1 of 90

Helm Docs

Helm help center

Upload SBOM and match to known software

Prioritize and remediate risk

API & Administration

Helm overview

Introducing Helm

Introducing Helm by Medcrypt

What is Helm?

Helm is a comprehensive (SBOM) and vulnerability management tool designed to give you full visibility over your software supply chain and help you manage cybersecurity risks effectively. Helm is designed especially for medical device manufacturers (MDM) to effectively identify and remediate medical device risk, which often have long lifespans and infrequent updates. It enables you to track multiple software versions across devices, ensuring compliance with FDA cybersecurity guidelines. about how Helm helps you meet FDA cybersecurity expectations.

Specifically designed to address FDA cybersecurity guidelines

Helm provides a host of features specifically designed to address the cybersecurity guidelines of the FDA:

Vulnerability management: Helm helps MDMs implement robust plans for addressing post-market vulnerabilities. With its proactive approach, Helm identifies and manages potential risks before they pose significant threats. In the event of a major vulnerability like Log4j or Wannacry, Helm can determine which devices could be impacted within seconds.
Software Bill of Materials (SBOM): Helm supports SBOMs from open source software (OSS), commercial software composition analysis (SCA) tools, and even manually created SBOMs. All SBOMs are organized in an intuitive UI to ensure full transparency about all components used in your medical device software, in compliance with FDA guidelines.
Industry specific frameworks: MedCrypt has developed a Cybersecurity Quality tool that provides an easy to follow template and model implementation of a Secure Product Development Framework (SPDF).
Broad software, firmware, and OS awareness: Helm provides visibility into both open source software (OSS) and commercial third party software. It supports tracking operating systems (OS), including real-time operating systems (RTOS), ensuring you have a comprehensive view of your software ecosystem.
Compliant SBOM maintenance: With Helm, you can be assured that your SBOMs meet both NTIA minimum requirements and the FDA’s cybersecurity requirements for human- and machine-readable formats.

Get started with Helm

How do we identify matches in your SBOM to known software in the NVD?

In order to match the software in your SBOM to known software in the NVD, we normalize values (e.g, “windows10”, “windows_10”, and “win 10” will all be converted to the official value, such as Windows 10). If you see a status of Matched, that means that the dependency has an exact match in the NVD (once we have normalized values), including having an exact match on a CPE string, alias, dependency component name, or supported PURL package manager.

What matching sources do we use?

Understand your current vulnerability risk

Monitoring new vulnerabilities

Helm facilitates continuous monitoring for new vulnerabilities, highlighting those with available exploits or malware kits. It also suggests Windows KB updates for resolution (specific to Windows operating systems) and provides updates from the National Vulnerability Database (NVD).

Rescore vulnerabilities individually or in bulk

Monitor your overall security posture

Stay on top of new vulnerabilities

Search vulnerabilities and dependency components across your products

Search vulnerabilities for a particular CVSS score range across your products

Patch Windows operating systems

For any products you have that are running a Windows operating system, you can apply Windows KBs to each of your product versions. For any vulnerabilities associated with a Windows operating system, you'll see suggested KB updates that you can apply to resolve each vulnerability. Alternately, you can collect the KB updates to create tickets for your team to address for your next release. You can also track which KBs have been applied to your digital version of your physical test device, so you can keep these in sync.

Manage licenses

Helm supports the ingestion of licensing information from CycloneDX and SPDX SBOMs, and enriches this information via our partnership integration with Tidelift. You can also manually enter or modify license details as needed. For each dependency component, you can view its details or manually modify it to add licensing information. All licensing information displays in the License details section of the dependency component details panel.

Export FDA-ready reports

Export vulnerabilities

Why SBOMs are critical to your present and future

By having an SBOM that represents the current state of your product, you now have a catalog of all of your “ingredient lists”, creating visibility and transparency across your software security supply chain and ensuring that your software is updated and patched on a regular basis. You can then quickly identify any potential exploitable vulnerabilities you need to assess and mitigate.

What is an SBOM?

SBOMs are a critical component for operationalizing software supply chain security; they are key building blocks in your software supply chain cybersecurity programs. SBOMs act like a list of ingredients for the software that makes up applications. You may call these individual software “components” or “dependencies”. Helm enables you to provide transparency to your own company, your auditors, and even your customers, depending on your company policies, on your software supply chain, ensuring that stakeholders are aware of otherwise invisible dependencies on proprietary, open source and licensed, Commercial Off-the-Shelf (COTS) libraries.

Common elements of an SBOM include:

Open-source libraries.
Plug-ins, extensions, and add-ons
Custom source code created in-house
Information about versions, licensing status, and patch status of dependency components
SaaS: Third-party services and API information required to run the SaaS application.

SBOMs are critical to secure your present and future

SBOMs are critical to realizing a better and more secure future for your company, your customers, and their patients. It is the latest step in the path to ensure that through making your software dependencies visible, you can then manage vulnerabilities of this software, ensuring that you are focusing on the highest-risk and most critical vulnerabilities first. Per the FDA, it’s no longer sufficient to rely on “security through obscurity”, as medical device manufacturers, you need to take responsibility and realize your pre-market and post-market liability for insecure software being used in your devices and systems, which are then passed down to customers and patients.

According to Gartner, by 2026, at least 60% of companies with mission-critical software solutions will mandate SBOM disclosures in their license and support agreements.

Recent cybersecurity attacks and changing economic conditions

Over the past few years, there have been a number of high-profile software supply chain attacks. Today’s connected devices rely on many software libraries, including home-grown, third-party, and open source projects. As a result of the pandemic, there have been a number of business-critical supply chain shortages, which have forced device and product manufacturers to expand outside their network of trusted suppliers, adding another layer of risk to the software supply chain. Here are a few of the more recent and most impactful attacks, although there are many more:

SolarWinds

In 2020, the SolarWinds attack on the software supply chain has a deep and lasting impact on the US governmental infrastructure and many companies across the US, Europe, Asia, and the Middle East, as IT networks were hacked by intruders over a months-long operation against SolarWinds, which supplied the hacked companies with a network monitoring and management platform. It cast a sobering spotlight on the extent to which medical device manufacturers know about the software that is used in their devices.

Log4Shell (Log4j)

In 2021, a critical remote-code execution vulnerability was discovered in the ubiquitous Apache Log4j open-source Java logging library. Its widespread usage combined with its ease of exploitation for even inexperienced hackers makes it especially dangerous, putting any Java applications with a user interface at risk of a Log4Shell attack. It made the risk inherent in using open source components in devices painfully clear. Systems and services that use the Log4j library include Twitter, Tesla, Apple, Minecraft, and many others.

WannaCry

In 2017, the WannaCry (also known as WannaCrypt) ransomware attack targeted computers running the Microsoft Windows operating system by using the EternalBlue exploit to encrypt data and the DoublePulsar tool to install and execute copied of itself, then demanding cryptocurrency payments to unencrypt the data. While Microsoft had released patches to close the exploit, many organizations had not applied these patches or were using older Windows operating systems that were past their end-of-life. According to Europol, WannaCry infected over 200K computers across 150 countries, impacting the National Health Service and a myriad of other companies.

Is my company impacted by Log4j or WannaCry?

You can easily check that once you’ve generated and uploaded your SBOM into Helm!

For Log4j, you can search for “log4j” in our global search to return all dependency components that are potentially impacted, or you can search on the vulnerability ID CVE-2021-44228. If you think you are impacted, refer to CISA's Log4j Vulnerability Guidance for more information.

For WannaCry, you can search for older Windows operating systems (e.g., Windows XP and upwards) to make sure that they have been patched. You can also search for associated vulnerability IDs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, and CVE-2017-0148. If you think that you could be impacted, refer to CISA's WannaCry fact sheet for more information.

Meet government requirements

According to Gartner, by 2026, at least 60% of companies with mission-critical software solutions will mandate SBOM disclosures in their license and support agreements.

Secure your company's present and future

The US government published Executive Order 14028 for Improving the Nation’s Cybersecurity in 2021, after which federal agencies were subsequently required to adopt NIST guidelines, including using SBOMs to conform with NIST secure software development practices.

Meet hospital requirements

Hospitals, the consumer of medical devices, are increasingly requesting a detailed SBOM as part of their Business Associate Agreements (ex. Mayo Clinic), with expectations including the device or application name, the vendor and product name based on the NIST CPE dictionary and the version, as well as who is responsible for providing and applying any software updates, how often the software will be updated, how often security patches are applied (particularly when there is a known vulnerability), whether the software is critical for the device to function, how the MDM will notify the Mayo Clinic in case of updates, and expected end-of-life date for the device or application. Due to their need to reduce operating expenses while maintaining the highest quality of healthcare, health systems like the Mayo Clinic will continue to reject supplier price increases, pass-thru taxes (e.g., the Medical Device Tax), or other loss of value. They have asked that MDMs continue to streamline processes and increase efficiencies.

Recent cybersecurity attacks and changing economic conditions

SolarWinds

Log4Shell (Log4j)

Is my company impacted by Log4j?

You can easily check that once you’ve generated and uploaded your SBOM into Helm! Simply search for “log4j” in our global search to return all dependency components that are potentially impacted.

Meet government requirements

To further support this, the US government published Executive Order 14028 for Improving the Nation’s Cybersecurity in 2021, after which federal agencies were subsequently required to adopt NIST guidelines, including using SBOMs to conform with NIST secure software development practices.

Meet hospital requirements

What can I use SBOMs for?

You can use SBOMS to proactively understand and prevent or reduce risks, as well as to respond to incidents when they do occur.

By having an SBOM that represents the current state of your product, you can create a catalog of all of your “ingredient lists” to create visibility and transparency across your software security supply chain, as well as identifying any potential exploitable vulnerabilities you need to assess and mitigate.

Meet Mayo Clinic requirements

If you’re doing business with the Mayo Clinic, they often request a detailed SBOM as part of their Business Associate Agreements, including the device or application name, the vendor and product name based on the NIST CPE dictionary and the version, as well as who is responsible for providing and applying any software updates, how often the software will be updated, how often security patches are applied (particularly when there is a known vulnerability), whether the software is critical for the device to function, how the MDM will notify the Mayo Clinic in case of updates, and expected end-of-life date for the device or application. Due to their need to reduce operating expenses while maintaining the highest quality of healthcare, the Mayo Clinic will continue to reject for supplier price increases, pass-thru taxes (e.g., the Medical Device Tax), or other loss of value. They have asked that MDMs continue to streamline processes and increase efficiencies.

Pre-market dependency and vulnerability tracking

Per the FDA guidance in Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, manufacturers should be addressing cybersecurity during the design and development of their medical device, which often results in more robust and efficient mitigation of patient and operator risks. Medical device manufacturers also need to establish design inputs for their device related to cybersecurity, as well as establishing a cybersecurity vulnerability and management approach as part of the software validation and risk analysis required by 21 CFR 820.30(g). This approach should address the following:

Identification of assets, threats, and vulnerabilities
Assessment of the impact of threats and vulnerabilities on device functionality and operators/patients
Assessment of the likelihood of a threat and of a vulnerability being exploited
Determination of risk levels and suitable mitigation strategies
Assessment of residual risk and risk acceptance criteria.

Medical devices that can connect (wirelessly or hard-wired) to another device, to the internet, to another network, or to portable media (e.g., USB or CD) are more vulnerable to cybersecurity threats than devices that are not connected. The extent to which security controls are needed depends on the device’s intended use, the presence and intent of its electronic data interfaces, its intended environment of use, the type of cybersecurity vulnerabilities present, the likelihood the vulnerability will be exploited, and the probable risk of patient harm due to a cybersecurity breach. To determine whether your device is considered a cyber device, refer to the What does the FDA classify as a cyber device? section.

Post-market dependency and vulnerability tracking

Per the FDA guidance in Postmarket Management of Cybersecurity in Medical Devices, due to constantly changing nature of cybersecurity risks to medical devices, manufacturers cannot completely mitigate risks through pre-market controls alone. Thus, it is critical that manufacturers implement comprehensive cybersecurity management programs and documentation consistent with the Quality System Regulation (21 CFR part 820), including complaint handling, quality audit, corrective and preventive action, software validation and risk analysis, and servicing.

Cybersecurity risk management programs should address vulnerabilities that will potentially allow the unauthorized access, modification, misuse or denial of use, or the unauthorized use of information stored, accessed, or transferred from a medical device which may result in patient harm. This program should include:

Monitoring cybersecurity information sources for identifying and detecting cybersecurity vulnerabilities and risks.
Maintaining robust software lifecycle processes, including mechanisms for:
- monitoring third-party software components for new vulnerabilities throughout the device’s lifecycle
- design verification and validation for software updates and patches that are used to remediate vulnerabilities, including for off-the-shelf software
Understanding, assessing, and detecting the presence and impact of a vulnerability
Establishing and communicating processes for vulnerability intake and handling.
Using threat modeling to clearly define how to maintain safety and essential performance of a device by developing mitigations that protect, respond, and recover from cybersecurity risk
Adopting a coordinated vulnerability disclosure policy and practice
Deploying mitigations that address cybersecurity risk early and prior to exploitation.

Per the FDA guidance in Postmarket Management of Cybersecurity in Medical Devices, it is strongly recommended that medical device manufacturers participate in an ISAO that shares vulnerabilities and threats that impact medical devices. Sharing and disseminating cybersecurity information and intelligence pertaining to vulnerabilities and threats across multiple sectors is integral to a successful post-market cybersecurity surveillance program.

In case you weren’t aware, Medcrypt owns an ISAO, MedISAO - we’d love to have you join us in sharing information!

Threat modeling

As part of your cybersecurity program, FDA post-market guidance states that manufacturers should define the safety and essential performance of their device, the potential for and severity of patient harm should the device be compromised, as well as the risk acceptance criteria, all of which will enable you to quickly triage vulnerabilities for remediation and mitigation. Threat modeling is critical to helping to you understand and assess the exploitability of a vulnerability, as well as ensuring that your vulnerability remediation can reasonably control the risk of patient harm. Acceptable mitigations will vary depending on the severity of the potential patient harm.

Handling a data breach

Having a complete SBOM is critical during a data breach, enabling you to quickly detect and analyze the impacted software and to understand the impact of the data breach and which other dependency components might be affected so that you can act quickly to limit the impact to your company, your customers, and their patients. It also helps you identify what critical areas you need to address and what to prioritize first in your cybersecurity plan.

Detect and analyze

SBOMs are very useful during the detection and analysis phase, providing visibility into what is in the software for context and details that inform the analysis. This drastically reduces wasted time spent gathering information from binary files, which is especially critical during a data breach.

Commit and recover

By shifting the process of providing transparency to your entire software supply chain to the left, you can get requisite information from your vendors and third parties to determine their impact in your device’s particular environment. This also enables you to proactively identify necessary patching and communicate that to your customers before exploits occur.

If your SBOM is complete and accurate, your incident response team can more easily understand how an application or API works, enabling them to put an attack in context. It can also help them track down repositories and which people are involved in the project, shortening response time. If your SBOM contains information about services, such as backend connections to databases, queues, APIs, and directories, they can use this to calculate the impact of a breach while it is occurring. They can also seek out impacted or affected components or dependencies in areas that they haven’t begun investigating yet, enabling them to more quickly ensure that they’ve eradicated a particular attack.

Post-incident response

After dealing with an exploit, you can use your SBOM in your post-mortem analysis to identify critical areas to address and what needs to be prioritized for the near and longer-term future.

Get Started

Sign in

Here at Medcrypt, we know you take your cybersecurity seriously, and so do we. When you create your account, you’ll automatically be enrolled in multi-factor authentication (MFA), also known as two-factor authentication (2FA). This means that you’ll need to provide a code from an authentication app. If you don’t already have an authentication application installed on your smartphone, you’ll need to choose one. We use Google Authenticator ourselves.

