Understand match sources

When Helm has finished matching, or attempting to match, all of the components in your SBOM, you will see a Match status along with the sources that were used to match each component.

  • Alias: This indicates that the component was matched by an alias rule. This could have been created by someone on your account or by the Helm team. This is considered a very strong match.

  • Cargo: This was exactly matched to a component in the Cargo package manager from a Package URL (PURL) uploaded in your SBOM file.

  • CPE: This was exactly matched to a component from a CPE string uploaded in your SBOM file. CPE is considered the strongest match.

  • Name: This component name/version/supplier combo exactly matches an existing component name/version/supplier combo in our system.

  • NuGet: This was exactly matched to a component in the NuGet package manager from a Package URL (PURL) uploaded in your SBOM file.

  • NPM: This was exactly matched to a component in the NPM package manager from a Package URL (PURL) uploaded in your SBOM file.

  • NVD: This component/version/supplier combo had an exact match in the National Vulnerability Database (NVD).

  • PyPI: This was exactly matched to a component in the PyPI package manager from a Package URL (PURL) uploaded in your SBOM file.

  • User: This was exactly matched by a user on this account to a possible match suggestion our system provided. If the user created an alias rule while matching, it will be considered an Alias match.
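
The following is an added example, not Helm's code: a pre-upload check that reports which of the identifier-based sources listed above each component in a CycloneDX SBOM carries data for. The function names and the sample SBOM are constructed for illustration, and requiring name, version and supplier together for a Name match is an assumption taken from the wording above; Alias, NVD and User matches depend on data held in Helm and are not modelled.

```python
import json

# PURL types that the list above names as match sources.
PURL_SOURCES = {"cargo": "Cargo", "nuget": "NuGet", "npm": "NPM", "pypi": "PyPI"}

def purl_type(purl):
    """Return the lowercase PURL type ('npm' for 'pkg:npm/...'), or None if malformed."""
    if not isinstance(purl, str) or not purl.lower().startswith("pkg:"):
        return None
    rest = purl[4:].lstrip("/")  # the PURL spec tolerates 'pkg://type/...'
    ptype, sep, _ = rest.partition("/")
    return ptype.lower() if sep and ptype else None

def identifiers(component):
    """List the match sources for which this component carries an identifier."""
    found = []
    cpe = component.get("cpe") or ""
    if cpe.startswith(("cpe:2.3:", "cpe:/")):
        found.append("CPE")
    source = PURL_SOURCES.get(purl_type(component.get("purl")))
    if source:
        found.append(source)
    supplier = (component.get("supplier") or {}).get("name")
    # Assumption: a Name match needs all three of name, version and supplier.
    if component.get("name") and component.get("version") and supplier:
        found.append("Name")
    return found

def audit(sbom):
    """Map each component name to the identifiers available for matching."""
    return {c.get("name", "<unnamed>"): identifiers(c) for c in sbom.get("components", [])}

# Constructed sample SBOM (CycloneDX JSON), not taken from a real product.
SAMPLE = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"name": "openssl", "version": "3.0.8", "supplier": {"name": "OpenSSL"},
   "cpe": "cpe:2.3:a:openssl:openssl:3.0.8:*:*:*:*:*:*:*"},
  {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
  {"name": "serde", "version": "1.0.188", "purl": "pkg:cargo/serde@1.0.188"},
  {"name": "libfoo", "version": "2.1", "purl": "pkg:generic/libfoo@2.1"},
  {"name": "vendor-blob"}
]}
""")

if __name__ == "__main__":
    for name, sources in audit(SAMPLE).items():
        print(f"{name}: {', '.join(sources) or 'no identifier, expect manual matching'}")
```

Components that come back with an empty list carry no CPE, no PURL of a listed type and no complete name/version/supplier set, so they are the ones to enrich in the SBOM before upload.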
