Create and manage alias rules to match and rematch components across all products
Overview
To view vulnerabilities for a particular component, each component must be matched to known software in the NVD. Administrators can create alias rules to find known software matches for components that are unmatched, mismatched, or have multiple matches. Alias rules will not override components that were manually matched by users.
The alias rules manager enables you to set robust matching conditions for aliases, simplifying the known software search process and bringing forward more information to help you select the correct known software match.
Benefits of alias rules manager
Centralized rule management: Manage both alias rules and EOS/EOL lifecycle rules from a single location
Enhanced matching capabilities: Create conditions using Component name, Supplier, CPE, PURL, and Version information
Improved transparency: View detailed information about potential matches including vulnerability counts, known versions, CPEs, PURLs, and references
Impact visibility: See the number of affected products, versions, and components before making changes
Conflict handling: System detects potential rule conflicts
Automatic application: Rules are automatically applied to both existing and future SBOMs
Understanding the impact of alias rules
When alias rules are applied, they affect:
Existing SBOMs: All matching components in previously uploaded SBOMs will have the alias rule applied
Future SBOMs: Any new uploads with matching components will automatically have the rule applied
Match status: Components will change from unmatched statuses to "Matched" with an "ALIAS" badge
Vulnerability data: If the known software has vulnerabilities in the NVD, these will now be associated with your components
Reporting: Components matched via alias rules will appear in vulnerability reports with their assigned matches
Override hierarchy: Manual matches always take precedence over alias rules
When you edit or delete an alias rule:
Components previously matched by that rule will return to their previous unmatched status
Any vulnerability data associated through that match will no longer be linked to the component
You'll need to create a new alias rule or manually match affected components to restore vulnerability data
View aliased matches
To view aliases, click the Rules item in the sidebar. If you have appropriate permissions, you will see existing alias rules in the Alias rules tab.
For all components that have been matched with an alias, you'll see a Matched status with an ALIAS badge in the Match status column of the Products page.
Add an alias rule
To resolve Select match, Not found, and other match statuses, Administrators can create alias rules directly from the unknown component or from the Rules item in the sidebar.
Create an alias rule from Rules manager
When creating an alias rule from the Rules manager, you’ll need to specify the component matching conditions under which the alias rule will be applied.
Click the Rules item in the sidebar. This will display the Rules page, where you can manage alias and lifecycle rules.
Click the Add alias rule button in the Alias rules tab. This will display the Create alias rule wizard.
In the first step, specify the conditions for which you want this alias rule to be automatically applied. You can add one condition for each metadata field. The exception is version, for which you can either specify an exact match with one condition, or create a version range limiting versions by using an "is less than" and an "is more than" condition. If there is an existing alias rule that exactly matches your criteria, you'll be prompted to discard this pending edit or change the criteria.
In the second step, specify the known component name and/or supplier, then click Search known software.
If you know which software you are looking for, click the option button next to that software, then click Create alias rule.
If you're not certain which software is the best match, click the option button to review the details for that known software component, including any vulnerability information, associated CPEs and PURLs, and references. Once you've identified and selected the correct match, click Create alias rule.
The new alias rule will display at the bottom of your rule list. If you want this rule to have higher priority, you can drag-and-drop it higher in the rules list.
The Match status for components that match these criteria will be updated to Matched with an ALIAS badge. This may take a while, since Helm is running this new alias rule against all of your SBOMs and evaluating it against all existing alias rules. If the known software is in the NVD or is in a package manager that has known vulnerabilities, it will be updated with these associated vulnerabilities.
Create an alias rule from component
When creating an alias rule from a component on the Products page, the component matching conditions will be automatically populated, which you can modify as necessary.
Click Products in the sidebar. This will display the Products page, which is a list of all components in this SBOM.
For any non-matched component status, click the badge in the Match status column or the primary button in the Actions column. Alternatively, you can select View match suggestions from the ... actions overflow button. This will display the Select match suggestions panel.
If you want to change the component matching conditions, you can do so in step 1, then click Continue to update the possible matches in step 2. If there is an existing alias rule that exactly matches your criteria, you'll be prompted to discard this pending edit or change the criteria.
In the Component name field, enter at least three characters to start filtering down the list. All condition rules must be alphanumeric. Enter any other information you have for the component, then click Continue. If there is an existing alias rule that exactly matches your criteria, you'll be prompted to keep the existing rule or replace it with the new rule.
In the next section, enter the known software component name and/or supplier, then click Search known software to return potential matches.
If you know which software you are looking for, click the option button next to that software, then click Create alias rule.
If you're not certain which software is the best match, click the option button to review the details for that known software component, including any vulnerability information, associated CPEs and PURLs, and references. Once you've identified and selected the correct match, click Create alias rule.
The new alias rule will display at the bottom of your rule list. If you want this rule to have higher priority, you can drag-and-drop it higher in the rules list.
The Match status for this component and all components that match these criteria will be updated to Matched with an ALIAS badge. Updating all of the components may take a while, since Helm is running this new alias rule against all of your SBOMs and evaluating it against all existing alias rules. If the known software is in the NVD or is in a package manager that has known vulnerabilities, it will be updated with these associated vulnerabilities.
Rule naming conventions
Rules are named according to the criteria specified for them, for example: [Supplier name]/[Component name]/[Version]. For version ranges, the name will reflect the conditions specified in the following format: [Supplier name]/[Component name] [less than 10.1], such as Google Chrome less than 10.1. You cannot currently edit rule names. If this is important to you, let us know.
Edit alias rule
If you need to edit an alias rule, note that any changes will be applied to both existing and future SBOMs.
Click the Rules item in the sidebar.
Click the Alias rules tab.
In the Alias rules tab, click Edit on any rule you want to modify. This will display the Manage alias rule wizard, which shows the current component matching conditions and the selected known software match.
If you want to change the component matching conditions, you can do so in step 1, then click Continue to update the possible matches in step 2. If there is an existing alias rule that exactly matches your criteria, you'll be prompted to discard this pending edit or change the criteria.
In the second step, you will see the currently selected match, as well as other possible matches based on that search criteria. In the details section for the selected match, you'll see several tabs to help you understand the impact of the existing rule across your portfolio, known vulnerabilities, known CPEs and PURLs, as well as additional references.
If you want to change the match criteria, enter part or all of the known software you are looking for, then click Search known software.
If you change matching conditions or the selected known match, you will not be able to see the impact of this change until you apply it, then go back in to edit the rule.
Click Save & apply changes. You'll see a success notification when the change has been applied. Editing a rule will not change its current position in the list, so drag-and-drop it higher or lower to change its priority.
Set priority order of alias rules
Alias rules are applied according to their position on the rules list.
Drag-and-drop them higher to increase their priority or lower to decrease their priority.
If you have only reprioritized rule order, but haven't marked any rules for deletion, click Save & apply changes. This will apply the reprioritizations.
If you've marked rules for deletion in addition to reprioritizing rules, this button will be Review changes to give you an opportunity to view the impact of these pending deletions before confirming these changes.
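The effect of list position on matching can be modelled with a short script. This is an added illustration, not Helm's implementation: it assumes first-match-wins evaluation in list order and dotted numeric versions, and the rule fields, component records and vendor names are constructed for the example.

```python
from dataclasses import dataclass

def vtuple(v):
    """Parse a dotted numeric version such as '10.1' into (10, 1)."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class AliasRule:
    target: str             # known software the rule maps to (constructed names)
    name: str = None        # component name condition
    supplier: str = None    # supplier condition
    version: str = None     # exact-version condition
    less_than: str = None   # version range: "is less than"
    more_than: str = None   # version range: "is more than"

    def matches(self, c):
        v = vtuple(c["version"])
        if self.name and c["name"].lower() != self.name.lower():
            return False
        if self.supplier and c.get("supplier", "").lower() != self.supplier.lower():
            return False
        if self.version and v != vtuple(self.version):
            return False
        if self.less_than and not v < vtuple(self.less_than):
            return False
        if self.more_than and not v > vtuple(self.more_than):
            return False
        return True

def resolve(component, rules):
    """Manual matches always win; otherwise the first matching rule in list order."""
    if component.get("manual_match"):
        return component["manual_match"], "MANUAL"
    for rule in rules:
        if rule.matches(component):
            return rule.target, "ALIAS"
    return None, None

def shadowed(rules, components):
    """Targets of rules that match some component but never win at their position."""
    auto = [c for c in components if not c.get("manual_match")]
    winners = {resolve(c, rules)[0] for c in auto}
    return [r.target for r in rules
            if r.target not in winners and any(r.matches(c) for c in auto)]

# Constructed sample data: one general rule, one version-range rule, three components.
GENERAL = AliasRule(target="vendor-a:libfoo", name="libfoo")
LEGACY = AliasRule(target="vendor-b:libfoo-legacy", name="libfoo", less_than="10.1")
COMPONENTS = [{"name": "libfoo", "version": "9.4"}, {"name": "libfoo", "version": "11.0"},
              {"name": "libfoo", "version": "9.4", "manual_match": "vendor-c:libfoo-fork"}]
```

With the general rule listed first, the 9.4 component inherits the general target's vulnerability data and the version-range rule never applies; placing the version-range rule higher resolves both components as intended.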
Delete alias rule
If you find that your team has added an incorrect alias rule, you can easily remove it if you are an Administrator.
Click the Rules item in the sidebar.
Click the Alias rules tab.
Click Mark for deletion on the alias rules you want to delete.
If you need to change priority of any rules as a result of these impending deletions, drag-and-drop the respective rules higher or lower in the list.
Click the Review changes button.
This will display a confirmation panel showing the impact of your potential deletions across your portfolio. If you have multiple pending deletions, click Continue to move to the next one. You can also click Save & apply changes if you don’t need to examine your deletion impacts. You can't currently change this impact. Let us know if this is something that you need!
After making your changes, click the global Save & apply changes button at the bottom of the alias rules list. The rule will no longer be associated with existing SBOMs and will not be applied to future ones.
Troubleshooting and best practices
Rule naming: You cannot currently edit rule names. They are automatically generated based on conditions.
Rule conflicts: When creating rules with similar conditions, ensure they don't unintentionally overlap. The system will warn about exact duplicates.
Session persistence: Always save your changes before navigating away, as unsaved changes will be lost.
Rule prioritization: Place more specific rules higher in the list, as they take precedence over more general rules.
Performance considerations:
Creating many rules with complex conditions may increase processing time
Large-scale rule changes may take time to propagate across all SBOMs
Verification: After applying rules, check a sample of components to verify the rules are working as expected.
Maintenance: Periodically review your alias rules to ensure they still reflect your current software matching needs.
Alias permissions
Administrator: Users with an Administrator role can view and edit all products, as well as create aliases and use existing aliases to link software in their SBOMs to known software in the NVD.
User with edit permissions for a product: Users who have edit permissions for a particular product, but are not Administrators, will be able to view and use existing aliases for that product to link software in their SBOM to known software in the NVD, but will not be able to create aliases unless they have an Administrator role.
User with read-only permissions for a product: These users will be able to view aliases for that product, but will not be able to use these aliases to link software.