Changelog

Versioning schema

In order to get new features to you as quickly as possible, if you are tracking versions in QMS, note that we currently have a web UI version and a core infrastructure version. Versions are depicted with web UI version first, followed by core infrastructure version, e.g., v3.2.0 | 2.71.1

How can I see my Helm versioning?

Click Help > About in the sidebar to view version information.

v4.2.47 | 2.97.2

May 3, 2025

Summary

Performance improvements & bug fix

Improvements & bug fix

Fixed issue with exporting complex license expressions to SPDX
Significantly improved performance and overall stability

v4.2.41 | 2.94.3

Apr 21, 2025

Summary

Aligned Lifecycle rules with Alias rules in Rules manager
Improvements & bug fixes

Aligned Lifecycle rules with Alias rules in Rules manager

We have aligned our Lifecycle rules look-and-feel with our new Alias rules in the Rules manager, so that you can more easily manage both matching and EOS/EOL rules. We've also made it easier to understand when components have been matched with alias and/or lifecycle rules, with informational banners at the component detail level, to ensure you understand the impact of modifying a matched component.

Improvements & bug fixes

Improved sorting for component licenses by treating the default Not set value as an empty string so that alphabetical sort works as expected.
Increased character limit for searching known software to create or edit alias rules
Streamlined version management by focusing on exact version matches for both types of rules
Enhanced component editing to prevent unnecessary table reloads
Fixed text styling for EOS/EOL values
Resolved issue where vulnerability remediation status dropdown extended below the page
Fixed scrolling issue in sidebar that previously hid the "Contact us" option when Help dropdown was expanded
Corrected view/edit modes for alias rules to prevent rule deletion in view mode
Fixed auto-rescore toggle switch display to properly reflect system state
Resolved refresh issue when viewing product SBOM file management upload history multiple times
Fixed component exploits and threats to no longer display an empty Exploits badge when no exploits or threats exist in supported sources (CISA KEV, ExploitDB, Top 25 CWE, NVD)
Corrected component editing behavior to maintain editability of component version after collapsing and expanding component details
Fixed issue where vulnerabilities associated to a component didn't get removed when the matching alias rule was deleted
Fixed component version parsing after matching alias rule applied
Enhanced toast notifications when creating, editing, and deleting alias and lifecycle rules.

v4.2.38 | 2.93.7

Mar 31, 2025

Summary

Added CVSS score persistence for consistent vulnerability assessment
Bug fix

Added CVSS score persistence for consistent vulnerability assessment

We've implemented a system to maintain the original CVSS v2 and v3 severity scores assigned by the NVD, even when these scores are later removed from the NVD feed. This enhancement provides several benefits:

Maintains consistent vulnerability severity ratings over time
Prevents vulnerability assessments from unexpectedly changing due to NVD data updates
Ensures historical vulnerability records remain intact with their original severity classifications
Provides more stable reporting for compliance and audit purposes

Originally assigned CVSS v2 and v3 scores are retained in our database and continue to be displayed in the vulnerability information, even when they no longer appear in the latest NVD feed.

Bug fix

Fixed issue where vulnerabilities were not showing up for SBOM component that was matched to an alias via the Rules manager.

v4.2.38 | 2.93.5

Mar 24, 2025

Summary

Added new alias rules manager
Distribute SBOM processing across all organizations
Added automatic cancellation of SBOM processing when archiving product versions
Bug fixes

Added new alias rules manager

We’ve replaced our previous aliases feature with a comprehensive new alias rules manager that transforms how you match components to known software in the NVD. Key improvements:

Centralized rule management: Manage both alias rules and EOS/EOL rules from a single location.
Enhanced matching capabilities: Set robust matching conditions across Component name, Supplier, CPE, PURL, and Version.
Transparent matching process: Enhanced Manage match panel shows how components were matched and the impact of modifications.
Intelligent automation: Automatically scans and applies rules to both existing and future SBOMs.
Impact visibility: See affected products, versions, and components before making changes.
Better decision support: View vulnerability counts, known versions, CPEs, PURLs, and references for potential matches.
Conflict handling: Built-in detection prevents rule conflicts.
User guidance: Clear next steps and impact information throughout the matching workflow.
Prioritized badge display: When a component matches via an alias rule, the ALIAS badge will display first, even if the match is also associated with additional sources such as a package manager or NVD.

Components must be matched to known software in the NVD to view vulnerabilities, making this enhancement critical for effective vulnerability management. Alias rules respect manual matches and won’t override user decisions. All current active aliases have been migrated to the new rules manager. This enhancement also lays the foundation for future global aliases functionality, which will simplify software matching across multiple organizations.

Distributed SBOM processing across all organizations

SBOM processing is now distributed across all user organizations. This improvement ensures that large customer SBOMs won’t block processing for other customers, resulting in faster and more reliable processing for everyone.

Bug fixes:

Fixed issue with FDA SBOM export where End of Support (EOS) and End of Life (EOL) data were incorrectly switched
Added automatic cancellation of SBOM processing when archiving product versions. This prevents potential bugs that could occur when unarchiving versions that had SBOM files that had not completed processing.
Fixed issue where product list was not displaying properly on initial page load.

v4.2.33 | 2.91.1

Mar 3, 2025

Summary

Added original SBOM file name column to Products page
Added columns for original component name and supplier to Products page
Support for importing and exporting Windows KB patch info to CycloneDX
Bug fixes

Added original SBOM file name column to Products page

Added Original file name column, showing the originating SBOM file name, to the Products page. This feature allows you to identify which SBOM a particular component was uploaded from, especially useful when consolidating multiple SBOMs for a product version. It enables teams to quickly prioritize and assign vulnerability remediation tasks to the appropriate team members. To show this column in your view, click the Columns link at the top of the table, then enable the Original file name column.

Displays original component data on Products page

The Component name, Version, and Supplier columns on the Products page now display the original values from your SBOM, rather than the enriched data Helm uses to enhance match accuracy. The enriched information remains accessible in the Manage component panel under Matched dependency name, Matched dependency version, and Matched dependency supplier. This update enhances transparency and precision in component identification.

