1 of 71

Helm Docs

Helm help center home

Upload SBOM & match to known software

Prioritize and remediate risk

API & Administration

Get Started

Helm features

Introducing Helm by Medcrypt

What is Helm?

Key features

FDA compliance

Supports NTIA and FDA cybersecurity requirements for SBOMs.
Provides tools for Secure Product Development Framework (SPDF).

Broad ecosystem visibility

Tracks both open-source software (OSS) and commercial third-party software.
Supports real-time operating systems (RTOS) and other operating systems to give a comprehensive view of your software ecosystem.

SBOM management

Handles SBOMs from open source, commercial tools, and manual uploads.
Matches your software against the National Vulnerability Database (NVD) and package managers using advanced normalization techniques. For example, Helm will normalize values such as “windows10”, “windows_10”, and “win 10” to the official value, such as Windows 10.
Manage component licenses. Import or manually add license information. Helm can also add missing license information.

Vulnerability management

Zero in on critical vulnerabilities.
Track progress on unremediated vulnerabilities.

Regulatory reporting

Quickstart process

Ready to leverage the power of Helm to streamline your vulnerability management? Let's get you up and running!

Step 5: Patch Windows vulnerabilities with WinKB recommendations

Step 6: Remediate vulnerabilities

You can remediate with CycloneDX and/or CycloneDX VEX statuses.

Step 7: Monitor your progress on your dashboard (Optional)

Quickly prioritize and remediate threats to your most impacted products and components
Zero in on critical vulnerabilities
Track progress on vulnerabilities you still need to remediate

Step 8: Export your FDA SBOM or other FDA-ready reports

Integrate to your CI/CD process (Optional)

Check whether you are impacted by a particular vulnerability (Optional)

Check whether your products contain a particular component (Optional)

Get familiar with the Helm UI

In the top navigation bar, you can access your profile, as well as sign out of Helm. You can also search within your vulnerabilities or your SBOMs, as detailed below. This also contains the breadcrumbs, from which you can select products and product versions, as well as understand at a glance where you are in Helm. You can also click the sun/moon icon to change themes.

Breadcrumbs

Each Helm page has a breadcrumb trail so that you know exactly where you are. Your Dashboard is Home, so all other page breadcrumb trails start at Home /.

Vulnerabilities breadcrumbs

In the Vulnerabilities page, the default view is All products and All vulnerabilities. If you don't have any products yet or need to add a new one, click the All products (or selected product) drop-down > Create product. If you don't have any product versions yet or need to add new one, click the All versions (or selected version) drop-down > Create version.

If you have existing products and want to drill down to a particular product, click the All products drop-down to select one or all products. If you've selected All products, you will also see all versions of those products. If you've selected a particular product, click All versions to select the version you want to view.

Components breadcrumbs

In the Products (SBOM) page, there is no default product view. Click the Select product drop-down to select a particular product. f you don't have any products yet or need to add a new one, click the Select product (or selected product) drop-down > Create product. If you don't have any product versions yet or need to add new one, click the Select version (or selected version) drop-down > Create version. Select any product and product version to view just those components.

URLs

Share deep links to particular Helm pages with colleagues.

Sidebar

You can access any main page in the sidebar, including:

Global search discovery:
Admin: Add and manage products, then manage user permissions for each product
Help: Provides paths to get you started, no matter where you are in your cybersecurity journey.

Filter

Product/version selection bar

Filter bar

Search

Themes

Choose between our dark or light theme. To switch themes, click the sun/moon icon in the main navigation bar.

Tables

Customizable data display

Take control of how you view and interact with data. You can adjust table column visibility, perform multi-sorts, and choose your preferred display density.

Content refresh setting: Take charge of your data updates by setting auto-refresh intervals or turning it off entirely. You can also refresh manually refresh.
Pagination: Navigate large datasets with ease using our new pagination feature, ensuring you don’t lose your place.
Hide or show columns: Click the Columns link to toggle on/off specific columns. If you want to hide a particular column that is already displayed, you can also hover over each column header to display a ... icon. Click this, then select Hide column.
Customizable columns: Tailor your tables to display exactly what you need. Use the Columns link to show or hide specific columns and hover over column headers to drag and drop them into your preferred order with the … icon.
Change column order: Hover over each column header to display a ... icon. Click this, then select Move right or Move left to order columns exactly how they work best for you.
Multi-column sorting: Click the Sort fields link at the top of each table to apply complex sorts across multiple columns.
Column sorting: Sort columns in alphabetic or reverse-alphabetic order. Hover over each column header to display a ... icon. Click this, then select Sort A-Z or Sort Z-A.
Flexible display density: Optimize your view by selecting a compact or expanded display mode and adjusting the number of rows per page to suit your preferences.
Advanced date picker: Gain precise control over date filtering with options for absolute/relative dates, custom ranges, and multi-month views.

Why can't I see some columns?

If you don't see particular columns, that means that they are currently hidden by default. You can customize your view to show only the data you want, nothing you don't — enabling you to stay focused on what matters most. Click the Columns link in the top of the components or vulnerabilities table to see which columns are available, then toggle on/off columns to display only the ones you need. For example, if you need CVSS v2 scores, just toggle on this column.

Contextual actions

Easily access additional information or perform actions directly from tables by clicking on cell values.

Help

Get started: Click the path that best describes your needs to get started quickly.
Documentation: Get started or get unstuck quickly right here!
Contact us: We are always here to help get you unstuck!

Understand your dashboard

Your dashboard provides an overview of your overall security posture. You can get to your dashboard by clicking the home icon on the sidebar.

Dashboard overview

This represents your total SBOMs and vulnerabilities across all time. The date range filter does not apply to these widgets.

Vulnerabilities over time

These widgets represent your vulnerabilities for a selected date range. You can view this for all versions within a product or for a particular product version.

Top 5 impacted products

Each donut chart represents the total number of vulnerabilities that have been detected in each of your products across all of their respective SBOM components, within the selected date range, products, and versions, as well as the percentage of vulnerabilities in each level of severity.

You can view these widgets across all of your products and versions, or filter down to view particular products and versions.

Get more details:

Hover over the donut chart to display a View details button. Click that button to drill down into details for that product.

Add your first product:

If you haven’t added a product yet, you’ll see an Add new product button in this section.
Click this to specify the product name, then click Save.
To view your new product, click the Products option in the sidebar. Your new product will be selected in the products drop-down.
You’ll now need to add a version for this product. In the version drop-down, select Create version.

Top 5 vulnerable dependencies

This shows your top 5 most vulnerable components within the selected date range, products and versions.

Helm terminology

Automate and integrate

Match components

manage sboms

manage vulnerabilities

Ensure FDA readiness

Terminology

Administration

what's new

Understand data sources and update frequency

Our SBOM vulnerability management product integrates data from multiple sources to ensure you have the most comprehensive and up-to-date information, including frequency of updates. By integrating these sources, our SBOM vulnerability management product ensures you are well-equipped to manage and mitigate risks effectively.

How often is data updated?

Action

Updated

Data ingestion

Daily

Continual monitoring

Every 2 hours

What data sources does Helm use?

Each vulnerability in Helm shows what data source or sources it was pulled from. Links are provided to the original CVE, as well as to exploitability and threat information.

National Vulnerability Database (NVD)

The National Vulnerability Database (NVD) is the world’s most comprehensive repository of publicly available vulnerability management data. Maintained by the National Institute of Standards and Technology (NIST), the NVD is built on the foundational work of MITRE and other leading cybersecurity entities. The database catalogs vulnerabilities identified as Common Vulnerabilities and Exposures (CVE), offering detailed information on over 100k documented CVEs, reaching back to the 1990s. The NVD not only provides vital intelligence on software flaws and misconfigurations but also includes crucial metadata such as severity scores, impact and exploitability metrics, and remediation steps, making it an indispensable resource for cybersecurity professionals.

You can easily see which vulnerabilities come from the NVD via the NVD badge indicator in the Source column.

AI co-pilot

This system constructs CPE product and version match data to ensure rapid and continuous and continuous vulnerability enrichment.

This AI copilot pulls information from vulnerability databases like NVD, MITRE, and other external sources to stay up-to-date and continuously update vulnerability information.

AI copilot data sources and updates

This AI copilot pulls information from vulnerability databases like NVD, CISA, CVE.org, MITRE, and other external sources to stay up-to-date and continuously update vulnerability information.

CVE.org integration

We are currently adding CVE.org as a data source, and this support should be available in an upcoming release. CVE.org provides a list of publicly disclosed cybersecurity vulnerabilities, each assigned a unique CVE ID. With over 230,000 CVEs identified, defined, and catalogued, CVE.org partners with community members worldwide to grow CVE content. CVE.org has now been tasked with enriching CVEs in the NVD with CPE information to handle the backlog.

Support and integration

Supported by Helm, Medcrypt’s vulnerability management tool, this AI-driven approach uses historical data and a custom grammar parser to minimize inaccuracies and increase reliability. This AI copilot’s output mirrors the NVD data feed, allowing tools compatible with the NVD feed to seamlessly utilize enriched data.

How often is the NVD data feed updated?

This feed is updated daily and is available to MedISAO members and partners. It has thus far analyzed thousands more vulnerabilities than the NVD or CISA and integrated into Medcrypt's Helm product, enabling more enhanced vulnerability identification.

CVE.org

We are currently adding CVE.org as a data source and this support should be in an upcoming release.

Private vulnerability repository

This feature is currently being developed and is expected in an upcoming release.

You can add, track, remediate, and resolve private vulnerabilities from other sources such as penetration testing or threat modeling in Helm. These vulnerabilities are identified and reported privately by organizations and cybersecurity firms, and often include zero-day vulnerabilities and proprietary software issues.

The three primary use cases for private vulnerabilities are for organizations:

Tracking vulnerabilities in internally-developed components, whether unique to one product or that spans multiple products across the organization
Documenting security research on an issue before deciding whether to disclose it publicly
Using unmanaged data sources to identify vulnerabilities, such as change logs, commit logs, issue trackers, and social media posts, among others.

Exploit Database (ExploitDB)

Any active exploit retrieved from this database will show either an ExploitDB badge or Metasploit badge, depending on whether it is just an active exploit or whether there is a Metasploit toolkit. Additionally, you can view the impact of each vulnerability, which shows all known exploits and threats and provides links to the original source details.

Exploit Prediction Scoring System (EPSS)

Helm provides EPSS scores for any vulnerabilities that have a CVSS v3 score, as only CVSS v3 vulnerabilities have been assessed using the EPSS methodology.

Top 25 CWE (Common Weakness Enumeration)

Any vulnerability that is considered a top 25 CWE threat will show a Top CWE badge in Helm. You can also view more impact information in the vulnerability details, as well as review original sources.

CISA Known Exploited Vulnerabilities (KEV)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.

Any vulnerability that is in the CISA KEV list will show a CISA KEV badge in Helm. You can also view more impact information in the vulnerability details, as well as review original sources.

Microsoft Knowledge Base (KB) catalog

Important updates provide significant benefits, such as improved security and reliability. Optional updates might include, for example, new or updated driver software for devices that you have added to your computer.

Any vulnerability that has a recommended patch update will show an available patch indicator. You will soon be able to view patch recommendations in the vulnerability details as well.

Tidelift

We have partnered with Tidelift and are in the process of integrating relevant open-source component data into Helm.

Tidelift also partners with open-source maintainers to implement industry-leading secure software development practices and commit to these practices so that organization can feel confident in the security of their open source components in their ecosystems both now and in the future.

Data source routing

Components often belong to one or more ecosystems. These ecosystems typically have one or more sources of truth that provide additional data about the components. For example, Maven Central and the NPM repository provide information about Java and Node components respectively.