You’ll receive a welcome email, inviting you to sign in to your Helm account.
After signing in, you’ll be prompted to enable your MFA for security. At that time, you’ll be provided with recovery codes in case your phone is lost or stolen. Make sure to copy and paste these recovery codes into a safe place.
When you first sign in and until you’ve uploaded your first SBOM, you’ll see a get started modal, prompting you to choose a path. If you already are familiar with SBOMs and have a CycloneDX .json file, you should choose the top left path to upload your SBOM and get started. If you’re not, choose the path that best matches your current state.

If you accidentally closed that get started modal, don’t worry. You can always access it from the sidebar > Help section.

Get familiar with the Helm UI

Top navigation bar

In the top navigation bar, you can access your profile, as well as sign out of Helm. You can also search within your vulnerabilities or your SBOMs, as detailed below.

Sidebar

You can access any main page in the sidebar, including Products (SBOMs), Vulnerabilities, Global search discovery, Help, and Admin. If you need help getting started at any time, click Help for some paths to get you started, whether you have an SBOM yet or not.

Filter

Product/version selection bar

You can , specifying the product and version that you want to associate this SBOM with. You can then switch between SBOMs by selecting the appropriate product and version you want to work with.

Filter bar

You can or your to quickly drill down to exactly the information you need.

Search

From any page in Helm, you can s (Vuln ID) or on (SBOM) in the global search box in the top navigation bar.

Themes

Choose between our dark or light theme. To switch themes, click the sun/moon icon in the main navigation bar.

Tables

Customizable data display

Take control of how you view and interact with data. You can adjust table column visibility, perform multi-sorts, and choose your preferred display density.

Content refresh setting: Take charge of your data updates by setting auto-refresh intervals or turning it off entirely. You can also refresh manually refresh.
Pagination: Navigate large datasets with ease using our new pagination feature, ensuring you don’t lose your place.
Customizable columns: Tailor your tables to display exactly what you need. Use the Columns link to show or hide specific columns and hover over column headers to drag and drop them into your preferred order with the … icon.
Multi-column sorting: Focus on what’s important by applying complex sorts across multiple columns. Access this feature through the Sort fields link at the top of each table.
Flexible display density: Optimize your view by selecting a compact or expanded display mode and adjusting the number of rows per page to suit your preferences.
Advanced date picker: Gain precise control over date filtering with options for absolute/relative dates, custom ranges, and multi-month views.

Where did my columns go?

If you don't see your columns, that just means that they are currently hidden by default. Click the Columns link in the top of the table to show which columns are available, then toggle on/off columns to display only the ones you need. For example, if you need CVSS v2 scores, just toggle on this column.

Contextual actions

Easily access additional information or perform actions directly from tables by clicking on cell values.

Help

Get started

Click the path that best describes your needs to get started quickly.

Documentation

About

Click Help > About in the sidebar to view version information.

Contact us

We are always here to help get you unstuck!

Quickstart process

Ready to leverage the power of Helm to streamline your vulnerability management? Let's get you up and running!

Upload your Software Bill of Materials (SBOM) file:
- Got an SBOM ready? Upload your SBOM file to Helm. We support CycloneDX and SPDX SBOMs.
- Don’t have an SBOM yet? No worries! You can generate a CycloneDX SBOM or SPDX SBOM using our open-source tool suggestions or any other tool you prefer. You can also manually create your SBOM if that works better for you. If you’re unsure how to get started, we’re here to help—contact us so we can assist you.
Automatic matching to the NVD: Once you’ve uploaded your SBOM, our system will automatically attempt to match your components to the NVD (National Vulnerability Database).
- Matched status with NVD badge: For each Matched status with an NVD badge, we have identified an exact match for your component in the NVD, allowing you to see vulnerabilities associated with that component.
- Matched status with package manager badge: For each Matched status with a package manager badge, this indicates the component was matched to a specific package manager. If you don’t see an NVD badge, it means we couldn’t locate an exact match in the NVD, but your software does exist in the respective package manager. Refer to Match statuses for more details.
Resolve Select match status: For each Select match status, this indicates that we found multiple potential matches in the NVD. Click Resolve to review the match suggestions. Once you find the correct software, you can link it immediately. You must resolve this status by identifying an exact match in the NVD to see vulnerabilities for the component.
Resolve Not found status For each Not found status, this indicates we didn’t find a match in the NVD, meaning that there are no known vulnerabilities listed for that component using the name in your SBOM. You’ll need to resolve this status by identifying an exact match in the NVD to view the vulnerabilities. Remember that software can sometimes have a different name in the NVD.
Save time with reusable aliases: If you’re an Administrator, you can create an alias for a dependency to known software that you identify. This alias will save time and effort by ensuring consistent matching for future SBOM uploads.
Resolve Fix version status: For each Fix version status, this indicates that the version you provided does not match the expected version format. You'll need to resolve this status before you can view vulnerabilities for that component.
Contact Us status: If you see a Contact us status, this means we were unable to process the version. We are aware of the issue and will notify you once support has been added. At that point, we will automatically reprocess the affected component to attempt to find a match in the NVD.
Am I impacted by that vulnerability? Where? You can quickly check whether a particular vulnerability impacts your products, and if so, which products you'll need to focus on. Just enter the vulnerability ID in the global search bar at the top of any page.
Am I impacted by that vulnerable component? Where? You can quickly check whether your products contain a particular component, and if so, which products you'll need to assess. Just enter the component name in the global search bar at the top of any page.
Manage vulnerabilities: You can start managing vulnerabilities for any components that have a Matched status with an NVD badge.
Monitor your progress: You can track your progress on your Dashboard, accessible via the Home icon on the sidebar.

Upload your first SBOM

Ready to upload your first SBOM, or not sure what an SBOM is? We’re here to help! Helm supports both CycloneDX and SPDX SBOM formats, making it easy for you to manage your software components.

Upload a CycloneDX or SPDX SBOM

Click Add SBOM > Upload SBOM.
If you are uploading a compressed SPDX SBOM file, .

Supported SBOM versions and formats

Versions:

CycloneDX: 1.4, 1.5
SPDX: 2.2, 2.3

Formats:

CycloneDX: .json, .xml
Single SPDX files: .spdx, .json, .yaml, .xml
Compressed SPDX files: .gz, .tgz, .zip, .zst, .tzst

File size: 50MB

Where did my Add SBOM button go?

If you've already uploaded an SBOM, this button changes to Manage SBOM, providing you with additional actions. You can also check your SBOM file upload status from here.

In the modal that displays, specify a product name and version.
Click the Choose file button to browse to your SBOM file.
Click Upload SBOM.
If you're not seeing your SBOM dependency components loading, check that you have Auto-refresh turned on, or manually refresh the page. Larger SBOMs will take a bit more time. If you're still not seeing your SBOM, click Manage SBOMs > View file upload status. If you see a Failed status here, click the icon next to that status for more information. If you can't resolve the issue, for help.
Once you’ve uploaded your SBOM, you will see all of the dependency components that are contained in that product display on the page. We’re already starting to match, drawing data from the NVD, including Package URLs (PURL) of Cargo, NPM, Nuget, or Pypi package manager), CPE strings, dependency component name/version/supplier combo, and alias matches.
If you need to aggregate and merge additional SBOMs to this SBOM, click Manage SBOMs > Upload SBOM. This will add dependency components from that SBOM to your existing SBOM.
If you see any warning or error icons next to your dependency component version, click the icon for more information. You should be able to just edit the version for a warning scenario, but will need to for an error scenario. You'll need to resolve this issue before we can match this dependency component and return any vulnerabilities.

Not ready to add your SBOM yet? No worries!

You can create each of your products and their respective versions, then add your SBOM at any time.

In the Select product drop-down, select the Create product option, specify the product name, then Save. You’ll now see your new product selected. You’ll now need to add a version to upload an SBOM to.
In the Select version drop-down, select the Create version option, specify the version, then Save. Click the Add SBOM drop-down button, then select the Upload SBOM option.

Upload a compressed SPDX file

If you have a compressed SPDX SBOM file, follow these steps to upload it:

Prepare your files:
- Create a directory named after what you want to name your zip file.
- Navigate into that directory and create a subdirectory named packages in this directory.
- Copy your individual SBOM files into the packages directory.
Compress your files:
- Use the following commands to compress your files into a .tar.gz or .zip format:
  - Create .tar.gz: COPYFILE_DISABLE=1 tar -zcvf yourfilename.tar.gz yourdirectory
  - Create .zip: zip -r yourfilename.zip yourdirectory -x '**/.*'
Upload your file:

What happens after upload?

Create products and versions without an SBOM

In the Select product drop-down, choose Create product, specify the product name, then click Save.
In the Select version drop-down, choose Create version, specify the version, and click Save.
When you have an SBOM ready, just click the Add SBOM drop-down button (Manage SBOM if you already have uploaded other SBOMs), then select Upload SBOM when you’re ready to add your SBOM file.

Troubleshooting and support

You may have turned off auto-refresh. You can either turn it back on from the Auto-refresh switch above the table, or you can click Refresh to manually refresh the page.

No exact match

Upload issues

Have a large SBOM file?

If you have a larger SBOM file, this could take a little longer to upload. Get a cup of coffee or tea while we process your SBOM! We'll automatically start matching to known software in the NVD as soon as your upload is completed successfully.

Don't think your SBOM uploaded successfully?

SBOM contains component hashes

Although you can't currently view masked component hashes in Helm, rest assured that the component hash information in your SBOM has been retained and will be exported intact to any SBOM report.

Have a different SBOM format

Don't know what an SBOM is or not sure where to start

Ready to upload your first SBOM, or not sure what an SBOM is? We’re here to help! Helm supports both CycloneDX and SPDX SBOM formats, as well as manual SBOM creation, making it easy for you to manage your software dependency components.

Upload a CycloneDX or SPDX SBOM

Click Add SBOM > Upload SBOM.

Supported SBOM versions and formats

Versions:

CycloneDX: 1.4, 1.5
SPDX: 2.2, 2.3

Formats:

CycloneDX: .json, .xml
Single SPDX files: .spdx, .json, .yaml, .xml
Compressed SPDX files: .gz, .tgz, .zip, .zst, .tzst

File size: 50MB

In the modal that displays, specify a product name and version.
Click the Choose file button to browse to your SBOM file.
Click Upload SBOM.
Once you’ve uploaded your SBOM, you will see all of the dependency components that are contained in that product display on the page. We’re already starting to match, drawing data from the NVD, including Package URLs (PURL) of Cargo, NPM, Nuget, or Pypi package manager), CPE strings, dependency component name/version/supplier combo, and alias matches.
If you need to aggregate and merge additional SBOMs to this SBOM, click Manage SBOMs > Upload SBOM. This will add dependency components from that SBOM to your existing SBOM.

Where did my Add SBOM button go?

If you've already uploaded an SBOM, this button changes to Manage SBOM, providing you with additional actions. You can also check your SBOM file upload status from here.

Not ready to add your SBOM yet? No worries!

You can create each of your products and their respective versions, then add your SBOM at any time.

In the Select product drop-down, select the Create product option, specify the product name, then Save. You’ll now see your new product selected. You’ll now need to add a version to upload an SBOM to.
In the Select version drop-down, select the Create version option, specify the version, then Save. Click the Add SBOM drop-down button, then select the Upload SBOM option.

Upload a compressed SPDX file

If you have a compressed SPDX SBOM file, follow these steps to upload it:

Prepare your files:
- Create a directory named after what you want to name your zip file.
- Navigate into that directory and create a subdirectory named packages in this directory.
- Copy your individual SBOM files into the packages directory.
Compress your files:
- Use the following commands to compress your files into a .tar.gz or .zip format:
  - Create .tar.gz: COPYFILE_DISABLE=1 tar -zcvf yourfilename.tar.gz yourdirectory
  - Create .zip: zip -r yourfilename.zip yourdirectory -x '**/.*'
Upload your file:

What happens after upload?

Create products and versions without an SBOM

Not ready to upload your SBOM yet? No problem! You can create your products and their respective versions now and add your SBOM later.

In the Select product drop-down, choose Create product, specify the product name, then click Save.
In the Select version drop-down, choose Create version, specify the version, then click Save.
When you have an SBOM ready, just click the Add SBOM drop-down button, then select Upload SBOM.

Troubleshooting and support

Not seeing your SBOM dependency components?

You may have turned off auto-refresh. You can either turn it back on from the Auto-refresh switch above the table, or you can click Refresh to manually refresh the page.

No exact match

Upload issues

Have a large SBOM file?

Don't think your SBOM uploaded successfully?

Need help getting started?

Have a different SBOM format

Need to generate an SBOM

Don't know what an SBOM is or not sure where to start

Upload or convert .zst SBOM files from Yocto on Linux

You can upload .zst SBOM files generated by Yocto on Linux. If you still prefer to convert your .zst files to a zipped format, follow the steps below.

Generate your .zst file using Yocto on Linux

Although we try to ensure that 3rd-party information is still accurate, you should check Yocto's SBOM documentation to make sure there haven't been any changes since we last checked this.

Inherit create-spdx class: Ensure that your Yocto configuration file inherits the create-spdx class by adding the following line:
```
INHERIT += "create-spdx"
```
Build the image: Proceed with building the image using the standard Yocto build process.
Locate the SBOM files: After the build process, you'll see three different outputs. All are provided here to guide you, but you must only use the third one (in bold). These items are copied directly from Yocto documentation.

SPDX output in JSON format as in IMAGE-MACHINE.spdx.json in tmp/deploy/images/MACHINE in your build directory.
This top-level file also has an IMAGE-MACHINE.spdx.index.json containing an index of SPDX files for individual recipes
The compressed archive IMAGE-MACHINE.spdx.tar.zst, which contains the index and files for the single recipes.

Convert your .zst file to a zipped format (.tar.gz or .zip)

Please note this step is now optional, Helm natively supports the .zst file format.

Navigate to the directory that has the .zst file.
Run this command to unzip this file, which contains your individual SBOM files. Replace filename with your actual file name (in the bullets above from Yocto's docs, this is their IMAGE-MACHINE).

tar --zstd -xvf filename.zst

Create a directory with the name of what you want to name your zip file.
Navigate into that directory, then create the subdirectory, packages, in this directory.
Copy the individual SBOM files into this directory.
Run this command to zip the parent directory. In this example, we've used zst_sbom as the file name.

Create .tar.gz

COPYFILE_DISABLE=1 tar -zcvf zst_sbom.tar.gz zst_sbom -x

Create .zip

zip -r zst_sbom.zip zst_sbom -x '**/.*'

When creating a .zip for Mac, use: -x '**/__MACOSX' in the command. This does not work for creating a .tar.gz.

Once you've converted the file to either .tar.gz or .zip, you can upload your SBOM to Helm.

Understand data sources and update frequency

Our SBOM vulnerability management product integrates data from multiple sources to ensure you have the most comprehensive and up-to-date information, including frequency of updates. By integrating these sources, our SBOM vulnerability management product ensures you are well-equipped to manage and mitigate risks effectively.

How often is data updated?

Action

Updated

What data sources does Helm use?

Each vulnerability in Helm shows what data source or sources it was pulled from. Links are provided to the original CVE, as well as to exploitability and threat information.

National Vulnerability Database (NVD)

The National Vulnerability Database (NVD) is the world’s most comprehensive repository of publicly available vulnerability management data. Maintained by the National Institute of Standards and Technology (NIST), the NVD is built on the foundational work of MITRE and other leading cybersecurity entities. The database catalogs vulnerabilities identified as Common Vulnerabilities and Exposures (CVE), offering detailed information on over 100k documented CVEs, reaching back to the 1990s. The NVD not only provides vital intelligence on software flaws and misconfigurations but also includes crucial metadata such as severity scores, impact and exploitability metrics, and remediation steps, making it an indispensable resource for cybersecurity professionals.