Support for importing and exporting Windows KB patch info to CycloneDX

You can now import and export Microsoft Windows KB patching info data to your CycloneDX SBOM. This enhancement ensures consistency of patching information from one product version to the next. This reduces manual effort and streamlines your workflow, enabling you to import existing Windows KBs applied to an SBOM, to an SBOM, to quickly remediate vulnerabilities, and then export all of your existing and new patching efforts, ensuring an accurate view of your device's current security posture. Refer to for more details.

Bug fixes

Fixed customer issue wherein a component name and supplier matched two different known software components, which should have resulted in a Select match state, for the user to choose the correct match. In this example, Debian Linux was erroneously associated with Progeny and could not be modified.
Fixed a problem where previously matched components, when rematched to other known software, did not update their Enriched PURL and/or Enriched CPE fields accordingly.

v4.2.30 | 2.89.2

Feb 21, 2024

Summary

Added Microsoft Azure DevOps extension for Helm

Added Microsoft Azure DevOps extension for helm

We are excited to announce the release of our new for Helm, automating product version creation and SBOM ingestions into your CI/CD pipeline. To start using this extension, to get access to our , as you will need your Helm API client id and client secret to get started. These are the Helm email address that has access to our API and your API key, respectively.

v4.2.30 | 2.89.2

Feb 19, 2025

Summary

Support for exporting EOS/EOL data to CycloneDX
Support for processing non-compliant SPDX SBOMs
Enable reloading of components in any state
Bug fixes and performance improvements

Support for exporting EOS/EOL data to CycloneDX

You can now export Level of support and EOS/EOL data to your CycloneDX SBOM. This enhancement ensures consistency of lifecycle information from one product version to the next. You can also use our existing to set conditions for components, which will automatically add the specified level of support and EOS/EOL information to matching components. This feature streamlines your workflow by allowing you to import, manually or automatically modify, and export lifecycle data to your CycloneDX SBOM, ensuring consistency across product versions. Refer to for more information.

Support for processing non-compliant SPDX SBOMs

Our system now. processes SPDX SBOMs that do not fully adhere to the SPDX specification. This improvement increases compatibility with a wider range of SBOMs, ensuring more comprehensive analysis and integration.

Enable reloading of components in any match state

You can now reload components -- regardless of their match status — by selecting Actions > ... > Reload component. This functionality applies to components matched in the NVD or a package manager. Previously, reloading was limited to unmatched components or those in an error state.

Bug fixes and performance improvements

Improved load performance of the vulnerabilities list, resulting in faster data retrieval and display.
Enhanced AI-driven CVE identification for more accurate and timely vulnerability detection.
Fixed customer issue wherein modifying component metadata, such as version, that had either Level of support or EOS/EOL field already populated would not save updates correctly.

v4.2.30 | 2.88.2

Jan 28, 2025

Summary

Bug fixes and UI improvements

Bug fixes and UI improvements

Fixed the issue where the CSV export displayed an incorrect EOS time.
FIxed the issue where multiple vulnerability digest emails were sent erroneously.
Fixed the issue where EOL/EOS data was rejected during SBOM upload if it contained a single quote (').
Added filter persistence so that applied filters are retained when switching between products and product versions. To ensure users understand when filters are still applied, added a blue circle indicator next to Filters.
Fixed an issue in the VEX Status Remediation field where selecting one field option would automatically select similar strings (e.g., Affected/Unaffected).

v4.2.23 | 2.87.0

Jan 9, 2025

Summary

Bug fixes and UI improvements

Bug fixes and UI improvements

Fixed issue where hovering on indicator that a Windows vulnerability had been patched would cause a 504 error. This was an RBAC issue that occurred if the user had edit access on SBOM and vulnerabilities, but not for users with view-only permissions for both.
Fixed issue in the Lifecycle details section of Add component detail where the Date/Text drop-down was not populating.
Removed "undefined" placeholder values from blank form fields in Add component panel.
Fixed issue where the component review status history was not displaying in the Manage component panel.
Fixed Upcoming and Expired EOS/EOL filters to accurately return search results.

v4.2.22 | 2.87.0

Jan 7, 2025

Summary

Bug fixes and UI improvements

Bug fixes and UI improvements

Fixed issue where switching to view mode for Rule manager was prompting to save when there hadn't been any changes made.
Fine-tuned UI and user experience

v4.2.18 | 2.87.0

Dec 19, 2024

Summary

Identify and prioritize risk by Attack Vector (AV) and other CVSS metrics
Bug fixes and UI improvements

Bulk remediate vulnerabilities

You can use our powerful to remediate large groups of vulnerabilities within a product, across products, or target a particular component's vulnerabilities with the click of a button, enabling you to speed triage and ensure remediation consistency of particular vulnerabilities across your product portfolio. Select the vulnerabilities you want to bulk remediate, assign their CycloneDX and/or VEX statuses for that group of vulnerabilities and that’s it — you’re done! You can also ensure consistent remediation of a particular vulnerability or group of vulnerabilities across your products, smoothing your way to a FDA submission. This powerful new feature saves time, freeing your team to focus on clinical innovation.

Identify and prioritize risk by Attack Vector (AV) and other CVSS metrics

We’ve added Attack vector (AV) and other CVSS v3 metric columns to the vulnerabilities table, complete with color-coded badges to enable you to quickly identify and prioritize risk mitigation by attack vector and component criticality. Pair this new visibility with our powerful rescore feature to or , ensuring that you have a complete view of your device’s actual attack vector according to its unique security posture and environment.

Click the Columns link at the top of the Vulnerabilities table to enable the new Attack vector and other CVSS v3 metric columns.

Enhanced vulnerability filtering

We’re continuing to enhance our filtering mechanism and have added the oft-requested ability to drill down on component information and attack vector from the vulnerabilities table, as well as other CVSS v3 metrics. Stay tuned for more filtering updates soon!