Vulnerabilities can be identified through the use of three fields: CPE, PURL, and SWID. Helm supports PURL and CPE.

Package URL (PURL)

Helm uses PURL in several ways:

Match components to identify vulnerabilities
Reduce false positives and false negatives
Identify outdated components across ecosystems

Supported package manager ecosystems

Language

Package manager

Package repository

NuGet

JavaScript

NPM

Python

PyPI

Rust

Cargo

When does a PURL match get made?

For any vulnerability that was matched using a package manager, it will show the corresponding package manager name in its badge. If a component is matched with a package manager badge, but does not have an NVD badge, this means that Helm has identified your software in the package manager, but that no vulnerabilities have been reported in the NVD.

What is PURL used for?

PURL is recommended for use in identifying a container, library or framework (package), or operating system package.

PURL syntax

Package URL (PURL) standardizes how software package metadata is represented so that packages can universally be located regardless of what vendor, project, or ecosystem the packages belongs to. A PURL is an attempt to standardize existing approaches to reliably identify and locate software packages. It is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.

As mentioned above, we currently support the following PURL package managers: Cargo, NPM, NuGet, and PyPI.

PURL format

A PURL is composed of 7 components:

scheme:type/namespace/name@version?qualifiers#subpath

The definition for each component is:

scheme: this is the URL scheme with the constant value of "pkg". One of the primary reason for this single scheme is to facilitate the future official registration of the "pkg" scheme for package URLs. Required.
type: the package "type" or package "protocol" such as maven, npm, nuget, gem, pypi, etc. Required.
namespace: some name prefix such as a Maven groupid, a Docker image owner, a GitHub user or organization. Optional and type-specific.
name: the name of the package. Required.
version: the version of the package. Optional.
qualifiers: extra qualifying data for a package such as an OS, architecture, a distro, etc. Optional and type-specific.
subpath: extra subpath within a package, relative to the package root. Optional.

Examples:

pkg:pypi/django@1.11.1
pkg:nuget/EnterpriseLibrary.Common@6.0.1304
pkg:npm/foobar@12.3.1

Common Platform Enumeration (CPE)

NIST defines CPE as a structured naming scheme for IT systems, software, and packages. It is based on the generic syntax for Uniform Resource Identifiers (URI) and includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name. The CPE specification was designed for operating systems, applications, and hardware devices. It is maintained by the NVD.

When does a CPE match get made?

For any vulnerability that was matched using a CPE match, it will show a CPE badge. If a component is matched with a CPE badge, that means that it has at least one vulnerability that has been reported in the NVD. A CPE is only assigned to software when a vulnerability has been reported in the NVD.

CPE syntax

CPE follows this format: cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>

cpe_version: This is the version of the CPE definition. As of this writing, the latest CPE definition version is 2.3.
part: This can be one of three values: a for Applications, h for Hardware, o for Operating systems. It is sometimes referred to as type.
vendor: This identifies the person or organization that manufactured or created this component.
product: This is the name of the system/package/component.
version: This is the version of the system/package/component.
update: This shows any update or service pack information, also known as minor versions.
edition: This describes the build of the system/package/component beyond version.
sw_edition (2.3 only): This indicates the language of the system/package/component, such as en-us for US English.
target_sw (2.3 only): This indicates the language of the system/package/component, such as en-us for US English.
target_hw (2.3 only): This indicates the language of the system/package/component, such as en-us for US English.
other (2.3 only): This indicates the language of the system/package/component, such as en-us for US English.

CPE string examples

Application: If the URI is cpe:/a:microsoft:office:2007:sp2:professional then the CPE string is: cpe:2.3:a:microsoft:office:2007:sp2:-:*:professional:*:*:*

Operating system: If the URI is cpe:/o:microsoft:windows_7:-:sp1:x64 then the CPE string is: cpe:2.3:o:microsoft:windows_7:-:sp1:-:*:*:*:x64:*

Hardware (not supported in an SBOM): If the URI is cpe:/h:3com:3c13612 then the CPE string is: cpe:2.3:h:3com:3c13612:-:*:*:*:*:*:*:*

What does a wildcard in a CPE string indicate? Anything that is a wildcard (*) means that no particular value was provided for that section, so it will encompass any applicable value in that section.

Automate SBOM and vulnerability management via Helm API SDK

Overview

The Helm API allows users to efficiently manage SBOMs, assess vulnerabilities, and generate detailed reports. Currently available as a Python SDK (built on protobuf), the Helm API provides bindings and helper scripts to facilitate interactions with the API.

Key features

Upload single or multiple SBOMs.
Retrieve all vulnerabilities or filter to focus on CISA KEV vulnerabilities.
Generate FDA SBOM reports or CycloneDX VEX reports.
Identify unmatched SBOM components in your data.

Getting started

Request API access

Download Helm API SDK

Once you have received an email granting you access to the Helm API, click the Developers item in the sidebar.
Download the file below.

Because our API documentation is hosted on Gitbook, you will see an interim page that Gitbook is verifying the safety of this file -- this page unfortunately does not go away, but your file will complete downloading successfully.

Authentication and setup

Once you have been granted access to the Helm API, you'll need to download our API SDK, then generate your API key to make calls to the API.

Step 1: Download the API SDK above

Download the file from the section above. There are four scripts for the Helm API:

run_upload_sbom.sh
run_unmatched_sbom_entries.sh
run_vuln_list.sh
run_product_version_report.sh

Step 2: Install SDK prerequisites

Install python3: pip3 install -r requirements.txt. This installs the required Python modules.
Check that all Python dependencies listed in the requirements.txt file are installed in your environment.

Step 3: Authenticate in Helm UI

Click the Developers option on the sidebar. This will display the Developers page.
In the Helm UI, you'll see an Email field which is the Helm email address that you have API access for. This will be your client_id that you will update in the scripts in the next steps.
In the Helm UI, click Generate API key. This will be your client_secret that you will update in the scripts in the next steps.

Step 4: Configure SDK scripts

After uncompressing this file, you will find a readme.txt document that contains the rest of the steps to execute the API.

From the command line, cd to the directory api/run.
Update the client_id and client_secret in these scripts: run_upload_sbom.sh, run_unmatched_sbom_entries.sh, run_vuln_list.sh, and run_product_version_report.sh.
Refer to the respective script section below, then update the corresponding parameters respectively.

Run scripts to automate SBOM and vulnerability management

Step 1: Run script to upload one or multiple SBOMs

You can upload one or multiple SBOMs using the run_upload_sbom.sh script. The following command-line parameters are available:

--client_id: This is your API account username. In the Helm UI, this is the API user name.
--client_secret: This is your API key that you will generate from the Helm UI.
--sbom_files: This is the path to the SBOM file on your system.
--product_name: This is the name of the product that you want to create a version for.
--version: This is the product version that you want to create and upload an SBOM for.
--createProdVers: If your product version doesn't already exist, you can create a new product version for a given SBOM product.
--api_url: This is the API URL provided by Medcrypt.
--file_type: This is the file type you'll be uploading. It only needs to be set if you are uploading a SPDX SBOM. If so, set to SPDX.

When you've set your parameters, run ./run_upload_sbom.sh.

Step 2: Run script to get all unmatched SBOM entries for product version

You can return all unmatched SBOM entries for a given product and version using the run_unmatched_sbom_entries.sh script. The following command-line parameters are available:

--client_id: This is your API account username. In the Helm UI, this is the API user name.
--client_secret: This is your API key that you will generate from the Helm UI.
--product_name: This is the name of the product that you want to create a version for.
--version: This is the product version that you want to create and upload an SBOM for.
--api-url: This is the API URL provided by Medcrypt.

When you've set your parameters, run ./run_unmatched_sbom_entries.sh.

Step 3: Run script to get all vulnerabilities or CISA KEV vulnerabilities for product version

You can return all vulnerabilities or just CISA KEV vulnerabilities for a given product and version using the run_vuln_list.sh script. The following command-line parameters are available:

--client_id: This is your API account username. In the Helm UI, this is the API user name.
--client_secret: This is your API key that you will generate from the Helm UI.
--product_name: This is the name of the product that you want to create a version for.
--version: This is the product version that you want to create and upload an SBOM for.
--api-url: This is the API URL provided by Medcrypt.
--start_date: This is the start date at which to begin filtering vulnerabilities.
--end_date: This is the end date at which to begin filtering vulnerabilities.
--exploit_source: You can specify CISA_KEV to get just vulnerabilities on the CISA KEV list. If you don't specify this, you will get all of your vulnerabilities. The default value is UNDEFINED.

When you've set your parameters, run ./run_vuln_list.sh.

Step 4: Run script to generate product version report script

You can create and download an FDA SBOM or CycloneDX VEX report for a given product and version using the run_product_version_report.sh script. The following command-line parameters are available:

--client_id: This is your API account username. In the Helm UI, this is the API user name.
--client_secret: This is your API key that you will generate from the Helm UI.
--product_name: This is the name of the product that you want to create a version for.
--version: This is the product version that you want to create and upload an SBOM for.
--api-url: This is the API URL provided by Medcrypt.
--file_path: This is the path where you would like a generated report to be saved to.
--report_type: Specify either FDA_EXCEL or CDX_VEX to generate your FDA SBOM in Excel format or CycloneDX VEX report.

When you've set your parameters, run ./run_product_version_report.sh.

API methods

The Helm API provides the following methods:

listorganizations: Retrieves the organizations that the user has access to.
listorganizationproducts: Retrieves the products a given organization has.
listorganizationproductversions: Retrieves the product versions of a particular product for that organization.
createorganizationproduct: Creates a new product under that organization with the provided product name. The user will have access to this product.
createorganizationproductversions: Creates a new product version under a selected product with the provided version name.
submitsbom:
- Uploads an SBOM provided in the --sbom_files parameter.
- Allows the user to upload an SBOM under an existing product and product version.
- Users can create a new product, product version, and upload an SBOM under this new version.
listunmatchedsbomentries: This lists all of your unmatched SBOM entries for a given SBOM product and version.
listvulnerabilities: This lists all vulnerabilities for a given SBOM product and version. You can also filter this down via --exploit_source to CISA KEV vulnerabilities only, as detailed below.
requestreport: This issues a request to generate a product version report. The report generation process is asynchronous, so this may take a moment.
getreportrequeststate: This checks on the status of a requested report.
getreportfile: Once a report request is completed (report_request_state=4), the report file will be available for download.

Upload your first SBOM

Ready to upload your first SBOM, or not sure what an SBOM is? We’re here to help! Helm supports both CycloneDX and SPDX SBOM formats, making it easy for you to manage your software components.

Upload a CycloneDX or SPDX SBOM

Click Add SBOM > Upload SBOM.

Supported SBOM versions and formats

Versions:

CycloneDX: 1.3 (import only), 1.4 (import and export), 1.5 (import only)
SPDX: 2.2, 2.3

Formats:

CycloneDX: .json, .xml
Single SPDX files: .spdx, .json, .yaml, .xml
Compressed SPDX files: .gz, .tgz, .zip, .zst, .tzst

File size: 50MB

Where did my Add SBOM button go?

If you've already uploaded an SBOM, this button changes to Manage SBOM, providing you with additional actions. You can also check your SBOM file upload status from here.

In the modal that displays, specify a product name and version.
Click the Choose file button to browse to your SBOM file.
Click Upload SBOM.
Once you’ve uploaded your SBOM, you will see all of the components that are contained in that product display on the page. We’re already starting to match, drawing data from the NVD, including Package URLs (PURL) of Cargo, NPM, Nuget, or Pypi package manager), CPE strings, component name/version/supplier combo, and alias matches.
If you need to aggregate and merge additional SBOMs to this SBOM, click Manage SBOMs > Upload SBOM. This will add components from that SBOM to your existing SBOM.

