© Copyright MedCrypt 2024, All rights reserved.

Match unmatched components

Overview

After uploading your SBOM (Software Bill of Materials) or manually adding a component, you may see one of several statuses indicating that your software component, version, and supplier combination was not automatically matched to a unique existing entry in the NVD (National Vulnerability Database).

To view vulnerabilities for your components, you'll need to resolve any statuses other than Matched NVD. By following these steps to resolve these statuses, you can ensure accurate matching of your software components to

Resolve Select match, Matched to package manager, and Not found statuses

  • A Select match status means that your software component, version, and supplier combination has multiple potential matches, making it unclear which one is the correct match.

  • A Matched status with a package manager badge (but no NVD badge) indicates that there either are no known vulnerabilities for that component, or that the component has a different name in the NVD.

  • A Not found status means that your software component, version, and supplier combination could not be automatically matched to an existing entry in the NVD. This could mean there are no vulnerabilities for this component, or it could mean the component is named differently in the NVD.

Review potential matches (Select match or Not found statuses only)

  1. Click the Match status badge to open the Resolution options modal, then click the View suggestions button in the Select match box. This will display the Multiple matches modal, where you can evaluate each option based on the following details:

    • Supplier: The name of the supplier associated with the potential match.

    • Name: The name of the software component.

    • Sample versions: Versions that were extracted from the CVE vulnerability data.

    • Type of match: This shows sources used to determine a possible match, such as Alias, Name, CPE (Common Platform Enumeration), PURL (Package URL), or a particular package manager match.

  2. If you need more information to make a decision, click the details icon. This will open the Match details modal, where you can view more versions of the component and see reported vulnerabilities over time. A trend of reported vulnerabilities that aligns with your component versions suggests a strong match.

  3. Create an alias: Once you determine the correct match, you can create an alias that links this match to your component. This alias ensures that future uploads of an SBOM containing this software component, version, and supplier combination will automatically use this alias.

  4. Add a review note: Click Actions > Add review note to keep your team informed about the status of the assessment, suggest further review, or highlight any critical risks associated with the software component.

Match suggestions fields


Supplier

This is the organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager (e.g., Microsoft for Windows).

Details icon

Click this icon to view more details about this possible match, including reported vulnerabilities over time, as well as known versions from the CVE. If these versions match those of your component and there are vulnerabilities that have been reported, this is likely the correct match.

Product name

This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL).

Matched on

This shows the strength of the match. Refer to Match sources for more information.

Type

This shows the reliability of the match.

  • Exact match: This has an exact match in the NVD, which could include a PURL string (Cargo, npm, NuGet, or PyPI package manager), CPE string, or name match.

  • Alias match: This component matches an existing alias.

  • Possible match: This component has a match in one or more sources. Check the Matched on column, then hover over those matching tokens for more information.

You can assess the likelihood that this is the correct match by viewing the trend of reported vulnerabilities over time and the known versions for this match suggestion. Multiple matches that have a trend of reported vulnerabilities and that match your component's versions (or at least version formats) are considered stronger matches.
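The following Python sketch is an added example, not Helm's code, that models the statuses described under "Resolve Select match, Matched to package manager, and Not found statuses" and the Exact, Alias, and Possible match types of the Type column. It matches a component against a constructed NVD-style index using CPE and version-less PURL tokens first, falls back to product-name matching (which can be ambiguous and therefore yield Select match), consults an alias table, and shows how creating an alias makes the next match of the same supplier/name combination deterministic. The index contents, the alias table, and the scoring rules are illustrative assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    """One SBOM entry: supplier, name, version and optional identifiers."""
    supplier: str
    name: str
    version: str
    purl: str = ""  # package URL, e.g. pkg:npm/lodash@4.17.20 (constructed sample)
    cpe: str = ""   # CPE 2.3 string (constructed sample)


@dataclass
class Candidate:
    """A possible NVD vendor/product for the component."""
    vendor: str
    product: str
    match_type: str  # "Exact match", "Alias match" or "Possible match"
    matched_on: list = field(default_factory=list)  # tokens that produced the match


# Constructed NVD-style index keyed by (vendor, product). "purls" holds the
# version-less package URLs the entry is known under; CPE vendor/product is the key.
NVD_INDEX = {
    ("openssl", "openssl"): {"purls": set()},
    ("lodash", "lodash"): {"purls": {"pkg:npm/lodash"}},
    ("libexpat_project", "expat"): {"purls": set()},
    ("expat", "expat"): {"purls": set()},  # deliberate ambiguity: same product, two vendors
}


def purl_without_version(purl):
    """Strip the @version suffix so PURLs compare at the package level."""
    return purl.split("@", 1)[0]


def cpe_vendor_product(cpe):
    """cpe:2.3:part:vendor:product:version:... -> (vendor, product), or None."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    return (parts[3].lower(), parts[4].lower())


def match_component(component, aliases, index=NVD_INDEX):
    """Return (status, candidates) using simplified versions of the page's rules."""
    key = (component.supplier.lower(), component.name.lower())
    # An alias recorded by a reviewer wins outright.
    if key in aliases:
        vendor, product = aliases[key]
        return "Matched NVD", [Candidate(vendor, product, "Alias match", ["Alias"])]

    candidates = []
    # Exact identifiers first: CPE vendor/product or a version-less PURL.
    cpe_key = cpe_vendor_product(component.cpe) if component.cpe else None
    if cpe_key in index:
        candidates.append(Candidate(*cpe_key, "Exact match", ["CPE"]))
    base_purl = purl_without_version(component.purl) if component.purl else ""
    for (vendor, product), entry in index.items():
        if base_purl and base_purl in entry["purls"]:
            candidates.append(Candidate(vendor, product, "Exact match", ["PURL"]))
    if candidates:
        return "Matched NVD", candidates

    # Fall back to product-name matching, which may hit several vendors.
    for vendor, product in index:
        if product == component.name.lower():
            candidates.append(Candidate(vendor, product, "Possible match", ["Name"]))
    if len(candidates) == 1:
        candidates[0].match_type = "Exact match"  # unique name match counts as exact
        return "Matched NVD", candidates
    if len(candidates) > 1:
        return "Select match", candidates  # reviewer must pick one
    return "Not found", []


def create_alias(aliases, component, candidate):
    """Record the reviewer's decision so future uploads match automatically."""
    aliases[(component.supplier.lower(), component.name.lower())] = (
        candidate.vendor,
        candidate.product,
    )
    return aliases


if __name__ == "__main__":
    aliases = {}
    expat = Component("Acme", "expat", "2.4.1")  # constructed sample with no identifiers
    status, cands = match_component(expat, aliases)
    print(status, [(c.vendor, c.product, c.match_type) for c in cands])
    create_alias(aliases, expat, cands[0])
    print(match_component(expat, aliases))
```

Run stand-alone, the script first reports Select match with two candidates for the ambiguous expat entry, then Matched NVD via Alias match once the alias has been created.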

Match details fields


Reported vulnerabilities over time

A match suggestion with a trend of reported vulnerabilities over time indicates a frequently-used component. If you don’t see many reported vulnerabilities over time, this is probably not the correct match. Also check that your component’s versions (or at least version formats) match the known versions for the suggestion.

Known versions

These are the known versions for this suggested match, taken from the CVE vulnerability data. Check that your component’s versions (or at least version formats) match these.

Resolve Fix version status

After uploading your SBOM or manually adding a component, you might see a warning icon next to the component version, as well as a Fix version match status. This indicates that the version format doesn’t match the expected supplier version format.

  1. Click the Fix version status badge for the component with the warning icon. Alternatively, select Actions > Fix version for the component with the warning icon.

  2. Check the version format to ensure it matches the known version number, make any necessary modifications, then save.

Resolve Contact us status

After uploading your SBOM or manually adding a component, you might see an error icon next to the component version, along with a Contact us match status. This indicates that we do not have a version parser for this specific version format.

If you see this icon, we're aware of the issue. However, if you need this resolved more quickly, please contact us for expedited assistance.

What happens when we add this version parser?

When we add support for a new version parser format, we will automatically reload any impacted SBOMs and their components to attempt to match them to known software in the NVD. You will be notified once the issue has been resolved.

How does this impact you?

  • Exact match: Any known vulnerabilities from the NVD will be brought forward.

  • Vulnerability discrepancy: If you notice a discrepancy in the number of vulnerabilities, don’t be alarmed—this process is part of ensuring accurate tracking and reporting.

  • Multiple matches: Review these suggestions to determine the correct match.

  • No match: If an exact match cannot be found in the NVD, it may indicate that the component does not exist in the NVD (implying no known vulnerabilities) or that it is listed under a different name. In these cases, you should:

    • Check the NVD to find the correct match.

    • Create an alias to link your software component correctly going forward.

Resolve Fix version status

After uploading your SBOM or manually adding a component, you might see a warning icon next to the component version, as well as a Fix version match status. This indicates that the version format or PURL value doesn’t match the expected values.

  1. Click the Fix version match status badge or click Actions > ... > Fix version for the component with the warning icon. This will open the Manage component panel.

  2. Version warnings are generally caused by an incorrect PURL or version format. Check and correct the component's PURL and version, making sure the version format matches the known version number and the version in the PURL.

Resolve Contact us status

After uploading your SBOM or manually adding a component, you might see an error icon next to the component version, along with a Contact us match status. This indicates that a version parser for this specific version format is unavailable. If you see this icon, we're aware of the issue. However, if you need this resolved more quickly, please contact us for expedited assistance.

What happens when we add this version parser?

Upon adding support for a new version parser format, we will automatically reload any impacted SBOMs and their components to attempt matching them to known software in the NVD. You will be notified once the issue is resolved.

How does this impact you?

  • Exact match found: Any known vulnerabilities from the NVD will be associated with the component. If there's a discrepancy in the number of vulnerabilities, don’t be alarmed—this process is part of ensuring accurate tracking and reporting.

  • Select match: You'll need to review these suggestions to determine the correct match.

Add review for component

After matching or assessing a potential match, or doing other research, you can add a note for your team so that nobody repeats the same work.

  1. Click Actions > ... > Add review. This will display the Review component panel.

  2. Add a review note, then save. This updates the component's Review status to Reviewed (if it was not already Reviewed) and adds a note icon to the component.


Last updated 1 month ago
