Resolve unmatched components

After uploading your SBOM (Software Bill of Materials) or manually adding a component, you may see one of several statuses indicating that your software component, version, and supplier combination was not automatically matched to a unique existing entry in the NVD (National Vulnerability Database).

To view vulnerabilities for your components, you'll need to resolve any statuses other than Matched NVD. By following these steps to resolve these statuses, you can ensure accurate matching of your software components to known vulnerabilities, enhancing the security and reliability of your software inventory.

Resolve Select match, Matched to package manager, and Not found statuses

  • A Select match status means that your software component, version, and supplier combination has multiple potential matches, making it unclear which one is the correct match.

  • A Matched status with a package manager badge (but no NVD badge) indicates that either there are no known vulnerabilities for that component, or the component has a different name in the NVD.

  • A Not found status means that your software component, version, and supplier combination could not be automatically matched to an existing entry in the NVD. This could mean there are no vulnerabilities for this component, or it could mean the component is named differently in the NVD.

To resolve statuses, you have several options:

  1. Review potential matches (Select match or Not found statuses only): Click the badge to open the Resolution options modal, then click the View suggestions button in the Select match box. This will display the Multiple matches modal, where you can evaluate each option based on the following details:

    • Supplier: The name of the supplier associated with the potential match.

    • Name: The name of the software component.

    • Sample versions: Versions that were extracted from the CVE vulnerability data.

    • Type of match: This shows sources used to determine a possible match, such as Alias, Name, CPE (Common Platform Enumeration), PURL (Package URL), or a particular package manager match.

    If you need more information to make a decision, click the details icon. This will open the Match details modal, where you can view more versions of the component and see reported vulnerabilities over time. A trend of reported vulnerabilities that aligns with your component versions suggests a strong match.

  2. Create an alias: Once you determine the correct match, you can create an alias that links this match to your component. This alias ensures that future uploads of an SBOM containing this software component, version, and supplier combination will automatically use this alias.

  3. Add a review note: Click Actions > Add review note to keep your team informed about the status of the assessment, suggest further review, or highlight any critical risks associated with the software component.

Resolve Fix version status

After uploading your SBOM or manually adding a component, you might see a warning icon next to the component version, as well as a Fix version match status. This indicates that the version format doesn’t match the expected supplier version format.

  1. Click Actions > Fix version for the component with the warning icon.

  2. Check the version format to ensure it matches the known version number, make any necessary modifications, then save.

  3. If the issue persists, contact us for assistance.
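The status logic described in the two sections above (Matched NVD, Select match, Not found, Fix version, and the alias that resolves an ambiguous match for future uploads) can be illustrated with a small matcher. The following is an added example written for this page; it is not MedCrypt's matching code, the catalog entries, alias table, CPE strings, and the version pattern used as the "expected supplier version format" are all constructed stand-ins, and the name-only match rule is a simplification of how real NVD matching works.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for NVD product records (not real NVD data).
# "sample_versions" plays the role of versions extracted from CVE data.
CATALOG = [
    {"supplier": "openssl", "name": "openssl",
     "cpe": "cpe:2.3:a:openssl:openssl", "sample_versions": ["1.1.1k", "3.0.1"]},
    {"supplier": "example_corp", "name": "jsonparser",
     "cpe": "cpe:2.3:a:example_corp:jsonparser", "sample_versions": ["2.0.0", "2.1.0"]},
    {"supplier": "other_vendor", "name": "jsonparser",
     "cpe": "cpe:2.3:a:other_vendor:jsonparser", "sample_versions": ["1.4.2"]},
]

# Hypothetical alias table: (supplier, name) as written in the SBOM -> catalog CPE.
ALIASES: dict = {}

# Hypothetical "expected supplier version format": dotted numerics with an
# optional alphanumeric suffix (e.g. 3.0.1 or 1.1.1k). Anything else is a
# version the matcher cannot parse and so gets the Fix version status.
VERSION_RE = re.compile(r"^\d+(?:\.\d+)*(?:[A-Za-z][A-Za-z0-9]*)?$")


@dataclass
class MatchResult:
    status: str            # "Matched NVD", "Select match", "Not found", "Fix version"
    match_type: str = ""   # "Alias", "CPE", "Name", or "" when nothing matched
    candidates: tuple = () # CPEs to review when status is "Select match"


def normalize(text: str) -> str:
    """Lower-case and unify separators so SBOM spelling variants compare equal."""
    return text.strip().lower().replace("-", "_").replace(" ", "_")


def match_component(supplier: str, name: str, version: str) -> MatchResult:
    """Assign one of the page's statuses to a supplier/name/version triple."""
    if not VERSION_RE.match(version.strip()):
        return MatchResult("Fix version")
    key = (normalize(supplier), normalize(name))
    # A previously created alias wins outright, so repeat uploads resolve automatically.
    if key in ALIASES:
        return MatchResult("Matched NVD", "Alias", (ALIASES[key],))
    exact = [e for e in CATALOG if (e["supplier"], e["name"]) == key]
    if len(exact) == 1:
        return MatchResult("Matched NVD", "CPE", (exact[0]["cpe"],))
    # Fall back to the component name alone; several suppliers may share a name.
    by_name = [e for e in CATALOG if e["name"] == key[1]]
    if len(by_name) == 1:
        return MatchResult("Matched NVD", "Name", (by_name[0]["cpe"],))
    if len(by_name) > 1:
        return MatchResult("Select match", "Name", tuple(e["cpe"] for e in by_name))
    return MatchResult("Not found")


def suggestions(result: MatchResult) -> list:
    """The Supplier / Name / Sample versions rows a reviewer would weigh for a Select match."""
    return [(e["supplier"], e["name"], e["sample_versions"])
            for e in CATALOG if e["cpe"] in result.candidates]


def create_alias(supplier: str, name: str, cpe: str) -> None:
    """Record the reviewer's decision so later uploads of the same component match automatically."""
    if cpe not in {e["cpe"] for e in CATALOG}:
        raise ValueError(f"unknown CPE: {cpe}")
    ALIASES[(normalize(supplier), normalize(name))] = cpe


if __name__ == "__main__":
    ambiguous = match_component("Acme", "jsonparser", "2.0.0")
    print(ambiguous.status, suggestions(ambiguous))
    create_alias("Acme", "jsonparser", "cpe:2.3:a:example_corp:jsonparser")
    print(match_component("Acme", "jsonparser", "2.1.0"))
    print(match_component("Acme", "jsonparser", "v2.1.0-rc1"))
```

Running the block first reports a Select match with both jsonparser candidates and their sample versions, then, after the alias is created, the same component resolves as Matched NVD with an Alias match type, while a version string the pattern cannot parse is reported as Fix version regardless of the name.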

Resolve Contact us status

After uploading your SBOM or manually adding a component, you might see an error icon next to the component version, along with a Contact us match status. This indicates that we do not have a version parser for this specific version format.

If you see this icon, we're aware of the issue. However, if you need this resolved more quickly, please contact us for expedited assistance.

What happens when we add this version parser?

When we add support for a new version parser format, we will automatically reload any impacted SBOMs and their components to attempt to match them to known software in the NVD. You will be notified once the issue has been resolved.

How does this impact you?

If we find an exact match, any known vulnerabilities from the NVD will be brought forward. If you notice a discrepancy in the number of vulnerabilities, don’t be alarmed—this process is part of ensuring accurate tracking and reporting.

If we find multiple possible matches, you'll need to review these suggestions to determine the correct match.

If an exact match cannot be found in the NVD, it may indicate that the component does not exist in the NVD (implying no known vulnerabilities) or that it is listed under a different name. In these cases, you should:

  1. Check the NVD to find the correct match.

  2. Create an alias to link your software component correctly going forward.

If you notice a discrepancy in the number of vulnerabilities, don’t be alarmed—this is part of the process to ensure that your components are accurately matched and that vulnerability data is correctly reported.


© Copyright MedCrypt 2024, All rights reserved.