Not ready to add your SBOM yet? No worries!

You can create each of your products and their respective versions, then add your SBOM at any time.

In the Select product drop-down, select the Create product option, specify the product name, then Save. You’ll now see your new product selected. You’ll now need to add a version to upload an SBOM to.
In the Select version drop-down, select the Create version option, specify the version, then Save. Click the Add SBOM drop-down button, then select the Upload SBOM option.

Upload a compressed SPDX file

If you have a compressed SPDX SBOM file, follow these steps to upload it:

Prepare your files:
- Create a directory named after what you want to name your zip file.
- Navigate into that directory and create a subdirectory named packages in this directory.
- Copy your individual SBOM files into the packages directory.
Compress your files:
- Use the following commands to compress your files into a .tar.gz or .zip format:
  - Create .tar.gz: COPYFILE_DISABLE=1 tar -zcvf yourfilename.tar.gz yourdirectory
  - Create .zip: zip -r yourfilename.zip yourdirectory -x '**/.*'
Upload your file:

To include lifecycle information, these are the supported properties you can use in your CycloneDX SBOM. This information will be populated into the respective columns in the Products table, as well as in the component details. Note that if your SBOM contains duplicate properties for the same component, Helm will take the first property and discard the rest. For each field, you can only include either date or text value - if you include both, only date will be populated in the Helm UI.

To use any of these properties, you will need to include the whole namespace value (e.g., cdx:lifecyle:milestone.endOfSupport or medcrypt:lifecycle:milestone:endOfLifeText) in the name field and the corresponding value in the value of the property. We will import and export from thecomponent and/or metadata > components array of your CycloneDX SBOM.

Level of support (date): Import will support cdx:lifecycle:milestone:endOfSupport name property or eos_date (Medcrypt-specific name property). Export will be the CycloneDX native property.
EOS/EOL (date): Import will support cdx:lifecycle:milestone:endOfLife name property or eol_date (Medcrypt-specific name property). Export will be the CycloneDX native property.
Level of support (text): Import will support medcrypt:lifecycle:milestone:endOfLifeText or eol_text name property. Export will be `medcrypt:lifecycle:milestone:endOfLifeText.
EOS/EOL (text): Import will support medcrypt:lifecycle:milestone:levelOfSupportText or eos_text name property. Export will be `medcrypt:lifecycle:milestone:levelOfSupportText.

Including lifecycle information?

Level of support (date): Import will support cdx:lifecycle:milestone:endOfSupport name property or eos_date (Medcrypt-specific name property). Export will be the CycloneDX native property.
EOS/EOL (date): Import will support cdx:lifecycle:milestone:endOfLife name property or eol_date (Medcrypt-specific name property). Export will be the CycloneDX native property.
Level of support (text): Import will support medcrypt:lifecycle:milestone:endOfLifeText or eol_text name property. Export will be `medcrypt:lifecycle:milestone:endOfLifeText.
EOS/EOL (text): Import will support medcrypt:lifecycle:milestone:levelOfSupportText or eos_text name property. Export will be `medcrypt:lifecycle:milestone:levelOfSupportText.

End of support example with component array

Including Windows KB patch information?

CycloneDX does not support Windows KB information natively, so to include Windows KB patch information, this is the Medcrypt-specific property you can use in your CycloneDX SBOM.

To use this property, you will need to include the whole namespace value (e.g., medcrypt:vulnerability:remediation:mskb in the name field and the corresponding value in the value of the property. of the component or metadata > components array of your CycloneDX SBOM. We will import and export from thecomponent and/or metadata > components array of your CycloneDX SBOM.

Import and export will support the medcrypt:vulnerability:remediation:mskb name property, but regardless of where the KBs appeared in the original SBOM, they will be exported to metadata > component only.

Windows KB example with component array

What happens after upload?

Including lifecycle information?

To include lifecycle information, these are the supported properties. This information will be populated into the respective columns in the Products table, as well as in the component details. Note that if your SBOM contains duplicate properties for the same component, Helm will take the first property and discard the rest. For each field, you can only include either date or text value - if you include both, only one will be uploaded.

Level of support (date): Import will support cdx:lifecycle:milestone:endOfSupport property or eos_date (Medcrypt-specific property). Export will be the CycloneDX native property.
EOS/EOL (date): Import will support cdx:lifecycle:milestone:endOfLife property or eol_date (Medcrypt-specific property). Export will be the CycloneDX native property.
Level of support (text): Import will support medcrypt:lifecycle:milestone:endOfLifeText or eol_text. Export will be `medcrypt:lifecycle:milestone:endOfLifeText.
EOS/EOL (text): Import will support medcrypt:lifecycle:milestone:levelOfSupportText or eos_text. Export will be `medcrypt:lifecycle:milestone:levelOfSupportText.

What happens after upload?

Create products and versions without an SBOM

In the Select product drop-down, choose Create product, specify the product name, then click Save.
In the Select version drop-down, choose Create version, specify the version, and click Save.
When you have an SBOM ready, just click the Add SBOM drop-down button (Manage SBOM if you already have uploaded other SBOMs), then select Upload SBOM when you’re ready to add your SBOM file.

Troubleshooting and support

You may have turned off auto-refresh. You can either turn it back on from the Auto-refresh switch above the table, or you can click Refresh to manually refresh the page.

Not seeing your SBOM components?

You may have turned off auto-refresh. You can either turn it back on from the Auto-refresh switch above the table, or you can click Refresh to manually refresh the page.

No exact match

Upload issues

Have a large SBOM file?

If you have a larger SBOM file, this could take a little longer to upload. Get a cup of coffee or tea while we process your SBOM! We'll automatically start matching to known software in the NVD as soon as your upload is completed successfully.

Don't think your SBOM uploaded successfully?

SBOM contains component hashes

Need help getting started?

Have a different SBOM format

Need to generate an SBOM

Don't know what an SBOM is or not sure where to start

Match unmatched components

Overview

After uploading your SBOM (Software Bill of Materials) or manually adding a component, you may encounter different statuses that your software component, version, and supplier combination was not automatically matched to an existing unique entry in the NVD (National Vulnerability Database).

To view vulnerabilities for your components, you'll need to resolve any statuses other than Matched NVD. By following these steps to resolve these statuses, you can ensure accurate matching of your software components to

Resolve Select match, Matched to package manager, and Not found statuses

A Select match status means that your software component, version, and supplier combination has multiple potential matches, making it unclear which one is the correct match.
A Matched status with a package manager badge (but no NVD badge) indicates that there either are no known vulnerabilities for that component, or that the component has a different name in the NVD.
A Not found status means that your software component, version, and supplier combination could not be automatically matched to an existing entry in the NVD. This could mean there are no vulnerabilities for this component, or it could mean the component is named differently in the NVD.

Review potential matches (Select match or Not found statuses only)

Click the Match status badge to open the Resolution options modal, then click the View suggestions button in the Select match box. This will display the Multiple matches modal, where you can evaluate the option based on the following details:
- Supplier: The name of the supplier associated with the potential match.
- Name: The name of the software component.
- Sample versions: Versions that were extracted from the CVE vulnerability data.
- Type of match: This shows sources used to determine a possible match, such as Alias, Name, CPE (Common Platform Enumeration), PURL (Package URL), or a particular package manager match.
If you need more information to make a decision, click the details icon. This will open the Match details modal, where you can view more versions of the component and see reported vulnerabilities over time. A trend of reported vulnerabilities that aligns with your component versions suggests a strong match.
Create an alias: Once you determine the correct match, you can create an alias that links this match to your component. This alias ensures that future uploads of an SBOM containing this software component, version, and supplier combination will automatically use this alias.
Add a review note: Click Actions > Add review note to keep your team informed about the status of the assessment, suggest further review, or highlight any critical risks associated with the software component.

Match suggestions fields

To pick up a draggable item, press the space bar. While dragging, use the arrow keys to move the item. Press space again to drop the item in its new position, or press escape to cancel.

Name

Description

Supplier

This is the organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager (e.g., Microsoft for Windows).

Details icon

Click this icon to view more details about this possible match, including reported vulnerabilities over time, as well as known versions from the CVE. If these versions match those of your component and there are vulnerabilities that have been reported, this is likely the correct match.

Product name

This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL).

Matched on

This shows the strength of the match. Refer to Match sources for more information.

Type

This shows the reliability of the match.

Exact match: This has an exact match in the NVD, which could include a PURL string (Cargo, NPM, Nuget, or Pypi package manager), CPE string, or name match.
Alias match: This component matches an existing alias.
Possible match: This component has a match in one or more sources. Check the Matched on column, then hover over those matching tokens for more information.

You can assess the likelihood that this is the correct match by viewing the trend of reported vulnerabilities over time and the known versions for this match suggestion. Multiple matches that have a trend of reported vulnerabilities and that match your component's versions (or at least version formats) are considered stronger matches.

Match details fields

To pick up a draggable item, press the space bar. While dragging, use the arrow keys to move the item. Press space again to drop the item in its new position, or press escape to cancel.

Name

Description

Reported vulnerabilities over time

Multiple matches that have a trend of reported vulnerabilities indicate that this is a frequently-used component. If you don’t see many reported vulnerabilities over time, it is likely that this is not the correct match. Check that the component’s versions (or at least version formats) are considered strong matches.

Known versions

These are the known versions for this suggested match that are coming from the CVE vulnerability ID. Check that your component’s versions (or at least version formats) match these.

Resolve Fix version status

After uploading your SBOM or manually adding a component, you might see a warning icon next to the component version, as well as a Fix version match status. This indicates that the version format doesn’t match the expected supplier version format.

Click the Fix version status badge for the component with the warning icon. Alternately, select Actions > Fix version for the component with the warning icon.
Check the version format to ensure it matches the known version number, make any necessary modifications, then save.

Resolve Contact us status

After uploading your SBOM or manually adding a component, you might see an error icon next to the component version, along with a Contact us match status. This indicates that we do not have a version parser for this specific version format.

If you see this icon, we're aware of the issue. However, if you need this resolved more quickly, please contact us for expedited assistance.

What happens when we add this version parser?

When we add support for a new version parser format, we will automatically reload any impacted SBOMs and their components to attempt to match them to known software in the NVD. You will be notified once the issue has been resolved.

How does this impact you?

Exact match: Any known vulnerabilities from the NVD will be brought forward.
Vulnerability discrepancy: If you notice a discrepancy in the number of vulnerabilities, don’t be alarmed—this process is part of ensuring accurate tracking and reporting.
Multiple matches: Review these suggestions to determine the correct match.
No match: If an exact match cannot be found in the NVD, it may indicate that the component does not exist in the NVD (implying no known vulnerabilities) or that it is listed under a different name. In these cases, you should:
- Check the NVD to find the correct match.
- Create an alias to link your software component correctly going forward.

Resolve Fix version status

After uploading your SBOM or manually adding a component, you might see a warning icon next to the component version, as well as a Fix version match status. This indicates that the version format or PURL value doesn’t match the expected values.

Click the Fix version match status badge or click Actions > ... > Fix version for the component with the warning icon. This will open the Manage component panel.
Version warnings are generally caused by an incorrect PURL or version format. Check the component's PURL and version to see whether this solves the problem. Make sure that the version format matches the known version number and PURL.

Resolve Contact us status

What happens when we add this version parser?

Upon adding support for a new version parser format, we will automatically reload any impacted SBOMs and their components to attempt matching them to known software in the NVD. You will be notified once the issue is resolved.

How does this impact you?

Exact match found: Any known vulnerabilities from the NVD will be associated with the component. If there's a discrepancy in the number of vulnerabilities, don’t be alarmed—this process is part of ensuring accurate tracking and reporting.
Select match: You'll need to review these suggestions to determine the correct match.