Bug fixes and UI improvements

Fixed scrollbar issue for new filter drop-down panels for vulnerabilities and components
Adjusted lifecycle date filters to have past and future dates in months
Fixed saving logic for Manage component panel
Fixed toasts that display if Lifecycle details section is modified
Added banner to Manage component panel to indicate if a rule is already applied. If you have unsaved changes when you click the Rules manager link in this banner, it will prompt you to save or discard changes.

v4.2.16 | 2.87.0

Dec 13, 2024

Summary

View and manage level of support and EOS/EOL data for all components
Specify lifecycle details for each component
to consistently apply lifecycle information across all components in your portfolio
Enhanced component filtering
Export lifecycle information to FDA SBOM or CSV SBOM
Bug fixes and UI improvements

Identify and prioritize components nearing EOS/EOL

We’ve added columns for Level of support and EOS/EOL to the components table, as well as providing color-coded badges to let you know what’s currently actively supported and what’s nearing or has passed its support or maintenance date. We’ve also begun ingesting lifecycle information from our partner, Tidelift, as well as the endoflife.date site, and will likely provide some automation for this in an upcoming release.

Specify lifecycle details for each component

You can specify Level of support and EOS/EOL information in a date or text format for each component in the new Lifecycle details section of the component details panel. You can then set component rules to apply this information across all products, so you only have to do this once!

Set rules to apply component lifecycle information across all products

You can now to set conditions for supplier name, component name, and version, then automatically apply the Level of support and EOS/EOL information across all of your products when conditions are met. With consistent EOS/EOL data, you minimize discrepancies across your portfolio, ensuring accurate reporting and compliance. Stay tuned for more rules-based workflow enhancements!

Export lifecycle information to FDA SBOM or CSV SBOM

After applying your Level of support and EOS/EOL information across your components, quickly to ensure you have everything you need for FDA submission! You can also export your with lifecycle data.

Enhanced component filtering

To enable you to quickly find what you need, we’ve enhanced our filtering mechanism and added lifecycle management filters. You can now filter components on Level of support and EOS/EOL information to ensure you understand which are supported and which are nearing end-of-life, enabling you to prioritize upgrades in critical areas. Stay tuned for more filtering updates soon!

Bug fixes and other improvements:

All CycloneDX remediation justification values should now be accurately exported in your FDA SBOM report.
All products should now display accurately on the components page.
Global search improvements
- Fixed issue wherein components from archived products were being returned in the global search.
- Global search results table display now extends to the bottom of the page.

Thank you!

A huge thank you to all of our customers who take the time to provide feedback on how we can continue to improve your SBOM vulnerability management experience! We’d love to on these features, as well as other features you’d like to see in the future!

v4.2.4 | 2.85.0

November 21, 2024

Summary

Automatically generate component license information
Encode pURLs with spaces during exports
Import and export component hashes
Filter on CISA KEV and remediation through our API
Updated terminology from Vendor to Supplier in SBOM CSV export

Automatically generate component license information

You can now have Helm automatically add license information for your components. For any component that you want to enrich with license information, click Actions > Reload component. Note that reloading will discard any metadata you may have added to this component, such as review information, and will re-identify associated vulnerabilities, so you may see some discrepancy in your number of vulnerabilities for that component. This reduces your manual effort of tracking down licensing information, ensuring you have the latest license information available from our data sources.

Encode pURLs with spaces during exports

If your SBOM has a Package URL (pURL) that contains spaces, we'll now automatically encode those when exporting. This ensures compatibility with third-party tools and eliminates issues caused by improperly formatted pURLs.

Import and export component hashes

You can now import and export component hashes in your SBOMs, and can export them in any SBOM format, as well as our FDA SBOM, improving validation and tracking of SBOM component integrity across products.

Filter on CISA KEV and remediation through our API

You can now filter vulnerabilities that are the CISA KEV list or based on their remediation via our Helm API, making it easier than ever for you to identify and prioritize high-impact vulnerabilities.

Updated terminology from Vendor to Supplier in SBOM CSV export

To align with industry standards, the SBOM CSV export now labels the Vendor column as Supplier. This terminology update improves consistency and clarity.

v4.2.4 | 2.83.0

November 7, 2024

Summary

Export EOS/EOL data to FDA SBOM report
Enhanced CPE parsing and matching
Added ability to filter components by licenses
Re-added match and review information to component details
Bug fixes and performance enhancements

Export EOS/EOL data to FDA SBOM report

If you have uploaded an SBOM that contains end-of-support (EOS) or end-of-life (EOL) data, this information will be automatically populated in your FDA SBOM report. We're in the process of adding the ability to manually add EOS/EOL info, so stay tuned!

Enhanced CPE parsing and matching

We've enhanced CPE parsing to enable the matching of incomplete CPEs to components. Although a CPE has 13 segments, not all CPEs contain all of those segments, thus Helm will now interpret CPEs that have at least 5 of the expected segments, filling in missing segments with a wildcard (*).
We've enhanced CPE enrichment to enable component matching even in scenarios where the components have the scenario wherein CPEs have multiple vendors.

Added ability to filter components by licenses

You can now filter your components by license, including those with specific licenses, no license, or unknown license status. This filtering capability helps quickly identify and mitigate license-related risks, such as copyleft licenses or unknown license statuses that may impact IP.

Re-added match and review information to component details

The match and review details have been re-added to the component details panel to help you quickly access key information.

Bug fixes and performance enhancements

Resolved intermittent failure of large CycloneDX and SPDX SBOMs due to timeouts.
Improved load time of vulnerability and component pages.
Fixed display issue with rescored CVSS vector strings, ensuring accurate low, high, and none values.

v4.1.4 | 2.82.0

October 4, 2024

Summary

Enhanced component panel
License management is now available!
Customize your FDA SBOM export
Bug fixes, UX enhancements, and help updates

Enhanced component panel

Manage your components more easily with our unified details panel, providing a comprehensive view of each component. You can now quickly scan information in view mode, then switch to edit mode if you need to make any modifications.

License management is now available!

Helm now supports the ingestion of licensing information from CycloneDX and SPDX SBOMs. Via our partnership integration with Tidelift, Helm will analyze your components to determine if you are missing license information, then will automatically fix that for you, ensuring you have a comprehensive view of your legal risk. We support both SPDX and custom licenses. You can also manually enter or modify license details as needed. Check out for complete information on our new licensing feature!

Customize your FDA SBOM export

We've just made our expert FDA SBOM even better! When exporting your FDA SBOM, you can now include CycloneDX and VEX vulnerability remediation analysis, as well as review information for components. These enhancements will help ensure you're ready for your FDA submission. Thank you to our customers for highlighting their need to include review statuses and notes! We very much appreciate your insights and expertise in continuing to enhance your SBOM vulnerability management and streamline your FDA submission process!