You can easily see which vulnerabilities come from the NVD via the NVD badge indicator in the Source column.

AI co-pilot

In response to the NVD backlog, MedISAO, in collaboration with Medcrypt, has experimented with an AI copilot that leverages. This strategy aims to bridge the gap until NVD and CISA resolve their backlogs.

This system constructs CPE product and version match data to ensure rapid and continuous and continuous vulnerability enrichment.

This AI copilot pulls information from vulnerability databases like NVD, MITRE, and other external sources to stay up-to-date and continuously update vulnerability information.

AI copilot data sources and updates

This AI copilot pulls information from vulnerability databases like NVD, CISA, CVE.org, MITRE, and other external sources to stay up-to-date and continuously update vulnerability information.

CVE.org integration

We are currently adding CVE.org as a data source, and this support should be available in an upcoming release. CVE.org provides a list of publicly disclosed cybersecurity vulnerabilities, each assigned a unique CVE ID. With over 230,000 CVEs identified, defined, and catalogued, CVE.org partners with community members worldwide to grow CVE content. CVE.org has now been tasked with enriching CVEs in the NVD with CPE information to handle the backlog.

Support and integration

Supported by Helm, Medcrypt’s vulnerability management tool, this AI-driven approach uses historical data and a custom grammar parser to minimize inaccuracies and increase reliability. This AI copilot’s output mirrors the NVD data feed, allowing tools compatible with the NVD feed to seamlessly utilize enriched data.

How often is the NVD data feed updated?

This feed is updated daily and is available to MedISAO members and partners. It has thus far analyzed thousands more vulnerabilities than the NVD or CISA and integrated into Medcrypt's Helm product, enabling more enhanced vulnerability identification.

CVE.org

We are currently adding CVE.org as a data source and this support should be in an upcoming release.

Private vulnerability repository

This feature is currently being developed and is expected in an upcoming release.

You can add, track, remediate, and resolve private vulnerabilities from other sources such as penetration testing or threat modeling in Helm. These vulnerabilities are identified and reported privately by organizations and cybersecurity firms, and often include zero-day vulnerabilities and proprietary software issues.

The three primary use cases for private vulnerabilities are for organizations:

Tracking vulnerabilities in internally-developed components, whether unique to one product or that spans multiple products across the organization
Documenting security research on an issue before deciding whether to disclose it publicly
Using unmanaged data sources to identify vulnerabilities, such as change logs, commit logs, issue trackers, and social media posts, among others.

Exploit Database (ExploitDB)

Any active exploit retrieved from this database will show either an ExploitDB badge or Metasploit badge, depending on whether it is just an active exploit or whether there is a Metasploit toolkit. Additionally, you can view the impact of each vulnerability, which shows all known exploits and threats and provides links to the original source details.

Exploit Prediction Scoring System (EPSS)

Helm provides EPSS scores for any vulnerabilities that have a CVSS v3 score, as only CVSS v3 vulnerabilities have been assessed using the EPSS methodology.

Top 25 CWE (Common Weakness Enumeration)

Any vulnerability that is considered a top 25 CWE threat will show a Top CWE badge in Helm. You can also view more impact information in the vulnerability details, as well as review original sources.

CISA Known Exploited Vulnerabilities (KEV)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.

Any vulnerability that is in the CISA KEV list will show a CISA KEV badge in Helm. You can also view more impact information in the vulnerability details, as well as review original sources.

Microsoft Knowledge Base (KB) catalog

Important updates provide significant benefits, such as improved security and reliability. Optional updates might include, for example, new or updated driver software for devices that you have added to your computer.

Any vulnerability that has a recommended patch update will show an available patch indicator. You will soon be able to view patch recommendations in the vulnerability details as well.

Tidelift

We have partnered with Tidelift and are in the process of integrating relevant open-source component data into Helm.

Tidelift also partners with open-source maintainers to implement industry-leading secure software development practices and commit to these practices so that organization can feel confident in the security of their open source components in their ecosystems both now and in the future.

Data source routing

Components often belong to one or more ecosystems. These ecosystems typically have one or more sources of truth that provide additional data about the components. For example, Maven Central and the NPM repository provide information about Java and Node components respectively.

Vulnerabilities can be identified through the use of three fields: CPE, PURL, and SWID. Helm supports PURL and CPE.

Package URL (PURL)

Helm uses PURL in several ways:

Match components to identify vulnerabilities
Reduce false positives and false negatives
Identify outdated components across ecosystems

Supported package manager ecosystems

When does a PURL match get made?

For any vulnerability that was matched using a package manager, it will show the corresponding package manager name in its badge. If a dependency component is matched with a package manager badge, but also has a NOT IN NVD badge this means that Helm has identified your software in the package manager, but that no vulnerabilities have been reported in the NVD.

What is PURL used for?

PURL is recommended for use in identifying a container, library or framework (package), or operating system package.

PURL syntax

Package URL (PURL) standardizes how software package metadata is represented so that packages can universally be located regardless of what vendor, project, or ecosystem the packages belongs to. A PURL is an attempt to standardize existing approaches to reliably identify and locate software packages. It is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.

As mentioned above, we currently support the following PURL package managers: Cargo, NPM, NuGet, and PyPI.

PURL format

A PURL is composed of 7 components:

scheme:type/namespace/name@version?qualifiers#subpath

The definition for each component is:

scheme: this is the URL scheme with the constant value of "pkg". One of the primary reason for this single scheme is to facilitate the future official registration of the "pkg" scheme for package URLs. Required.
type: the package "type" or package "protocol" such as maven, npm, nuget, gem, pypi, etc. Required.
namespace: some name prefix such as a Maven groupid, a Docker image owner, a GitHub user or organization. Optional and type-specific.
name: the name of the package. Required.
version: the version of the package. Optional.
qualifiers: extra qualifying data for a package such as an OS, architecture, a distro, etc. Optional and type-specific.
subpath: extra subpath within a package, relative to the package root. Optional.

Examples:

pkg:pypi/django@1.11.1
pkg:nuget/EnterpriseLibrary.Common@6.0.1304
pkg:npm/foobar@12.3.1

Common Platform Enumeration (CPE)

NIST defines CPE as a structured naming scheme for IT systems, software, and packages. It is based on the generic syntax for Uniform Resource Identifiers (URI) and includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name. The CPE specification was designed for operating systems, applications, and hardware devices. It is maintained by the NVD.

When does a CPE match get made?

For any vulnerability that was matched using a CPE match, it will show a CPE badge. If a dependency component is matched with a CPE badge, that means that it has at least one vulnerability that has been reported in the NVD. A CPE is only assigned to software when a vulnerability has been reported in the NVD.

CPE syntax

CPE follows this format: cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>

cpe_version: This is the version of the CPE definition. As of this writing, the latest CPE definition version is 2.3.
part: This can be one of three values: a for Applications, h for Hardware, o for Operating systems. It is sometimes referred to as type.
vendor: This identifies the person or organization that manufactured or created this dependency component.
product: This is the name of the system/package/component.
version: This is the version of the system/package/component.
update: This shows any update or service pack information, also known as minor versions.
edition: This describes the build of the system/package/component beyond version.
sw_edition (2.3 only): This indicates the language of the system/package/component, such as en-us for US English.
target_sw (2.3 only): This indicates the language of the system/package/component, such as en-us for US English.
target_hw (2.3 only): This indicates the language of the system/package/component, such as en-us for US English.
other (2.3 only): This indicates the language of the system/package/component, such as en-us for US English.

CPE string examples

Application: If the URI is cpe:/a:microsoft:office:2007:sp2:professional then the CPE string is: cpe:2.3:a:microsoft:office:2007:sp2:-:*:professional:*:*:*

Operating system: If the URI is cpe:/o:microsoft:windows_7:-:sp1:x64 then the CPE string is: cpe:2.3:o:microsoft:windows_7:-:sp1:-:*:*:*:x64:*

Hardware (not supported in an SBOM): If the URI is cpe:/h:3com:3c13612 then the CPE string is: cpe:2.3:h:3com:3c13612:-:*:*:*:*:*:*:*

What does a wildcard in a CPE string indicate? Anything that is a wildcard (*) means that no particular value was provided for that section, so it will encompass any applicable value in that section.

Automate SBOM management into your CI/CD process with GitHub action

You can easily integrate Helm into your CI/CD process to streamline and automate the process of creating product versions and uploading SBOMs to Helm. You can either use our GitHub action independently or integrate it into your existing GitHub action workflow, enabling you to maintain comprehensive and up-to-date documentation of your product's components, dependencies, and vulnerabilities with minimal effort.

Save time and effort manually maintaining SBOMs

Once configured, Helm will automatically add or update SBOMs for the appropriate product versions based on your event trigger when new or updated SBOMs are added to your connected GitHub repository.

Efficiency: Automates the labor-intensive process of maintaining SBOMs, freeing up your team to focus on development.
Accuracy and consistency: Ensures that every change in your codebase is reflected in your SBOMs.
Integration: Fits naturally into your existing GitHub workflows, enhancing your DevOps practices without disrupting them.
Compliance and transparency: Facilitates compliance with regulatory requirements and enhances transparency with stakeholders by providing detailed and up-to-date SBOMs.

What formats are supported? Currently, we only support CycloneDX JSON. If you need SPDX support, .

Automate SBOM upload from GitHub repository

Our GitHub Action simplifies the management of SBOMs by automating the creation and uploading of product versions and their corresponding SBOM files from your GitHub repository.

To get started, you'll need Helm API access and the API credentials, as well as our Helm API URL (api-base-url).
In your GitHub repository, create a /workflows directory: .github/workflows
Create a new workflow .yml file under .github/workflows/ if you don’t already have one. If you already have one, just incorporate our step under jobs: > steps.
Create a step to upload your SBOM in the jobs section.
In the step, you can refer to the parameters in the table below or to the Readme for each of the parameters you'll need to add.
Provide the product-name and product-version-name.
If the product and version don't exist and you want us to create it for you, set create-product-and-version-if-missing to true.
Pass in your client-id and client-secret. These are your Helm API credentials. client-id is your email address (for the user that generated the API key) and client-secret is that user's API key.
Provide your sbom-file-path.
In our action, we currently set on to workflow_dispatch, which enables you to run it manually from the GitHub UI, but you can set it to whatever trigger you want, such as push, pull_request, or to run on a schedule.

Using Visual Studio Code editor?

You can install their GitHub actions plug-in, which will enable you to hover over the parameters to get the information in the table below or in the Readme file.

Parameters to include in the YAML file

In the uses: parameter, this is set to /medcrypt/action-helm-sbom-upload@your_version_branch

In the with: parameter, specify the following information:

Ingest SBOMS for multiple products from same repository

Wrap our action up in your own workflow file, then write a reusable workflow using on: workflow_call to call your workflow.

Ingest SBOMS for different products from different repositories

Just copy and paste the step into that repo's yml file. If desired, you can create your own reusable action to store client-id and client-secret, anything that will be the same across your organization.

What happens if there is an error during SBOM upload?

If there is an error, you can check the action to see where errors occurred.

What if I accidentally add the wrong product or version?

What if I need to change the configuration or disconnect a repository?

You can stop using this or modify your action settings at any time, including changing or disconnecting repositories, changing event triggers, and more.

Helm terminology

Term

Description

Dependency

This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL). In this help center, it is referred to as a dependency component.

Version

This is the dependency component’s version (e.g., 10.1 for Windows).

Supplier

This is the dependency component’s supplier’s name (e.g., Microsoft for Windows).

Chip

Chips are used like tags. In the editable state, they include an x to remove them.

Depending on the use case, some chip states can only be removed by unchecking the drop-down options.

Badge

Badges are used for elements to indicate things like matching sources or that a dependency was not found in the NVD.

Panel

Panels refer to panels that slide-out from the right of the main page. You can close a panel to return to the main (or parent) page from which it was launched.

Don't have an SBOM yet?

Don't have an SBOM?

Use Medcrypt's SBOM generation tool

You can now use Medcrypt's SBOM generation tool! Contact us to get access.

Use an open-source SBOM generation tool

Generate CycloneDX SBOM with open-source tools
Generate SPDX SBOM with open-source tools

Generate CycloneDX SBOM with open-source tools

You can use many different open-source tools to generate your SBOM in CycloneDX format. We support CycloneDX 1.4 and JSON and XML formats.

Note: We have not used all of these, so have appended an * to the ones we've used or have seen our clients use successfully.

Java *

Core

Generate an SBOM for Java Core projects with the CycloneDX Java Core plugin.

Maven

Generate an SBOM for Java Maven projects with the CycloneDX Maven plugin.

Gradle *

Generate an SBOM for Java Gradle projects with th CycloneDX Gradle plugin or Gradle's own CycloneDX plugin.

JavaScript *

Generate an SBOM for JavaScript projects with the CycloneDX JavaScript library.

Node.js

NPM *

Generate an SBOM for Node.js NPM projects with the CycloneDX Node module.
Generate an SBOM for Node.js NPM projects with the CycloneDX-npm tool.

Yarn

Generate an SBOM for Node.js Yarn projects with the CycloneDX Node module.

Objective-C/Swift

CocoaPods *

Generate SBOM for CocoaPods projects with the CycloneDX Cocoapod plugin.

.NET

NuGet *

Generate SBOM for .NET NuGet projects with the CycloneDX .NET module.

Python *

Generate SBOM for Python projects with the GitHub Python SBOM generation tool.

Pip

Generate SBOM for Python Pip projects with the CycloneDX Python SBOM generation tool.

Poetry

Generate SBOM for Python Poetry projects with the CycloneDX Python SBOM generation tool.

PHP

Composer

Generate SBOM for PHP Composer projects with the CycloneDX PHP Composer plugin.

Go

Gomod

Generate SBOM for Golang projects with gomod using the CycloneDX-gomod tool.

Elixir

Mix *

Generate SBOM for Elixir Mix projects using the CycloneDX SBOM generation Mix task

Erlang

Rebar3

Generate SBOM for Erlang Rebar3 projects with the CycloneDX Rebar3 SBOM generation tool.

Multi-Language

Microsoft's SBOM generation tool (microsoft.sbom.tool) apparently can detect NPM, NuGet, PyPI, CocoaPods, Maven, Golang, Rust Crates, RubyGems, Linux packages within containers, Gradle, Ivy, GitHub public repos, and more. It uses Component Detection to generate your SBOM.
Generate SBOM using Syft's CLI tool and Go library.

Linux kernel source code

Download Microsoft's SBOM tool the tool to your local environment, then give execute permission to the downloaded executable file:
chmod +x ./sbom-tool
Download, then extract the Linux kernel source code from The Linux Kernel Archives. For example, this uses version 5.15.88:
tar xvfJ linux-5.15.88.tar.xz
Run the SBOM generation tool:
./sbom-tool generate -b ./linux-5.15.88 -bc ./linux-5.15.88 -pn kernel -pv 5.15.88 -ps linux.org -nsb https://kernel.org
Locate the generated SPDX file in ./linux-5.15.88/_manifest/spdx_2.2/ folder. It is named manifest.spdx.json. You will now need to convert the SPDX file to CycloneDX.

Ruby *

Generate SBOM for Ruby projects with the CycloneDX-ruby gem.

More tools

Generate SPDX SBOM with open-source tools

You can use several different open-source tools to generate your SBOM in SPDX format. We support SPDX 2.2 and 2.3 with JSON format.

SPDX Software Bill of Materials (SBOM) generator

spdx-sbom-generator tool enables generation of SPDX SBOMs with current package managers. It automatically determines which package managers or build systems are actually being used by your software dependency components.
Works with Linux, Mac, and Windows.
Comes with a Dockerfile for you to maintain your own image.
has CLI (command-line interface) to generate SBOMs info, including dependency components, licenses, copyrights, and security references of your software supply chain using SPDX v2.2 spec and aligning with NTIA known minimum elements.

