Ctrlk
Get FDA readyServicesGuardian helpGet a demo
For the complete documentation index, see llms.txt. This page is also available as Markdown.

Understand match sources

Overview

When Helm has completed matching or attempting to match all of the components in your SBOM, you will see a Match status along with the sources that were used to match the component.

Understanding Workspace Context for Match Sources

When reviewing match sources and their reliability:

  • Organization-wide sources: All match sources (NVD, CPE, package managers, aliases) are organization-wide resources

  • Match reliability: Source strength and reliability apply consistently across all workspaces

  • Alias benefits: Aliases created by admins in any workspace benefit component matching organization-wide

  • Workspace focus: While sources are organization-wide, you only see components and their match sources for your current workspace

Match source types

IMPORTANT: If you have a Matched status that does not have an NVD badge, this has not been matched in the NVD, which means that it either does not have vulnerabilities or has a different name in the NVD. Refer to Resolve matched statuses for more information. You must identify an exact match in the NVD in order to see vulnerabilities for that component.

  • Alias: This indicates that the component was matched by an alias rule. This could have been created by someone on your account or by the Helm team. This is considered a very strong match.

  • NVD: This component/version/supplier combo had an exact match in the National Vulnerability Database (NVD).

  • Package managers:

    • Cargo: This was exactly matched to a component in the Cargo package manager from a Package URL (PURL) uploaded in your SBOM file.

    • NuGet: This was exactly matched to a component in the NuGet package manager from a Package URL (PURL) uploaded in your SBOM file.

    • NPM: This was exactly matched to a component in the NPM package manager from a Package URL (PURL) uploaded in your SBOM file.

    • PyPI: This was exactly matched to a component in the PyPI package manager from a Package URL (PURL) uploaded in your SBOM file.

  • Other sources:

    • CPE: This was exactly matched to a component from a CPE string uploaded in your SBOM file. CPE is considered the strongest match.

    • Name: This component name/version/supplier combo exactly matches an existing component name/version/supplier combo in our system.

    • User: This was exactly matched by a user on this account to a possible match suggestion our system provided. If the user created an alias rule while matching, it will be considered an Alias match.

PreviousUnderstand match statusesNextCreate and manage alias rules to match and rematch components across all products

Last updated

Was this helpful?