Bug fixes, UI enhancements, and help updates

Bug fixes:

Fixed the date filter on the Vulnerabilities page such that the start date is now midnight and end date is 11:59:59 pm. This fixes both the date range presets as well as the timeframes covered in the new vulnerability emails.

UI enhancements

Improved component matching to handle component names prepended with special characters, such as "@".
Updated component lists to show all components, even when they match the same NVD product and version. Your SBOM export will also include this higher level of specificity.

Help updates: To quickly get you up to speed on these new updates, we've added or extensively revised the following topics:

v4.1.3 | 2.81.1

September 24, 2024

Summary

Implemented human-readable URL parameters
Bug fixes and performance enhancements

Implemented human-readable URL parameters

We've implemented human-readable URL parameters across the entire UI, which now reference unique IDs of products, product versions, components, and vulnerabilities, as well as applied filters and searches, and more. You'll also see this improvement when you sign in to Helm from new vulnerability emails you receive. This deep linking enables you to more easily share information. These enhancements prepare Helm for upcoming features like breadcrumb navigation and expanded bulk actions, beginning with bulk remediation.

Bug fixes and performance enhancements

Resolved a performance issue to enable Helm to handle large volumes of vulnerabilities, minimizing timeouts and unexpected errors.
Fixed issue wherein some SPDX exports were failing under specific conditions, particularly with larger SBOMs.
Enhanced SBOM component rescanning and matching, improving reliability when the initial scanning process fails during an SBOM upload or when the component is manually added.

v4.0.46 | 2.80.4

September 9, 2024

Summary

Enhanced matching for Linux packages

Enhanced matching for Linux packages

We’re excited to announce a major improvement to our Linux package matching process, increasing efficiency by reducing manual work for users.

Previously, some Linux packages without identifiers in SBOMs were challenging to match. After collaborating with customers to address this issue, we’ve just released a solution that delivers a 29% improvement in matching accuracy.

As shown in the graph below, you can see a significant reduction in unmatched components and a clear increase in matched components after applying this enhancement. This means fewer manual interventions and more streamlined package management.

v4.0.46 | 2.79.2

August 30, 2024

Summary

Helm's new design system is live: Work smarter and stay focused
Multi-task and remediate risk faster across multiple Helm tabs
Help updates

Helm’s new design system is live: work smarter & stay focused

We’re thrilled to announce that Helm’s new design system is now live! 🎉

When you next sign in to Helm, you’ll notice a refreshed look-and-feel to enhance your experience and streamline your workflow. Here’s a quick overview of what you’ll see:

Light and dark themes: Choose between our newly updated dark theme or our brand-new light theme. To switch themes, click the sun/moon icon in the main navigation bar.
More intuitive badges and colors: We’ve standardized and enhanced our badges and color schemes for quicker component matching and vulnerability prioritization.
Enhanced UI elements: Enjoy a cleaner and more intuitive interface with refined controls, error handling, and new icons to improve navigation and usability.
Customizable data display: Take control of how you view and interact with data. You can now adjust table column visibility, perform multi-sorts, and choose your preferred display density.
Contextual actions: Easily access additional information or perform actions directly from tables by clicking on cell values.

Customizable data display

Our new design offers even more flexibility in how you view and manage your data:

Content refresh setting: Take charge of your data updates by setting auto-refresh intervals or turning it off entirely. You can also refresh manually refresh.
Pagination: Navigate large datasets with ease using our new pagination feature, ensuring you don’t lose your place.
Customizable columns: Tailor your tables to display exactly what you need. Use the Columns link to show or hide specific columns and hover over column headers to drag and drop them into your preferred order with the … icon.
Multi-column sorting: Focus on what’s important by applying complex sorts across multiple columns. Access this feature through the Sort fields link at the top of each table.
Flexible display density: Optimize your view by selecting a compact or expanded display mode and adjusting the number of rows per page to suit your preferences.
Advanced date picker: Gain precise control over date filtering with options for absolute/relative dates, custom ranges, and multi-month views.

Multi-task and remediate risk faster across multiple Helm tabs

If you’ve tried to have multiple Helm tabs open, you may have found yourself signed out. Great news! You can now work in Helm across multiple browser tabs.

Help updates

As part of our new design system, we've completely revised several related topics to help you match components and remediate vulnerabilities faster:

Assess match suggestions

v3.6.34 | 2.79.2

August 13, 2024

Summary

Automated enrichment of missing CPEs and PURLs
Automated enrichment of missing licenses for open-source components

Automated enrichment of missing CPEs and PURLs

During the component matching process, if a component in your SBOM does not have a CPE or PURL (not ingested or manually added), Helm's AI copilot will now automatically generate and assign the appropriate enriched CPE or PURL to that component. You can view any Enriched CPE or Enriched PURL in the component details. This information will be included see this information in the components table in now export this enriched info for any FDA reports that include SBOM components, including your enriched SBOM, FDA SBOM, or VDR report.

Auto-enrich open-source components with missing licenses

For your open-source SBOM components that have PURLs, but do not have licenses identified yet, Helm will check whether those components have licenses. If so, Helm will automatically enrich those components with that license information. Helm will not change the license information for any components that already have one or more licenses identified. This information will be included in any FDA reports that include SBOM components, including your enriched SBOM, FDA SBOM, or VDR report. As mentioned in our last release, we are in the process of adding this functionality to the UI, and you will soon be able to view, edit, and track software licenses across your supply chain.

v3.6.34 | 2.78.0

July 15, 2024

Summary

Export license information in SBOM
Bug fixes

Export license information in FDA reports

You can now export license information for any FDA reports that include SBOM components, including your original or enriched SBOM, your FDA SBOM, or your VDR report. We are in the process of adding this functionality to the UI, and you will soon be able to view, edit, and track software licenses across your supply chain.

Bug fixes

Fixed issue where CPE or PURL information would not display in some instances

v3.6.34 | 2.77.0

June 21, 2024

Summary

Added remediation evidence to vuln export
Enhanced severity filtering
Ingest CycloneDX SBOM entries that have an empty or omitted Type field
Ignore vendors set to OpenEmbedded() in SPDX SBOMs generated with Yocto Linux
Bug fixes and UX improvements

Added remediation evidence to vulnerability export

We've enhanced our vulnerability export functionality to include remediation evidence for each vulnerability. This provides a clearer picture of the actions taken to address vulnerabilities, enabling you to more easily demonstrate compliance and the remediation steps taken or planned to secure your products.