Yocto on Linux

Refer to Generate SBOM with Yocto on Linux.

Kubernetes SBOM tool

bom is a utility to create, view, and transform your Software Bills of Materials (SBOMs). It can generate SPDX packages from directories, container images, single files, and other sources. It also has a built-in license classifier that recognizes over 400 licenses in the SPDX catalog.
Supports Golang dependency analysis and full .gitignore support when scanning git repositories.

Multi-Language (Microsoft and Syft SBOM tools)

Microsoft's SBOM generation tool (microsoft.sbom.tool) apparently can detect NPM, NuGet, PyPI, CocoaPods, Maven, Golang, Rust Crates, RubyGems, Linux packages within containers, Gradle, Ivy, GitHub public repos, and more. It uses Component Detection to generate your SBOM.
Generate your SBOM using Syft's CLI tool and Go library.

Generate SBOM with Yocto on Linux

Generate your .zst file using Yocto on Linux

Although we try to ensure that 3rd-party information is still accurate, you should check Yocto's SBOM documentation to make sure there haven't been any changes since we last checked this.

Inherit create-spdx class: Ensure that your Yocto configuration file inherits the create-spdx class by adding the following line:
```
INHERIT += "create-spdx"
```
Build the image: Proceed with building the image using the standard Yocto build process.
Locate the SBOM files: After the build process, you'll see three different outputs. All are provided here to guide you, but you must only use the third one (in bold). These items are copied directly from Yocto documentation.

SPDX output in JSON format as in IMAGE-MACHINE.spdx.json in tmp/deploy/images/MACHINE in your build directory.
This top-level file also has an IMAGE-MACHINE.spdx.index.json containing an index of SPDX files for individual recipes
The compressed archive IMAGE-MACHINE.spdx.tar.zst, which contains the index and files for the single recipes.

Convert your .zst file to a zipped format (.tar.gz or .zip)

Navigate to the directory that has the .zst file.
Run this command to unzip this file, which contains your individual SBOM files. Replace filename with your actual file name (in the bullets above from Yocto's docs, this is their IMAGE-MACHINE).

tar --zstd -xvf filename.zst

Create a directory with the name of what you want to name your zip file.
Navigate into that directory, then create the subdirectory, packages, in this directory.
Copy the individual SBOM files into this directory.
Run this command to zip the parent directory. In this example, we've used zst_sbom as the file name.

Create .tar.gz

COPYFILE_DISABLE=1 tar -zcvf zst_sbom.tar.gz zst_sbom -x

Create .zip

zip -r zst_sbom.zip zst_sbom -x '**/.*'

When creating a .zip for Mac, add: -x '**/__MACOSX' after the command. This does not work for creating a .tar.gz.

Once you've converted the file to either .tar.gz or .zip, you can upload your SBOM to Helm.

Convert your SBOM from CSV to CycloneDX

If you have an SBOM that is already in a CSV file, you have a few options that you can use to convert it to a CycloneDX file, including using an open-source tool, writing a custom script, or adding each dependency manually. If you run into issues or aren’t comfortable doing this, .

Use an open-source tool

The one that we’ve used is . You will have to install and run this locally, so if this is outside your realm of expertise, so we can get your SBOM converted.

Install CycloneDX-CLI.
Add these metadata columns shown in this into your CSV file: Supplier, Type, Name, Version. You may already have these columns. They are required in order for Helm to be able to successfully identify matches for your dependency components.
Add the metadata field to your CSV file. See the for more information.
Run the tool, using the “--output-format json” option. This will output the file as a JSON file format. For example, from your directory (ours is ./bin/linux-x64/cyclonedx), you would enter the following in the command line (in our example, we used source_sbom_cyclonedx.csv as our source CSV file, then destination_sbom_cyclonedx.json as the output JSON file that we were creating from the CSV file): convert --input-file source_sbom_cyclonedx.csv -–output-format json > destination_sbom_cyclonedx.json

Write a custom script

You can write a custom script in Python or your favorite language to convert the file from CSV to CycloneDX JSON.

Get expert Services help

Our expert Services team of former FDA reviewers and analysts can provide expert assessment, guidance, and design of anything from building cybersecurity and continuous improvement into your product development lifecycle to your Public Key Infrastructure cryptography to FDA letters and most anything in between. to see how we can help!

Manage SBOMs

Automate risk prioritization and management

Helm provides many ways to ensure you have a comprehensive and accurate view of your overall risk that is tailored to your product's particular security posture, enabling you to spend your limited time on the vulnerabilities that matter most:

to automatically update component Level of support and EOS/EOL information across all products, ensuring consistency and regulatory compliance.
to automatically add missing licenses (only for components that do not have any associated licensing information), ensuring you're not missing valuable license risk that could even impact your IP.
Automatically according to your product's security posture, ensuring you're focusing on the most exploitable vulnerabilities. Helm can also automatically update exploitability and fixability changes if you so choose.
If we identify inaccurate CPEs or PURLs in your SBOM, Helm will attempt to provide an that matches to the correct software
For components we're unable to match, you can to automatically match these to known software for future SBOMs.
to automate many tasks, such as creating product versions, uploading SBOMs, returning all vulnerabilities and generating reports, as well as returning only unmatched components or only CISA KEV vulnerabilities.
your CI/CD process to automate product version creation and SBOM uploads
to ensure you have everything you need for FDA submission.

Manage your SBOM

Add your SBOM

Before you've added your first SBOM for a product version, you'll see an Add SBOM drop-down button. If you've already added an SBOM, this will change to Manage SBOMs and will have additional options, including checking SBOM file upload status.

To access these options, click the Add SBOM or Manage SBOMs drop-down button:

View upload status: This displays the SBOMs that have been uploaded for your products and versions. You can view the file name, file ID, when it was uploaded and by whom, the number of entries processed, and the status. If a file has uploaded successfully, you can see the number of dependency components processed from the SBOM. If a file has not uploaded successfully, you will see a red x icon next to the Failed to upload status. For these files, you will see an info icon to get more information on resolving the error.

Manage your SBOM

After or , you can manage your SBOM for each product and version in your software supply chain. Once you've uploaded your SBOM, Helm will match your software against the National Vulnerability Database (NVD), supported Package URLs (PURL) package managers, and CPE strings.

View dependency components in your SBOM

To view your SBOM, ensure you've selected a product and version so that you can .

In the Components table, you can quickly see where you need to complete matching, as well as understand exploitability risk and end-of-support/end-of-life risk, enabling you to prioritize upgrades. You can easily see what needs to be reviewed and catch up on reviews your team has made, as well as understand and manage license risk.

Click to drill-down for more information

Most things in Helm tables are clickable, enabling you to quickly drill down for more information, such as component details, match suggestions, fixing a version, contact us, reviewing a dependency component, and more.

Click the next step for each dependency component

For each dependency component, if there is a clear next step you need to take, that will be in the Actions column. If not, you'll just see the actions overflow ... button.

Dependency components columns

To view your SBOM, ensure you've selected a product and version so that you can see that version's dependency components.

Name: This is what may be referred to as a component in other systems. It is the firmware, software, framework, library, file, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL).
Version: This is the version for this dependency component name (e.g., 10.1 for Windows).
Supplier: This is the organization that supplied the dependency component. The supplier may often be the manufacturer, but may also be a distributor or repackager (e.g., Microsoft for Windows).
Level of support: Indicates whether the component is supported. Can be date or text value.
EOS/EOL: Indicates whether the component has a known end-of-support or end-of-life date or other information. Like Level of support, this can also be a date or text value. If there is a date, this indicates that the component will no longer be supported or maintained after this time, thus it will potentially become more vulnerable and less reliable over time. You should either upgrade to a supported version or replace it with an alternate component to reduce risk.
Review status: Indicates whether the dependency component has been reviewed or needs to be reviewed.
Licenses: Displays the dependency component's licenses.

Manage dependency components

Manage component: This will display all details for this dependency component in view mode. This will also show how Helm matched the dependency component, as well as any review information from your team. If you edit the dependency component, you'll be prompted to confirm this change. This is because Helm will reload the dependency component and rematch it, which will discard any review information you may have added.
Add review note: Add a review note, then change the review status to Reviewed. You'll see this updated status in the Review status column, along with a note icon.
Review history: This will show any analysis notes or review status changes your team has made. You can also add a review note from here.
Reload component: If a dependency component is in an error state that is not caused by an inaccurate or unsupported version, you can reload it, but you should rarely, if ever, need to do this. This is a backup action in case you run into an error state. Helm will discard any previous information for the dependency component, and attempt to match it to known software.
Delete component: If you have appropriate permissions, you can remove a particular dependency component. To avoid accidentally removing something that you wanted to keep, you’ll then be prompted to confirm this action.

Filter components

Click the Filters drop-down on the Components page to filter quickly to what you need.

Component details: Search by component name or component review status
Match details: Search by component match status
License details: Search by SPDX license ID or custom license name
Lifecycle details: Search for components with upcoming or expired end-of-support/end-of-life (EOS/EOL) dates, or search for components that will expire within a particular date range.

Recommended filters to reduce risk

Follow these steps to ensure you've completed your dependency component matching and identified all possible vulnerabilities across your SBOM.

Match status

The match status of each of your dependency components is indicated in the Match status column of the dependency components table. You can click directly on this status badge itself to begin the resolution process, or you can select an action from the Actions column.

To ensure that you complete matching, filter on Select match first. Helm has provided strong match suggestions for these, so you should be able to match these relatively quickly. Click Select match on any of these statuses to start matching.
For users with Admin role, we highly recommend that you create an alias for each dependency component you match. This will ensure that these are automatically matched for future SBOMs. If you're not sure whether to create an alias during the match, you (or your Admin) can always create one later.
If you want to complete matching, filter on Not found next. This indicates that Helm was unable to find an exact match in the NVD. Click the Not found badge to view the match suggestions Helm has identified. If you don't see the correct match, make sure you create an alias so that this will be automatically matched for future SBOMs.

Match source

Lifecycle details

Be confident that you're using actively maintained and supported components when building a new product or updating an existing one. Filter quickly on the support status of your components, as well as the timeframe for components that are nearing their end-of-support or end-of-life dates, enabling you to prioritize updates effectively, thereby ensuring the stability and security of your device throughout its lifecycle.

License details

Filter your dependency components by license, including those with specific licenses, no license, or unknown license status. This filtering capability helps quickly identify and mitigate license-related risks, such as copyleft licenses or unknown license statuses that may impact IP.

You can filter on GPL licenses and other restrictive licenses to quickly evaluate legal risk, enabling you to quickly prioritize updating or changing components that have licensing that could impact your IP and legal compliance. You can also filter on which components have at least one license, those that don't currently have any license information, as well as those that are specifically set to No license or NONE or Unknown or NOASSERTION (the values in caps are SPDX values), ensuring you understand your legal risk for every component in your product.

Create rules to auto-update EOS/EOL across all products

To ensure that changes you make to a component in one product version is persisted throughout your product portfolio, users with privileges can create specific rules for each component directly in the Rules manager, or can automatically create rules when updating the component details.

For each rule, you can set conditions around the supplier name, component name, and component version. You can then set effects that will be applied when all of the conditions are true to persist the specified Level of support and EOS/EOL (End-of-Support and End-of-Life) information across all of your products.

Add rule

If you haven't created any rules yet, you'll see a Create rule button. Click this to switch to the Edit rules mode to begin creating your rule. If you need to add more rules later, you'll need to be in this edit mode.
If you already have rules, click the Add another rule button to create a new rule at the top of the list. You can rearrange the rule's priority by dragging it lower in the list.
For each condition, make sure that the Enabled switch is turned on (is blue).
Set each condition by selecting the corresponding field and comparator, then specifying the expected matching value. As you add conditions, the rule name will be automatically updated in the following format, provided that particular condition is set: [Supplier name]/[Component name]/[Version]. For version ranges, the name will reflect the conditions specified in the following format: [Supplier name]/[Component name] [less than 10.1], such as Google Chrome less than 10.1. You cannot currently edit rule names. If this is important to you, !
Click Add version condition to add additional version conditions. Each condition uses the AND logic, so everything must be true in order to apply the effects. You can set the version as either an exact match or set conditions for a version range. For an exact match, set the version as is equal to. For version ranges, you can set the following conditions: is less than and/or is greater than. You can specify either a version exact match or up to two version conditions for a version range.
Set each effect below the conditions by selecting the corresponding field, comparator, then specifying the expected matching value. For Level of support and EOS/EOL (end-of-support and end-of-life) information, you can specify either is equal to date, then select a specific date, or set it as is equal to text, then provide the respective text value.
When you're finished adding rules, updating rules, and/or changing rule priority, click Save & apply. Note that unsaved changes will only persist during your Helm session, so make sure to save and apply anything you don't want to be discarded.
After you confirm these changes, Helm will begin applying them to your existing SBOMs, and will apply them to any future SBOMs.

Manage rule

Click the Edit rules toggle button to edit rules.
Make any modifications to conditions and/or effects.
To change rule priority, click the drag icon next to the rule name to drag it to a different position in the list. Rule priority is determined by the order of the rules in the Rules manager. If multiple rules impact a component, the one highest in the list takes precedence.
To delete a rule, click the Delete action. You will be prompted to confirm, but this deletion will not take effect before you click Save & apply. Deleted rules will be unapplied from existing SBOMs, and will no longer be applied to future SBOMs. You cannot recover a deleted rule. Note that if you decide to delete the only rule you have, any unsaved changes that you have made will be automatically applied and the rule will be deleted. In that case, you'll now see a blank rule, so that you can add more rules in the future.
When you're finished making changes, click Save & apply. Note that unsaved changes will only persist during your Helm session, so make sure to save and apply anything you don't want to be discarded.
After you confirm these changes, Helm will begin applying them to your existing SBOMs, and will apply them to any future SBOMs.

Create, edit, or merge SBOMs

You can add components to an existing SBOM or you can create an SBOM from scratch by adding each one manually. You can also merge SBOMs to combine all dependency components for multiple systems into one.

Create components (dependencies) manually

If you're just starting your SBOM, click the Add SBOM drop-down button > Add dependency. Note that if you've already created or uploaded any SBOMs, this button will change to Manage SBOM and will have additional options, including checking file status.
In the panel that displays, specify the product and version in the first section.
In the next section, provide any information you have for your component. The only required field is the name, so if you don't have information (e.g., version), you can always add this later. However, Helm will need the version to attempt to accurately identify the matching known software.
Click Add component. Helm will analyze your component for matches in supported package managers and the NVD, so this will take a few seconds. If you've provided a PURL or CPE, Helm will analyze our package managers and other data sources to ensure that you have the correct string. If not, Helm will automatically fix this for you. If you don't see your component display, you can refresh it. If Auto-refresh is on, we will automatically be updating this, but if you're not seeing anything, turn Auto-refresh off, then click the manual Refresh button.

Edit component

On the component you want to edit, click Actions ... > Manage component.
Click Edit on the section you would like to edit. Note that you cannot edit the Match details section.
If you edit the component details, then save your changes, you will be prompted to reload this component. Note that this will assess the component anew, which will lose any previous metadata, including matching, EOS/EOL, licensing, or review information that you have manually added.
If you edit the lifecycleIn the panel that displays, make any necessary changes, then save. This will automatically reload your component, which will no longer retain any review information you've already added for this dependency component. If you don't see your updated dependency component display, make sure Auto-refresh is on or click Refresh to manually update the page.

Merge another SBOM into your existing SBOM

To combine SBOMs from various systems into one SBOM, you can simply upload another SBOM to Helm. This will automatically merge that SBOM into your existing one, de-duping any dependency components that are on both SBOMs.

