had an exact match in the NVD, which could include a PURL string (Cargo, NPM, Nuget, or Pypi package manager), CPE string, or name match. Of the exact match types, CPE is considered the strongest match, while Name is the weakest, as it goes off the Dependency name.

  • NVD: There was an exact match for this dependency/version/supplier combo in the National Vulnerability Database (NVD).

  • NOT IN NVD: We did not find this dependency in the NVD. This could be because the NVD uses a different name for this dependency, so you should check the NVD to see if there is a good match.

  • User: This dependency was manually matched by a user to one of the possible matches that we suggested.

Last updated

© Copyright MedCrypt 2023, All rights reserved.