Enhanced severity filtering

We've refined vulnerability severity filtering to prioritize rescores over base scores. This ensures that you can better prioritize vulnerabilities based on their actual risk, helping you focus on the most exploitable issues first.

Ingest CycloneDX SBOM entries that have an empty or omitted Type field

We now support the ingestion of CycloneDX SBOM entries that have an empty or omitted Type field.

Ignore vendors set to OpenEmbedded() in SPDX SBOMs generated with Yocto Linux

If you are generating your SPDX SBOM using Yocto on Linux, it will often generate OpenEmbedded() as a vendor, which is not helpful for matching purposes. We will now ignore this value, maintaining a cleaner and more relevant database.

Bug fixes and UX improvements

Fixed exporting CVSS scores in VEX and VDR reports for SBOM entries that do not have a CVSS score. Our exports now reflect a blank score field instead of the previous default of -1.0 when a CVSS score is not available.
Enhanced new vulnerability email subject to handle edge cases, including ensuring that vulnerability emails are sent on the expected day, regardless of time zone.

v3.6.32 | 2.76.0

June 6, 2024

Summary

Automatic enrichment of CVE vulnerabilities with CPEs
Automatically create product versions and upload SBOMs with our GitHub action
Enhanced information in vulnerability emails
Fixes for SPDX SBOM upload failures
Support for SPDX SBOMs with NOASSERTION in supplier field
Added CycloneDX and VEX remediation status filters
Added Source column for vulnerabilities
Support for .zst SBOMs generated by Yocto on Linux
Bug fixes and UX improvements

Automatic enrichment of CVE vulnerabilities with CPEs

Our advanced Large Language Model (LLM) now enriches vulnerability data from the National Vulnerability Database (NVD), which has not kept pace with CPE and other data enrichment for the past six months, leaving those of us in the cybersecurity space in a bit of a quandary.

To remedy this issue, we have fine-tuned an LLM to replicate and possibly enhance the data processing traditionally performed by the NVD. Below you can see how this interim approach can help you to deal with this gap. Refer to our for more details.

Our approach identifies vulnerabilities impacting your products and automatically enriches the information retrieved from the NVD with CPE data, aiding in more precise identification of vulnerabilities. This provides you with a more complete view of your overall risk, and ensures that you're focusing your time and effort on the most exploitable vulnerabilities that are affecting your product. Vulnerabilities that came from the NVD, and through our CPE enrichment, were identified as impacting your products will have an AI badge in the new Source column on the page.

Automatically create product versions and upload SBOMs with our GitHub action

You can easily integrate Helm into your CI/CD process to streamline and automate the process of creating product versions and uploading SBOMs to Helm. You can either use our GitHub action independently or integrate it into your existing GitHub action workflow, enabling you to maintain comprehensive and up-to-date documentation of your product's components, dependencies, and vulnerabilities with minimal effort.

Enhanced information in vulnerability emails

If you're one of the cybersecurity experts who doesn't have any new vulnerabilities for the day/week/month cycle, congratulations! These updates include handling the scenario of zero new vulnerabilities and providing clearer details on the period covered by each email.

Fixes for SPDX SBOM upload failures

We've made a number of back-end improvements to help ensure that your SPDX SBOMs upload successfully.

Support for SPDX SBOM files with supplier set to NOASSERTION

We now treat suppliers set to NOASSERTION in SPDX SBOM files as undefined when importing this information into Helm, thus the Supplier column for that vulnerability will show as a blank.

Added CycloneDX and VEX remediation status filters

You can now based on their CycloneDX and CycloneDX VEX remediation statuses, enabling more precise vulnerability management.

Added Source column for vulnerabilities

We've added a Source column to the Vulnerabilities page. This allows you to identify whether a vulnerability originated from an external data source (currently only NVD) or came from the NVD, but was enriched via our LLM AI. Vulnerabilities enriched with CPE data and identified as impacting your products will display an AI badge in this column on the page.

Support for .zst SBOMs

Helm now supports SPDX SBOMs that are in .zst compressed files, which are automatically created when using Yocto Linux native SBOM generation capabilities."

Bug fixes & UX/docs improvements

Fixed issues with multiple toast notifications for some SBOM uploads
New topic:

v3.6.17 | 2.75.2

May 13, 2024

Summary

Auto-update vulnerability temporal metrics across product version
Enhanced omponent matching for fewer unmatched components
Purl and cpe id’s now considered in sbom entry uniqueness
Enhanced CycloneDX SBOM and VDR reports with bom-refs for unmatched components
Performance improvements on SBOM page loading
Enhanced CycloneDX VEX and VDR reports with vulnerability rescores
New sign in page
Bug fixes and UX improvements

Auto-update vulnerability temporal metrics across product version

Let us take some of the load of managing vulnerabilities off of you! When you create or modify a rescoring profile for product version, you can set all V3 vulnerabilities for that version to automatically rescore with any changes to their temporal score metrics coming from the NVD. This enhancement streamlines your vulnerability management process, ensuring that temporal scores reflect the most up-to-date information, saving you time spent manually monitoring and updating this information, thereby reducing the risk of missing critical updates, so you can ensure you're focusing on the vulnerabilities that matter most.

Auto-update vulnerability temporal scores

You can also set individual vulnerabilities to automatically update their temporal scores based on NVD data refreshes. This timesaving feature ensures your vulnerability information stays current with minimal manual effort.

Enhanced component matching for fewer unmatched components

We've improved our component matching algorithm to better handle scenarios where a vendor of an unknown component doesn't directly match known software. We will now automatically match unknown components that have CPE and PURL matches, but have an incorrect supplier. Previously, these components were initially marked with a Not found in NVD status, but could actually be resolved to the correct component via our match suggestions. Helm now identifies the corresponding known software, which will either be uniquely identified or will have a Multiple matches status (if there are still multiple possibilities). Our enhanced matching process should result in fewer unmatched components, thus ensuring more accurate and efficient component resolution.