Add review for component

After matching or assessing a potential match or doing some other research, you can add a note for your team to reduce parallel efforts.

Click Actions > ... > Add review. This will display the Review component panel.
If the component does not already have a Reviewed status, this will automatically update it to Reviewed.

Create and manage alias rules to match and rematch components across all products

Overview

To view vulnerabilities for a particular component, each component must be matched to known software in the NVD. Administrators can create alias rules to find known software matches for components that are unmatched, mismatched, or have multiple matches. Alias rules will not override components that were manually matched by users.

The alias rules manager enables you to set robust matching conditions for aliases, simplifying the known software search process and bringing forward more information to help you select the correct known software match.

Benefits of alias rules manager

Centralized rule management: Manage both alias rules and EOS/EOL lifecycle rules from a single location
Enhanced matching capabilities: Create conditions using Component name, Supplier, CPE, PURL, and Version information
Improved transparency: View detailed information about potential matches including vulnerability counts, known versions, CPEs, PURLs, and references
Impact visibility: See the number of affected products, versions, and components before making changes
Conflict handling: System detects potential rule conflicts
Automatic application: Rules are automatically applied to both existing and future SBOMs

Understanding the impact of alias rules

When alias rules are applied, they affect:

Existing SBOMs: All matching components in previously uploaded SBOMs will have the alias rule applied
Future SBOMs: Any new uploads with matching components will automatically have the rule applied
Match status: Components will change from unmatched statuses to "Matched" with an "ALIAS" badge
Vulnerability data: If the known software has vulnerabilities in the NVD, these will now be associated with your components
Reporting: Components matched via alias rules will appear in vulnerability reports with their assigned matches
Override hierarchy: Manual matches always take precedence over alias rules

When you edit or delete an alias rule:

Components previously matched by that rule will return to their previous unmatched status
Any vulnerability data associated through that match will no longer be linked to the component
You'll need to create a new alias rule or manually match affected components to restore vulnerability data

View aliased matches

For all components that have been matched with an alias, you'll see a Matched status with an ALIAS badge in the Match status column of the Products page.

Add an alias rule

Create an alias rule from Rules manager

When creating an alias rule from the Rules manager, you’ll need to specify the component matching conditions under which the alias rule will be applied.

Click the Rules item in the sidebar. This will display the Rules page, where you can manage alias and lifecycle rules.
Click the Add alias rule button in the Alias rules tab. This will display the Create alias rule wizard.
In the first step, specify the conditions for which you want this alias rule to be automatically applied. You can add one condition for each metadata field. The exception is version, for which you can specify either an exact match with one condition, or can create a version range limiting versions by using an is less than and an is more than condition.
- If there is an existing alias rule that exactly matches your criteria, you'll be prompted to discard this pending edit or change the criteria.
In the second step, specify the known component name and/or supplier, then click Search known software.
- If you know which software you are looking for, click the option button next to that software, then click Create alias rule.
- If you're not certain which software is the best match, click the option button to review the details for that known software component, including any vulnerability information, associated CPEs and PURLs, and references. Once you've identified and selected the correct match, click Create alias rule.
The new alias rule will display at the bottom of your rule list. If you want this rule to have higher priority, you can drag-and-drop it higher in the rules list.
The Match status for components that match this criteria will be updated to Matched with an ALIAS badge. This may take a while, since Helm is running this new alias rule against all of your SBOMs and evaluating it against all existing alias rules. If the known software is in the NVD or is in a package manager that has known vulnerabilities, it will be updated with these associated vulnerabilities.

Create an alias rule from component

When creating an alias rule from a component on the Products page, the component matching conditions will be automatically populated, which you can modify as necessary.

Click Products in the sidebar. This will display the Products page, which is a list of all components in this SBOM.
For any non-matched component status, click the badge in the Match status column or the primary button in the Actions column. Alternately, you can select View match suggestions from the ... actions overflow button. This will display the Select match suggestions panel.
If you want to change the component matching conditions, you can do so in step 1, then click Continue to update the possible matches in step 2. If there is an existing alias rule that exactly matches your criteria, you'll be prompted to discard this pending edit or change the criteria.
In the Component name field, enter at least three characters to start filtering down the list. All condition rules must be alphanumeric. Enter any other information you have for the component, then click Continue. If there is an existing alias rule that exactly matches your criteria, you'll be prompted to keep the existing rule or replace it with the new rule.
In the next section, enter the known software component name and/or supplier, then click Search known software to return potential matches.
- If you know which software you are looking for, click the option button next to that software, then click Create alias rule.
- If you're not certain which software is the best match, click the option button to review the details for that known software component, including any vulnerability information, associated CPEs and PURLs, and references. Once you've identified and selected the correct match, click Create alias rule.
The new alias rule will display at the bottom of your rule list. If you want this rule to have higher priority, you can drag-and-drop it higher in the rules list.
The Match status for this component and all components that match this criteria will be updated to Matched with an ALIAS badge. Updating all of the components may take awhile, since Helm is running this new alias rule against all of your SBOMs and evaluating it against all existing alias rules. If the known software is in the NVD or is in a package manager that has known vulnerabilities, it will be updated with these associated vulnerabilities.

Rule naming conventions

Edit alias rule

If you need to edit an alias rule, note that any changes will be applied to both existing and future SBOMs.

Click the Rules item in the sidebar.
Click the Alias rules tab.
In the Alias rules tab, click Edit on any rule you want to modify. This will display the Manage alias rule wizard. This will display the current component matching conditions and the selected known software match.
If you want to change the component matching conditions, you can do so in step 1, then click Continue to update the possible matches in step 2. If there is an existing alias rule that exactly matches your criteria, you'll be prompted to discard this pending edit or change the crtieria.
In the second step, you will see the currently selected match, as well as other possible matches based on that search criteria. In the details section for the selected match, you'll see several tabs to help you understand the impact of the existing rule across your portfolio, known vulnerabilities, known CPEs and PURLs, as well as additional references.
If you want to change the match criteria, enter part or all of the known software you are looking for, then click Search known software.
If you change matching conditions or the selected known match, you will not be able to see the impact of this change until you apply it, then go back in to edit the rule.
Click Save & apply changes. You'll see a success notification when the change has been applied. Editing a rule will not change its current position in the list, so drag-and-drop it higher or lower to change its priority.

Set priority order of alias rules

Alias rules are applied according to their position on the rules list.

Drag-and-drop them higher to increase their priority or lower to decrease their priority.
If you have only reprioritized rule order, but haven't marked any rules for deletion, click Save & apply changes. This will apply the reprioritizations.
If you've marked rules for deletion in addition to reprioritizing rules, this button will be Review changes to give you an opportunity to view the impact of these pending deletions before confirming these changes.

Delete alias rule

If you find that your team has added an incorrect alias rule, you can easily remove it if you are an Administrator.

Click the Rules item in the sidebar.
Click the Alias rules tab.
Click Mark for deletion on the alias rules you want to delete.
If you need to change priority of any rules as a result of these impending deletions, drag-and-drop the respective rules higher or lower in the list.
Click Review changes button.
After making your changes, click the global Save & apply changes button at the bottom of the aliases rule list. The rule will no longer be associated to existing SBOMs and will not be applied to future ones.

Troubleshooting and best practices

Rule naming: You cannot currently edit rule names. They are automatically generated based on conditions.
Rule conflicts: When creating rules with similar conditions, ensure they don't unintentionally overlap. The system will warn about exact duplicates.
Session persistence: Always save your changes before navigating away, as unsaved changes will be lost.
Rule prioritization: Place more specific rules higher in the list, as they take precedence over more general rules.
Performance considerations:
- Creating many rules with complex conditions may increase processing time
- Large-scale rule changes may take time to propagate across all SBOMs
Verification: After applying rules, check a sample of components to verify the rules are working as expected.
Maintenance: Periodically review your alias rules to ensure they still reflect your current software matching needs.

Alias permissions

Administrator: Users with an Administrator role can view and edit all products, as well as create aliases and use existing aliases to link software in their SBOMs to known software in the NVD.
User with edit permissions for a product: Users who have edit permissions for a particular product, but are not Administrators, will be able to view and use existing aliases for that product to link software in their SBOM to known software in the NVD, but will not be able to create aliases unless they have an Administrator role.
User with read-only permissions for a product: These users will be able to view aliases for that product, but will not be able to use these aliases to link software.

Manage licenses

Helm supports the ingestion of licensing information from CycloneDX and SPDX SBOMs, and enriches this information via our partnership integration with Tidelift. You can also manually enter or modify license details as needed.

For each component, you can view its details or manually modify it to add licensing information. All licensing information displays in the License details section of the component details panel.

Supported SPDX licenses

Ingest licenses from CycloneDX SBOMs

Helm populates license information from the following sections in a CycloneDX SBOM:

components > licenses: The primary source for license information. Each component must include either a license ID, name, or SPDX expression.
components > pedigree > notes: This will be populated into the License comments field. Because this notes field applies to all components in a CycloneDX SBOM, the information in this field will be applied to all licenses for a particular component.

Helm does not support license information populated from other sections of a CycloneDX SBOM. Any such information will be retained in exports but ignored in the UI.

Ingest licenses from SPDX SBOMs

A SPDX SBOM contains packages, each of which could be a file or set of files, grouped by the SBOM author. These files could be one or more files of any type including but not limited to source, documents, binaries, etc. Helm processes each package as a component. A SPDX SBOM can contain licensing information at the package, file, or even code snippet level. For every package that contains licensing, Helm populates that license information into the dependency component's details in the Licenses section.

Helm processes each package as a component and populates license information from the following fields:

PackageLicenseConcluded: The primary field for populating the license name. If missing, Helm will use the PackageLicenseDeclared field.
ExtractedLicensingInfo: If present, this section provides license names and text for custom or non-SPDX licenses. When a custom license is added, you can manually enter the license name, but the URL will not display.

SPDX spec version

If your SPDX version or license list version is different, SBOM section names or field names may differ, you should check your particular SPDX spec version.

Identify and automatically add missing licenses

Helm has partnered with Tidelift to enrich license information for open-source components that lack licensing details:

Component license is set to No license (NONE in SPDX): If a component in your SBOM lacks a license but has a unique PURL or Helm can generate the correct PURL, Helm will check with Tidelift to determine if any licenses are associated with that component. If so, Helm will add those licenses to provide you with a comprehensive view of licensing info and identify licensing risks across your supply chain.
Component license is set to Unknown (NOASSERTION in SPDX): If your SBOM component license is set to Unknown (NOASSERTION in SPDX), but Tidelift indicates that there is one or more licenses associated with that component, we will add those licenses for you.

Automatically generate a license for an existing component

For existing components, you can have Helm automatically add license information. In the Components table, click Actions > Reload component. Note that reloading will discard any metadata you may have added to this component, such as review information, and will re-identify associated vulnerabilities, so you may see some discrepancy in your number of vulnerabilities for that component. This reduces your manual effort of tracking down licensing information, ensuring you have the latest license information available from our data sources.

View license information

The Licenses section of the component details panel displays the following fields:

License type: This field is populated from the license information in your SBOM.

