Assess match suggestions

You can determine the likelihood of this potential match by checking the sample versions for the expected format, checking how many and which sources were used to identify the suggested match, and the type of match. A match based on CPE is considered the strongest match.

If the match was suggested via multiple sources, such as Alias and a PURL package manager, that is an even stronger match. Alias and User matches indicate that a user manually assessed this dependency to find the right match. Name is considered the weakest match.

Match suggestions modal

Column name

Decription

Supplier

This is the organization that supplied the dependency component. The supplier may often be the manufacturer, but may also be a distributor or repackager (e.g., Microsoft for Windows).

Details icon

Click this icon to view more details about this possible match, including reported vulnerabilities over time, as well as known versions from the CVE. If these versions match those of your dependency and there are vulnerabilities that have been reported, this is likely the correct match.

Product name

This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL).

Matched on

This shows the strength of the match. Refer to for more information.

Type

This shows the reliability of the match.

Exact match: This has an exact match in the NVD, which could include a PURL string (Cargo, NPM, Nuget, or Pypi package manager), CPE string, or name match.
Alias match: This dependency matches an existing alias.
Possible match: This dependency has a match in one or more sources. Check the Matched on column, then hover over those matching tokens for more information.

PreviousResolve match statuses NextGet more details on match suggestion

Last updated 5 months ago

Was this helpful?