Enhanced determination of component uniqueness

We have added CPE and PURL IDs when determining if an SBOM component is unique or is a duplicate.

Enhanced CycloneDX SBOM and VDR reports with bom-refs for unmatched components

In response to feedback, we've added the CycloneDX bom-ref parameter to all components in your SBOM export, enabling you to point each vulnerability back to a component, regardless of whether it is matched to known software. Initially, the bom-ref only displayed for matched components. For any unknown (unmatched or not uniquely matched) software, this will be the unique ID that was generated for that SBOM component when it was added to Helm. This will now be in your SBOM or VDR report.

Performance improvements on SBOM page loading

We've made a number of coding and query improvements to load SBOMs more quickly, which may also improve load time for your vulnerabilities.

Enhanced CycloneDX VEX and VDR reports with vulnerability rescores

If you've rescored your vulnerabilities either across a product version or individually, your CycloneDX VEX and VDR reports will now include vulnerability rescore information. This will now align with the Vulnerabilities report. You will now see a ratings section in your JSON file that will include a rating for any rescore on that vulnerability. For vulnerabilities rescored both at the product version level and individually, all associated scores will be included. While CVSS v2 scores remain static, they are also included in the ratings section to provide a comprehensive view. The source for all score data is set to Medcrypt Helm.

We've replaced our initial sign in page with a new look-and-feel. After clicking Sign in, you'll be prompted to enter your username and password on our authentication page.

v3.6.10 | 2.74.2

April 30, 2024

Summary

Rename products and versions
Enhanced granularity for CVSS score filtering
UX improvements

Rename products and versions

In response to customer feedback, we've added the ability for you to rename products and versions right from the product and version drop-downs on each page of Helm. Simply hover over the product or version in the respective drop-down to display the edit icon, then edit the product name or version.

Enhanced granularity for CVSS score filtering

We've improved the CVSS score filtering functionality to support floating-point values, allowing you to pinpoint vulnerabilities with greater precision. Now you can filter vulnerabilities using specific scores like 7.9, which will return everything from 7.9 to 10. This will enable you to precisely target and remediate vulnerabilities that fall within a more granular threshold.

UX improvements

Enhanced API key generation from the UI
Improved loading performance

v3.6.8 | 2.73.0

April 11, 2024

Summary

Enhanced support for large SBOMs
CycloneDX 1.5 support
Daily and monthly digests for new vulnerabilities
Bug fixes, UX and doc improvements

Enhanced support for large SBOMs

Our platform now let you upload SBOMs of up to 50MB in size. This significant enhancement enables organizations with larger software inventories to efficiently manage and analyze their software bill of materials within our platform.

CycloneDX 1.5 support

You can now upload your CycloneDX 1.5 SBOM to Helm. Any information in your file that is not currently supported in Helm will still be retained if you want to export either your original or enhanced SBOM.

Daily and monthly digests for new vulnerabilities

In response to customer feedback on our new weekly that keep you informed of the latest new vulnerabilities impacting your products, we've expanded this offering to include daily and monthly digests. You can choose one or more email frequencies based on your needs, and can manage your email preferences in your user profile.

Bug fixes, UX, and doc improvements

Fixed issue where loading page status displayed on the Vulnerabilities table after sorting columns. The Vulnerabilities Detected/Updated field now sorts only by date detected and not by date updated.
Resolved caching issue where some components would not display when the SBOM page was filtered.
Adjusted permissions to allow non-admin users with SBOM and Vulnerability modification access to create rescore profiles for product versions.
Numerous UI improvements
Updated doc:

v3.3.0 | 2.71.1

March 22, 2024

Summary

Processing modals
Bug fixes and UI improvements
New & updated docs

Processing modals

For larger SBOMs that can take longer to load, we've added a processing modal so you'll know when your upload is completed and whether it was successful. Similarly, we've added a processing modal for other operations that could take longer, including when you're rescoring a lot of vulnerabilities across an entire product version or if you've just added a component manually and we're attempting to automatically match it to known software in the NVD or package manager.

Bug fixes and UI improvements

We've improved performance when filtering your SBOM. We also fixed a bug where filters were not persisting if you copied a Helm URL that included a match status to another tab, or if you navigated from a filtered item from the global search results (Discover) page.

We've added and enhanced "empty state" pages to help you get started quickly, improved visibility of system status, enhanced our , and made other UI improvements.

New & updated help docs

Since we're continually adding and enhancing great new features, we want to make sure you can take advantage of all the new functionality, so we'll let you know any important doc updates in this section.

Enhanced docs:

: Added to help you manage user permissions
: Added new info on aliasing and removing an alias.

v3.2.0 | 2.71.1

March 14, 2024

Summary

Added VDR (Vulnerability Disclosure Report) report
Email notifications for new vulnerabilities
Support for CycloneDX XML SBOMs
Enhanced API documentation
Bug fixes and other improvements

VDR reports

As part of our continuous commitment to fulfill your FDA SBOM and cybersecurity vulnerability needs, we've added VDR (Vulnerability Disclosure Reports) to our suite of reports. Offering comprehensive insights into identified vulnerabilities, these reports equip you with proactive mitigation strategies, bolstering your defense against emerging threats.

Stay on top of new vulnerabilities

Never miss a beat with our notification system. Stay ahead of the curve by receiving timely alerts for any new vulnerabilities impacting your software supply chain. Manage your preferences effortlessly through your user avatar > My profile in the top navigation area of Helm.

Support for CycloneDX XML SBOMs

You can now in XML format for improved compatibility and versatility.

Enhanced API documentation

Automate your calls to our Helm application using our . You can upload an SBOM for a new or existing product and version, get a list of all unmatched entries, and a list of all vulnerabilities.

Bug fixes and other improvements

We've made numerous enhancements to improve the UI and SBOM loading performance.

We'd love to hear your feedback!

Thank you for your continued support and feedback as we strive to deliver top-notch solutions to meet your evolving cybersecurity needs! if you have suggestions on how to improve your experience!

v3.0.1 | 2.70.0

February 15, 2024

Summary

VEX reports
Improved vulnerability query performance

VEX reports

Introducing (Vulnerability Exploitability eXchange) reports – the latest addition to your cybersecurity arsenal! These reports focus on vulnerability exploitability, ease of exploitation, and potential impact. Now, effortlessly communicate vulnerabilities with a VEX remediation status, empowering your customers to focus on fixing the vulnerabilities that matter most.