You can add dependency components to an existing SBOM or you can create an SBOM from scratch by adding each one manually. You can also merge SBOMs to combine all dependency components for multiple systems into one.

Create dependency components manually

If you're just starting your SBOM, click the Add SBOM drop-down button > Add dependency component. Note that if you've already created or uploaded any SBOMs, this button will change to Manage SBOM and will have additional options, including checking file status. This will display the Add dependency component modal.
In the panel that displays, specify the product and version in the first section. If you haven't created any products or product versions yet, click the create button in this drop-down. If you've already added products and versions, select the appropriate ones.
In the next section, provide any information you have for your dependency component. The only required field is the name, so if you don't have information (e.g., version), you can always add this later. However, Helm will need the version to attempt to accurately identify the matching known software.
Click Add dependency component. Helm will analyze your dependency component for matches in supported package managers and the NVD, so this will take a few seconds. If you've provided a PURL or CPE, Helm will analyze our package managers and other data sources to ensure that you have the correct string. If not, Helm will automatically fix this for you. If you don't see your dependency component display, try refreshing your browser.

Edit dependency component

On the dependency component you want to edit, click Actions ... > Manage dependency component.
In the panel that displays, make any necessary changes, then click Save changes. This will automatically reload your dependency component, which will no longer retain any review information you've already added for this dependency component. If you don't see your updated dependency component display, make sure Auto-refresh is on or click Refresh to manually update the page.

Merge another SBOM into your existing SBOM

Upload new version of SBOM with each release

To keep track of various versions of your SBOM and to ensure that your SBOM is accurate for each product release to meet FDA requirements and protect your customers and their patients, you should create a new version of your SBOM whenever your team:

Updates the device or application
Adds or removes a dependency component or changes a dependency component version
Adds one or more Windows KBs to a device version
Adds a Windows KB to a vulnerability
Upgrades the version of a dependency componen

This will help ensure your readiness for your pre-market FDA submission, while ensuring that customers post-market understand whether they are affected by vulnerabilities associated with a particular version of your product. Refer to for more information.

Manage component

You can view details about a dependency components, including its licenses, how it was matched, and any review information. In the Software Bill of Materials (Products) page, select Actions ... > Manage component to modify dependency component details.

Product details

Product name: This is your product name.
Product version: This is your product version.

Component details

Name: This is the firmware, software, framework, library, file, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL).
Version: This is the version for this dependency component name (e.g., 10.1 for Windows).
Supplier: This is the organization that supplied the dependency component. The supplier may often be the manufacturer, but may also be a distributor or repackager (e.g., Microsoft for Windows).
Original CPE: This is the original PURL assigned to this component in your SBOM file. Example format: (e.g., cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other)
Enriched CPE: This is the PURL that was added or enriched from the respective package manager during the component matching process. This will only display if populated. You cannot edit this.
Original PURL: This is the original CPE assigned to this component in your SBOM file. Example format: (e.g., scheme:type/namespace/name@version?qualifiers#subpath)
Enriched PURL: This is the CPE that was added or enriched by our AI copilot during the component matching process. This will only display if populated. You cannot edit this.

Match details

This is how Helm matched or attempted to match your dependency component.

Match status: This shows the current , as well as what were matched on.
Vuln source: This is the source where we located this dependency component. This is currently always NVD. If it was not in the NVD, it will show a badge.
Matched by:
- System: Helm automatically matched this dependency component based on an exact match in the NVD, which could be from a CPE, PURL package manager, name/version/supplier, or alias.
- User name: This user manually matched this dependency component to a suggested match or created a new alias to link it to known software.

Review details

This shows the last review added for this dependency component. You can also add your own review or view all review information.

Review status: Shows whether the dependency component has been reviewed or needs to be reviewed. You can click this badge to set a new status.
Last reviewed: Shows who last reviewed this dependency component and when.
Last review: This is the last review note made on this dependency component to inform the team or progress, final status, or critical risk.

Edit component

On the component you want to edit, click Actions ... > Manage component.
Click Edit on the section you would like to edit. Note that you cannot edit the Match details section.
If you edit fields in the Component details section, then save your changes, you will be prompted to reload this component. Note that this will assess the component anew, which will lose any previous metadata, including matching, EOS/EOL, licensing, or review information that you have manually added.
f you don't see your updated dependency component display, make sure Auto-refresh is on or click Refresh to manually update the page.

Delete component

Click Actions > Remove (Delete) component. You will be prompted to confirm, as you cannot recover deleted components. This will only delete this component from this product version.

Automate risk prioritization and management

Set rules to automatically update component Level of support and EOS/EOL information across all products, ensuring consistency
Reload components to automatically add missing licenses (only for components that do not have any associated licensing information), ensuring you're not missing valuable license risk that could even impact your IP.
Automatically rescore all vulnerabilities according to your product's security posture, ensuring you're focusing on the most exploitable vulnerabilities. Helm can also automatically update exploitability and fixability changes if you so choose.
If we identify inaccurate CPEs or PURLs in your SBOM, Helm will attempt to provide an enriched CPE or PURL that matches to the correct software
For components we're unable to match, you can create aliases to automatically match these to known software for future SBOMs.
Use our Helm API to automate many tasks, such as creating product versions, uploading SBOMs, returning all vulnerabilities and generating reports, as well as returning only unmatched components or only CISA KEV vulnerabilities.
Integrate our GitHub action your CI/CD process to automate product version creation and SBOM uploads
Export your FDA-ready SBOM to ensure you have everything you need for FDA submission

Overall security posture

Find known vulnerabilities

Prioritize vulnerabilities

Rescore vulnerabilities

Resolve Windows vulnerabilities

Remediate vulnerabilities

Ensure FDA readiness

Terminology

API SDK and docs

Administration

what's new

Understand the CVSS vulnerability scoring system

Helm returns the Common Vulnerability Scoring System (CVSS) to provide numerical ratings corresponding to critical, high, medium, and low scores to ensure you understand your current vulnerability risk. Because older devices may only have a CVSS v2 score, while newer devices may only have a v3 score, Helm provides both CVSS v2 and v3 scores, enabling you to assess risk across the spectrum of your legacy and new devices.

This score incorporates a number of factors assessing the exploitability of a vulnerability.

Base score

For CVSS v3 scores, you can use a number of calculators to understand how the CVSS score for a particular vulnerability was calculated:

Hover over each metric classification value to get more information on how to determine which value applies to your situation. For your convenience, we've also provided those metric and value definitions below.

Rescore CVSS 3.x vulnerabilities

You can rescore all vulnerabilities associated with a particular product version or rescore individual vulnerabilities.

Base CVSS score

Every vulnerability in the NVD starts with a base CVSS score. You cannot modify this base score, but you can modify the temporal and environmental scores by assessing your particular device's situation. Every metric in these two sections is set to Not defined (X) by default, which has the highest impact on the CVSS score.

All definitions are extracted from first.org's CVSS 3.1 calculator.

How do I read a CVSS 3.1 vector string?

For CVSS 3.1, each section separated by a / in a vector string corresponds to one of the subcategories in the Base and Temporal categories. Thus, a string such as this:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:X/RL:O/RC:X

indicates that the Attack Vector is Network, Attack Complexity is High, Privileges Required is None, User Interaction is Required, Scope is Unchanged, and that the Confidentiality Impact is Low, Integrity Impact is Low, and Availability Impact is Low. It also indicates that Exploit Code Maturity is Not Defined, Remediation Level is Official fix, and Report Confidence is Not defined.

Exploitability metrics

Attack vector (AV)

This metric reflects the context by which vulnerability exploitation is possible. The Base Score increases the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component.

Network (AV:N): The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed, up to and including the entire Internet. Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).
Adjacent (AV:A): The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN to an administrative network zone).
Local (AV:L): The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document).
Physical (AV:P): The attack requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief or persistent.

Attack complexity (AC)

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Such conditions may require the collection of more information about the target or computational exceptions. The assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability. If a specific configuration is required for an attack to succeed, the Base metrics should be scored assuming the vulnerable component is in that configuration.

Low (AC:L): Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.
High (AC:H): A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may require an attacker to: gather knowledge about the environment in which the vulnerable target/component exists; prepare the target environment to improve exploit reliability; or inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g., a man in the middle attack).

Privileges required (PR)

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None (PR:N): The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.
Low (PR:L): The attacker is authorized with (i.e., requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources.
High (PR:H): The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable component that could affect component-wide settings and files.

User interaction (UI)

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

None (UI:N): The vulnerable system can be exploited without any interaction from any user.
Required (UI:R): Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited.

Scope (S)

Does a successful attack impact a component other than the vulnerable component? If so, the Base Score increases and the Confidentiality, Integrity and Authentication metrics should be scored relative to the impacted component.

Unchanged (S:U): An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.
Changed (S:C): An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

Impact metrics

Confidentiality (C)

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

None (C:N): There is no loss of confidentiality within the impacted component.
Low (C:L): There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the impacted component.
High (C:H): There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact.

Integrity (I)

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

None (I:N): There is no loss of integrity within the impacted component.
Low (I:L): Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact on the impacted component.
High (I:H): There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability (A)

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. It refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component.

None (A:N): There is no impact to availability within the impacted component.
Low (A:L): Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component.
High (A:H): There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

CVSS 3.1: Temporal score

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.

Exploit code maturity (E)

This metric measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation.

Not defined (E:X): This is the default setting. Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Temporal Score, i.e., it has the same effect on scoring as assigning High.
Unproven that exploit exists (E:U): No exploit code is available, or an exploit is theoretical.
Proof of concept code (E:P): Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker.
Functional exploit exists (E:F): Functional exploit code is available. The code works in most situations where the vulnerability exists.
High (E:H): Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools.

Remediation level (RL)

This metric is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final.

Not defined (RL:X): This is the default setting. Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Temporal Score, i.e., it has the same effect on scoring as assigning Unavailable.
Official fix (RL:O): A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.
Temporary fix (RL:T): There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.
Workaround (RL:W): There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability.
Unavailable (RL:U): There is either no solution available or it is impossible to apply.

Report confidence (RC)

This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes only the existence of vulnerabilities are publicized, but without specific details. For example, an impact may be recognized as undesirable, but the root cause may not be known. The vulnerability may later be corroborated by research which suggests where the vulnerability may lie, though the research may not be certain. Finally, a vulnerability may be confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers.

Not defined (RC:X): Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Temporal Score, i.e., it has the same effect on scoring as assigning Confirmed.
Unknown (RC:U): There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described. An example is a bug report which notes that an intermittent but non-reproducible crash occurs, with evidence of memory corruption suggesting that denial of service, or possible more serious impacts, may result.
Reasonable (RC:R): Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (Proof-of-concept exploits may provide this). An example is a detailed write-up of research into a vulnerability with an explanation (possibly obfuscated or 'left as an exercise to the reader') that gives assurances on how to reproduce the results.
Confirmed (RC:C): Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability.

CVSS 3.1: Environmental score

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of complementary/alternative security controls in place, Confidentiality, Integrity, and Availability. The metrics are the modified equivalent of base metrics and are assigned metric values based on the component placement in organization infrastructure.

Exploitability metrics

Attack vector (MAV)

This metric reflects the context by which vulnerability exploitation is possible. The Environmental Score increases the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component.

Not defined (MAV:X): The value assigned to the corresponding Base metric is used.
Network (MAV:N): The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed, up to and including the entire Internet. Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable at the protocol level one or more network hops away.
Adjacent network (MAV:A): The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN).
Local (MAV:L): The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document).
Physical (MAV:P): The attack requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief or persistent.

Attack complexity (MAC)

Not defined (MAC:X): The value assigned to the corresponding Base metric is used.
Low (MAC:L): Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.
High (MAC:H): A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may require an attacker to: gather knowledge about the environment in which the vulnerable target/component exists; prepare the target environment to improve exploit reliability; or inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g., a man in the middle attack).

Privileges required (MPR)

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

Not defined (MPR:X): The value assigned to the corresponding Base metric is used.
None (MPR:N): The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.
Low (MPR:L): The attacker is authorized with (i.e., requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources.
High (MPR:H): The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable component that could affect component-wide settings and files.

User interaction (MUI)

Not defined (MUI:X): The value assigned to the corresponding Base metric is used.
None (MUI:N): The vulnerable system can be exploited without any interaction from any user.
Required (MUI:R): Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited.

Scope (MS)

Not defined (MS:X): The value assigned to the corresponding Base metric is used.
Unchanged (MS:U): An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.
Changed (MS:C): An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

Impact metrics

Confidentiality impact (MC)

Not defined (MC:X): The value assigned to the corresponding Base metric is used.
None (MC:N): There is no loss of confidentiality within the impacted component.
Low (MC:L): There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the impacted component.
High (MC:H): There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact.

Integrity impact (MI)

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

Not defined (X): The value assigned to the corresponding Base metric is used.
None: There is no loss of integrity within the impacted component.
Low: Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact on the impacted component.
High: There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability impact (MA)

Not defined (MA:X): The value assigned to the corresponding Base metric is used.
None (MA:N): There is no impact to availability within the impacted component.
Low (MA:L): Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component.
High (MA:H): There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Impact subscore modifiers

Confidentiality requirement (CR)

Not defined (CR:X): Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Environmental Score, i.e., it has the same effect on scoring as assigning Medium.
Low (CR:L): Loss of Confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Medium (CR:M): Assigning this value to the metric will not influence the score.
High (CR:H): Loss of Confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

Integrity requirement (IR)

These metrics enable the analyst to customize the CVSS score depending on the importance of the Integrity of the affected IT asset to a user’s organization, relative to other impacts. This metric modifies the environmental score by reweighting the Modified Integrity impact metric versus the other modified impacts.

Not defined (IR:X): Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Environmental Score, i.e., it has the same effect on scoring as assigning Medium.
Low (IR:L): Loss of Integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Medium (IR:M): Assigning this value to the metric will not influence the score.
High (IR:H): Loss of Integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

Availability requirement (AR)

These metrics enable the analyst to customize the CVSS score depending on the importance of the Availability of the affected IT asset to a user’s organization, relative to other impacts. This metric modifies the environmental score by reweighting the Modified Availability impact metric versus the other modified impacts.

Not defined (AR:X): Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Environmental Score, i.e., it has the same effect on scoring as assigning Medium.
Low (AR:L): Loss of Availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Medium (AR:M): Assigning this value to the metric will not influence the score.
High (AR:H): Loss of Availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

CVSS 2.1

Base CVSS score

Every vulnerability in the NVD starts with a base CVSS score. The base metric group captures the characteristics of a vulnerability that are constant with time and across user environments. The Access Vector, Access Complexity, and Authentication metrics capture how the vulnerability is accessed and whether or not extra conditions are required to exploit it. The three impact metrics measure how a vulnerability, if exploited, will directly affect an IT asset, where the impacts are independently defined as the degree of loss of confidentiality, integrity, and availability. For example, a vulnerability could cause a partial loss of integrity and availability, but no loss of confidentiality.

You cannot modify this base score, but you can modify the temporal and environmental scores by assessing your particular device's situation. Every metric in these two sections is set to Not defined (X) by default, which has the highest impact on the CVSS score.

All definitions are extracted from first.org's CVSS v2 calculator.

CVSS base score is divided into Exploitability and Impact metrics. Exploitability metrics include Attack vector, Access complexity, and Authentication, while Impact metrics include Confidentiality impact, Integrity impact, and Availability impact.

Read a CVSS 2 vector string

For CVSS 2, each section separated by a / in a vector string corresponds to one of the subcategories in the Base, Supplemental, Environmental, and Threat categories. Thus, a string such as this:

AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:UC

indicates that the Access Vector is Network, Access Complexity is High, Authentication is None, and that the Confidentiality Impact is Partial, Integrity Impact is Partial, and Availability Impact is Partial. It also indicates that Exploitability is Proof of concept code, Remediation Level is Official fix, and Report Confidence is Unconfirmed.