License expression:
- For components combining multiple SPDX licenses with AND or OR, or using a SPDX license exception.
- Individual licenses: If your SBOM component contains multiple SPDX licenses that are not combined with AND or OR (or +) or if your component has custom licenses, choose this option.
- No license (NONE in SPDX): If you are certain that your SBOM component does not have an associated license, choose this option. In a SPDX SBOM, this is indicated with the NONE value.
- Unknown (NOASSERTION in SPDX): If you are not sure whether your SBOM has an associated license, choose this option. In a SPDX SBOM, this is indicated with the NOASSERTION value. In a CycloneDX SBOM, if your SBOM does not contain licensing information or licensing info is empty, it will display as Unknown
Individual licenses: For components with multiple SPDX licenses not combined, or for custom licenses.
No license (NONE in SPDX): The component has no associated license. In a SPDX SBOM, this is indicated with the NONE value.
- CycloneDX SBOM: There is no corresponding value for this in CycloneDX 1.4 or 1.5 specs. If you manually add this for a license, then export your CycloneDX SBOM, the licensing information for this component will have this value in the components > licenses > license name field.
- SPDX SBOM: Indicates that the SPDX SBOM author provided NONE as the package-level license information. The SPDX spec requires that when the info is not provided, it be set to NOASSERTION.
- For open-source dependency components, Helm will attempt to identify if there actually is an associated license for you.
Unknown (NOASSERTION in SPDX):
- Use this if you are unsure whether the component has an associated license. For open-source dependency components, Helm will attempt to identify this license for you.
- SPDX SBOM: Indicates that the SPDX SBOM author provided NOASSERTION or did not provide package-level license information.
- CycloneDX SBOM: Indicates that the CycloneDX SBOM did not contain any licensing information or the licensing information was empty.

License name:

SPDX SBOMs

For SPDX SBOMs, this field is populated from the SBOM’s PackageLicenseConcluded, PackageLicenseDeclared, or ExtractedLicensingInfo sections. PackageLicenseDeclared will only be used if PackageLicenseConcluded field in the SBOM is blank or omitted.

If the package-level licensing has a LicenseRef[idstring] and that LicenseRef[idstring] matches one in the ExtractedLicensingInfo section, the license name and full license text will be populated from that section into License name and License text, respectively. If the license name is missing, the term Custom license will be used as the license name.
Non-SPDX license in your SPDX SBOM: If your SPDX SBOM contained the ExtractedLicensingInfo section, the License name field will be populated with the corresponding license name from ExtractedLicensingInfo > name field.
SPDX SBOM has NONE or NOASSERTION in the package: If the PackageLicenseConcluded field contains NONE or NOASSERTION, that value will be populated here. If the component is open-source and has a unique PURL, then we will check whether there is license information for that component and if so, enrich it with the missing information.
SPDX SBOM contains no package-level licensing information: NOASSERTION will be populated into the License name field.
SPDX license exceptions: If you need to add a SPDX license exception, type WITH after your first SPDX license, such as GPL-2.0-or-later WITH Bison-exception-2.2. Make sure to observe spacing. After you type WITH, followed by a space, then you can either click the drop-down to view only valid SPDX license exceptions or start typing to filter the exceptions.

CycloneDX SBOMs

This field is populated from the components > licenses > license > id field if the id field in used in the SBOM, or the components > licenses > license > name field if it exists.
CycloneDX SBOM does not contain licensing info or licensing info is empty: Since there is no corresponding defined term for missing CycloneDX licensing information, this will show as Not set.

License URL:

For SPDX licenses, this field is automatically populated from the SPDX license list and is uneditable.
CycloneDX SBOM: This is populated from the components > licenses > license url field.

License text:

SPDX SBOM: For custom licenses, this will be populated from the ExtractedLicensingInfo > text section of SPDX SBOMs.
You can add or modify license text for both SPDX and custom licenses.

License comments:

SPDX SBOM: This is only populated from the package-level PackageLicenseComment field.
CycloneDX SBOM: There is at least one SPDX license ID in the components > pedigree > notes field. Some automatic scanning tools will automatically populate either the SPDX license full name or an AND/OR SPDX expression here. If the notes field exists in your SBOM file, it will be added as License comments for all of the licenses for that particular SBOM component.
You can add or modify license comments for both SPDX and custom licenses.
Comments are applied to all licenses associated with a dependency component.

License source:

SBOM: The license information was populated directly from your SBOM.
User: License was added or modified by a user.

What does it mean to have a unique PURL?

A component's unique PURL could be either the original PURL for that component that was in your SBOM file, or a PURL that Helm added or enriched during the component matching process.

Add component license

Click Add dependency component from the Add SBOM (Manage SBOMs) drop-down button.
Specify the required fields.
In the License details section, select a License type. Choose License expression if you have one or more SPDX licenses in an expression (e.g., connected with AND, OR, or WITH) or Individual licenses if you have one or more SPDX or custom licenses (not in an expression) that you want to add to a component. You can also select Unknown or No license.
If you want to add a nested expression, such as MIT AND (LGPL-2.1-or-later OR BSD-3-Clause), type ( to display the SPDX license list or start typing to filter the list. Note that the expression in the parentheses will be processed first.
If you want to add a SPDX license exception, type WITH after the license, then select the exception from the drop-down (e.g., GPL-2.0-or-later WITH Bison-exception-2.2). Make sure to observe spacing.
If you're adding one or more individual licenses, click the License name drop-down to show the SPDX license list, start typing to filter the list, or keep typing to enter a custom license.
If you need to clear a license value, click the x icon in the field.
If you need to remove a license before you've saved, click Remove in the license section.
For individual custom licenses, specify any license text. You cannot add text for a SPDX license.
Add any license comments in the License comments field. License comments will be associated with all licenses for that component.
For individual licenses, click Add another license to add a new license. You cannot add individual licenses to a License expression. You can add as many licenses as you want. Your first license will show License 1, then your second will show License 2. When you save, these section names will change to the license name or expression itself.
Click Add component. You'll see a success message. If you don't see your component, you may have a sort applied.

Edit component license

Click Actions > Edit details to open the component details.
In the License details section, click Edit in the license section you want to edit.
If you just want to edit license type, license text or license comments, click the edit icon next to that field. Any edits you make to the license comments will be applied to all other licenses for this component.
Make any changes, then click Save changes. You'll see a success message. If you don't see your component, you may have a sort applied.

Delete component license

Click Actions > Edit details to open the component details.
In the License details section, click Edit in the license section you want to edit. This will display a Delete action.
Click Delete, then confirm the deletion. You cannot recover a deleted license or its related data. If you are deleting the only license associated with this component, this will also delete any license comments.
Click Close. The deletion has already been performed and cannot be cancelled. You'll see a success message. If you don't see your component, you may have a sort applied.

Deprecated licenses:

You can ingest or manually add or edit deprecated SPDX licenses. Deprecated SPDX licenses are available in the Deprecated licenses section of the License type drop-down.

Filter component icenses

You can filter licenses on the SBOM page to narrow down your view:

SPDX license ID
No license (NONE for SPDX)
Unknown (NOASSERTION for SPDX)

Export SBOM with license information

You can export your SBOM with enriched license information in the following formats. Click Reports in the sidebar, then select your preferred format.

FDA SBOM: Excel format.
Vulnerability Disclosure Report (VDR): JSON format. Missing license information will be noted as Unknown (NOASSERTION in SPDX) in the export.
CycloneDX SBOM: JSON format. Missing license information will be noted as Unknown (NOASSERTION in SPDX) in the export.
SPDX SBOM: JSON or XML format. Any file-level licensing details will also be included in the export, though they will not display in the Helm UI.
CSV format: Export your SBOM data, including CPE/PURL and license information, as a CSV file.

Understand the CVSS vulnerability scoring system

This score incorporates a number of factors assessing the exploitability of a vulnerability.

Base score

For CVSS v3 scores, you can use a number of calculators to understand how the CVSS score for a particular vulnerability was calculated:

Hover over each metric classification value to get more information on how to determine which value applies to your situation. For your convenience, we've also provided those metric and value definitions below.

Rescore CVSS 3.x vulnerabilities

Base CVSS score

Every vulnerability in the NVD starts with a base CVSS score. You cannot modify this base score, but you can modify the temporal and environmental scores by assessing your particular device's situation. Every metric in these two sections is set to Not defined (X) by default, which has the highest impact on the CVSS score.

How do I read a CVSS 3.1 vector string?

For CVSS 3.1, each section separated by a / in a vector string corresponds to one of the subcategories in the Base and Temporal categories. Thus, a string such as this:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:X/RL:O/RC:X

indicates that the Attack Vector is Network, Attack Complexity is High, Privileges Required is None, User Interaction is Required, Scope is Unchanged, and that the Confidentiality Impact is Low, Integrity Impact is Low, and Availability Impact is Low. It also indicates that Exploit Code Maturity is Not Defined, Remediation Level is Official fix, and Report Confidence is Not defined.

Exploitability metrics

Attack vector (AV)

This metric reflects the context by which vulnerability exploitation is possible. The Base Score increases the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component.

Network (AV:N): The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed, up to and including the entire Internet. Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).
Adjacent (AV:A): The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN to an administrative network zone).
Local (AV:L): The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document).
Physical (AV:P): The attack requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief or persistent.

Attack complexity (AC)

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Such conditions may require the collection of more information about the target or computational exceptions. The assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability. If a specific configuration is required for an attack to succeed, the Base metrics should be scored assuming the vulnerable component is in that configuration.

Low (AC:L): Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.
High (AC:H): A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may require an attacker to: gather knowledge about the environment in which the vulnerable target/component exists; prepare the target environment to improve exploit reliability; or inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g., a man in the middle attack).

Privileges required (PR)

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None (PR:N): The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.
Low (PR:L): The attacker is authorized with (i.e., requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources.
High (PR:H): The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable component that could affect component-wide settings and files.

User interaction (UI)

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

None (UI:N): The vulnerable system can be exploited without any interaction from any user.
Required (UI:R): Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited.

Scope (S)

Does a successful attack impact a component other than the vulnerable component? If so, the Base Score increases and the Confidentiality, Integrity and Authentication metrics should be scored relative to the impacted component.

Unchanged (S:U): An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.
Changed (S:C): An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

Impact metrics

Confidentiality (C)

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

None (C:N): There is no loss of confidentiality within the impacted component.
Low (C:L): There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the impacted component.
High (C:H): There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact.

Integrity (I)

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

None (I:N): There is no loss of integrity within the impacted component.
Low (I:L): Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact on the impacted component.
High (I:H): There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability (A)

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. It refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component.

None (A:N): There is no impact to availability within the impacted component.
Low (A:L): Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component.
High (A:H): There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

CVSS 3.1: Temporal score

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.

Exploit code maturity (E)

This metric measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation.

Not defined (E:X): This is the default setting. Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Temporal Score, i.e., it has the same effect on scoring as assigning High.
Unproven that exploit exists (E:U): No exploit code is available, or an exploit is theoretical.
Proof of concept code (E:P): Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker.
Functional exploit exists (E:F): Functional exploit code is available. The code works in most situations where the vulnerability exists.
High (E:H): Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools.

Remediation level (RL)

This metric is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final.

Not defined (RL:X): This is the default setting. Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Temporal Score, i.e., it has the same effect on scoring as assigning Unavailable.
Official fix (RL:O): A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.
Temporary fix (RL:T): There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.
Workaround (RL:W): There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability.
Unavailable (RL:U): There is either no solution available or it is impossible to apply.

Report confidence (RC)

This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes only the existence of vulnerabilities are publicized, but without specific details. For example, an impact may be recognized as undesirable, but the root cause may not be known. The vulnerability may later be corroborated by research which suggests where the vulnerability may lie, though the research may not be certain. Finally, a vulnerability may be confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers.

Not defined (RC:X): Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Temporal Score, i.e., it has the same effect on scoring as assigning Confirmed.
Unknown (RC:U): There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described. An example is a bug report which notes that an intermittent but non-reproducible crash occurs, with evidence of memory corruption suggesting that denial of service, or possible more serious impacts, may result.
Reasonable (RC:R): Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (Proof-of-concept exploits may provide this). An example is a detailed write-up of research into a vulnerability with an explanation (possibly obfuscated or 'left as an exercise to the reader') that gives assurances on how to reproduce the results.
Confirmed (RC:C): Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability.

