View dependency component details

You can view details about a dependency component, including how it was matched. In the Software Bill of Materials (Products) page, select Actions ... > View details to view dependency component details.

Dependency detail modal fields

Field name / Description

Dependency name

This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL).

Dependency supplier

This is the organization that supplied the dependency component. The supplier may often be the manufacturer, but may also be a distributor or repackager (e.g., Microsoft for Windows).

Dependency version

This is the version for this dependency name (e.g., 10.1 for Windows).

CPE

This is the CPE we found in your SBOM (e.g., cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other).

PURL

This is the PURL package we found in your SBOM (e.g., scheme:type/namespace/name@version?qualifiers#subpath).

How is dependency matched?

Field name / Description

Supplier

This is the supplier name we matched on for this dependency (e.g., Microsoft for Windows).

Name

This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL).

Version

This is the version we matched on for this dependency name (e.g., 10.1 for Windows).

PURL repository

This is the PURL package we found in your SBOM (e.g., scheme:type/namespace/name@version?qualifiers#subpath).

CPE

This is the CPE we found in your SBOM (e.g., cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other). CPE is considered the strongest match.

Vulnerability source

This is the source where we found this dependency. The source is NVD if we found it in the NVD. If we did not find it in the NVD, it will show a NOT IN NVD token.

Type

This is the type of match:

  • Exact match: This dependency had an exact match in the NVD, which could be from CPE, PURL package manager, or name. Of the exact match types, CPE is considered the strongest match, while Name is the weakest, since it relies only on the Dependency name.

  • Alias match: This dependency was matched to an existing user-specified alias.

  • User: This dependency was manually matched to a suggestion by a user.

Matched on

This shows the sources that we used in making the match. See Match sources for more details.

Matched by

This shows how the dependency was matched:

  • System: We automatically matched this dependency based on an exact match in the NVD, which could be from CPE, PURL package manager, name, or alias. Check the Matched on field and hover over matching tokens for more information.

  • User name: This user manually matched this dependency to a suggestion.

This shows whether our system made the match or whether a particular user on your account made the match. If it is a user, the user could have either created an alias for the match or could have selected a possible match we provided.
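As an added example (not MedCrypt's code), the following Python helper splits the CPE 2.3 and PURL identifier formats shown in the tables above into their named fields and applies the match precedence the Type field describes (CPE strongest, then PURL, then name). The catalog it matches against is a constructed stand-in for the NVD lookup, and the escaped-colon handling and percent-decoding follow the public CPE 2.3 and PURL specifications rather than anything stated on this page.

```python
import re
from urllib.parse import parse_qsl, unquote
# CPE 2.3 attribute names in the order the formatted string lists them after "cpe:2.3".
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into named attributes ("\\:" is an escaped colon)."""
    fields = re.split(r"(?<!\\):", cpe)                 # split only on unescaped colons
    if fields[:2] != ["cpe", "2.3"] or len(fields) != 13:
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return dict(zip(CPE23_FIELDS, fields[2:]))

def parse_purl(purl):
    """Split scheme:type/namespace/name@version?qualifiers#subpath into a dict."""
    scheme, sep, rest = purl.partition(":")
    rest, _, subpath = rest.partition("#")
    rest, _, query = rest.partition("?")
    path, at, version = rest.rpartition("@")            # '@' inside names is percent-encoded
    if not at: path, version = version, ""              # no '@' at all: everything was the path
    segs = [unquote(s) for s in path.strip("/").split("/") if s]
    if not sep or len(segs) < 2:                        # need at least a type and a name
        raise ValueError("not a PURL: %r" % purl)
    return {"scheme": scheme, "type": segs[0], "namespace": "/".join(segs[1:-1]),
            "name": segs[-1], "version": version,
            "qualifiers": dict(parse_qsl(query)), "subpath": subpath}

# Exact-match precedence described on the page (CPE > PURL > Name), and a constructed
# sample catalog standing in for the NVD lookup; these are not real NVD records.
MATCH_STRENGTH = {"CPE": 3, "PURL": 2, "Name": 1}
SAMPLE_CATALOG = [
    {"name": "openssl", "cpe": "cpe:2.3:a:openssl:openssl:3.0.0:*:*:*:*:*:*:*"},
    {"name": "examplelib", "purl": "pkg:pypi/examplelib@1.2.3"},
]

def strongest_match(component, catalog=SAMPLE_CATALOG):
    """Return (match_type, catalog_entry) for the strongest exact match, or None."""
    best = None
    for entry in catalog:
        if component.get("cpe") and entry.get("cpe") == component["cpe"]:
            kind = "CPE"
        elif component.get("purl") and entry.get("purl") == component["purl"]:
            kind = "PURL"
        elif component.get("name") and component["name"].lower() == entry.get("name", "").lower():
            kind = "Name"
        else:
            continue
        if best is None or MATCH_STRENGTH[kind] > MATCH_STRENGTH[best[0]]:
            best = (kind, entry)
    return best
```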

Review details

Column name / Description

DETAILS

Dependency name

This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL).

Dependency supplier

This is the organization that supplied the dependency component. The supplier may often be the manufacturer, but may also be a distributor or repackager (e.g., Microsoft for Windows).

Dependency version

This is the version for this dependency name (e.g., 10.1 for Windows).

CPE

This is the CPE we found in your SBOM (e.g., cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other).

PURL

This is the PURL package we found in your SBOM (e.g., scheme:type/namespace/name@version?qualifiers#subpath).

HOW IS DEPENDENCY MATCHED?

Supplier

This is the supplier name we matched on for this dependency (e.g., Microsoft for Windows).

Name

This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL).

Version

This is the version we matched on for this dependency name (e.g., 10.1 for Windows).

PURL repository

This is the PURL package we found in your SBOM (e.g., scheme:type/namespace/name@version?qualifiers#subpath).

CPE

This is the CPE we found in your SBOM (e.g., cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other). CPE is considered the strongest match.

Vulnerability source

This is the source where we found this dependency. The source is NVD if we found it in the NVD. If we did not find it in the NVD, it will show a NOT IN NVD token.

Type

This is the type of match:

  • Exact match: This dependency had an exact match in the NVD, which could be from CPE, PURL package manager, or name. Of the exact match types, CPE is considered the strongest match, while Name is the weakest, since it relies only on the Dependency name.

  • Alias match: This dependency was matched to an existing user-specified alias.

  • User: This dependency was manually matched to a suggestion by a user.

Matched on

This shows the sources that we used in making the match. See Match sources for more details.

Matched by

This shows how the dependency was matched:

  • System: We automatically matched this dependency based on an exact match in the NVD, which could be from CPE, PURL package manager, name, or alias. Check the Matched on field and hover over matching tokens for more information.

  • User name: This user manually matched this dependency to a suggestion.

This shows whether our system made the match or whether a particular user on your account made the match. If it is a user, the user could have either created an alias for the match or could have selected a possible match we provided.

REVIEW DETAILS

Review status

This shows whether the dependency has been reviewed.

Last reviewed on

This shows the last date the dependency was reviewed.

Last reviewed by

This shows which user last reviewed this dependency.

Last review note

This is the last review note that the last reviewer left on this dependency, to inform the team of progress, final status, or critical risk.

Last updated

© Copyright MedCrypt 2023, All rights reserved.