Note that since CVSS 2 was the first CVSS severity scoring standard, it is not appended with a version.

Exploitability metrics

Access vector (AV)

Local (AV:L): A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account. Examples of locally exploitable vulnerabilities are peripheral attacks such as Firewire/USB DMA attacks, and local privilege escalations (e.g., sudo).
Adjacent network (AV:A): A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software. Examples of local networks include local IP subnet, Bluetooth, IEEE 802.11, and local Ethernet segment.
Network (AV:N): A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed “remotely exploitable”. An example of a network attack is an RPC buffer overflow.

Access complexity (AC)

High (AC:H): Specialized access conditions exist. For example, in most configurations, the attacking party must already have elevated privileges or spoof additional systems in addition to the attacking system (e.g., DNS hijacking). The attack depends on social engineering methods that would be easily detected by knowledgeable people. For example, the victim must perform several suspicious or atypical actions. The vulnerable configuration is seen very rarely in practice. If a race condition exists, the window is very narrow.
Medium (AC:M): The access conditions are somewhat specialized; the following are examples: The attacking party is limited to a group of systems or users at some level of authorization, possibly untrusted. Some information must be gathered before a successful attack can be launched. The affected configuration is non-default, and is not commonly configured (e.g., a vulnerability present when a server performs user account authentication via a specific scheme, but not present for another authentication scheme). The attack requires a small amount of social engineering that might occasionally fool cautious users (e.g., phishing attacks that modify a web browser’s status bar to show a false link, having to be on someone’s “buddy” list before sending an IM exploit).
Low (AC:L): Specialized access conditions or extenuating circumstances do not exist. The following are examples: The affected product typically requires access to a wide range of systems and users, possibly anonymous and untrusted (e.g., Internet-facing web or mail server). The affected configuration is default or ubiquitous. The attack can be performed manually and requires little skill or additional information gathering. The 'race condition' is a lazy one (i.e., it is technically a race but easily winnable).

Authentication (Au)

Multiple (Au:M): Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time. An example is an attacker authenticating to an operating system in addition to providing credentials to access an application hosted on that system.
Single (Au:S): One instance of authentication is required to access and exploit the vulnerability.
None (Au:N): Authentication is not required to access and exploit the vulnerability.

Impact metrics

Confidentiality impact (C)

None (C:N): There is no impact to the confidentiality of the system.
Partial (C:P): There is considerable informational disclosure. Access to some system files is possible, but the attacker does not have control over what is obtained, or the scope of the loss is constrained. An example is a vulnerability that divulges only certain tables in a database.
Complete (C:C): There is total information disclosure, resulting in all system files being revealed. The attacker is able to read all of the system's data (memory, files, etc.).

Integrity impact (I)

None (I:N): There is no impact to the integrity of the system.
Partial (I:P): Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited. For example, system or application files may be overwritten or modified, but either the attacker has no control over which files are affected or the attacker can modify files within only a limited context or scope.
Complete (I:C): There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised. The attacker is able to modify any files on the target system.

Availability impact (A)

None (A:N): There is no impact to the availability of the system.
Partial (A:P): There is reduced performance or interruptions in resource availability. An example is a network-based flood attack that permits a limited number of successful connections to an Internet service.
Complete (A:C): There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.

CVSS 2: Temporal score

The threat posed by a vulnerability may change over time. Three such factors that CVSS captures are: confirmation of the technical details of a vulnerability, the remediation status of the vulnerability, and the availability of exploit code or techniques. Since temporal metrics are optional they each include a metric value that has no effect on the score. This value is used when the user feels the particular metric does not apply and wishes to "skip over" it.

Exploitability (E)

Not defined (E:ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
Unproven that exploit exists (E:U): No exploit code is available, or an exploit is entirely theoretical.
Proof-of-Concept code (E:POC): Proof-of-concept exploit code or an attack demonstration that is not practical for most systems is available. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker.
Functional exploit exists (E:F): Functional exploit code is available. The code works in most situations where the vulnerability exists.
High (E:H): Either the vulnerability is exploitable by functional mobile autonomous code, or no exploit is required (manual trigger) and details are widely available. The code works in every situation, or is actively being delivered via a mobile autonomous agent (such as a worm or virus).

Remediation level (RL)

Not defined (RL:ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
Official fix (RL:OF): A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.
Temporary fix (RL:TF): There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.
Workaround (RL:W): There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability.
Unavailable (RL:U): There is either no solution available or it is impossible to apply.

Report confidence (RC)

Not defined (RC:ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
Unconfirmed (RC:UC): There is a single unconfirmed source or possibly multiple conflicting reports. There is little confidence in the validity of the reports. An example is a rumor that surfaces from the hacker underground.
Uncorroborated (RC:UR): There are multiple non-official sources, possibly including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity.
Confirmed (RC:C): The vulnerability has been acknowledged by the vendor or author of the affected technology. The vulnerability may also be "Confirmed: when its existence is confirmed from an external event such as publication of functional or proof-of-concept exploit code or widespread exploitation.

CVSS 2: Environmental score

Different environments can have an immense bearing on the risk that a vulnerability poses to an organization and its stakeholders. The CVSS environmental metric group captures the characteristics of a vulnerability that are associated with a user's IT environment. Since environmental metrics are optional they each include a metric value that has no effect on the score. This value is used when the user feels the particular metric does not apply and wishes to 'skip over' it.

CVSS environmental score is divided into General modifiers and Impact subscore modifiers. General modifers include Collateral damage potential and Target distribution, while Impact subscore modifiers include Confidentiality requirement, Integrity requirement, and Availability requirement.

General modifiers

Collateral damage potential (CDP)

Not defined (CDP:ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
None (CDP:N): There is no potential for loss of life, physical assets, productivity or revenue.
Low (light loss) (CPD:L): A successful exploit of this vulnerability may result in slight physical or property damage. Or, there may be a slight loss of revenue or productivity to the organization.
Low-Medium (CDP:LM): A successful exploit of this vulnerability may result in moderate physical or property damage. Or, there may be a moderate loss of revenue or productivity to the organization.
Medium-High (CDP:MH): A successful exploit of this vulnerability may result in significant physical or property damage or loss. Or, there may be a significant loss of revenue or productivity.
High (catastrophic loss) (CDP:H): A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. Or, there may be a catastrophic loss of revenue or productivity.

Target distribution (TD)

Not defined (CDP:ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
None [0%] (TD:N): No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk.
Low [0-25%] (TD:L): Targets exist inside the environment, but on a small scale. Between 1% - 25% of the total environment is at risk.
Medium [26-75%] (TD:M): Targets exist inside the environment, but on a medium scale. Between 26% - 75% of the total environment is at risk.
High [76-100%] (TD:H): Targets exist inside the environment on a considerable scale. Between 76% - 100% of the total environment is considered at risk.

Impact subscore modifiers

Confidentiality requirement (CR)

Not defined (CR:ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
Low (CR:L): Loss of Confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Medium (CR:M): Loss of Confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
High (CR:H): Loss of Confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

Integrity requirement (IR)

Not defined (IR:ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
Low (IR:L): Loss of Integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Medium (IR:M): Loss of Integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
High (IR:H): Loss of Integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

Availability requirement (AR)

Not defined (AR:ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
Low (AR:L): Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Medium (AR:M): Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
High (AR:H): Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

Changelog

Versioning schema

In order to get new features to you as quickly as possible, if you are tracking versions in QMS, note that we currently have a web UI version and a core infrastructure version. Versions are depicted with web UI version first, followed by core infrastructure version, e.g., v3.2.0 | 2.71.1

How can I see my Helm versioning?

Click Help > About in the sidebar to view version information.

v4.2.16 | 2.86.0

Dec 13, 2024

Summary

View and manage level of support and EOS/EOL data for all components
Specify lifecycle details for each component
Set component rules to consistently apply lifecycle information across all components in your portfolio
Enhanced component filtering
Export lifecycle information to FDA SBOM or CycloneDX SBOM
Bug fixes and UI improvements

Identify and prioritize components nearing EOS/EOL

We’ve added columns for Level of support and EOS/EOL to the components table, as well as providing color-coded badges to let you know what’s currently actively supported and what’s nearing or has passed its support or maintenance date. We’ve also begun ingesting lifecycle information from our partner, Tidelift, as well as the endoflife.date site, and will likely provide some automation for this in an upcoming release.

Specify lifecycle details for each component

You can specify Level of support and EOS/EOL information in a date or text format for each component in the new Lifecycle details section of the component details panel. You can then set component rules to apply this information across all products, so you only have to do this once!

Set rules to apply component lifecycle information across all products

You can now create rules to set conditions for supplier name, component name, and version, then automatically apply the Level of support and EOS/EOL information across all of your products when conditions are met. With consistent EOS/EOL data, you minimize discrepancies across your portfolio, ensuring accurate reporting and compliance. Stay tuned for more rules-based workflow enhancements!

Export lifecycle information to FDA SBOM or CycloneDX SBOM

After applying your Level of support and EOS/EOL information across your components, quickly export your FDA SBOM to ensure you have everything you need for FDA submission! You can also export it to a CycloneDX SBOM.

Enhanced component filtering

To enable you to quickly find what you need, we’ve enhanced our filtering mechanism and added lifecycle management filters. You can now filter components on Level of support and EOS/EOL information to ensure you understand which are supported and which are nearing end-of-life, enabling you to prioritize upgrades in critical areas. Stay tuned for more filtering updates soon!

Bug fixes and other improvements:

All CycloneDX remediation justification values should now be accurately exported in your FDA SBOM report.
All products should now display accurately on the components page.
Global search improvements
- Fixed issue wherein components from archived products were being returned in the global search.
- Global search results table display now extends to the bottom of the page.

Thank you!

A huge thank you to all of our customers who take the time to provide feedback on how we can continue to improve your SBOM vulnerability management experience! We’d love to hear your feedback on these features, as well as other features you’d like to see in the future!

v4.2.4 | 2.85.0

November 21, 2024

Summary

Automatically generate component license information
Encode pURLs with spaces during exports
Import and export component hashes
Filter on CISA KEV and remediation through our API
Updated terminology from Vendor to Supplier in SBOM CSV export

Automatically generate component license information

You can now have Helm automatically add license information for your components. For any component that you want to enrich with license information, click Actions > Reload component. Note that reloading will discard any metadata you may have added to this component, such as review information, and will re-identify associated vulnerabilities, so you may see some discrepancy in your number of vulnerabilities for that component. This reduces your manual effort of tracking down licensing information, ensuring you have the latest license information available from our data sources.

Encode pURLs with spaces during exports

If your SBOM has a Package URL (pURL) that contains spaces, we'll now automatically encode those when exporting. This ensures compatibility with third-party tools and eliminates issues caused by improperly formatted pURLs.

Import and export component hashes

You can now import and export component hashes in your SBOMs, and can export them in any SBOM format, as well as our FDA SBOM, improving validation and tracking of SBOM component integrity across products.

Filter on CISA KEV and remediation through our API

You can now filter vulnerabilities that are the CISA KEV list or based on their remediation via our Helm API, making it easier than ever for you to identify and prioritize high-impact vulnerabilities.

Updated terminology from Vendor to Supplier in SBOM CSV export

To align with industry standards, the SBOM CSV export now labels the Vendor column as Supplier. This terminology update improves consistency and clarity.

v4.2.4 | 2.83.0

November 7, 2024

Summary

Export EOS/EOL data to FDA SBOM report
Enhanced CPE parsing and matching
Added ability to filter dependency components by licenses
Re-added match and review information to dependency component details
Bug fixes and performance enhancements

Export EOS/EOL data to FDA SBOM report

If you have uploaded an SBOM that contains end-of-support (EOS) or end-of-life (EOL) data, this information will be automatically populated in your FDA SBOM report. We're in the process of adding the ability to manually add EOS/EOL info, so stay tuned!

Enhanced CPE parsing and matching

We've enhanced CPE parsing to enable the matching of incomplete CPEs to dependency components. Although a CPE has 13 segments, not all CPEs contain all of those segments, thus Helm will now interpret CPEs that have at least 5 of the expected segments, filling in missing segments with a wildcard (*).
We've enhanced CPE enrichment to enable dependency component matching even in scenarios where the dependency components have the scenario wherein CPEs have multiple vendors.

Added ability to filter dependency components by licenses

You can now filter your dependency components by license, including those with specific licenses, no license, or unknown license status. This filtering capability helps quickly identify and mitigate license-related risks, such as copyleft licenses or unknown license statuses that may impact IP.

Re-added match and review information to dependency component details

The match and review details have been re-added to the dependency component details panel to help you quickly access key information.

Bug fixes and performance enhancements

Resolved intermittent failure of large CycloneDX and SPDX SBOMs due to timeouts.
Improved load time of vulnerability and dependency component pages.
Fixed display issue with rescored CVSS vector strings, ensuring accurate low, high, and none values.

v4.1.4 | 2.82.0

October 4, 2024

Summary

Enhanced dependency component panel
License management is now available!
Customize your FDA SBOM export
Bug fixes, UX enhancements, and help updates

Enhanced dependency component panel

Manage your dependency components more easily with our unified details panel, providing a comprehensive view of each dependency component. You can now quickly scan information in view mode, then switch to edit mode if you need to make any modifications.

License management is now available!

Helm now supports the ingestion of licensing information from CycloneDX and SPDX SBOMs. Via our partnership integration with Tidelift, Helm will analyze your dependency components to determine if you are missing license information, then will automatically fix that for you, ensuring you have a comprehensive view of your legal risk. We support both SPDX and custom licenses. You can also manually enter or modify license details as needed. Check out Manage licenses for complete information on our new licensing feature!

Customize your FDA SBOM export

We've just made our expert FDA SBOM even better! When exporting your FDA SBOM, you can now include CycloneDX and VEX vulnerability remediation analysis, as well as review information for dependency components. These enhancements will help ensure you're ready for your FDA submission. Thank you to our customers for highlighting their need to include review statuses and notes! We very much appreciate your insights and expertise in continuing to enhance your SBOM vulnerability management and streamline your FDA submission process!

Bug fixes, UI enhancements, and help updates

Bug fixes:

Fixed the date filter on the Vulnerabilities page such that the start date is now midnight and end date is 11:59:59 pm. This fixes both the date range presets as well as the timeframes covered in the new vulnerability emails.

UI enhancements

Improved dependency component matching to handle dependency component names prepended with special characters, such as "@".
Updated dependency component lists to show all dependency components, even when they match the same NVD product and version. Your SBOM export will also include this higher level of specificity.

Help updates: To quickly get you up to speed on these new updates, we've added or extensively revised the following topics:

Manage licenses
Upload your first SBOM
Manage your SBOM
Create, edit, or merge SBOMs
Manage dependency component

v4.1.3 | 2.81.1

September 24, 2024

Summary

Implemented human-readable URL parameters
Bug fixes and performance enhancements

Implemented human-readable URL parameters

We've implemented human-readable URL parameters across the entire UI, which now reference unique IDs of products, product versions, components, and vulnerabilities, as well as applied filters and searches, and more. You'll also see this improvement when you sign in to Helm from new vulnerability emails you receive. This deep linking enables you to more easily share information. These enhancements prepare Helm for upcoming features like breadcrumb navigation and expanded bulk actions, beginning with bulk remediation.

Bug fixes and performance enhancements

Resolved a performance issue to enable Helm to handle large volumes of vulnerabilities, minimizing timeouts and unexpected errors.
Fixed issue wherein some SPDX exports were failing under specific conditions, particularly with larger SBOMs.
Enhanced SBOM dependency component rescanning and matching, improving reliability when the initial scanning process fails during an SBOM upload or when the dependency component is manually added.

v4.0.46 | 2.80.4

September 9, 2024

Summary

Enhanced matching for Linux packages

Enhanced matching for Linux packages

We’re excited to announce a major improvement to our Linux package matching process, increasing efficiency by reducing manual work for users.