CVSS 3.1: Environmental score

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of complementary/alternative security controls in place, Confidentiality, Integrity, and Availability. The metrics are the modified equivalent of base metrics and are assigned metric values based on the component placement in organization infrastructure.

Exploitability metrics

Attack vector (MAV)

This metric reflects the context by which vulnerability exploitation is possible. The Environmental Score increases the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component.

Not defined (MAV:X): The value assigned to the corresponding Base metric is used.
Network (MAV:N): The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed, up to and including the entire Internet. Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable at the protocol level one or more network hops away.
Adjacent network (MAV:A): The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN).
Local (MAV:L): The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document).
Physical (MAV:P): The attack requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief or persistent.

Attack complexity (MAC)

Not defined (MAC:X): The value assigned to the corresponding Base metric is used.
Low (MAC:L): Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.
High (MAC:H): A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may require an attacker to: gather knowledge about the environment in which the vulnerable target/component exists; prepare the target environment to improve exploit reliability; or inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g., a man in the middle attack).

Privileges required (MPR)

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

Not defined (MPR:X): The value assigned to the corresponding Base metric is used.
None (MPR:N): The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.
Low (MPR:L): The attacker is authorized with (i.e., requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources.
High (MPR:H): The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable component that could affect component-wide settings and files.

User interaction (MUI)

Not defined (MUI:X): The value assigned to the corresponding Base metric is used.
None (MUI:N): The vulnerable system can be exploited without any interaction from any user.
Required (MUI:R): Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited.

Scope (MS)

Not defined (MS:X): The value assigned to the corresponding Base metric is used.
Unchanged (MS:U): An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.
Changed (MS:C): An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

Impact metrics

Confidentiality impact (MC)

Not defined (MC:X): The value assigned to the corresponding Base metric is used.
None (MC:N): There is no loss of confidentiality within the impacted component.
Low (MC:L): There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the impacted component.
High (MC:H): There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact.

Integrity impact (MI)

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

Not defined (X): The value assigned to the corresponding Base metric is used.
None: There is no loss of integrity within the impacted component.
Low: Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact on the impacted component.
High: There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability impact (MA)

Not defined (MA:X): The value assigned to the corresponding Base metric is used.
None (MA:N): There is no impact to availability within the impacted component.
Low (MA:L): Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component.
High (MA:H): There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Impact subscore modifiers

Confidentiality requirement (CR)

Not defined (CR:X): Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Environmental Score, i.e., it has the same effect on scoring as assigning Medium.
Low (CR:L): Loss of Confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Medium (CR:M): Assigning this value to the metric will not influence the score.
High (CR:H): Loss of Confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

Integrity requirement (IR)

These metrics enable the analyst to customize the CVSS score depending on the importance of the Integrity of the affected IT asset to a user’s organization, relative to other impacts. This metric modifies the environmental score by reweighting the Modified Integrity impact metric versus the other modified impacts.

Not defined (IR:X): Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Environmental Score, i.e., it has the same effect on scoring as assigning Medium.
Low (IR:L): Loss of Integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Medium (IR:M): Assigning this value to the metric will not influence the score.
High (IR:H): Loss of Integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

Availability requirement (AR)

These metrics enable the analyst to customize the CVSS score depending on the importance of the Availability of the affected IT asset to a user’s organization, relative to other impacts. This metric modifies the environmental score by reweighting the Modified Availability impact metric versus the other modified impacts.

Not defined (AR:X): Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Environmental Score, i.e., it has the same effect on scoring as assigning Medium.
Low (AR:L): Loss of Availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Medium (AR:M): Assigning this value to the metric will not influence the score.
High (AR:H): Loss of Availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

CVSS 2.1

Base CVSS score

Every vulnerability in the NVD starts with a base CVSS score. The base metric group captures the characteristics of a vulnerability that are constant with time and across user environments. The Access Vector, Access Complexity, and Authentication metrics capture how the vulnerability is accessed and whether or not extra conditions are required to exploit it. The three impact metrics measure how a vulnerability, if exploited, will directly affect an IT asset, where the impacts are independently defined as the degree of loss of confidentiality, integrity, and availability. For example, a vulnerability could cause a partial loss of integrity and availability, but no loss of confidentiality.

You cannot modify this base score, but you can modify the temporal and environmental scores by assessing your particular device's situation. Every metric in these two sections is set to Not defined (X) by default, which has the highest impact on the CVSS score.

CVSS base score is divided into Exploitability and Impact metrics. Exploitability metrics include Attack vector, Access complexity, and Authentication, while Impact metrics include Confidentiality impact, Integrity impact, and Availability impact.

Read a CVSS 2 vector string

For CVSS 2, each section separated by a / in a vector string corresponds to one of the subcategories in the Base, Supplemental, Environmental, and Threat categories. Thus, a string such as this:

AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:UC

indicates that the Access Vector is Network, Access Complexity is High, Authentication is None, and that the Confidentiality Impact is Partial, Integrity Impact is Partial, and Availability Impact is Partial. It also indicates that Exploitability is Proof of concept code, Remediation Level is Official fix, and Report Confidence is Unconfirmed.

Note that since CVSS 2 was the first CVSS severity scoring standard, it is not appended with a version.

Exploitability metrics

Access vector (AV)

Local (AV:L): A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account. Examples of locally exploitable vulnerabilities are peripheral attacks such as Firewire/USB DMA attacks, and local privilege escalations (e.g., sudo).
Adjacent network (AV:A): A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software. Examples of local networks include local IP subnet, Bluetooth, IEEE 802.11, and local Ethernet segment.
Network (AV:N): A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed “remotely exploitable”. An example of a network attack is an RPC buffer overflow.

Access complexity (AC)

High (AC:H): Specialized access conditions exist. For example, in most configurations, the attacking party must already have elevated privileges or spoof additional systems in addition to the attacking system (e.g., DNS hijacking). The attack depends on social engineering methods that would be easily detected by knowledgeable people. For example, the victim must perform several suspicious or atypical actions. The vulnerable configuration is seen very rarely in practice. If a race condition exists, the window is very narrow.
Medium (AC:M): The access conditions are somewhat specialized; the following are examples: The attacking party is limited to a group of systems or users at some level of authorization, possibly untrusted. Some information must be gathered before a successful attack can be launched. The affected configuration is non-default, and is not commonly configured (e.g., a vulnerability present when a server performs user account authentication via a specific scheme, but not present for another authentication scheme). The attack requires a small amount of social engineering that might occasionally fool cautious users (e.g., phishing attacks that modify a web browser’s status bar to show a false link, having to be on someone’s “buddy” list before sending an IM exploit).
Low (AC:L): Specialized access conditions or extenuating circumstances do not exist. The following are examples: The affected product typically requires access to a wide range of systems and users, possibly anonymous and untrusted (e.g., Internet-facing web or mail server). The affected configuration is default or ubiquitous. The attack can be performed manually and requires little skill or additional information gathering. The 'race condition' is a lazy one (i.e., it is technically a race but easily winnable).

Authentication (Au)

Multiple (Au:M): Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time. An example is an attacker authenticating to an operating system in addition to providing credentials to access an application hosted on that system.
Single (Au:S): One instance of authentication is required to access and exploit the vulnerability.
None (Au:N): Authentication is not required to access and exploit the vulnerability.

Impact metrics

Confidentiality impact (C)

None (C:N): There is no impact to the confidentiality of the system.
Partial (C:P): There is considerable informational disclosure. Access to some system files is possible, but the attacker does not have control over what is obtained, or the scope of the loss is constrained. An example is a vulnerability that divulges only certain tables in a database.
Complete (C:C): There is total information disclosure, resulting in all system files being revealed. The attacker is able to read all of the system's data (memory, files, etc.).

Integrity impact (I)

None (I:N): There is no impact to the integrity of the system.
Partial (I:P): Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited. For example, system or application files may be overwritten or modified, but either the attacker has no control over which files are affected or the attacker can modify files within only a limited context or scope.
Complete (I:C): There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised. The attacker is able to modify any files on the target system.

Availability impact (A)

None (A:N): There is no impact to the availability of the system.
Partial (A:P): There is reduced performance or interruptions in resource availability. An example is a network-based flood attack that permits a limited number of successful connections to an Internet service.
Complete (A:C): There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.

CVSS 2: Temporal score

The threat posed by a vulnerability may change over time. Three such factors that CVSS captures are: confirmation of the technical details of a vulnerability, the remediation status of the vulnerability, and the availability of exploit code or techniques. Since temporal metrics are optional they each include a metric value that has no effect on the score. This value is used when the user feels the particular metric does not apply and wishes to "skip over" it.

Exploitability (E)

Not defined (E:ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
Unproven that exploit exists (E:U): No exploit code is available, or an exploit is entirely theoretical.
Proof-of-Concept code (E:POC): Proof-of-concept exploit code or an attack demonstration that is not practical for most systems is available. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker.
Functional exploit exists (E:F): Functional exploit code is available. The code works in most situations where the vulnerability exists.
High (E:H): Either the vulnerability is exploitable by functional mobile autonomous code, or no exploit is required (manual trigger) and details are widely available. The code works in every situation, or is actively being delivered via a mobile autonomous agent (such as a worm or virus).

Remediation level (RL)

Not defined (RL:ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
Official fix (RL:OF): A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.
Temporary fix (RL:TF): There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.
Workaround (RL:W): There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability.
Unavailable (RL:U): There is either no solution available or it is impossible to apply.

Report confidence (RC)

Not defined (RC:ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
Unconfirmed (RC:UC): There is a single unconfirmed source or possibly multiple conflicting reports. There is little confidence in the validity of the reports. An example is a rumor that surfaces from the hacker underground.
Uncorroborated (RC:UR): There are multiple non-official sources, possibly including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity.
Confirmed (RC:C): The vulnerability has been acknowledged by the vendor or author of the affected technology. The vulnerability may also be "Confirmed: when its existence is confirmed from an external event such as publication of functional or proof-of-concept exploit code or widespread exploitation.

CVSS 2: Environmental score

Different environments can have an immense bearing on the risk that a vulnerability poses to an organization and its stakeholders. The CVSS environmental metric group captures the characteristics of a vulnerability that are associated with a user's IT environment. Since environmental metrics are optional they each include a metric value that has no effect on the score. This value is used when the user feels the particular metric does not apply and wishes to 'skip over' it.

CVSS environmental score is divided into General modifiers and Impact subscore modifiers. General modifers include Collateral damage potential and Target distribution, while Impact subscore modifiers include Confidentiality requirement, Integrity requirement, and Availability requirement.

General modifiers

Collateral damage potential (CDP)

Not defined (CDP:ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
None (CDP:N): There is no potential for loss of life, physical assets, productivity or revenue.
Low (light loss) (CPD:L): A successful exploit of this vulnerability may result in slight physical or property damage. Or, there may be a slight loss of revenue or productivity to the organization.
Low-Medium (CDP:LM): A successful exploit of this vulnerability may result in moderate physical or property damage. Or, there may be a moderate loss of revenue or productivity to the organization.
Medium-High (CDP:MH): A successful exploit of this vulnerability may result in significant physical or property damage or loss. Or, there may be a significant loss of revenue or productivity.
High (catastrophic loss) (CDP:H): A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. Or, there may be a catastrophic loss of revenue or productivity.