Stay tuned! As a part of our continuous commitment to fulfill your FDA SBOM and cybersecurity vulnerability needs, we will be adding VDR (Vulnerability Disclosure Reports) to our suite of reports soon. Offering detailed insights into identified vulnerabilities, VDR reports equip you with comprehensive understanding and proactive mitigation strategies, ensuring robust security posture against emerging threats.

v2.68.0 | 2.69.1

January 29, 2024

Summary

FDA-ready reports
Export SDPX SBOM
New About modal

FDA-ready reports

Get the Medcrypt advantage with the only FDA expert-crafted SBOM that ensures you meet FDA SBOM requirements! In addition, you'll now get a to make meeting FDA cybersecurity requirements a breeze, including your enhanced SBOM in CycloneDX or CSV format, as well as your vulnerabilities in CSV format.

In our continuous commitment to fulfill your FDA SBOM and cybersecurity vulnerability needs, we will also be adding VDR (Vulnerability Disclosure Reports) and VEX (Vulnerability Exploitability eXchange) reports to our suite of reports soon. VDR reports provide detailed insights into identified vulnerabilities, providing a comprehensive understanding of vulnerability details, impact, and mitigation strategies to proactively respond to potential security threats. VEX reports focus on the exploitability of vulnerabilities, how easily they can be exploited, and their potential impact.

Export SPDX SBOM

You can now export your original or enhanced SPDX SBOM in JSON. For an enhanced SBOM, you can also include PURL and CPE info for any matches, as well as include all associated vulnerabilities.

You may have noticed that the bottom bar where your Helm version displays has been removed. Don’t worry, you can still get to your version from the sidebar > Help > About. This will launch an About modal, where you can see your current Helm version.

v2.66.1 | 2.66.1

January 4, 2024

Summary

Added ability to remediate vulnerabilities
Bug fixes, UI, and performance improvements

Remediate vulnerabilities

You can now remediate vulnerabilities to add granular status information, including tracking remediation changes and providing evidence for why changes were made. For each vulnerability, you can now set a CycloneDX 1.4 and/or CycloneDX 1.4 VEX status, or both. We're adding a more robust audit trail, and you can see the next step toward this in the Vulnerability details modal. You can see any interim statuses and notes you provided manually, as well as automatic tracking of any new remediation changes. If you set any interim statuses, the last one you set will now be reflected in that vulnerability's VEX status.

Bug fixes and other improvements

Fixed issue where a rescore profile would fail when rescoring large numbers of vulnerabilities
Several UI and experience improvements

v2.65.2 | 2.65.13

December 7, 2023

Summary

Rescore all vulnerabilities in a product version via rescore profiles
Rescore individual vulnerabilities
Support for SPDX SBOMs
Enhanced SBOM export now includes CPE and PURL data
New exploits and threats info, including EPSS and CISA KEV
Bug fixes and other improvements

Rescore all vulnerabilities in a product version via rescore profiles

You can create and apply rescore profiles to a product version based on your product's particular environment and usage, ensuring you're focusing on the most exploitable and impactful vulnerabilities. Any newly detected vulnerabilities for that product version will be automatically rescored with that profile.

Rescore individual vulnerabilities

You can now rescore the CVSS v3 score of any individual vulnerability associated with a particular product version so that it reflects your product's particular environment and usage. This will override any rescore profile already applied to the associated product version.

Support for SPDX SBOM format

You can now upload SPDX SBOM files, including those generated using Yocto on Linux. You can take all of your generated SPDX files, zip them using WinZip or gzip, then upload that zipped file to Helm. We'll do the rest!

Enhanced SBOM export now includes CPE and PURL data

When you upload your SBOM, we'll attempt to find exact matches in the NVD, as well as in supported package managers. If we find an exact CPE or PURL match in a package manager or if you manually specify the CPE and/or PURL for a component, you'll now be able to export an enhanced SBOM that includes CPE and PURL data.

Focus on the most exploitable vulnerabilities

You can now benefit from robust exploit and threat information from a variety of sources, including CISA KEV, ExploitDB, Metasploit, and Top 25 CWEs. You can also ensure that you're focusing on the most impactful and exploitable vulnerabilities via EPSS scores.

Bug fixes and other improvements

Improved performance when loading SBOM and vulnerability information
Improved onboarding to get you started or unstuck quickly. We now provide in-page guidance to help you upload an SBOM, view components for a particular product version, or expand your search criteria when there are no results. You'll see these in our SBOM, Vulnerabilities and Discover (Global search) pages.
Numerous user interface improvements

v2.62.6 | 2.62.6

November 2, 2023

Summary

Windows KB patch support
In-app status notifications
Performance and user experience improvements

Native support for Microsoft Windows KBs

Although a lot of medical devices run on Microsoft Windows operating systems, the NVD does not account for vulnerabilities having been patched by Windows KBs, making it very difficult to understand what vulnerabilities might still be impacting your device. You can now add KBs to your devices running a Windows OS, aligning your digital product version with your physical test device and thus ensuring that you have an accurate list of vulnerabilities that impact your Windows device.

In-app status notifications

You’ll now see in-app status notifications in the top-right corner to let you know that an action has been completed, such as uploading an SBOM or applying KBs to a product version.

Performance improvements and bug fixes

We’ve made significant performance improvements, as well as several enhancements to improve your user experience.

Let us know how we’re doing!

We on these new features, and would about other feature suggestions that would further enhance your experience.

Get a V&V report

If you would like a V&V report for your QMS, .

v2.60.1

November 2023

Summary

Allowing SBOMs that pass NTIA minimum requirements
Performance improvements and bug fixes

Allowing SBOMs that pass NTIA minimum requirements

We improved our capabilities to handle SBOMs that pass NTIA minimum requirements. If the SBOM you are uploading is an invalid CycloneDX SBOM, Helm will still accept it and process it for vulnerabilities.

Performance improvements and bug fixes

This release has improvements to performance and a few bug fixes on the dashboard page.

v2.59.2

November 2023

Summary

Performance improvements and bug fixes
Online help documentation added

Performance improvements and bug fixes

This release has a lot of improvements to performance and a few bug fixes. You should be having a faster, more responsive experience.