Previously, some Linux packages without identifiers in SBOMs were challenging to match. After collaborating with customers to address this issue, we’ve just released a solution that delivers a 29% improvement in matching accuracy.

As shown in the graph below, you can see a significant reduction in unmatched components and a clear increase in matched components after applying this enhancement. This means fewer manual interventions and more streamlined package management.

v4.0.46 | 2.79.2

August 30, 2024

Summary

Helm's new design system is live: Work smarter and stay focused
Multi-task and remediate risk faster across multiple Helm tabs
Help updates

Helm’s new design system is live: work smarter & stay focused

We’re thrilled to announce that Helm’s new design system is now live! 🎉

When you next sign in to Helm, you’ll notice a refreshed look-and-feel to enhance your experience and streamline your workflow. Here’s a quick overview of what you’ll see:

Light and dark themes: Choose between our newly updated dark theme or our brand-new light theme. To switch themes, click the sun/moon icon in the main navigation bar.
More intuitive badges and colors: We’ve standardized and enhanced our badges and color schemes for quicker component matching and vulnerability prioritization.
Enhanced UI elements: Enjoy a cleaner and more intuitive interface with refined controls, error handling, and new icons to improve navigation and usability.
Customizable data display: Take control of how you view and interact with data. You can now adjust table column visibility, perform multi-sorts, and choose your preferred display density.
Contextual actions: Easily access additional information or perform actions directly from tables by clicking on cell values.

Customizable data display

Our new design offers even more flexibility in how you view and manage your data:

Content refresh setting: Take charge of your data updates by setting auto-refresh intervals or turning it off entirely. You can also refresh manually refresh.
Pagination: Navigate large datasets with ease using our new pagination feature, ensuring you don’t lose your place.
Customizable columns: Tailor your tables to display exactly what you need. Use the Columns link to show or hide specific columns and hover over column headers to drag and drop them into your preferred order with the … icon.
Multi-column sorting: Focus on what’s important by applying complex sorts across multiple columns. Access this feature through the Sort fields link at the top of each table.
Flexible display density: Optimize your view by selecting a compact or expanded display mode and adjusting the number of rows per page to suit your preferences.
Advanced date picker: Gain precise control over date filtering with options for absolute/relative dates, custom ranges, and multi-month views.

Multi-task and remediate risk faster across multiple Helm tabs

If you’ve tried to have multiple Helm tabs open, you may have found yourself signed out. Great news! You can now work in Helm across multiple browser tabs.

Help updates

As part of our new design system, we've completely revised several related topics to help you match dependency components and remediate vulnerabilities faster:

How do I know when software has been successfully matched?
Match statuses
Resolve match statuses
Match sources
Assess match suggestions
Create an alias to link unmatched software to known software
Quickstart process
Get familiar with the Helm UI

v3.6.34 | 2.79.2

August 13, 2024

Summary

Automated enrichment of missing CPEs and PURLs
Automated enrichment of missing licenses for open-source components

Automated enrichment of missing CPEs and PURLs

During the component matching process, if a component in your SBOM does not have a CPE or PURL (not ingested or manually added), Helm's AI copilot will now automatically generate and assign the appropriate enriched CPE or PURL to that component. You can view any Enriched CPE or Enriched PURL in the component details. This information will be included see this information in the components table in now export this enriched info for any FDA reports that include SBOM components, including your enriched SBOM, FDA SBOM, or VDR report.

Auto-enrich open-source components with missing licenses

For your open-source SBOM components that have PURLs, but do not have licenses identified yet, Helm will check whether those components have licenses. If so, Helm will automatically enrich those components with that license information. Helm will not change the license information for any components that already have one or more licenses identified. This information will be included in any FDA reports that include SBOM components, including your enriched SBOM, FDA SBOM, or VDR report. As mentioned in our last release, we are in the process of adding this functionality to the UI, and you will soon be able to view, edit, and track software licenses across your supply chain.

v3.6.34 | 2.78.0

July 15, 2024

Summary

Export license information in SBOM
Bug fixes

Export license information in FDA reports

You can now export license information for any FDA reports that include SBOM components, including your original or enriched SBOM, your FDA SBOM, or your VDR report. We are in the process of adding this functionality to the UI, and you will soon be able to view, edit, and track software licenses across your supply chain.

Bug fixes

Fixed issue where CPE or PURL information would not display in some instances

v3.6.34 | 2.77.0

June 21, 2024

Summary

Added remediation evidence to vuln export
Enhanced severity filtering
Ingest CycloneDX SBOM entries that have an empty or omitted Type field
Ignore vendors set to OpenEmbedded() in SPDX SBOMs generated with Yocto Linux
Bug fixes and UX improvements

Added remediation evidence to vulnerability export

We've enhanced our vulnerability export functionality to include remediation evidence for each vulnerability. This provides a clearer picture of the actions taken to address vulnerabilities, enabling you to more easily demonstrate compliance and the remediation steps taken or planned to secure your products.

Enhanced severity filtering

We've refined vulnerability severity filtering to prioritize rescores over base scores. This ensures that you can better prioritize vulnerabilities based on their actual risk, helping you focus on the most exploitable issues first.

Ingest CycloneDX SBOM entries that have an empty or omitted Type field

We now support the ingestion of CycloneDX SBOM entries that have an empty or omitted Type field.

Ignore vendors set to OpenEmbedded() in SPDX SBOMs generated with Yocto Linux

If you are generating your SPDX SBOM using Yocto on Linux, it will often generate OpenEmbedded() as a vendor, which is not helpful for matching purposes. We will now ignore this value, maintaining a cleaner and more relevant database.

Bug fixes and UX improvements

Fixed exporting CVSS scores in VEX and VDR reports for SBOM entries that do not have a CVSS score. Our exports now reflect a blank score field instead of the previous default of -1.0 when a CVSS score is not available.
Enhanced new vulnerability email subject to handle edge cases, including ensuring that vulnerability emails are sent on the expected day, regardless of time zone.

v3.6.32 | 2.76.0

June 6, 2024

Summary

Automatic enrichment of CVE vulnerabilities with CPEs
Automatically create product versions and upload SBOMs with our GitHub action
Enhanced information in vulnerability emails
Fixes for SPDX SBOM upload failures
Support for SPDX SBOMs with NOASSERTION in supplier field
Added CycloneDX and VEX remediation status filters
Added Source column for vulnerabilities
Support for .zst SBOMs generated by Yocto on Linux
Bug fixes and UX improvements

Automatic enrichment of CVE vulnerabilities with CPEs

Our advanced Large Language Model (LLM) now enriches vulnerability data from the National Vulnerability Database (NVD), which has not kept pace with CPE and other data enrichment for the past six months, leaving those of us in the cybersecurity space in a bit of a quandary.

To remedy this issue, we have fine-tuned an LLM to replicate and possibly enhance the data processing traditionally performed by the NVD. Below you can see how this interim approach can help you to deal with this gap. Refer to our blog for more details.

Our approach identifies vulnerabilities impacting your products and automatically enriches the information retrieved from the NVD with CPE data, aiding in more precise identification of vulnerabilities. This provides you with a more complete view of your overall risk, and ensures that you're focusing your time and effort on the most exploitable vulnerabilities that are affecting your product. Vulnerabilities that came from the NVD, and through our CPE enrichment, were identified as impacting your products will have an AI badge in the new Source column on the Vulnerabilities page.

Automatically create product versions and upload SBOMs with our GitHub action

Enhanced information in vulnerability emails

If you're one of the cybersecurity experts who doesn't have any new vulnerabilities for the day/week/month cycle, congratulations! These updates include handling the scenario of zero new vulnerabilities and providing clearer details on the period covered by each email.

Fixes for SPDX SBOM upload failures

We've made a number of back-end improvements to help ensure that your SPDX SBOMs upload successfully.

Support for SPDX SBOM files with supplier set to NOASSERTION

We now treat suppliers set to NOASSERTION in SPDX SBOM files as undefined when importing this information into Helm, thus the Supplier column for that vulnerability will show as a blank.

Added CycloneDX and VEX remediation status filters

You can now filter vulnerabilities based on their CycloneDX and CycloneDX VEX remediation statuses, enabling more precise vulnerability management.

Added Source column for vulnerabilities

We've added a Source column to the Vulnerabilities page. This allows you to identify whether a vulnerability originated from an external data source (currently only NVD) or came from the NVD, but was enriched via our LLM AI. Vulnerabilities enriched with CPE data and identified as impacting your products will display an AI badge in this column on the Vulnerabilities page.

Support for .zst SBOMs

Helm now supports SPDX SBOMs that are in .zst compressed files, which are automatically created when using Yocto Linux native SBOM generation capabilities."

Bug fixes & UX/docs improvements

Fixed issues with multiple toast notifications for some SBOM uploads
New topic: Automate SBOM management into your CI/CD process with GitHub action

v3.6.17 | 2.75.2

May 13, 2024

Summary

Auto-update vulnerability temporal metrics across product version
Enhanced dependency component matching for fewer unmatched components
Purl and cpe id’s now considered in sbom entry uniqueness
Enhanced CycloneDX SBOM and VDR reports with bom-refs for unmatched components
Performance improvements on SBOM page loading
Enhanced CycloneDX VEX and VDR reports with vulnerability rescores
New sign in page
Bug fixes and UX improvements

Auto-update vulnerability temporal metrics across product version

Let us take some of the load of managing vulnerabilities off of you! When you create or modify a rescoring profile for product version, you can set all V3 vulnerabilities for that version to automatically rescore with any changes to their temporal score metrics coming from the NVD. This enhancement streamlines your vulnerability management process, ensuring that temporal scores reflect the most up-to-date information, saving you time spent manually monitoring and updating this information, thereby reducing the risk of missing critical updates, so you can ensure you're focusing on the vulnerabilities that matter most.

Auto-update vulnerability temporal scores

You can also set individual vulnerabilities to automatically update their temporal scores based on NVD data refreshes. This timesaving feature ensures your vulnerability information stays current with minimal manual effort.

Enhanced dependency component matching for fewer unmatched components

We've improved our dependency component matching algorithm to better handle scenarios where a vendor of an unknown dependency component doesn't directly match known software. We will now automatically match unknown dependency components that have CPE and PURL matches, but have an incorrect supplier. Previously, these dependency components were initially marked with a Not found in NVD status, but could actually be resolved to the correct component via our match suggestions. Helm now identifies the corresponding known software, which will either be uniquely identified or will have a Multiple matches status (if there are still multiple possibilities). Our enhanced matching process should result in fewer unmatched components, thus ensuring more accurate and efficient component resolution.

Enhanced determination of dependency component uniqueness

We have added CPE and PURL IDs when determining if an SBOM dependency component is unique or is a duplicate.

Enhanced CycloneDX SBOM and VDR reports with bom-refs for unmatched components

In response to feedback, we've added the CycloneDX bom-ref parameter to all dependency components in your SBOM export, enabling you to point each vulnerability back to a dependency component, regardless of whether it is matched to known software. Initially, the bom-ref only displayed for matched dependency components. For any unknown (unmatched or not uniquely matched) software, this will be the unique ID that was generated for that SBOM dependency component when it was added to Helm. This will now be in your SBOM or VDR report.

Performance improvements on SBOM page loading

We've made a number of coding and query improvements to load SBOMs more quickly, which may also improve load time for your vulnerabilities.

Enhanced CycloneDX VEX and VDR reports with vulnerability rescores

If you've rescored your vulnerabilities either across a product version or individually, your CycloneDX VEX and VDR reports will now include vulnerability rescore information. This will now align with the Vulnerabilities report. You will now see a ratings section in your JSON file that will include a rating for any rescore on that vulnerability. For vulnerabilities rescored both at the product version level and individually, all associated scores will be included. While CVSS v2 scores remain static, they are also included in the ratings section to provide a comprehensive view. The source for all score data is set to Medcrypt Helm.

We've replaced our initial sign in page with a new look-and-feel. After clicking Sign in, you'll be prompted to enter your username and password on our authentication page.

v3.6.10 | 2.74.2

April 30, 2024

Summary

Rename products and versions
Enhanced granularity for CVSS score filtering
UX improvements

Rename products and versions

In response to customer feedback, we've added the ability for you to rename products and versions right from the product and version drop-downs on each page of Helm. Simply hover over the product or version in the respective drop-down to display the edit icon, then edit the product name or version.

Enhanced granularity for CVSS score filtering

We've improved the CVSS score filtering functionality to support floating-point values, allowing you to pinpoint vulnerabilities with greater precision. Now you can filter vulnerabilities using specific scores like 7.9, which will return everything from 7.9 to 10. This will enable you to precisely target and remediate vulnerabilities that fall within a more granular threshold.

UX improvements

Enhanced API key generation from the UI
Improved loading performance

v3.6.8 | 2.73.0

April 11, 2024

Summary

Enhanced support for large SBOMs
CycloneDX 1.5 support
Daily and monthly digests for new vulnerabilities
Bug fixes, UX and doc improvements

Enhanced support for large SBOMs

Our platform now let you upload SBOMs of up to 50MB in size. This significant enhancement enables organizations with larger software inventories to efficiently manage and analyze their software bill of materials within our platform.

CycloneDX 1.5 support

You can now upload your CycloneDX 1.5 SBOM to Helm. Any information in your file that is not currently supported in Helm will still be retained if you want to export either your original or enhanced SBOM.

Daily and monthly digests for new vulnerabilities

In response to customer feedback on our new weekly email digests that keep you informed of the latest new vulnerabilities impacting your products, we've expanded this offering to include daily and monthly digests. You can choose one or more email frequencies based on your needs, and can manage your email preferences in your user profile.

Bug fixes, UX, and doc improvements

Fixed issue where loading page status displayed on the Vulnerabilities table after sorting columns. The Vulnerabilities Detected/Updated field now sorts only by date detected and not by date updated.
Resolved caching issue where some dependency components would not display when the SBOM page was filtered.
Adjusted permissions to allow non-admin users with SBOM and Vulnerability modification access to create rescore profiles for product versions.
Numerous UI improvements
Updated doc: Get email updates on new vulnerabilities

v3.3.0 | 2.71.1

March 22, 2024

Summary

Processing modals
Bug fixes and UI improvements
New & updated docs

Processing modals

For larger SBOMs that can take longer to load, we've added a processing modal so you'll know when your upload is completed and whether it was successful. Similarly, we've added a processing modal for other operations that could take longer, including when you're rescoring a lot of vulnerabilities across an entire product version or if you've just added a dependency component manually and we're attempting to automatically match it to known software in the NVD or package manager.

Bug fixes and UI improvements

We've improved performance when filtering your SBOM. We also fixed a bug where filters were not persisting if you copied a Helm URL that included a match status to another tab, or if you navigated from a filtered item from the global search results (Discover) page.

We've added and enhanced "empty state" pages to help you get started quickly, improved visibility of system status, enhanced our RBAC permissions, and made other UI improvements.

New & updated help docs

Since we're continually adding and enhancing great new features, we want to make sure you can take advantage of all the new functionality, so we'll let you know any important doc updates in this section.

Enhanced docs:

Manage users: Added user roles to help you manage user permissions
Link unmatched software to known software: Added new info on aliasing and removing an alias.

v3.2.0 | 2.71.1

March 14, 2024

Summary

Added VDR (Vulnerability Disclosure Report) report
Email notifications for new vulnerabilities
Support for CycloneDX XML SBOMs
Enhanced API documentation
Bug fixes and other improvements

VDR reports

As part of our continuous commitment to fulfill your FDA SBOM and cybersecurity vulnerability needs, we've added VDR (Vulnerability Disclosure Reports) to our suite of reports. Offering comprehensive insights into identified vulnerabilities, these reports equip you with proactive mitigation strategies, bolstering your defense against emerging threats.