Target distribution (TD)

Not defined (CDP:ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
None [0%] (TD:N): No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk.
Low [0-25%] (TD:L): Targets exist inside the environment, but on a small scale. Between 1% - 25% of the total environment is at risk.
Medium [26-75%] (TD:M): Targets exist inside the environment, but on a medium scale. Between 26% - 75% of the total environment is at risk.
High [76-100%] (TD:H): Targets exist inside the environment on a considerable scale. Between 76% - 100% of the total environment is considered at risk.

Impact subscore modifiers

Confidentiality requirement (CR)

Not defined (CR:ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
Low (CR:L): Loss of Confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Medium (CR:M): Loss of Confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
High (CR:H): Loss of Confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

Integrity requirement (IR)

Not defined (IR:ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
Low (IR:L): Loss of Integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Medium (IR:M): Loss of Integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
High (IR:H): Loss of Integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

Availability requirement (AR)

Not defined (AR:ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
Low (AR:L): Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Medium (AR:M): Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
High (AR:H): Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

Changelog

Versioning schema

In order to get new features to you as quickly as possible, if you are tracking versions in QMS, note that we currently have a web UI version and a core infrastructure version. Versions are depicted with web UI version first, followed by core infrastructure version, e.g., v3.2.0 | 2.71.1

How can I see my Helm versioning?

Click Help > About in the sidebar to view version information.

v4.2.38 | 2.93.7

Mar 31, 2025

Summary

Added CVSS score persistence for consistent vulnerability assessment
Bug fix

Added CVSS score persistence for consistent vulnerability assessment

We've implemented a system to maintain the original CVSS v2 and v3 severity scores assigned by the NVD, even when these scores are later removed from the NVD feed. This enhancement provides several benefits:

Maintains consistent vulnerability severity ratings over time
Prevents vulnerability assessments from unexpectedly changing due to NVD data updates
Ensures historical vulnerability records remain intact with their original severity classifications
Provides more stable reporting for compliance and audit purposes

Originally assigned CVSS v2 and v3 scores are retained in our database and continue to be displayed in the vulnerability information, even when they no longer appear in the latest NVD feed.

Bug fix

Fixed issue where vulnerabilities were not showing up for SBOM component that was matched to an alias via the Rules manager.

v4.2.38 | 2.93.5

Mar 24, 2025

Summary

Added new alias rules manager
Distribute SBOM processing across all organizations
Added automatic cancellation of SBOM processing when archiving product versions
Bug fixes

Added new alias rules manager

We’ve replaced our previous aliases feature with a comprehensive new alias rules manager that transforms how you match components to known software in the NVD. Key improvements:

Centralized rule management: Manage both alias rules and EOS/EOL rules from a single location.
Enhanced matching capabilities: Set robust matching conditions across Component name, Supplier, CPE, PURL, and Version.
Transparent matching process: Enhanced Manage match panel shows how components were matched and the impact of modifications.
Intelligent automation: Automatically scans and applies rules to both existing and future SBOMs.
Impact visibility: See affected products, versions, and components before making changes.
Better decision support: View vulnerability counts, known versions, CPEs, PURLs, and references for potential matches.
Conflict handling: Built-in detection prevents rule conflicts.
User guidance: Clear next steps and impact information throughout the matching workflow.
Prioritized badge display: When a component matches via an alias rule, the ALIAS badge will display first, even if the match is also associated with additional sources such as a package manager or NVD.

Components must be matched to known software in the NVD to view vulnerabilities, making this enhancement critical for effective vulnerability management. Alias rules respect manual matches and won’t override user decisions. All current active aliases have been migrated to the new rules manager. This enhancement also lays the foundation for future global aliases functionality, which will simplify software matching across multiple organizations.

Distributed SBOM processing across all organizations

SBOM processing is now distributed across all user organizations. This improvement ensures that large customer SBOMs won’t block processing for other customers, resulting in faster and more reliable processing for everyone.

Bug fixes:

Fixed issue with FDA SBOM export where End of Support (EOS) and End of Life (EOL) data were incorrectly switched
Added automatic cancellation of SBOM processing when archiving product versions. This prevents potential bugs that could occur when unarchiving versions that had SBOM files that had not completed processing.
Fixed issue where product list was not displaying properly on initial page load.

v4.2.33 | 2.91.1

Mar 3, 2025

Summary

Added original SBOM file name column to Products page
Added columns for original component name and supplier to Products page
Support for importing and exporting Windows KB patch info to CycloneDX
Bug fixes

Added original SBOM file name column to Products page

Added Original file name column, showing the originating SBOM file name, to the Products page. This feature allows you to identify which SBOM a particular component was uploaded from, especially useful when consolidating multiple SBOMs for a product version. It enables teams to quickly prioritize and assign vulnerability remediation tasks to the appropriate team members. To show this column in your view, click the Columns link at the top of the table, then enable the Original file name column.

Displays original component data on Products page

The Component name, Version, and Supplier columns on the Products page now display the original values from your SBOM, rather than the enriched data Helm uses to enhance match accuracy. The enriched information remains accessible in the Manage component panel under Matched dependency name, Matched dependency version, and Matched dependency supplier. This update enhances transparency and precision in component identification.

Support for importing and exporting Windows KB patch info to CycloneDX

Bug fixes

Fixed customer issue wherein a component name and supplier matched two different known software components, which should have resulted in a Select match state, for the user to choose the correct match. In this example, Debian Linux was erroneously associated with Progeny and could not be modified.
Fixed a problem where previously matched components, when rematched to other known software, did not update their Enriched PURL and/or Enriched CPE fields accordingly.

v4.2.30 | 2.89.2

Feb 21, 2024

Summary

Added Microsoft Azure DevOps extension for Helm

Added Microsoft Azure DevOps extension for helm

v4.2.30 | 2.89.2

Feb 19, 2025

Summary

Support for exporting EOS/EOL data to CycloneDX
Support for processing non-compliant SPDX SBOMs
Enable reloading of components in any state
Bug fixes and performance improvements

Support for exporting EOS/EOL data to CycloneDX

Support for processing non-compliant SPDX SBOMs

Our system now. processes SPDX SBOMs that do not fully adhere to the SPDX specification. This improvement increases compatibility with a wider range of SBOMs, ensuring more comprehensive analysis and integration.

Enable reloading of components in any match state

You can now reload components -- regardless of their match status — by selecting Actions > ... > Reload component. This functionality applies to components matched in the NVD or a package manager. Previously, reloading was limited to unmatched components or those in an error state.

Bug fixes and performance improvements

Improved load performance of the vulnerabilities list, resulting in faster data retrieval and display.
Enhanced AI-driven CVE identification for more accurate and timely vulnerability detection.
Fixed customer issue wherein modifying component metadata, such as version, that had either Level of support or EOS/EOL field already populated would not save updates correctly.

v4.2.30 | 2.89.2

Feb 19, 2025

Summary

Support for exporting EOS/EOL data to CycloneDX
Support for processing non-compliant SPDX SBOMs
Enable reloading of components in any state
Bug fixes and performance improvements

Support for exporting EOS/EOL data to CycloneDX

Support for processing non-compliant SPDX SBOMs

Our system now processes Software Package Data Exchange (SPDX) SBOMs that do not fully adhere to the SPDX specification. This improvement increases compatibility with a wider range of SBOMs, ensuring more comprehensive analysis and integration.

Enable reloading of components in any match state

You can now reload components regardless of their match status by selecting Actions > ... > Reload component. This functionality applies to components matched to the NVD or a package manager. Previously, reloading was limited to unmatched components or those in an error state.

Bug fixes and performance improvements

Improved load performance of the vulnerabilities list, resulting in faster data retrieval and display.
Enhanced AI-driven CVE identification for more accurate and timely vulnerability detection.
Fixed customer issue wherein modifying component metadata, such as version, that had either Level of support or EOS/EOL field already populated would not save updates correctly.

v4.2.30 | 2.88.2

Jan 28, 2025

Summary

Bug fixes and UI improvements

Bug fixes and UI improvements

Fixed the issue where the CSV export displayed an incorrect EOS time.
FIxed the issue where multiple vulnerability digest emails were sent erroneously.
Fixed the issue where EOL/EOS data was rejected during SBOM upload if it contained a single quote (').
Added filter persistence so that applied filters are retained when switching between products and product versions. To ensure users understand when filters are still applied, added a blue circle indicator next to Filters.
Fixed an issue in the VEX Status Remediation field where selecting one field option would automatically select similar strings (e.g., Affected/Unaffected).

v4.2.23 | 2.87.0

v4.2.38 | 2.93.5

Mar 24, 2025

Summary

Added new alias rules manager
Distributed SBOM processing across all organizations
Enhanced matching process
Bug fixes

Added new alias rules manager

We've replaced our previous aliases feature with a comprehensive new Alias rules manager that transforms how you match components to known software in the NVD.

Key improvements:

Centralized rule management: Manage both alias rules and EOS/EOL rules from a single location
Enhanced matching capabilities: Set robust matching conditions across Component name, Supplier, CPE, PURL, and Version
Transparent matching process: Enhanced Manage match panel shows how components were matched and the impact of modifications
Intelligent automation: Automatically scans and applies rules to both existing and future SBOMs
Impact visibility: See affected products, versions, and components before making changes
Better decision support: View vulnerability counts, known versions, CPEs, PURLs, and references for potential matches
Conflict handling: Built-in detection prevents rule conflicts
User guidance: Clear next steps and impact information throughout the matching workflow
Prioritized badge display: When a component matches via an alias rule, the ALIAS badge will display first, even if the match is also associated with additional sources such as a package manager or NVD

This enhancement also lays the foundation for future global aliases functionality, which will simplify software matching across multiple organizations.

Distributed SBOM processing across all organizations

SBOM processing is now distributed across all user organizations. This improvement ensures that large customer SBOMs won't block processing for other customers, resulting in faster and more reliable processing for everyone.

Bug fixes

Fixed issue with FDA SBOM export where End of Support (EOS) and End of Life (EOL) data were incorrectly switched
Added automatic cancellation of SBOM processing when archiving product versions. This prevents potential bugs that could occur when unarchiving versions that had incomplete processing.
Fixed issue where product list was not displaying properly on initial page load.

v4.2.33 | 2.91.1

Mar 3, 2025

Summary

Added original SBOM file name column to Products page
Added columns for original component name and supplier to Products page
Support for importing and exporting Windows KB patch info to CycloneDX
Bug fixes

Added original SBOM file name column to Products page

Displays original component data on Products page

Support for importing and exporting Windows KB patch info to CycloneDX

Bug fixes

Fixed customer issue wherein a component name and supplier matched two different known software components, which should have resulted in a Select match state, for the user to choose the correct match. In this example, Debian Linux was erroneously associated with Progeny and could not be modified.
Fixed a problem where previously matched components, when rematched to other known software, did not update their Enriched PURL and/or Enriched CPE fields accordingly.

v4.2.30 | 2.89.2

Feb 21, 2024

Summary

Added Microsoft Azure DevOps extension for Helm

Added Microsoft Azure DevOps extension for helm

v4.2.30 | 2.89.2

Feb 19, 2025

Summary

Support for exporting EOS/EOL data to CycloneDX
Support for processing non-compliant SPDX SBOMs
Enable reloading of components in any state
Bug fixes and performance improvements

Support for exporting EOS/EOL data to CycloneDX

Support for processing non-compliant SPDX SBOMs

Enable reloading of components in any match state

Bug fixes and performance improvements

Improved load performance of the vulnerabilities list, resulting in faster data retrieval and display.
Enhanced AI-driven CVE identification for more accurate and timely vulnerability detection.
Fixed customer issue wherein modifying component metadata, such as version, that had either Level of support or EOS/EOL field already populated would not save updates correctly.

v4.2.30 | 2.89.2

Feb 19, 2025

Summary

Support for exporting EOS/EOL data to CycloneDX
Support for processing non-compliant SPDX SBOMs
Enable reloading of components in any state
Bug fixes and performance improvements

