Match unmatched components
Overview
After uploading your SBOM (Software Bill of Materials) or manually adding a component, you may encounter statuses indicating that your software component, version, and supplier combination was not automatically matched to a unique existing entry in the NVD (National Vulnerability Database).
To view vulnerabilities for your components, you'll need to resolve any statuses other than Matched NVD. By following these steps to resolve these statuses, you can ensure accurate matching of your software components to
Resolve Select match, Matched to package manager, and Not found statuses
A Select match status means that your software component, version, and supplier combination has multiple potential matches, making it unclear which one is the correct match.
A Matched status with a package manager badge (but no NVD badge) indicates that either there are no known vulnerabilities for that component, or the component has a different name in the NVD.
A Not found status means that your software component, version, and supplier combination could not be automatically matched to an existing entry in the NVD. This could mean there are no vulnerabilities for this component, or it could mean the component is named differently in the NVD.
Review potential matches (Select match or Not found statuses only)
Click the Match status badge to open the Resolution options modal, then click the View suggestions button in the Select match box. This will display the Multiple matches modal, where you can evaluate each option based on the following details:
Supplier: The name of the supplier associated with the potential match.
Name: The name of the software component.
Sample versions: Versions that were extracted from the CVE vulnerability data.
Type of match: This shows sources used to determine a possible match, such as Alias, Name, CPE (Common Platform Enumeration), PURL (Package URL), or a particular package manager match.
If you need more information to make a decision, click the details icon. This will open the Match details modal, where you can view more versions of the component and see reported vulnerabilities over time. A trend of reported vulnerabilities that aligns with your component versions suggests a strong match.
Create an alias: Once you determine the correct match, you can create an alias that links this match to your component. This alias ensures that future uploads of an SBOM containing this software component, version, and supplier combination will automatically use this alias.
Add a review note: Click Actions > Add review note to keep your team informed about the status of the assessment, suggest further review, or highlight any critical risks associated with the software component.
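The statuses and match types described above, as an added Python illustration that is not the product's own code: a component taken from an SBOM is resolved against a small constructed catalog (hypothetical entries, not real NVD data), yielding Matched NVD, Select match or Not found, and a saved alias makes the next upload of the same supplier, name and version resolve automatically. The matching rules, the `Component` and `Candidate` structures and the `cve_count` ranking are simplifying assumptions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Component:          # one row of an uploaded SBOM
    supplier: str
    name: str
    version: str
    purl: str = ""        # e.g. "pkg:npm/lodash@4.17.20"

@dataclass(frozen=True)
class Candidate:          # one entry of a constructed NVD-like catalog
    supplier: str
    product: str
    purl_base: str = ""   # PURL without its version part
    cve_count: int = 0    # reported vulnerabilities over time

# Constructed catalog; names and counts are hypothetical, not real NVD data.
CATALOG = (
    Candidate("openssl", "openssl", cve_count=40),
    Candidate("lodash", "lodash", purl_base="pkg:npm/lodash", cve_count=5),
    Candidate("acme", "widget-core", cve_count=0),
    Candidate("acme", "widget", cve_count=3),
)

def alias_key(c: Component):
    return (c.supplier.lower(), c.name.lower(), c.version)

def match(comp: Component, aliases: dict):
    """Classify one component: returns (status, type_of_match, candidates)."""
    if alias_key(comp) in aliases:         # a saved alias resolves immediately
        return "Matched NVD", "Alias", [aliases[alias_key(comp)]]
    base = comp.purl.rsplit("@", 1)[0]     # PURL match is the strongest signal
    exact = [c for c in CATALOG if base and c.purl_base == base]
    if not exact:                          # otherwise supplier + name must agree
        exact = [c for c in CATALOG
                 if (c.supplier, c.product) == (comp.supplier.lower(), comp.name.lower())]
    if len(exact) == 1:
        return "Matched NVD", "Exact", exact
    name = comp.name.lower()               # possible matches: product names overlap
    possible = [c for c in CATALOG if name in c.product or c.product in name]
    possible = sorted(set(exact + possible), key=lambda c: -c.cve_count)  # trend ranks
    if len(possible) > 1:
        return "Select match", "Possible", possible   # analyst must pick one
    if possible:
        return "Matched NVD", "Possible", possible
    return "Not found", None, []

def create_alias(aliases: dict, comp: Component, chosen: Candidate):
    # Record the analyst's choice so later uploads of the same component auto-match
    aliases[alias_key(comp)] = chosen
```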
Match suggestions fields
Supplier
This is the organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager (e.g., Microsoft for Windows).
Details icon
Click this icon to view more details about this possible match, including reported vulnerabilities over time, as well as known versions from the CVE. If these versions match those of your component and there are vulnerabilities that have been reported, this is likely the correct match.
Product name
This is what may be referred to as a component in other systems. It is the firmware, software, patch, or operating system installed on your device (e.g., Windows, OpenSSL).
Matched on
This shows the strength of the match. Refer to Match sources for more information.
Type
This shows the reliability of the match.
Exact match: This has an exact match in the NVD, which could include a PURL string (Cargo, NPM, Nuget, or Pypi package manager), CPE string, or name match.
Alias match: This component matches an existing alias.
Possible match: This component has a match in one or more sources. Check the Matched on column, then hover over those matching tokens for more information.
You can assess the likelihood that this is the correct match by viewing the trend of reported vulnerabilities over time and the known versions for this match suggestion. Multiple matches that have a trend of reported vulnerabilities and that match your component's versions (or at least version formats) are considered stronger matches.
Match details fields
Reported vulnerabilities over time
Multiple matches that have a trend of reported vulnerabilities indicate that this is a frequently-used component. If you don’t see many reported vulnerabilities over time, it is likely that this is not the correct match. Check that the known versions for this match (or at least their version formats) correspond to your component’s versions; matches that do are considered stronger.
Known versions
These are the known versions for this suggested match, taken from the CVE vulnerability records. Check that your component’s versions (or at least version formats) match these.
Resolve Fix version status
After uploading your SBOM or manually adding a component, you might see a warning icon next to the component version, as well as a Fix version match status. This indicates that the version format doesn’t match the expected supplier version format.
Click the Fix version status badge for the component with the warning icon. Alternatively, select Actions > Fix version for the component with the warning icon.
Check the version format to ensure it matches the known version number, make any necessary modifications, then save.
If the issue persists, contact us for assistance.
Resolve Contact us status
After uploading your SBOM or manually adding a component, you might see an error icon next to the component version, along with a Contact us match status. This indicates that we do not have a version parser for this specific version format.
If you see this icon, we're aware of the issue. However, if you need this resolved more quickly, please contact us for expedited assistance.
What happens when we add this version parser?
When we add support for a new version parser format, we will automatically reload any impacted SBOMs and their components to attempt to match them to known software in the NVD. You will be notified once the issue has been resolved.
How does this impact you?
Exact match: Any known vulnerabilities from the NVD will be brought forward.
Vulnerability discrepancy: If you notice a discrepancy in the number of vulnerabilities, don’t be alarmed—this process is part of ensuring accurate tracking and reporting.
Multiple matches: Review these suggestions to determine the correct match.
No match: If an exact match cannot be found in the NVD, it may indicate that the component does not exist in the NVD (implying no known vulnerabilities) or that it is listed under a different name. In these cases, you should:
Check the NVD to find the correct match.
Create an alias to link your software component correctly going forward.
Resolve Fix version status
After uploading your SBOM or manually adding a component, you might see a warning icon next to the component version, as well as a Fix version match status. This indicates that the version format or PURL value doesn’t match the expected values.
Click the Fix version match status badge or click Actions > ... > Fix version for the component with the warning icon. This will open the Manage component panel.
Version warnings are generally caused by an incorrect PURL or version format. Check the component's PURL and version to see whether this solves the problem. Make sure that the version format matches the known version number and PURL.
If the issue persists, contact support.
Resolve Contact us status
After uploading your SBOM or manually adding a component, you might see an error icon next to the component version, along with a Contact us match status. This indicates that a version parser for this specific version format is unavailable. If you see this icon, we're aware of the issue. However, if you need this resolved more quickly, please contact support.
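As an added example (not the product's own version parsers), a PURL parser and version check that reproduces the two outcomes described in the Fix version and Contact us sections: Fix version when the component version disagrees with its PURL or does not follow the ecosystem's expected format, and Contact us when no parser exists for that ecosystem. The `VERSION_PARSERS` patterns and the rule that maps a PURL type to a parser are simplified assumptions.

```python
import re

# Simplified per-ecosystem version grammars (assumption: stand-ins for the
# product's version parsers, which are stricter than these patterns).
VERSION_PARSERS = {
    "npm":   re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$"),        # semver
    "cargo": re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$"),        # semver
    "pypi":  re.compile(r"^\d+(\.\d+)*((a|b|rc)\d+)?(\.post\d+)?$"),  # PEP 440 subset
    "nuget": re.compile(r"^\d+\.\d+(\.\d+){0,2}(-[0-9A-Za-z.-]+)?$"),
}

def parse_purl(purl: str):
    """Split 'pkg:type/namespace/name@version?qualifiers' into its parts."""
    m = re.match(r"^pkg:([^/]+)/(?:(.+)/)?([^/@?#]+)(?:@([^?#]+))?", purl)
    if not m:
        raise ValueError(f"not a PURL: {purl}")
    ptype, namespace, name, version = m.groups()
    return {"type": ptype.lower(), "namespace": namespace,
            "name": name, "version": version}

def version_status(component_version: str, purl: str):
    """Return the status the version check would raise, or None when it is clean."""
    parts = parse_purl(purl)
    parser = VERSION_PARSERS.get(parts["type"])
    if parser is None:
        return "Contact us"      # no version parser for this ecosystem yet
    if parts["version"] != component_version:
        return "Fix version"     # PURL version and component version disagree
    if not parser.match(component_version):
        return "Fix version"     # version does not follow the expected format
    return None
```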
What happens when we add this version parser?
Upon adding support for a new version parser format, we will automatically reload any impacted SBOMs and their components to attempt matching them to known software in the NVD. You will be notified once the issue is resolved.
How does this impact you?
Exact match found: Any known vulnerabilities from the NVD will be associated with the component. If there's a discrepancy in the number of vulnerabilities, don’t be alarmed—this process is part of ensuring accurate tracking and reporting.
Select match: You'll need to review these suggestions to determine the correct match.
No match found: This may indicate that the component doesn't exist in the NVD (implying no known vulnerabilities) or is listed under a different name. In these cases, you should check the NVD to find the correct match, then create an alias to link your software component correctly going forward.
Add review for component
After matching or assessing a potential match or doing some other research, you can add a note for your team to reduce parallel efforts.
Click Actions > ... > Add review. This will display the Review component panel.
If the component does not already have a Reviewed status, this will automatically update it to Reviewed.
Add a review note, then save. This will update the Review status for that component and will add a note icon. Ensure this column is visible in your view.