Stay on top of new vulnerabilities

Never miss a beat with our new vulnerability email notification system. Stay ahead of the curve by receiving timely alerts for any new vulnerabilities impacting your software supply chain. Manage your preferences effortlessly through your user avatar > My profile in the top navigation area of Helm.

Support for CycloneDX XML SBOMs

You can now upload your CycloneDX in XML format for improved compatibility and versatility.

Enhanced API documentation

Automate your calls to our Helm application using our robust API. You can upload an SBOM for a new or existing product and version, get a list of all unmatched entries, and a list of all vulnerabilities.

Bug fixes and other improvements

We've made numerous enhancements to improve the UI and SBOM loading performance.

We'd love to hear your feedback!

Thank you for your continued support and feedback as we strive to deliver top-notch solutions to meet your evolving cybersecurity needs! Let us know if you have suggestions on how to improve your experience!

v3.0.1 | 2.70.0

February 15, 2024

Summary

VEX reports
Improved vulnerability query performance

VEX reports

Introducing VEX (Vulnerability Exploitability eXchange) reports – the latest addition to your cybersecurity arsenal! These reports focus on vulnerability exploitability, ease of exploitation, and potential impact. Now, effortlessly communicate vulnerabilities with a VEX remediation status, empowering your customers to focus on fixing the vulnerabilities that matter most.

Stay tuned! As a part of our continuous commitment to fulfill your FDA SBOM and cybersecurity vulnerability needs, we will be adding VDR (Vulnerability Disclosure Reports) to our suite of reports soon. Offering detailed insights into identified vulnerabilities, VDR reports equip you with comprehensive understanding and proactive mitigation strategies, ensuring robust security posture against emerging threats.

v2.68.0 | 2.69.1

January 29, 2024

Summary

FDA-ready reports
Export SDPX SBOM
New About modal

FDA-ready reports

Get the Medcrypt advantage with the only FDA expert-crafted SBOM that ensures you meet FDA SBOM requirements! In addition, you'll now get a suite of reports to make meeting FDA cybersecurity requirements a breeze, including your enhanced SBOM in CycloneDX or CSV format, as well as your vulnerabilities in CSV format.

In our continuous commitment to fulfill your FDA SBOM and cybersecurity vulnerability needs, we will also be adding VDR (Vulnerability Disclosure Reports) and VEX (Vulnerability Exploitability eXchange) reports to our suite of reports soon. VDR reports provide detailed insights into identified vulnerabilities, providing a comprehensive understanding of vulnerability details, impact, and mitigation strategies to proactively respond to potential security threats. VEX reports focus on the exploitability of vulnerabilities, how easily they can be exploited, and their potential impact.

Export SPDX SBOM

You can now export your original or enhanced SPDX SBOM in JSON. For an enhanced SBOM, you can also include PURL and CPE info for any matches, as well as include all associated vulnerabilities.

You may have noticed that the bottom bar where your Helm version displays has been removed. Don’t worry, you can still get to your version from the sidebar > Help > About. This will launch an About modal, where you can see your current Helm version.

v2.66.1 | 2.66.1

January 4, 2024

Summary

Added ability to remediate vulnerabilities
Bug fixes, UI, and performance improvements

Remediate vulnerabilities

You can now remediate vulnerabilities to add granular status information, including tracking remediation changes and providing evidence for why changes were made. For each vulnerability, you can now set a CycloneDX 1.4 and/or CycloneDX 1.4 VEX status, or both. We're adding a more robust audit trail, and you can see the next step toward this in the Vulnerability details modal. You can see any interim statuses and notes you provided manually, as well as automatic tracking of any new remediation changes. If you set any interim statuses, the last one you set will now be reflected in that vulnerability's VEX status.

Bug fixes and other improvements

Fixed issue where a rescore profile would fail when rescoring large numbers of vulnerabilities
Several UI and experience improvements

v2.65.2 | 2.65.13

December 7, 2023

Summary

Rescore all vulnerabilities in a product version via rescore profiles
Rescore individual vulnerabilities
Support for SPDX SBOMs
Enhanced SBOM export now includes CPE and PURL data
New exploits and threats info, including EPSS and CISA KEV
Bug fixes and other improvements

Rescore all vulnerabilities in a product version via rescore profiles

You can create and apply rescore profiles to a product version based on your product's particular environment and usage, ensuring you're focusing on the most exploitable and impactful vulnerabilities. Any newly detected vulnerabilities for that product version will be automatically rescored with that profile.

Rescore individual vulnerabilities

You can now rescore the CVSS v3 score of any individual vulnerability associated with a particular product version so that it reflects your product's particular environment and usage. This will override any rescore profile already applied to the associated product version.

Support for SPDX SBOM format

You can now upload SPDX SBOM files, including those generated using Yocto on Linux. You can take all of your generated SPDX files, zip them using WinZip or gzip, then upload that zipped file to Helm. We'll do the rest!

Enhanced SBOM export now includes CPE and PURL data

When you upload your SBOM, we'll attempt to find exact matches in the NVD, as well as in supported package managers. If we find an exact CPE or PURL match in a package manager or if you manually specify the CPE and/or PURL for a dependency component, you'll now be able to export an enhanced SBOM that includes CPE and PURL data.

Focus on the most exploitable vulnerabilities

You can now benefit from robust exploit and threat information from a variety of sources, including CISA KEV, ExploitDB, Metasploit, and Top 25 CWEs. You can also ensure that you're focusing on the most impactful and exploitable vulnerabilities via EPSS scores.

Bug fixes and other improvements

Improved performance when loading SBOM and vulnerability information
Improved onboarding to get you started or unstuck quickly. We now provide in-page guidance to help you upload an SBOM, view dependency components for a particular product version, or expand your search criteria when there are no results. You'll see these in our SBOM, Vulnerabilities and Discover (Global search) pages.
Numerous user interface improvements

v2.62.6 | 2.62.6

November 2, 2023

Summary

Windows KB patch support
In-app status notifications
Performance and user experience improvements

Native support for Microsoft Windows KBs

Although a lot of medical devices run on Microsoft Windows operating systems, the NVD does not account for vulnerabilities having been patched by Windows KBs, making it very difficult to understand what vulnerabilities might still be impacting your device. You can now add KBs to your devices running a Windows OS, aligning your digital product version with your physical test device and thus ensuring that you have an accurate list of vulnerabilities that impact your Windows device.

In-app status notifications

You’ll now see in-app status notifications in the top-right corner to let you know that an action has been completed, such as uploading an SBOM or applying KBs to a product version.

Performance improvements and bug fixes

We’ve made significant performance improvements, as well as several enhancements to improve your user experience.

Let us know how we’re doing!

We welcome your feedback on these new features, and would love to hear about other feature suggestions that would further enhance your experience.

Get a V&V report

If you would like a V&V report for your QMS, contact support.

v2.60.1

November 2023

Summary

Allowing SBOMs that pass NTIA minimum requirements
Performance improvements and bug fixes

Allowing SBOMs that pass NTIA minimum requirements

We improved our capabilities to handle SBOMs that pass NTIA minimum requirements. If the SBOM you are uploading is an invalid CycloneDX SBOM, Helm will still accept it and process it for vulnerabilities.

Performance improvements and bug fixes

This release has improvements to performance and a few bug fixes on the dashboard page.

v2.59.2

November 2023

Summary

Performance improvements and bug fixes
Online help documentation added

Performance improvements and bug fixes

This release has a lot of improvements to performance and a few bug fixes. You should be having a faster, more responsive experience.

Online help documentation added

We’ve added a lot of great information to ensure you can get started, get your SBOM dependency components matched quickly, and begin (or continue) to assess and mitigate your vulnerability risk across your software supply chain. Check it out on helm.docs.medcrypt.com!

v2.57.3

November 2023

Summary

New Get started modal
Export SBOM with vulnerabilities
Combined Upload SBOM modal
Improved feedback when SBOM fails to upload
Other usability improvements and bug fixes

If you haven’t uploaded any SBOM yet or created one manually, you will see a new Get started modal pop up when you sign in to Helm. You’ll have four different options:

You need help with your FDA submission: You can request help from our expert Services team and leverage our best practices, templates, and checklists in improving your FDA submission.
You have a CycloneDX format. You can upload your SBOM file all in one step.
You have an SBOM in another format. You can contact us and we’ll get right back to you to get you moving.
You don’t know what an SBOM is or don’t have one yet. We’re here to help. Our expert Services team will help you create your SBOM, assess your current state, and help you identify and mitigate cybersecurity risks.

Export your SBOM with vulnerabilities

You can now choose to export your original SBOM or your enhanced SBOM with identified vulnerabilities. This will include the source name (currently always the NVD), a link to the vulnerability, both its v2 and v3 CVSS scores and vector strings, when the vulnerability was first detected, when it was updated, and more. Refer to Export your SBOM for more information.

We’ve simplified your upload experience. If you’re uploading your first SBOM, you’ll see an Add SBOM drop-down button, from which you can select Upload SBOM. You can now browse to your SBOM file and specify your product name and product version in one step. Once you’ve uploaded at least one SBOM, this drop-down button changes to Manage SBOMs. In that case, you’ll be able to either select an existing product name and version, or create a new product name/version pair.

Improved feedback when an SBOM file fails to upload

If you upload an SBOM file, you can hover over the FAIL status to get more information on why the file failed to upload, including scenarios such as: missing required fields, additional fields present that are not defined in the JSON schema when the schema does not allow additional properties, and field values not matching expected data types.

v2.56.6

October 2023

Summary

Added match status tokens and enhanced status indicators
Added CPE and PURL package manager support
Enhanced details for dependency components
Enhanced filters for SBOMs
In-product help added

Added NVD and NOT IN NVD tokens and enhanced status indicators

In response to customer feedback on the importance of knowing whether a dependency component is or is not found in the NVD, we’ve added two tokens: NVD and NOT IN NVD. We’ve changed the NVD status column to Match status, and improved the status labels. You’ll now see:

Green checkmark next to Matched status when you have an exact match. You’ll also see the respective tokens that we used to make that match or that a user matched via selecting a match suggestion or creating an alias.
Yellow indicator next to Multiple matches status when you have multiple strong matches. You’ll be able to see the sources that the match suggestions are coming from, and will need to resolve this by selecting one of our suggestions or creating your own alias.

A red error indicator next to Not found status and NOT IN NVD token indicates that weren’t able to find a match in the NVD. This could mean that there are no known vulnerabilities or that your software has a different name in the NVD, so you’ll need to resolve these to make sure that you understand whether it is a risk or not.

Added CPE and PURL package manager support

Our valued customers asked for this and we delivered! We now support CPE and PURL (Package URL) matching. We support the following PURL package managers: Cargo, NPM, NuGet, and PyPI. If you upload an SBOM, you'll automatically find any matches in these package managers. You'll see a token, such as NPM, next to each dependency component that matches a package manager. See Match sources for more information.

Note: This is not retroactive, so in order to take advantage of this cool new feature, you'll need to upload a new version of your SBOM.

Enhanced details for dependency components

We’ve added a lot of information to your dependency component details, so that you can tell exactly how it was matched as well as letting you know the last review note any of your team members added. You can hover over any token

Enhanced filters for SBOMs

You can now filter by match source, such as NVD, CPE, Alias, one of our supported package managers, user-selected matches, and NOT IN NVD. You can also filter on review status.

In-product help added

We’ve added help icons to many columns and fields throughout the UI to get you started and unstuck. If you need more clarification on the help or if you have a question on something that doesn’t currently have help, let us know so that we can get it clarified or added.

Let us know if you see other areas we could improve!

If you run into issues or would like to request new features or feature enhancements, we'd love to hear from you! Thank you so much for taking the time to help us improve your experience!

Interested in providing feedback on upcoming features?

We are working on adding some great new functionality, including:

Windows KB patching,
a customer-facing API to automatically ingest SBOMs as part of your CI/CD process,
the ability to copy/paste from a CSV or other file to create an SBOM,
more human-readable information,
complete CycloneDX ingestion and export,
SPDX support,
and other cool new things.

We'd love to get your feedback on these to make sure what we're creating will improve your management and mitigation of your software supply chain risk. It will also give you a great opportunity to let us know features and feature enhancements you'd like us to consider adding! Note that this link will create a support ticket that will let us know you're interested, then we'll contact you directly to set up some time to do some feature walkthroughs. Thank you so much for your insights and expertise!

v2.55.5

September 2023

Summary

Enhanced global search
Changed date first detected time
Added date dashboard was last updated
Removed character restrictions on input fields
Added SSO support for PingID

New global search

Global search is now expanded to include searching across all your Product SBOMs for a particular dependency component. You can still search for a specific CVE via CVE-ID, now you get a summary of the vulnerability as well as a list of any products that might be potentially impacted.

Changes to first detected time

The first detected date in Helm on the Vulnerabilities page now reflects the date when Helm detected the vulnerability for your dependency component.

Last update timestamp

On the Metrics dashboard you can now see when the dashboard was last updated.

Character restrictions in input fields

Helm had strict character restrictions in input fields that have now been removed.

SSO support for PingID

Helm supports SSO for organizations on the enterprise plan. We now have a working integration with PingID.

v2.54.7

September 2023

Summary

Enhanced look-and-feel with new page layouts
Performance improvements and bug fixes

New page layouts

Both the Products page and the Vulnerabilities page now have a new look and feel as well as some new functionality for vulnerability filters.

Performance improvements and bug fixes

This release has a lot of improvements to performance and a few bug fixes. You should be having a faster, more responsive experience.

Helm Docs

Helm help center

Upload SBOM and match to known software

Prioritize and remediate risk

API & Administration

Helm overview

Introducing Helm

What is Helm?

Specifically designed to address FDA cybersecurity guidelines

Get started with Helm

How do we identify matches in your SBOM to known software in the NVD?

What matching sources do we use?

Understand your current vulnerability risk

Monitoring new vulnerabilities

Rescore vulnerabilities individually or in bulk

Monitor your overall security posture

Stay on top of new vulnerabilities

Search vulnerabilities and dependency components across your products

Search vulnerabilities for a particular CVSS score range across your products

Patch Windows operating systems

Manage licenses

Export FDA-ready reports

Export vulnerabilities

Why SBOMs are critical to your present and future

What is an SBOM?

SBOMs are critical to secure your present and future

Recent cybersecurity attacks and changing economic conditions

SolarWinds

Log4Shell (Log4j)

WannaCry

Meet government requirements

Secure your company's present and future

Meet hospital requirements

Recent cybersecurity attacks and changing economic conditions

SolarWinds

Log4Shell (Log4j)

Meet government requirements

Meet hospital requirements

What can I use SBOMs for?

Pre-market dependency and vulnerability tracking

Post-market dependency and vulnerability tracking

Participation in an ISAO to share vulnerability and threat information

Threat modeling

Handling a data breach

Detect and analyze

Commit and recover

Post-incident response

Get Started

Sign in

Get familiar with the Helm UI

Navigation

Filter

Search

Themes

Tables

Customizable data display

Where did my columns go?

Contextual actions

Help

Get started

Documentation

About

Contact us

Quickstart process

Upload your first SBOM

Upload a CycloneDX or SPDX SBOM

Upload a compressed SPDX file

What happens after upload?

Create products and versions without an SBOM

Troubleshooting and support

No exact match

Upload issues

Upload a CycloneDX or SPDX SBOM

Upload a compressed SPDX file

What happens after upload?

Create products and versions without an SBOM

Troubleshooting and support

Not seeing your SBOM dependency components?

No exact match

Upload issues