
© Copyright MedCrypt 2024, All rights reserved.

Understand match statuses


Last updated 2 months ago


The match status of each component is shown in the Match status column of the components table. You can click the status badge itself to begin the resolution process, or you can select an action from the Actions column. We use a variety of metadata and match sources to identify a match, including the NVD, CPE, alias, name, and supported package managers (Cargo, NPM, NuGet, PyPI).

Matched to NVD status

This status means the component has an exact match with software listed in the National Vulnerability Database (NVD) and that it has associated vulnerabilities, so you can start prioritizing and remediating these risks.

Matched to package manager

This status shows that a component is matched to a package manager but is not found in the NVD, so it will not show any vulnerabilities. Package managers sometimes use different names or PURLs than the NVD, so you should check the NVD to make sure your component isn't listed under a different name. Refer to Match or rematch components for more information.

A component matched to a package manager Package URL (PURL) has the badge of that package manager, such as Cargo, PyPI, NPM, or NuGet.

Matched to alias

The Matched status with an ALIAS badge indicates that a component was matched according to an alias rule. Refer to Match or rematch components for more information.

Matched to CPE

If you see a component that has a Matched status with an NVD badge and a CPE badge, this component has at least one vulnerability that has been reported in the NVD. A CPE is only assigned to software when a vulnerability has been reported in the NVD. Refer to Match or rematch components for more information. CPE is considered the strongest match.

Matched to name

The Matched status with a NAME badge indicates that the component's name/version/supplier combination exactly matches a known component's name/version/supplier combination.

Matched by user

The Matched status with a USER badge indicates that this was manually matched by a user on this account. If the user created an alias rule while matching, it will be considered an Alias match.

Select match

This status indicates that Helm has found multiple potential matches using identifiers like CPE, PURL, alias, or name. You can click the badge or the primary action link to review and assess the suggested matches. Refer to Resolve match statuses for more information.

Not found

The Not found status will show which sources were searched. This indicates that the component does not match any known software in the NVD or supported package managers. Refer to Resolve match statuses for more information.

Create an alias rule to automatically link to known software

Administrators can create alias rules to match any components in your SBOM that have multiple matches or are unmatched to known software components in the NVD.

Other statuses

  • Scanning: This is an interim status that indicates that Helm is processing this match. If you have been waiting and haven't seen this update, try refreshing the page.
  • Fix version: The software version provided for this component does not match the expected version. This issue should be rare. If you see this, you will also see a warning icon next to the version. Refer to Resolve match statuses for more information on resolving this issue.
  • Contact us: Helm was unable to parse this version. We have logged this issue and will work to resolve it quickly. Refer to Resolve match statuses for more information on resolving this issue.
  • Error: Some other error occurred while trying to parse this component. Contact us for help in resolving this issue.

Automatic enrichment

If the component has a correct CPE or PURL identifier but incorrect supplier information, our system will add an Enriched CPE or Enriched PURL field to preserve your original data. If we're able to identify a CPE or PURL for your component that is missing in your SBOM, we'll automatically add that to these fields for you to ensure a unique match.

Automatic de-duplication

Helm checks CPE and PURL IDs to determine if a component is unique. If a duplicate is detected, it will automatically be removed to streamline your SBOM management.
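A pre-upload check built on the identifiers this page describes, as an added example that is not Helm's own matching code: it reports the strongest identifier each component in a CycloneDX SBOM carries (CPE first, then a PURL for one of the supported package managers, otherwise name only) and lists components that share a CPE or PURL and are therefore candidates for de-duplication. The sample SBOM and all function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Package managers the page lists as supported, written as PURL type names.
SUPPORTED_PURL_TYPES = {"cargo", "npm", "nuget", "pypi"}
# Constructed sample CycloneDX document (not real product data).
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "openssl", "version": "3.0.8",
     "cpe": "cpe:2.3:a:openssl:openssl:3.0.8:*:*:*:*:*:*:*"},
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"name": "Requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"name": "demo-lib", "version": "1.0.0", "purl": "pkg:maven/org.example/demo-lib@1.0.0"},
    {"name": "vendor-rtos", "version": "7.2"}
  ]
}
""")

def purl_type(purl):
    """Return the type segment of a Package URL, e.g. 'pypi' for pkg:pypi/..."""
    if not purl.startswith("pkg:") or "/" not in purl:
        return None
    return purl[4:].split("/", 1)[0].lower()

def strongest_identifier(component):
    """Name the strongest identifier a component carries (CPE first, per the page)."""
    if component.get("cpe"):
        return "cpe"
    ptype = purl_type(component.get("purl", ""))
    if ptype in SUPPORTED_PURL_TYPES:
        return "purl:" + ptype
    # No CPE and no PURL for a supported package manager: only name/version/supplier remain.
    return "name-only"

def audit(bom):
    """Group components by identifier strength and list CPE/PURL IDs used more than once."""
    by_strength, seen = defaultdict(list), defaultdict(list)
    for comp in bom.get("components", []):
        label = f'{comp.get("name")}@{comp.get("version")}'
        by_strength[strongest_identifier(comp)].append(label)
        for key in ("cpe", "purl"):
            if comp.get(key):
                seen[comp[key]].append(label)
    duplicates = {ident: names for ident, names in seen.items() if len(names) > 1}
    return dict(by_strength), duplicates

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_BOM), indent=2))
```

Components reported as name-only are the ones worth fixing before upload, since they carry no CPE and no PURL for a supported package manager.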