View dependency component details

You can view details about a dependency component, including how it was matched. On the Software Bill of Materials (Products) page, select Actions ... > View details to open the dependency component details.

Dependency detail modal fields

Dependency name: What other systems may call a component. It is the firmware, software, patch, or operating system installed on the physical representations of your device (e.g., Windows, OpenSSL).
Dependency supplier: The organization that supplied the dependency component. The supplier is often the manufacturer, but may also be a distributor or repackager (e.g., Microsoft for Windows).
Dependency version: The version of this dependency name (e.g., 10.1 for Windows).
CPE: The CPE 2.3 string we found in your SBOM. Its fields, in order, are cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other.
PURL: The package URL (PURL) we found in your SBOM. Its form is scheme:type/namespace/name@version?qualifiers#subpath, where the scheme is always pkg.

How is dependency matched?

Supplier: The supplier name we matched on for this dependency (e.g., Microsoft for Windows).
Name: The dependency name we matched on. It is what other systems may call a component: the firmware, software, patch, or operating system installed on the physical representations of your device (e.g., Windows, OpenSSL).
Version: The version we matched on for this dependency name (e.g., 10.1 for Windows).
PURL repository: The PURL package we found in your SBOM (form: scheme:type/namespace/name@version?qualifiers#subpath).
CPE: The CPE we found in your SBOM (form: cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other). CPE is considered the strongest match.
Vulnerability source: Where we found this dependency. The source is NVD if we found it in the NVD. If we did not find it in the NVD, the field shows a NOT IN NVD token.
Type: The type of match:
  • Exact match: This dependency had an exact match in the NVD, from its CPE, its PURL package manager, or its name. Of the exact match sources, CPE is considered the strongest and Name the weakest, because Name goes off the Dependency name alone.
  • Alias match: This dependency was matched through an existing user-specified alias.
  • User: A user manually matched this dependency to one of our suggestions.
Matched on: The sources we used in making the match. See Match sources for more details.
Matched by: Who made the match:
  • System: We automatically matched this dependency on an exact match in the NVD (from CPE, PURL package manager, or name) or on a user-specified alias. Check the Matched on field and hover over the matching tokens for more information.
  • User name: The named user manually matched this dependency to a suggestion.
  In short, this field shows whether our system made the match or a particular user on your account did. For a user match, the user either created an alias for the dependency or selected a possible match we suggested.
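The CPE and PURL fields above are structured identifiers, and the Type and Matched by fields depend on which of them produced a hit. The following script is an added example, not MedCrypt's code and not a description of its matching engine: it parses CPE 2.3 strings (honouring backslash escapes) and package URLs from a constructed CycloneDX SBOM, looks each component up in a small constructed index that stands in for the NVD, and orders the hits with the precedence the page states (CPE strongest, then PURL, then Name), reporting NOT IN NVD when nothing matches. The index contents, the sample SBOM, and the helper names are all assumptions made for the example.

```python
"""Added example (not MedCrypt's code): parse CPE 2.3 and PURL identifiers from
CycloneDX components and rank matches as CPE > PURL > Name, or report NOT IN NVD."""
import json
from dataclasses import dataclass, field
from urllib.parse import unquote

CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named components.
    A backslash escapes the next character, so an escaped colon inside a
    field value must not be treated as a separator."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    body, fields, cur, i = cpe[len("cpe:2.3:"):], [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):        # escaped character: keep literally
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    if len(fields) != len(CPE23_FIELDS):
        raise ValueError(f"expected 11 components, got {len(fields)}: {cpe!r}")
    return dict(zip(CPE23_FIELDS, fields))


def parse_purl(purl: str) -> dict:
    """Decompose pkg:type/namespace/name@version?qualifiers#subpath in the order the
    purl spec prescribes (subpath, qualifiers, scheme, type, version, namespace/name),
    so colons and slashes inside qualifiers cannot confuse the earlier splits."""
    rest, subpath = purl, None
    if "#" in rest:
        rest, subpath = rest.split("#", 1)
    qualifiers = {}
    if "?" in rest:
        rest, qs = rest.split("?", 1)
        for pair in filter(None, qs.split("&")):
            key, _, value = pair.partition("=")
            qualifiers[key.lower()] = unquote(value)
    scheme, _, rest = rest.partition(":")
    if scheme != "pkg":
        raise ValueError(f"purl must use the pkg scheme: {purl!r}")
    ptype, sep, rest = rest.strip("/").partition("/")
    if not sep:
        raise ValueError(f"purl has no name: {purl!r}")
    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)     # version is everything after the last '@'
        version = unquote(version)
    namespace, _, name = rest.rpartition("/")
    return {"type": ptype.lower(), "namespace": unquote(namespace) or None,
            "name": unquote(name), "version": version,
            "qualifiers": qualifiers, "subpath": subpath}


def cpe_key(cpe: str) -> tuple:
    c = parse_cpe23(cpe)
    return (c["part"], c["vendor"], c["product"], c["version"])


def purl_key(purl: str) -> tuple:
    p = parse_purl(purl)                         # qualifiers/subpath do not identify the package
    return (p["type"], p["namespace"], p["name"], p["version"])


# Constructed stand-in for an NVD lookup: one tiny local index per match source.
KNOWN_CPES = {cpe_key("cpe:2.3:a:openssl:openssl:3.0.7:*:*:*:*:*:*:*")}
KNOWN_PURLS = {purl_key("pkg:generic/openssl@3.0.7"), purl_key("pkg:npm/lodash@4.17.21")}
KNOWN_NAMES = {("openssl", "openssl", "3.0.7"), ("microsoft", "windows", "10.0")}  # (supplier, name, version)
STRENGTH = {"CPE": 3, "PURL": 2, "Name": 1}      # the page's ordering of exact-match sources


@dataclass
class MatchResult:
    dependency: str
    vulnerability_source: str                    # "NVD" or "NOT IN NVD"
    matched_on: list = field(default_factory=list)  # strongest source first


def match_component(comp: dict) -> MatchResult:
    """Try every match source the component carries and order the hits by strength."""
    hits = []
    if comp.get("cpe") and cpe_key(comp["cpe"]) in KNOWN_CPES:
        hits.append("CPE")
    if comp.get("purl") and purl_key(comp["purl"]) in KNOWN_PURLS:
        hits.append("PURL")
    supplier = comp.get("supplier", {}).get("name", "")
    if (supplier.lower(), comp.get("name", "").lower(), comp.get("version", "")) in KNOWN_NAMES:
        hits.append("Name")
    hits.sort(key=STRENGTH.__getitem__, reverse=True)
    return MatchResult(comp["name"], "NVD" if hits else "NOT IN NVD", hits)


def match_sbom(sbom_json: str) -> dict:
    """Map each component name of a CycloneDX JSON SBOM to its MatchResult (names assumed unique)."""
    return {c["name"]: match_component(c) for c in json.loads(sbom_json).get("components", [])}


# Constructed CycloneDX SBOM fragment used as sample input.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7", "supplier": {"name": "OpenSSL"},
     "cpe": "cpe:2.3:a:openssl:openssl:3.0.7:*:*:*:*:*:*:*",
     "purl": "pkg:generic/openssl@3.0.7?download_url=https://www.openssl.org/source/openssl-3.0.7.tar.gz"},
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "operating-system", "name": "Windows", "version": "10.0", "supplier": {"name": "Microsoft"}},
    {"type": "library", "name": "acme-internal-lib", "version": "0.1.0"}
  ]
}"""

if __name__ == "__main__":
    for name, r in match_sbom(SAMPLE_SBOM).items():
        print(f"{name:18} {r.vulnerability_source:11} matched on: {', '.join(r.matched_on) or '-'}")
```

Run as-is it prints one line per component: openssl matched on CPE, PURL and Name; lodash on PURL only; Windows on Name only; the internal library NOT IN NVD. Comparing parsed keys rather than raw strings is deliberate: a PURL with an extra download_url qualifier still matches the same package, and a CPE with a backslash-escaped colon in its product name is not mis-split into twelve fields.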

Review details

The Review details view has three column groups. The DETAILS and HOW IS DEPENDENCY MATCHED? groups contain the same columns, with the same meanings, as the dependency detail modal fields described above. The REVIEW DETAILS group adds the following columns:
Review status: Whether the dependency has been reviewed.
Last reviewed on: The date on which the dependency was last reviewed.
Last reviewed by: The user who last reviewed this dependency.
Last review note: The most recent note left by the last reviewer on this dependency, intended to inform the team of progress, final status, or critical risk.
© Copyright MedCrypt 2023, All rights reserved.