Online help documentation added

We’ve added a lot of great information to ensure you can get started, get your SBOM components matched quickly, and begin (or continue) to assess and mitigate your vulnerability risk across your software supply chain. Check it out on !

v2.57.3

November 2023

Summary

New Get started modal
Export SBOM with vulnerabilities
Combined Upload SBOM modal
Improved feedback when SBOM fails to upload
Other usability improvements and bug fixes

If you haven’t uploaded any SBOM yet or created one manually, you will see a new Get started modal pop up when you sign in to Helm. You’ll have four different options:

You need help with your FDA submission: You can request help from our expert Services team and leverage our best practices, templates, and checklists in improving your FDA submission.
You have a CycloneDX format. You can upload your SBOM file all in one step.
You have an SBOM in another format. You can contact us and we’ll get right back to you to get you moving.
You don’t know what an SBOM is or don’t have one yet. We’re here to help. Our expert Services team will help you create your SBOM, assess your current state, and help you identify and mitigate cybersecurity risks.

Export your SBOM with vulnerabilities

You can now choose to export your original SBOM or your enhanced SBOM with identified vulnerabilities. This will include the source name (currently always the NVD), a link to the vulnerability, both its v2 and v3 CVSS scores and vector strings, when the vulnerability was first detected, when it was updated, and more. Refer to for more information.

We’ve simplified your upload experience. If you’re uploading your first SBOM, you’ll see an Add SBOM drop-down button, from which you can select Upload SBOM. You can now browse to your SBOM file and specify your product name and product version in one step. Once you’ve uploaded at least one SBOM, this drop-down button changes to Manage SBOMs. In that case, you’ll be able to either select an existing product name and version, or create a new product name/version pair.

Improved feedback when an SBOM file fails to upload

If you upload an SBOM file, you can hover over the FAIL status to get more information on why the file failed to upload, including scenarios such as: missing required fields, additional fields present that are not defined in the JSON schema when the schema does not allow additional properties, and field values not matching expected data types.

v2.56.6

October 2023

Summary

Added match status tokens and enhanced status indicators
Added CPE and PURL package manager support
Enhanced details for components
Enhanced filters for SBOMs
In-product help added

Added NVD and NOT IN NVD tokens and enhanced status indicators

In response to customer feedback on the importance of knowing whether a component is or is not found in the NVD, we’ve added two tokens: NVD and NOT IN NVD. We’ve changed the NVD status column to Match status, and improved the status labels. You’ll now see:

Green checkmark next to Matched status when you have an exact match. You’ll also see the respective tokens that we used to make that match or that a user matched via selecting a match suggestion or creating an alias.
Yellow indicator next to Multiple matches status when you have multiple strong matches. You’ll be able to see the sources that the match suggestions are coming from, and will need to resolve this by selecting one of our suggestions or creating your own alias.

A red error indicator next to Not found status and NOT IN NVD token indicates that weren’t able to find a match in the NVD. This could mean that there are no known vulnerabilities or that your software has a different name in the NVD, so you’ll need to resolve these to make sure that you understand whether it is a risk or not.

Added CPE and PURL package manager support

Our valued customers asked for this and we delivered! We now support CPE and PURL (Package URL) matching. We support the following PURL package managers: Cargo, NPM, NuGet, and PyPI. If you upload an SBOM, you'll automatically find any matches in these package managers. You'll see a token, such as NPM, next to each component that matches a package manager. See for more information.

Note: This is not retroactive, so in order to take advantage of this cool new feature, you'll need to upload a new version of your SBOM.

Enhanced details for components

We’ve added a lot of information to your component details, so that you can tell exactly how it was matched as well as letting you know the last review note any of your team members added. You can hover over any token

Enhanced filters for SBOMs

You can now filter by match source, such as NVD, CPE, Alias, one of our supported package managers, user-selected matches, and NOT IN NVD. You can also filter on review status.

In-product help added

We’ve added help icons to many columns and fields throughout the UI to get you started and unstuck. If you need more clarification on the help or if you have a question on something that doesn’t currently have help, so that we can get it clarified or added.

Let us know if you see other areas we could improve!

If you run into issues or would like to request new features or feature enhancements, we'd love to ! Thank you so much for taking the time to help us improve your experience!

Interested in providing feedback on upcoming features?

We are working on adding some great new functionality, including:

Windows KB patching,
a customer-facing API to automatically ingest SBOMs as part of your CI/CD process,
the ability to copy/paste from a CSV or other file to create an SBOM,
more human-readable information,
complete CycloneDX ingestion and export,
SPDX support,
and other cool new things.

We'd love to on these to make sure what we're creating will improve your management and mitigation of your software supply chain risk. It will also give you a great opportunity to let us know features and feature enhancements you'd like us to consider adding! Note that this link will create a support ticket that will let us know you're interested, then we'll contact you directly to set up some time to do some feature walkthroughs. Thank you so much for your insights and expertise!

v2.55.5

September 2023

Summary

Enhanced global search
Changed date first detected time
Added date dashboard was last updated
Removed character restrictions on input fields
Added SSO support for PingID

New global search

Global search is now expanded to include searching across all your Product SBOMs for a particular component. You can still search for a specific CVE via CVE-ID, now you get a summary of the vulnerability as well as a list of any products that might be potentially impacted.

Changes to first detected time

The first detected date in Helm on the Vulnerabilities page now reflects the date when Helm detected the vulnerability for your component.

Last update timestamp

On the Metrics dashboard you can now see when the dashboard was last updated.

Character restrictions in input fields

Helm had strict character restrictions in input fields that have now been removed.

SSO support for PingID

Helm supports SSO for organizations on the enterprise plan. We now have a working integration with PingID.

v2.54.7

September 2023

Summary

Enhanced look-and-feel with new page layouts
Performance improvements and bug fixes

New page layouts

Both the Products page and the Vulnerabilities page now have a new look and feel as well as some new functionality for vulnerability filters.

Performance improvements and bug fixes

This release has a lot of improvements to performance and a few bug fixes. You should be having a faster, more responsive experience.

PreviousModify your organization name

Last updated 1 day ago

Was this helpful?