This status indicates that the component has an exact match with software listed in the National Vulnerability Database (NVD). This status confirms that the software has reported vulnerabilities, which are visible on the Vulnerabilities page for the respective product version. Components with a correct CPE or PURL identifier but incorrect supplier information are automatically corrected and matched by our system.
This status indicates that Helm found multiple potential matches using one or more match sources. Refer to Resolve match statuses to try to uniquely identify this component.
This status indicates that a dependency component is matched to a package manager but is not found in the NVD. Refer to Matched statuses and Resolve match statuses for more information.
For components that do not match any known software in the NVD or supported package managers, refer to Resolve match statuses to try to identify this component.
You can use aliases to match any components in your SBOM that have multiple matches or are unmatched to known software components in the NVD. Administrators can create new aliases.
Scanning: This is an interim status that indicates that Helm is processing this match. If you have been waiting and haven't seen this update, try refreshing the page.
Fix version: The software version provided for this dependency component does not align with the expected version. If you see this, you will also see a warning icon next to the version. Refer to Resolve match statuses for more information on resolving this issue.
Contact us: Helm was unable to process this version. We have logged this issue and will try to rectify it quickly. Refer to Resolve match statuses for more information on resolving this issue.
Error: Some other error occurred while trying to process this component. This should be extremely rare. Contact us for help in resolving this issue.
Helm checks CPE and PURL IDs to determine if a dependency component is unique. If a duplicate is detected, it will automatically be removed, streamlining your SBOM management.
To keep track of various versions of your SBOM and to ensure that your SBOM is accurate for each product release to meet FDA requirements and protect your customers and their patients, you should create a new version of your SBOM whenever your team:
Updates the device or application
Adds or removes a dependency component or changes a dependency component version
Adds one or more Windows KBs to a device version
Adds a Windows KB to a vulnerability
Upgrades the version of a dependency component
This will help ensure your readiness for your pre-market FDA submission, while ensuring that customers post-market understand whether they are affected by vulnerabilities associated with a particular version of your product. Refer to for more information.
Helm supports the ingestion of licensing information from CycloneDX and SPDX SBOMs, and enriches this information via our partnership integration with Tidelift. You can also manually enter or modify license details as needed.
For each dependency component, you can view its details or manually modify it to add licensing information. All licensing information displays in the License details section of the dependency component details panel.
For active SPDX licenses, these will be automatically linked to the corresponding license URL from the .
If you have deprecated SPDX licenses in your SBOM, Helm will retain the URL.
Helm also handles .
Helm populates license information from the following sections in a CycloneDX SBOM:
components > licenses: The primary source for license information. Each dependency component must include either a license ID, name, or SPDX expression.
components > pedigree > notes: This will be populated into the License comments field. Because this notes field applies to all components in a CycloneDX SBOM, the information in this field will be applied to all licenses for a particular dependency component.
Helm does not support license information populated from other sections of a CycloneDX SBOM. Any such information will be retained in exports but ignored in the UI.
A SPDX SBOM contains packages, each of which could be a file or set of files, grouped by the SBOM author. These files could be one or more files of any type including but not limited to source, documents, binaries, etc. Helm processes each package as a dependency component. A SPDX SBOM can contain licensing information at the package, file, or even code snippet level. For every package that contains licensing, Helm populates that license information into the dependency component's details in the Licenses section.
Helm processes each package as a dependency component and populates license information from the following fields:
PackageLicenseConcluded: The primary field for populating the license name. If missing, Helm will use the PackageLicenseDeclared field.
ExtractedLicensingInfo: If present, this section provides license names and text for custom or non-SPDX licenses. When a custom license is added, you can manually enter the license name, but the URL will not display.
SPDX spec version
If your SPDX version or license list version differs, SBOM section names or field names may also differ; check your particular SPDX spec version.
Helm has partnered with Tidelift to enrich license information for open-source components that lack licensing details:
Component license is set to No license (NONE in SPDX): If a dependency component in your SBOM lacks a license but has a unique PURL or Helm can generate the correct PURL, Helm will check with Tidelift to determine if any licenses are associated with that component. If so, Helm will add those licenses to provide you with a comprehensive view of licensing info and identify licensing risks across your supply chain.
Component license is set to Unknown (NOASSERTION in SPDX): If your SBOM component license is set to Unknown (NOASSERTION in SPDX), but Tidelift indicates that there is one or more licenses associated with that component, we will add those licenses for you.
For existing components, you can have Helm automatically add license information. In the Components table, click Actions > Reload component. Note that reloading will discard any metadata you may have added to this component, such as review information, and will re-identify associated vulnerabilities, so you may see some discrepancy in your number of vulnerabilities for that component. This reduces your manual effort of tracking down licensing information, ensuring you have the latest license information available from our data sources.
The Licenses section of the component details panel displays the following fields:
License type: This field is populated from the license information in your SBOM.
License expression: For components combining multiple SPDX licenses with AND or OR, or using a SPDX license exception.
Individual licenses: If your SBOM component contains multiple SPDX licenses that are not combined with AND or OR (or +) or if your component has custom licenses, choose this option.
No license (NONE in SPDX): If you are certain that your SBOM component does not have an associated license, choose this option. In a SPDX SBOM, this is indicated with the NONE value.
Unknown (NOASSERTION in SPDX): If you are not sure whether your SBOM has an associated license, choose this option. In a SPDX SBOM, this is indicated with the NOASSERTION value. In a CycloneDX SBOM, if your SBOM does not contain licensing information or licensing info is empty, it will display as Unknown.
Individual licenses: For components with multiple SPDX licenses not combined, or for custom licenses.
No license (NONE in SPDX): The component has no associated license. In a SPDX SBOM, this is indicated with the NONE value.
CycloneDX SBOM: There is no corresponding value for this in CycloneDX 1.4 or 1.5 specs. If you manually add this for a license, then export your CycloneDX SBOM, the licensing information for this component will have this value in the components > licenses > license name field.
SPDX SBOM: Indicates that the SPDX SBOM author provided NONE as the package-level license information. The SPDX spec requires that when the info is not provided, it be set to NOASSERTION.
For open-source dependency components, Helm will attempt to identify if there actually is an associated license for you.
Unknown (NOASSERTION in SPDX): Use this if you are unsure whether the component has an associated license. For open-source dependency components, Helm will attempt to identify this license for you.
SPDX SBOM: Indicates that the SPDX SBOM author provided NOASSERTION or did not provide package-level license information.
CycloneDX SBOM: Indicates that the CycloneDX SBOM did not contain any licensing information or the licensing information was empty.
License name:
SPDX SBOMs
For SPDX SBOMs, this field is populated from the SBOM's PackageLicenseConcluded, PackageLicenseDeclared, or ExtractedLicensingInfo sections. PackageLicenseDeclared will only be used if the PackageLicenseConcluded field in the SBOM is blank or omitted.
If the package-level licensing has a LicenseRef[idstring] and that LicenseRef[idstring] matches one in the ExtractedLicensingInfo section, the license name and full license text will be populated from that section into License name and License text, respectively. If the license name is missing, the term Custom license will be used as the license name.
Non-SPDX license in your SPDX SBOM: If your SPDX SBOM contained the ExtractedLicensingInfo section, the License name field will be populated with the corresponding license name from the ExtractedLicensingInfo > name field.
SPDX SBOM has NONE or NOASSERTION in the package: If the PackageLicenseConcluded field contains NONE or NOASSERTION, that value will be populated here. If the component is open-source and has a unique PURL, then we will check whether there is license information for that component and, if so, enrich it with the missing information.
SPDX SBOM contains no package-level licensing information: NOASSERTION will be populated into the License name field.
SPDX license exceptions: If you need to add a SPDX license exception, type WITH after your first SPDX license, such as GPL-2.0-or-later WITH Bison-exception-2.2.
Make sure to observe spacing. After you type WITH, followed by a space, then you can either click the drop-down to view only valid SPDX license exceptions or start typing to filter the exceptions.
CycloneDX SBOMs
This field is populated from the components > licenses > license > id field if the id field is used in the SBOM, or from the components > licenses > license > name field if it exists.
CycloneDX SBOM does not contain licensing info or licensing info is empty: Since there is no corresponding defined term for missing CycloneDX licensing information, this will show as Not set.
License URL:
For SPDX licenses, this field is automatically populated from the SPDX license list and is uneditable.
CycloneDX SBOM: This is populated from the components > licenses > license > url field.
License text:
SPDX SBOM: For custom licenses, this will be populated from the ExtractedLicensingInfo > text section of SPDX SBOMs.
You can add or modify license text for both SPDX and custom licenses.
License comments:
SPDX SBOM: This is only populated from the package-level PackageLicenseComment field.
CycloneDX SBOM: There is at least one SPDX license ID in the components > pedigree > notes field. Some automatic scanning tools will automatically populate either the SPDX license full name or an AND/OR SPDX expression here. If the notes field exists in your SBOM file, it will be added as License comments for all of the licenses for that particular SBOM component.
You can add or modify license comments for both SPDX and custom licenses.
Comments are applied to all licenses associated with a dependency component.
License source:
SBOM: The license information was populated directly from your SBOM.
User: License was added or modified by a user.
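The population rules above (PackageLicenseConcluded before PackageLicenseDeclared, LicenseRef lookups in ExtractedLicensingInfo, CycloneDX id/name/expression and pedigree notes, NONE/NOASSERTION/Not set handling) as an added, runnable example; this is not Helm's code. It assumes SPDX JSON key names (licenseConcluded, licenseDeclared, licenseComments, hasExtractedLicensingInfos) as the JSON form of the tag-value names this article quotes, and constructs its own sample documents.

```python
"""Resolve Helm-style License details from SPDX 2.x JSON packages and CycloneDX
1.x components, following the population rules in this article. Added example,
not Helm's code; SPDX JSON key names are an assumption (see lead-in)."""

NONE, NOASSERTION, NOT_SET = "NONE", "NOASSERTION", "Not set"


def license_type(name):
    """License type as the article lists them, derived from the resolved name."""
    if name == NONE:
        return "No license"
    if name in (NOASSERTION, NOT_SET):
        return "Unknown"
    if any(f" {op} " in name for op in ("AND", "OR", "WITH")):
        return "License expression"
    return "Individual licenses"


def spdx_list_url(name):
    """License URL comes from the SPDX license list for single SPDX IDs only;
    expressions, NONE/NOASSERTION and custom licenses get no URL."""
    if license_type(name) != "Individual licenses" or name.startswith("LicenseRef-"):
        return None
    return f"https://spdx.org/licenses/{name}.html"


def spdx_extracted_index(doc):
    """licenseId -> ExtractedLicensingInfo entry, for LicenseRef- lookups."""
    return {e["licenseId"]: e for e in doc.get("hasExtractedLicensingInfos", [])}


def spdx_package_license(pkg, extracted):
    """PackageLicenseConcluded first; PackageLicenseDeclared only when Concluded
    is blank or omitted; NOASSERTION when the package has no license info.
    A LicenseRef- id matching ExtractedLicensingInfo supplies name and text;
    a missing name becomes 'Custom license' and no URL is shown."""
    name = pkg.get("licenseConcluded") or pkg.get("licenseDeclared") or NOASSERTION
    text = None
    if name.startswith("LicenseRef-"):
        info = extracted.get(name, {})
        text = info.get("extractedText")
        name = info.get("name") or "Custom license"
        url = None
    else:
        url = spdx_list_url(name)
    return {"type": license_type(name), "name": name, "url": url, "text": text,
            "comments": pkg.get("licenseComments"), "source": "SBOM"}


def cyclonedx_component_licenses(comp):
    """components > licenses: license.id if used, else license.name, or an
    expression; components > pedigree > notes becomes License comments on every
    license of the component; absent or empty licensing shows as Not set."""
    notes = (comp.get("pedigree") or {}).get("notes")
    rows = []
    for entry in comp.get("licenses") or []:
        if "expression" in entry:
            name, url = entry["expression"], None
        else:
            lic = entry.get("license") or {}
            name, url = lic.get("id") or lic.get("name") or NOT_SET, lic.get("url")
        rows.append({"type": license_type(name), "name": name, "url": url,
                     "text": None, "comments": notes, "source": "SBOM"})
    if not rows:
        rows.append({"type": "Unknown", "name": NOT_SET, "url": None,
                     "text": None, "comments": notes, "source": "SBOM"})
    return rows


# Constructed sample documents (not taken from any real SBOM).
SPDX_DOC = {
    "packages": [
        {"name": "openssl", "licenseConcluded": "Apache-2.0",
         "licenseComments": "Verified against the upstream LICENSE.txt"},
        {"name": "vendor-sdk", "licenseConcluded": "LicenseRef-vendor-eula"},
        {"name": "legacy-lib", "licenseConcluded": "",
         "licenseDeclared": "GPL-2.0-or-later WITH Bison-exception-2.2"},
        {"name": "unknown-blob"},
    ],
    "hasExtractedLicensingInfos": [
        {"licenseId": "LicenseRef-vendor-eula", "name": "Vendor SDK EULA",
         "extractedText": "Permission is granted to use this SDK with the device only."},
    ],
}

CDX_COMPONENTS = [
    {"name": "zlib", "pedigree": {"notes": "Scanner reported Zlib"},
     "licenses": [{"license": {"id": "Zlib", "url": "https://spdx.org/licenses/Zlib.html"}}]},
    {"name": "dual-lib", "licenses": [{"expression": "MIT OR Apache-2.0"}]},
    {"name": "no-info", "licenses": []},
]


def resolve_all():
    """{package name: details} for SPDX and {component name: [details]} for CycloneDX."""
    extracted = spdx_extracted_index(SPDX_DOC)
    spdx = {p["name"]: spdx_package_license(p, extracted) for p in SPDX_DOC["packages"]}
    cdx = {c["name"]: cyclonedx_component_licenses(c) for c in CDX_COMPONENTS}
    return spdx, cdx


if __name__ == "__main__":
    import json
    spdx, cdx = resolve_all()
    print(json.dumps({"spdx": spdx, "cyclonedx": cdx}, indent=2, default=str))
```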
What does it mean to have a unique PURL?
A component's unique PURL could be either the original PURL for that component that was in your SBOM file, or a PURL that Helm added or enriched during the component matching process.
Click Add dependency component from the Add SBOM (Manage SBOMs) drop-down button.
Specify the required fields.
In the License details section, select a License type. Choose License expression if you have one or more SPDX licenses in an expression (e.g., connected with AND, OR, or WITH) or Individual licenses if you have one or more SPDX or custom licenses (not in an expression) that you want to add to a component. You can also select Unknown or No license.
If you want to add a nested expression, such as MIT AND (LGPL-2.1-or-later OR BSD-3-Clause), type ( to display the SPDX license list or start typing to filter the list. Note that the expression in the parentheses will be processed first.
If you want to add a SPDX license exception, type WITH after the license, then select the exception from the drop-down (e.g., GPL-2.0-or-later WITH Bison-exception-2.2). Make sure to observe spacing.
If you're adding one or more individual licenses, click the License name drop-down to show the SPDX license list, start typing to filter the list, or keep typing to enter a custom license.
If you need to clear a license value, click the x icon in the field.
If you need to remove a license before you've saved, click Remove in the license section.
For individual custom licenses, specify any license text. You cannot add text for a SPDX license.
Add any license comments in the License comments field. License comments will be associated with all licenses for that component.
For individual licenses, click Add another license to add a new license. You cannot add individual licenses to a License expression. You can add as many licenses as you want. Your first license will show License 1, then your second will show License 2. When you save, these section names will change to the license name or expression itself.
Click Add component. You'll see a success message. If you don't see your component, you may have a sort applied.
Click Actions > Edit details to open the component details.
In the License details section, click Edit in the license section you want to edit.
If you just want to edit license type, license text or license comments, click the edit icon next to that field. Any edits you make to the license comments will be applied to all other licenses for this component.
Make any changes, then click Save changes. You'll see a success message. If you don't see your component, you may have a sort applied.
Click Actions > Edit details to open the component details.
In the License details section, click Edit in the license section you want to edit. This will display a Delete action.
Click Delete, then confirm the deletion. You cannot recover a deleted license or its related data. If you are deleting the only license associated with this component, this will also delete any license comments.
Click Close. The deletion has already been performed and cannot be cancelled. You'll see a success message. If you don't see your component, you may have a sort applied.
Deprecated licenses:
You can ingest or manually add or edit deprecated SPDX licenses. Deprecated SPDX licenses are available in the Deprecated licenses section of the License type drop-down.
You can filter licenses on the SBOM page to narrow down your view:
SPDX license ID
No license (NONE for SPDX)
Unknown (NOASSERTION for SPDX)
You can export your SBOM with enriched license information in the following formats. Click Reports in the sidebar, then select your preferred format.
FDA SBOM: Excel format.
Vulnerability Disclosure Report (VDR): JSON format. Missing license information will be noted as Unknown (NOASSERTION in SPDX) in the export.
CycloneDX SBOM: JSON format. Missing license information will be noted as Unknown (NOASSERTION in SPDX) in the export.
SPDX SBOM: JSON or XML format. Any file-level licensing details will also be included in the export, though they will not display in the Helm UI.
CSV format: Export your SBOM data, including CPE/PURL and license information, as a CSV file.
Helm does not currently handle file-level licensing. If you need this, ! If your SBOM includes file-level license information, it will be included in the export but not displayed in the UI.
Although Helm supports SPDX 2.2 and 2.3, this article uses the with license list 3.17. Helm supports SPDX license exceptions, deprecated SPDX license IDs, and all version lists.
Component has one or more licenses: If your SBOM component has at least one license, but Tidelift shows that it is inaccurate or that there are additional licenses associated with this component, we will not update this license information. If this is something that you would like us to add, .
If you'd like us to consider adding the ability to prompt you with license replacement suggestions, .
SPDX licenses combined with +: We do not currently support adding licenses combined with a +, such as Apache-2.0+MIT. However, we will import it from your SBOM. If you need to edit this, Helm will automatically convert the + expression to use AND. If you need support for +, !
The URL does not display for custom licenses. If this is something that you would like us to add, .
System: For open-source components that have unique PURLs but do not have license information, Helm checks Tidelift to determine if there are known licenses for those components. If so, Helm enriches the component with that information. Helm will only enrich components that do not have any license information; it will not add licenses to components that already have one or more licenses, nor will it replace existing licenses.
If you're adding a license expression, click the License expression drop-down to show the or start typing to filter the list. You can use AND, OR, or WITH. For example, typing Ap would give you applicable Apache licenses for the first half of the expression, while typing Apache-2.0 AND MI would give you any available MIT licenses for the second half. Make sure to observe spacing.
You can add components to an existing SBOM or you can create an SBOM from scratch by adding each one manually. You can also merge SBOMs to combine all dependency components for multiple systems into one.
If you're just starting your SBOM, click the Add SBOM drop-down button > Add dependency. Note that if you've already created or uploaded any SBOMs, this button will change to Manage SBOM and will have additional options, including checking file status.
In the panel that displays, specify the product and version in the first section.
In the next section, provide any information you have for your component. The only required field is the name, so if you don't have information (e.g., version), you can always add this later. However, Helm will need the version to attempt to accurately identify the matching known software.
Click Add component. Helm will analyze your component for matches in supported package managers and the NVD, so this will take a few seconds. If you've provided a PURL or CPE, Helm will analyze our package managers and other data sources to ensure that you have the correct string. If not, Helm will automatically fix this for you. If you don't see your component display, you can refresh it. If Auto-refresh is on, we will automatically be updating this, but if you're not seeing anything, turn Auto-refresh off, then click the manual Refresh button.
On the component you want to edit, click Actions ... > Manage component.
Click Edit on the section you would like to edit. Note that you cannot edit the Match details section.
If you edit the component details, then save your changes, you will be prompted to reload this component. Note that this will assess the component anew, which will lose any previous metadata, including matching, EOS/EOL, licensing, or review information that you have manually added.
If you edit the lifecycle information, make any necessary changes in the panel that displays, then save. This will automatically reload your component, which will no longer retain any review information you've already added for this dependency component. If you don't see your updated dependency component display, make sure Auto-refresh is on or click Refresh to manually update the page.
To combine SBOMs from various systems into one SBOM, you can simply upload another SBOM to Helm. This will automatically merge that SBOM into your existing one, de-duping any dependency components that are on both SBOMs.
You can add dependency components to an existing SBOM or you can create an SBOM from scratch by adding each one manually. You can also merge SBOMs to combine all dependency components for multiple systems into one.
If you're just starting your SBOM, click the Add SBOM drop-down button > Add dependency component. Note that if you've already created or uploaded any SBOMs, this button will change to Manage SBOM and will have additional options, including checking file status. This will display the Add dependency component modal.
In the panel that displays, specify the product and version in the first section. If you haven't created any products or product versions yet, click the create button in this drop-down. If you've already added products and versions, select the appropriate ones.
In the next section, provide any information you have for your dependency component. The only required field is the name, so if you don't have information (e.g., version), you can always add this later. However, Helm will need the version to attempt to accurately identify the matching known software.
Click Add dependency component. Helm will analyze your dependency component for matches in supported package managers and the NVD, so this will take a few seconds. If you've provided a PURL or CPE, Helm will analyze our package managers and other data sources to ensure that you have the correct string. If not, Helm will automatically fix this for you. If you don't see your dependency component display, try refreshing your browser.
On the dependency component you want to edit, click Actions ... > Manage dependency component.
In the panel that displays, make any necessary changes, then click Save changes. This will automatically reload your dependency component, which will no longer retain any review information you've already added for this dependency component. If you don't see your updated dependency component display, make sure Auto-refresh is on or click Refresh to manually update the page.
You can archive and unarchive products, as well as remove product versions.
In the Software Bill of Materials product drop-down list, hover over the product you want to archive, then click the trash icon. This will archive the product.
To unarchive a product, simply add the product again with the exact same name. This will automatically unarchive the product, its associated versions, and all dependency components. If you don't want to unarchive the product, add the product with a slightly different name.
In the Software Bill of Materials version drop-down list, hover over the version you want to delete, then click the trash icon. This will display a confirmation dialog. If you need to re-add the version and SBOM, just create the same version again.
To ensure that changes you make to a component in one product version is persisted throughout your product portfolio, users with Admin privileges can create specific rules for each component directly in the Rules manager, or can automatically create rules when updating the component details.
For each rule, you can set conditions around the supplier name, component name, and component version. You can then set effects that will be applied when all of the conditions are true to persist the specified Level of support and EOS/EOL (End-of-Support and End-of-Life) information across all of your products.
If you haven't created any rules yet, you'll see a Create rule button. Click this to switch to the Edit rules mode to begin creating your rule. If you need to add more rules later, you'll need to be in this edit mode.
If you already have rules, click the Add another rule button to create a new rule at the top of the list. You can rearrange the rule's priority by dragging it lower in the list.
For each condition, make sure that the Enabled switch is turned on (is blue).
Set each condition by selecting the corresponding field and comparator, then specifying the expected matching value. As you add conditions, the rule name will be automatically updated in the following format, provided that particular condition is set: [Supplier name]/[Component name]/[Version]. For version ranges, the name will reflect the conditions specified in the following format: [Supplier name]/[Component name] [less than 10.1], such as Google Chrome less than 10.1. You cannot currently edit rule names. If this is important to you, let us know!
Click Add version condition to add additional version conditions. Each condition uses AND logic, so everything must be true in order to apply the effects. You can set the version as either an exact match or set conditions for a version range. For an exact match, set the version as is equal to. For version ranges, you can set the following conditions: is less than and/or is greater than. You can specify either a version exact match or up to two version conditions for a version range.
Set each effect below the conditions by selecting the corresponding field and comparator, then specifying the expected matching value. For Level of support and EOS/EOL (end-of-support and end-of-life) information, you can specify either is equal to date, then select a specific date, or is equal to text, then provide the respective text value.
When you're finished adding rules, updating rules, and/or changing rule priority, click Save & apply. Note that unsaved changes will only persist during your Helm session, so make sure to save and apply anything you don't want to be discarded.
After you confirm these changes, Helm will begin applying them to your existing SBOMs, and will apply them to any future SBOMs.
Click the Edit rules toggle button to edit rules.
Make any modifications to conditions and/or effects.
To change rule priority, click the drag icon next to the rule name to drag it to a different position in the list. Rule priority is determined by the order of the rules in the Rules manager. If multiple rules impact a component, the one highest in the list takes precedence.
To delete a rule, click the Delete action. You will be prompted to confirm, but this deletion will not take effect before you click Save & apply. Deleted rules will be unapplied from existing SBOMs, and will no longer be applied to future SBOMs. You cannot recover a deleted rule. Note that if you decide to delete the only rule you have, any unsaved changes that you have made will be automatically applied and the rule will be deleted. In that case, you'll now see a blank rule, so that you can add more rules in the future.
When you're finished making changes, click Save & apply. Note that unsaved changes will only persist during your Helm session, so make sure to save and apply anything you don't want to be discarded.
After you confirm these changes, Helm will begin applying them to your existing SBOMs, and will apply them to any future SBOMs.
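The rule semantics described in this section (AND-ed conditions on supplier, component and version with at most two version conditions, is equal to / is less than / is greater than comparators, date or text effects, and list order as priority) as an added, runnable example; this is not Helm's code, and the rule and component dictionaries, sample rules and the dotted-numeric version comparison are this example's own assumptions.

```python
"""Evaluate Helm-style component rules as the Rules manager describes them:
AND-ed conditions on supplier name, component name and version, effects for
Level of support and EOS/EOL, and list order as priority (highest wins).
Added example, not Helm's code. Assumption: versions are dotted numerics."""
from datetime import date


def compare_versions(a, b):
    """Return -1, 0 or 1; pads so that 10.1 and 10.1.0 compare equal."""
    pa, pb = [int(p) for p in a.split(".")], [int(p) for p in b.split(".")]
    n = max(len(pa), len(pb))
    pa, pb = pa + [0] * (n - len(pa)), pb + [0] * (n - len(pb))
    return (pa > pb) - (pa < pb)


# The three version comparators the Rules manager offers.
VERSION_OPS = {
    "is equal to": lambda c: c == 0,
    "is less than": lambda c: c < 0,
    "is greater than": lambda c: c > 0,
}


def rule_matches(rule, component):
    """All conditions are ANDed; a disabled rule never matches."""
    if not rule.get("enabled", True):
        return False
    cond = rule["conditions"]
    for field in ("supplier", "component"):
        if field in cond and cond[field] != component.get(field):
            return False
    version_conds = cond.get("version", [])
    if len(version_conds) > 2:
        raise ValueError("a rule takes an exact match or at most two range conditions")
    for op, value in version_conds:
        if "version" not in component:
            return False  # a version condition cannot hold without a version
        if not VERSION_OPS[op](compare_versions(component["version"], value)):
            return False
    return True


def rule_name(rule):
    """Auto-generated name: [Supplier]/[Component]/[Version] for an exact match,
    [Supplier]/[Component] less than X (and/or greater than Y) for a range."""
    cond = rule["conditions"]
    head = "/".join(cond[f] for f in ("supplier", "component") if cond.get(f))
    vconds = cond.get("version", [])
    exact = [v for op, v in vconds if op == "is equal to"]
    if exact:
        return f"{head}/{exact[0]}"
    ranges = " ".join(f"{op[3:]} {v}" for op, v in vconds)  # drop the leading "is "
    return f"{head} {ranges}".strip()


def apply_rules(rules, component):
    """Rules are tried in Rules manager order; the highest matching rule in the
    list takes precedence. Returns a copy of its effects, or {} if none match."""
    for rule in rules:
        if rule_matches(rule, component):
            return dict(rule["effects"])
    return {}


# Constructed sample: the specific range rule sits above the general one.
RULES = [
    {"enabled": True,
     "conditions": {"supplier": "Google", "component": "Chrome",
                    "version": [("is less than", "10.1")]},
     "effects": {"Level of support": ("text", "Unsupported"),
                 "EOS/EOL": ("date", date(2020, 1, 1))}},
    {"enabled": True,
     "conditions": {"supplier": "Google", "component": "Chrome"},
     "effects": {"Level of support": ("text", "Supported")}},
]

if __name__ == "__main__":
    for v in ("9.2", "10.1", "12.0.1"):
        comp = {"supplier": "Google", "component": "Chrome", "version": v}
        print(v, rule_name(RULES[0]), apply_rules(RULES, comp))
```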
Before you've added your first SBOM for a product version, you'll see an Add SBOM drop-down button. If you've already added an SBOM, this will change to Manage SBOMs and will have additional options, including checking SBOM file upload status.
To access these options, click the Add SBOM or Manage SBOMs drop-down button:
View upload status: This displays the SBOMs that have been uploaded for your products and versions. You can view the file name, file ID, when it was uploaded and by whom, the number of entries processed, and the status. If a file has uploaded successfully, you can see the number of dependency components processed from the SBOM. If a file has not uploaded successfully, you will see a red x icon next to the Failed to upload status. For these files, you will see an info icon to get more information on resolving the error.
After or , you can manage your SBOM for each product and version in your software supply chain. Once you've uploaded your SBOM, Helm will match your software against the National Vulnerability Database (NVD), supported Package URLs (PURL) package managers, and CPE strings.
To view your SBOM, ensure you've selected a product and version so that you can .
In the Components table, you can quickly see where you need to complete matching, as well as understand exploitability risk and end-of-support/end-of-life risk, enabling you to prioritize upgrades. You can easily see what needs to be reviewed and catch up on reviews your team has made, as well as understand and manage license risk.
Click to drill-down for more information
Most things in Helm tables are clickable, enabling you to quickly drill down for more information, such as component details, match suggestions, fixing a version, contact us, reviewing a dependency component, and more.
Click the next step for each dependency component
For each dependency component, if there is a clear next step you need to take, that will be in the Actions column. If not, you'll just see the actions overflow ... button.
To view your SBOM, ensure you've selected a product and version so that you can see that version's dependency components.
Name: This is what may be referred to as a component in other systems. It is the firmware, software, framework, library, file, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL).
Version: This is the version for this dependency component name (e.g., 10.1 for Windows).
Supplier: This is the organization that supplied the dependency component. The supplier may often be the manufacturer, but may also be a distributor or repackager (e.g., Microsoft for Windows).
Level of support: Indicates whether the component is supported. Can be date or text value.
EOS/EOL: Indicates whether the component has a known end-of-support or end-of-life date or other information. Like Level of support, this can also be a date or text value. If there is a date, this indicates that the component will no longer be supported or maintained after this time, thus it will potentially become more vulnerable and less reliable over time. You should either upgrade to a supported version or replace it with an alternate component to reduce risk.
Review status: Indicates whether the dependency component has been reviewed or needs to be reviewed.
Licenses: Displays the dependency component's licenses.
Manage component: This will display all details for this dependency component in view mode. This will also show how Helm matched the dependency component, as well as any review information from your team. If you edit the dependency component, you'll be prompted to confirm this change. This is because Helm will reload the dependency component and rematch it, which will discard any review information you may have added.
Add review note: Add a review note, then change the review status to Reviewed. You'll see this updated status in the Review status column, along with a note icon.
Review history: This will show any analysis notes or review status changes your team has made. You can also add a review note from here.
Reload component: If a dependency component is in an error state that is not caused by an inaccurate or unsupported version, you can reload it, but you should rarely, if ever, need to do this. This is a backup action in case you run into an error state. Helm will discard any previous information for the dependency component, and attempt to match it to known software.
Delete component: If you have appropriate permissions, you can remove a particular dependency component. To avoid accidentally removing something that you wanted to keep, you'll then be prompted to confirm this action.
Click the Filters drop-down on the Components page to filter quickly to what you need.
Component details: Search by component name or component review status
Match details: Search by component match status
License details: Search by SPDX license ID or custom license name
Lifecycle details: Search for components with upcoming or expired end-of-support/end-of-life (EOS/EOL) dates, or search for components that will expire within a particular date range.
Follow these steps to ensure you've completed your dependency component matching and identified all possible vulnerabilities across your SBOM.
Match status
The match status of each of your dependency components is indicated in the Match status column of the dependency components table. You can click directly on this status badge itself to begin the resolution process, or you can select an action from the Actions column.
To ensure that you complete matching, filter on Select match first. Helm has provided strong match suggestions for these, so you should be able to match these relatively quickly. Click Select match on any of these statuses to start matching.
For users with Admin role, we highly recommend that you create an alias for each dependency component you match. This will ensure that these are automatically matched for future SBOMs. If you're not sure whether to create an alias during the match, you (or your Admin) can always create one later.
If you want to complete matching, filter on Not found next. This indicates that Helm was unable to find an exact match in the NVD. Click the Not found badge to view the match suggestions Helm has identified. If you don't see the correct match, make sure you create an alias so that this will be automatically matched for future SBOMs.
Match source
Lifecycle details
Be confident that you're using actively maintained and supported components when building a new product or updating an existing one. Filter quickly on the support status of your components, and on the timeframe in which components reach their end-of-support or end-of-life dates. This lets you prioritize updates effectively and maintain the stability and security of your device throughout its lifecycle.
License details
Filter your dependency components by license, including those with specific licenses, no license, or unknown license status. This filtering capability helps quickly identify and mitigate license-related risks, such as copyleft licenses or unknown license statuses that may impact IP.
You can filter on GPL licenses and other restrictive licenses to quickly evaluate legal risk, so you can prioritize updating or changing components whose licensing could affect your IP and legal compliance. You can also filter on which components have at least one license, those that don't currently have any license information, and those that are specifically set to No license or NONE, or to Unknown or NOASSERTION (the values in caps are SPDX values). This helps ensure you understand the legal risk for every component in your product.
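The lifecycle and license filters described above apply equally well to a raw SBOM before it is loaded into any tool. The following is an added example, not Helm's code or part of the original page: it reads a constructed CycloneDX-style JSON SBOM and classifies each component by license risk (copyleft, SPDX NONE/NOASSERTION/Unknown, or no license information) and by EOS/EOL status within a chosen horizon. The component names, versions, dates and the "eol" property name are all assumptions made for the example; CycloneDX has no standard EOL field, so the property name is a placeholder.

```python
"""Offline license-risk and EOS/EOL triage over a CycloneDX-style SBOM.

Added example; the SBOM content below is constructed, not real product data.
"""
import json
from datetime import date, timedelta

# Constructed SBOM fragment shaped like a CycloneDX JSON document.
# All names, versions, licenses and dates are made up for illustration.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "libexample", "version": "2.1.0", "purl": "pkg:generic/libexample@2.1.0",
         "licenses": [{"license": {"id": "MIT"}}],
         "properties": [{"name": "eol", "value": "2030-01-01"}]},
        {"name": "oldcrypto", "version": "0.9", "purl": "pkg:generic/oldcrypto@0.9",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}],
         "properties": [{"name": "eol", "value": "2024-06-30"}]},
        {"name": "vendor-blob", "version": "1.0", "purl": "pkg:generic/vendor-blob@1.0",
         "licenses": [{"expression": "NOASSERTION"}]},
        {"name": "util", "version": "3.3.1", "purl": "pkg:generic/util@3.3.1"},
        {"name": "legacy-ui", "version": "4.0", "purl": "pkg:generic/legacy-ui@4.0",
         "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}],
         "properties": [{"name": "eol", "value": "2023-12-31"}]},
    ],
})

# Assumed property name carrying the end-of-life date (not a CycloneDX standard field).
EOL_PROPERTY = "eol"
# SPDX identifier families treated as copyleft for the restrictive-license filter.
COPYLEFT_PREFIXES = ("GPL", "LGPL", "AGPL")
# Values that mean "no usable license information" (SPDX placeholders plus UI labels).
UNKNOWN_LICENSE_VALUES = {"NONE", "NOASSERTION", "UNKNOWN", "NO LICENSE"}


def license_values(component):
    """Return every license id, name or expression declared on a component."""
    values = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            values.append(entry["expression"])
        lic = entry.get("license", {})
        for key in ("id", "name"):
            if key in lic:
                values.append(lic[key])
    return values


def license_risk(component):
    """Classify a component the way the license filter does."""
    values = license_values(component)
    if not values:
        return "no license information"
    if any(v.strip().upper() in UNKNOWN_LICENSE_VALUES for v in values):
        return "unknown"
    # SPDX ids such as GPL-3.0-only or LGPL-2.1-or-later start with the family name.
    if any(v.upper().split("-")[0] in COPYLEFT_PREFIXES for v in values):
        return "copyleft"
    return "declared"


def eol_date(component):
    """Return the EOL date if the component carries one as an ISO date, else None."""
    for prop in component.get("properties", []):
        if prop.get("name") == EOL_PROPERTY:
            try:
                return date.fromisoformat(prop["value"])
            except ValueError:
                return None  # text values such as "unsupported" carry no date
    return None


def lifecycle_status(component, today, horizon_days):
    """Expired, expiring within the horizon, supported, or no data at all."""
    eol = eol_date(component)
    if eol is None:
        return "no EOS/EOL data"
    if eol < today:
        return "expired"
    if eol <= today + timedelta(days=horizon_days):
        return "expiring"
    return "supported"


def filter_report(sbom_json, today, horizon_days=90):
    """Bucket components by license risk and lifecycle status, keyed by PURL."""
    sbom = json.loads(sbom_json)
    report = {"copyleft": [], "unknown_license": [], "no_license": [],
              "expired": [], "expiring": []}
    license_bucket = {"copyleft": "copyleft", "unknown": "unknown_license",
                      "no license information": "no_license"}
    for comp in sbom.get("components", []):
        ident = comp.get("purl", comp["name"])
        risk = license_risk(comp)
        if risk in license_bucket:
            report[license_bucket[risk]].append(ident)
        status = lifecycle_status(comp, today, horizon_days)
        if status in ("expired", "expiring"):
            report[status].append(ident)
    return report


if __name__ == "__main__":
    # Fixed "today" so the output is reproducible against the constructed dates.
    for bucket, items in filter_report(SAMPLE_SBOM_JSON, date(2024, 6, 1)).items():
        print(f"{bucket}: {items}")
```

Running the script with the fixed date reports the GPL and LGPL components under copyleft, the NOASSERTION component under unknown license, the component with no licenses array under no license, and splits the dated components into expired and expiring within 90 days. Point it at a real SBOM by replacing SAMPLE_SBOM_JSON with the file contents and adjusting EOL_PROPERTY to wherever your SBOM producer records lifecycle dates.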
Match status: Shows the component's match status, along with the corresponding match source used to perform the match.
For any dependency component that has a next step you need to perform to complete matching and vulnerability identification, you'll see that primary action button in the Actions column, such as fixing a version or selecting a unique match. All other actions are in the ... button to the right of this action. If you don't see a particular option, that means that you don't have the required permissions for SBOMs.
Helm uses many match sources to precisely identify your dependency components and ensure that you have a comprehensive view of your vulnerabilities. Each Matched status or Select match status displays the sources where the match was found.