Helm 2.56.6 release notes
In response to customer feedback on the importance of knowing whether a dependency component is or is not found in the NVD, we’ve added two tokens: NVD and NOT IN NVD. We’ve renamed the NVD status column to Match status and improved the status labels. You’ll now see:
- A green checkmark next to the Matched status when there is an exact match. You’ll also see the tokens for the sources used to make that match, whether we matched the component automatically or a user matched it by selecting a match suggestion or creating an alias.
- A yellow indicator next to the Multiple matches status when there are several strong matches. You’ll see the sources the match suggestions come from, and you’ll need to resolve the component by selecting one of our suggestions or creating your own alias.
- A red error indicator next to the Not found status, together with the NOT IN NVD token, when we weren’t able to find a match in the NVD. This can mean either that the component has no known vulnerabilities or that it is listed under a different name in the NVD, so you’ll need to resolve these to understand whether the component is a risk or not.
Our valued customers asked for this and we delivered! We now support matching by CPE and by PURL (Package URL). The supported PURL package types are Cargo, NPM, NuGet, and PyPI. When you upload an SBOM, its components are matched automatically against these package managers, and a token such as NPM appears next to each dependency component that matched a package manager. See Match sources for more information.
Note: Matching is not retroactive, so to take advantage of this new feature you’ll need to upload a new version of your SBOM.
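To make the statuses and tokens above concrete, here is an added example (not Helm’s code) of how an SBOM component can be matched by CPE, by NVD name, by PURL package type, and by a user alias, and how the resulting candidates collapse into Matched, Multiple matches, or Not found with the NOT IN NVD token. The PURL parser follows the published Package URL grammar; everything else (the NVD and registry indexes, the alias table, the sample components, and the status rules) is constructed for illustration and is not the product’s actual algorithm.

```python
"""Added example, not Helm's code: matching SBOM components to match sources.

All lookup tables below are constructed stand-ins for data a real service
would query (NVD CPE dictionary, NVD product names, package registries, user
aliases); the status rules illustrate the behaviour the release notes describe.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# PURL types named as supported in the release notes, mapped to the UI token.
SUPPORTED_PURL_TYPES = {"cargo": "Cargo", "npm": "NPM", "nuget": "NuGet", "pypi": "PyPI"}

# Constructed stand-ins: each source proposes NVD product ids for a component.
NVD_CPES = {"cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*": "lodash:lodash"}
NVD_NAMES = {
    "lodash": ["lodash:lodash"],
    # Ambiguous name: two NVD products share it, so a user must pick one.
    "requests": ["python-requests:requests", "requests_project:requests"],
}
REGISTRY_PRODUCTS = {("npm", "lodash"): "lodash:lodash",
                     ("pypi", "requests"): "python-requests:requests"}
# A user-created alias for a component whose name differs from the NVD's.
USER_ALIASES = {"py-yaml": "pyyaml:pyyaml"}


@dataclass
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Parse 'pkg:type/namespace/name@version?qualifiers#subpath'.

    Per the PURL spec the version follows the last '@'; an '@' inside an npm
    scope must therefore be percent-encoded as %40 in the PURL.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a PURL: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest = rest.split("#", 1)[0]          # subpath is irrelevant for matching
    rest = rest.split("?", 1)[0]          # so are qualifiers
    path, sep, version = rest.rpartition("@")
    if not sep:                           # no version present
        path, version = rest, ""
    parts = [p for p in path.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"PURL needs a type and a name: {purl!r}")
    return Purl(
        type=parts[0].lower(),
        namespace="/".join(unquote(p) for p in parts[1:-1]) or None,
        name=unquote(parts[-1]),
        version=unquote(version) or None,
    )


def match_component(component: dict) -> dict:
    """Return match status, source tokens and candidate NVD products for one component.

    Each source proposes NVD product ids; the size of their union decides:
    0 -> Not found (NOT IN NVD), 1 -> Matched, >1 -> Multiple matches.
    """
    name = component["name"]
    sources = {}                          # token -> set of proposed product ids
    cpe = component.get("cpe")
    if cpe in NVD_CPES:
        sources["CPE"] = {NVD_CPES[cpe]}
    if name in NVD_NAMES:
        sources["NVD"] = set(NVD_NAMES[name])
    if component.get("purl"):
        purl = parse_purl(component["purl"])
        token = SUPPORTED_PURL_TYPES.get(purl.type)   # unsupported types (e.g. maven) yield no token
        if token and (purl.type, purl.name) in REGISTRY_PRODUCTS:
            sources[token] = {REGISTRY_PRODUCTS[(purl.type, purl.name)]}
    if name in USER_ALIASES:
        sources["Alias"] = {USER_ALIASES[name]}

    products = set().union(*sources.values())
    if not products:
        status, tokens = "Not found", ["NOT IN NVD"]
    elif len(products) == 1:
        status, tokens = "Matched", sorted(sources)
    else:
        status, tokens = "Multiple matches", sorted(sources)
    return {"name": name, "status": status, "tokens": tokens, "candidates": sorted(products)}


# Constructed CycloneDX-style component records (only the fields the matcher reads).
SAMPLE_SBOM = [
    {"name": "lodash", "cpe": "cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*",
     "purl": "pkg:npm/lodash@4.17.20"},
    {"name": "requests", "purl": "pkg:pypi/requests@2.25.1"},
    {"name": "py-yaml", "purl": "pkg:pypi/py-yaml@5.4"},                       # hypothetical name
    {"name": "acme-internal-lib", "purl": "pkg:maven/com.acme/acme-internal-lib@1.0.0"},
]


def match_sbom(components=SAMPLE_SBOM):
    return [match_component(c) for c in components]


if __name__ == "__main__":
    for r in match_sbom():
        print(f"{r['name']:<18} {r['status']:<16} {' '.join(r['tokens'])}")
```

Running the sample yields one component of each kind: lodash is Matched through CPE, NVD and NPM together (all three sources agree on one product), requests is Multiple matches because the NVD name alone is ambiguous, py-yaml is Matched only through the user alias, and the internal Maven component is Not found with the NOT IN NVD token, since its PURL type is not among the supported package managers and nothing else resolves it.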
We’ve added a lot of information to the dependency component details, so that you can tell exactly how a component was matched and see the last review note any of your team members added. You can hover over any token
You can now filter by match source, such as NVD, CPE, Alias, one of our supported package managers, user-selected matches, and NOT IN NVD. You can also filter on review status.
We’ve added help icons to many columns and fields throughout the UI to get you started and unstuck. If you need more clarification on the help or if you have a question on something that doesn’t currently have help, let us know so that we can get it clarified or added.
We are working on adding some great new functionality, including:
- Windows KB patching,
- a customer-facing API to automatically ingest SBOMs as part of your CI/CD process,
- the ability to copy/paste from a CSV or other file to create an SBOM,
- more human-readable information,
- complete CycloneDX ingestion and export,
- SPDX support,
- and other cool new things.
We'd love to get your feedback on these to make sure what we're creating will improve your management and mitigation of your software supply chain risk. It will also give you a great opportunity to let us know features and feature enhancements you'd like us to consider adding! Note that this link will create a support ticket that will let us know you're interested, then we'll contact you directly to set up some time to do some feature walkthroughs. Thank you so much for your insights and expertise!