Support for exporting EOS/EOL data to CycloneDX

Support for processing non-compliant SPDX SBOMs

Enable reloading of components in any match state

Bug fixes and performance improvements

Improved load performance of the vulnerabilities list, resulting in faster data retrieval and display.
Enhanced AI-driven CVE identification for more accurate and timely vulnerability detection.
Fixed customer issue wherein modifying component metadata, such as version, that had either Level of support or EOS/EOL field already populated would not save updates correctly.

v4.2.30 | 2.88.2

Jan 28, 2025

Summary

Bug fixes and UI improvements

Bug fixes and UI improvements

Fixed the issue where the CSV export displayed an incorrect EOS time.
FIxed the issue where multiple vulnerability digest emails were sent erroneously.
Fixed the issue where EOL/EOS data was rejected during SBOM upload if it contained a single quote (').
Added filter persistence so that applied filters are retained when switching between products and product versions. To ensure users understand when filters are still applied, added a blue circle indicator next to Filters.
Fixed an issue in the VEX Status Remediation field where selecting one field option would automatically select similar strings (e.g., Affected/Unaffected).

v4.2.23 | 2.87.0

Jan 9, 2025

Summary

Bug fixes and UI improvements

Bug fixes and UI improvements

Fixed issue where hovering on indicator that a Windows vulnerability had been patched would cause a 504 error. This was an RBAC issue that occurred if the user had edit access on SBOM and vulnerabilities, but not for users with view-only permissions for both.
Fixed issue in the Lifecycle details section of Add component detail where the Date/Text drop-down was not populating.
Removed "undefined" placeholder values from blank form fields in Add component panel.
Fixed issue where the component review status history was not displaying in the Manage component panel.
Fixed Upcoming and Expired EOS/EOL filters to accurately return search results.

v4.2.22 | 2.87.0

Jan 7, 2025

Summary

Bug fixes and UI improvements

Bug fixes and UI improvements

Fixed issue where switching to view mode for Rule manager was prompting to save when there hadn't been any changes made.
Fine-tuned UI and user experience

v4.2.18 | 2.87.0

Dec 19, 2024

Summary

Identify and prioritize risk by Attack Vector (AV) and other CVSS metrics
Bug fixes and UI improvements

Bulk remediate vulnerabilities

Identify and prioritize risk by Attack Vector (AV) and other CVSS metrics

Click the Columns link at the top of the Vulnerabilities table to enable the new Attack vector and other CVSS v3 metric columns.

Enhanced vulnerability filtering

We’re continuing to enhance our filtering mechanism and have added the oft-requested ability to drill down on component information and attack vector from the vulnerabilities table, as well as other CVSS v3 metrics. Stay tuned for more filtering updates soon!

Bug fixes and UI improvements

Fixed scrollbar issue for new filter drop-down panels for vulnerabilities and components
Adjusted lifecycle date filters to have past and future dates in months
Fixed saving logic for Manage component panel
Fixed toasts that display if Lifecycle details section is modified
Added banner to Manage component panel to indicate if a rule is already applied. If you have unsaved changes when you click the Rules manager link in this banner, it will prompt you to save or discard changes.

v4.2.16 | 2.87.0

Dec 13, 2024

Summary

View and manage level of support and EOS/EOL data for all components
Specify lifecycle details for each component
Enhanced component filtering
Export lifecycle information to FDA SBOM or CSV SBOM
Bug fixes and UI improvements

Identify and prioritize components nearing EOS/EOL

We’ve added columns for Level of support and EOS/EOL to the components table, as well as providing color-coded badges to let you know what’s currently actively supported and what’s nearing or has passed its support or maintenance date. We’ve also begun ingesting lifecycle information from our partner, Tidelift, as well as the endoflife.date site, and will likely provide some automation for this in an upcoming release.

Specify lifecycle details for each component

You can specify Level of support and EOS/EOL information in a date or text format for each component in the new Lifecycle details section of the component details panel. You can then set component rules to apply this information across all products, so you only have to do this once!

Set rules to apply component lifecycle information across all products

Export lifecycle information to FDA SBOM or CSV SBOM

Enhanced component filtering

To enable you to quickly find what you need, we’ve enhanced our filtering mechanism and added lifecycle management filters. You can now filter components on Level of support and EOS/EOL information to ensure you understand which are supported and which are nearing end-of-life, enabling you to prioritize upgrades in critical areas. Stay tuned for more filtering updates soon!

Bug fixes and other improvements:

All CycloneDX remediation justification values should now be accurately exported in your FDA SBOM report.
All products should now display accurately on the components page.
Global search improvements
- Fixed issue wherein components from archived products were being returned in the global search.
- Global search results table display now extends to the bottom of the page.

Thank you!

v4.2.4 | 2.85.0

November 21, 2024

Summary

Automatically generate component license information
Encode pURLs with spaces during exports
Import and export component hashes
Filter on CISA KEV and remediation through our API
Updated terminology from Vendor to Supplier in SBOM CSV export

Automatically generate component license information

You can now have Helm automatically add license information for your components. For any component that you want to enrich with license information, click Actions > Reload component. Note that reloading will discard any metadata you may have added to this component, such as review information, and will re-identify associated vulnerabilities, so you may see some discrepancy in your number of vulnerabilities for that component. This reduces your manual effort of tracking down licensing information, ensuring you have the latest license information available from our data sources.

Encode pURLs with spaces during exports

If your SBOM has a Package URL (pURL) that contains spaces, we'll now automatically encode those when exporting. This ensures compatibility with third-party tools and eliminates issues caused by improperly formatted pURLs.

Import and export component hashes

You can now import and export component hashes in your SBOMs, and can export them in any SBOM format, as well as our FDA SBOM, improving validation and tracking of SBOM component integrity across products.

Filter on CISA KEV and remediation through our API

You can now filter vulnerabilities that are the CISA KEV list or based on their remediation via our Helm API, making it easier than ever for you to identify and prioritize high-impact vulnerabilities.

Updated terminology from Vendor to Supplier in SBOM CSV export

To align with industry standards, the SBOM CSV export now labels the Vendor column as Supplier. This terminology update improves consistency and clarity.

v4.2.4 | 2.83.0

November 7, 2024

Summary

Export EOS/EOL data to FDA SBOM report
Enhanced CPE parsing and matching
Added ability to filter components by licenses
Re-added match and review information to component details
Bug fixes and performance enhancements

Export EOS/EOL data to FDA SBOM report

If you have uploaded an SBOM that contains end-of-support (EOS) or end-of-life (EOL) data, this information will be automatically populated in your FDA SBOM report. We're in the process of adding the ability to manually add EOS/EOL info, so stay tuned!

Enhanced CPE parsing and matching

We've enhanced CPE parsing to enable the matching of incomplete CPEs to components. Although a CPE has 13 segments, not all CPEs contain all of those segments, thus Helm will now interpret CPEs that have at least 5 of the expected segments, filling in missing segments with a wildcard (*).
We've enhanced CPE enrichment to enable component matching even in scenarios where the components have the scenario wherein CPEs have multiple vendors.

Added ability to filter components by licenses

You can now filter your components by license, including those with specific licenses, no license, or unknown license status. This filtering capability helps quickly identify and mitigate license-related risks, such as copyleft licenses or unknown license statuses that may impact IP.

Re-added match and review information to component details

The match and review details have been re-added to the component details panel to help you quickly access key information.

Bug fixes and performance enhancements

Resolved intermittent failure of large CycloneDX and SPDX SBOMs due to timeouts.
Improved load time of vulnerability and component pages.
Fixed display issue with rescored CVSS vector strings, ensuring accurate low, high, and none values.

v4.1.4 | 2.82.0

October 4, 2024

Summary

Enhanced component panel
License management is now available!
Customize your FDA SBOM export
Bug fixes, UX enhancements, and help updates

Enhanced component panel

Manage your components more easily with our unified details panel, providing a comprehensive view of each component. You can now quickly scan information in view mode, then switch to edit mode if you need to make any modifications.

License management is now available!

Customize your FDA SBOM export

We've just made our expert FDA SBOM even better! When exporting your FDA SBOM, you can now include CycloneDX and VEX vulnerability remediation analysis, as well as review information for components. These enhancements will help ensure you're ready for your FDA submission. Thank you to our customers for highlighting their need to include review statuses and notes! We very much appreciate your insights and expertise in continuing to enhance your SBOM vulnerability management and streamline your FDA submission process!

Bug fixes, UI enhancements, and help updates

Bug fixes:

Fixed the date filter on the Vulnerabilities page such that the start date is now midnight and end date is 11:59:59 pm. This fixes both the date range presets as well as the timeframes covered in the new vulnerability emails.

UI enhancements

Improved component matching to handle component names prepended with special characters, such as "@".
Updated component lists to show all components, even when they match the same NVD product and version. Your SBOM export will also include this higher level of specificity.

Help updates: To quickly get you up to speed on these new updates, we've added or extensively revised the following topics:

v4.1.3 | 2.81.1

September 24, 2024

Summary

Implemented human-readable URL parameters
Bug fixes and performance enhancements

Implemented human-readable URL parameters

We've implemented human-readable URL parameters across the entire UI, which now reference unique IDs of products, product versions, components, and vulnerabilities, as well as applied filters and searches, and more. You'll also see this improvement when you sign in to Helm from new vulnerability emails you receive. This deep linking enables you to more easily share information. These enhancements prepare Helm for upcoming features like breadcrumb navigation and expanded bulk actions, beginning with bulk remediation.

Bug fixes and performance enhancements

Resolved a performance issue to enable Helm to handle large volumes of vulnerabilities, minimizing timeouts and unexpected errors.
Fixed issue wherein some SPDX exports were failing under specific conditions, particularly with larger SBOMs.
Enhanced SBOM component rescanning and matching, improving reliability when the initial scanning process fails during an SBOM upload or when the component is manually added.

v4.0.46 | 2.80.4

September 9, 2024

Summary

Enhanced matching for Linux packages

Enhanced matching for Linux packages

We’re excited to announce a major improvement to our Linux package matching process, increasing efficiency by reducing manual work for users.

Previously, some Linux packages without identifiers in SBOMs were challenging to match. After collaborating with customers to address this issue, we’ve just released a solution that delivers a 29% improvement in matching accuracy.

As shown in the graph below, you can see a significant reduction in unmatched components and a clear increase in matched components after applying this enhancement. This means fewer manual interventions and more streamlined package management.

v4.0.46 | 2.79.2

August 30, 2024

Summary

Helm's new design system is live: Work smarter and stay focused
Multi-task and remediate risk faster across multiple Helm tabs
Help updates

Helm’s new design system is live: work smarter & stay focused

We’re thrilled to announce that Helm’s new design system is now live! 🎉

When you next sign in to Helm, you’ll notice a refreshed look-and-feel to enhance your experience and streamline your workflow. Here’s a quick overview of what you’ll see:

Light and dark themes: Choose between our newly updated dark theme or our brand-new light theme. To switch themes, click the sun/moon icon in the main navigation bar.
More intuitive badges and colors: We’ve standardized and enhanced our badges and color schemes for quicker component matching and vulnerability prioritization.
Enhanced UI elements: Enjoy a cleaner and more intuitive interface with refined controls, error handling, and new icons to improve navigation and usability.
Customizable data display: Take control of how you view and interact with data. You can now adjust table column visibility, perform multi-sorts, and choose your preferred display density.
Contextual actions: Easily access additional information or perform actions directly from tables by clicking on cell values.

Customizable data display

Our new design offers even more flexibility in how you view and manage your data:

Content refresh setting: Take charge of your data updates by setting auto-refresh intervals or turning it off entirely. You can also refresh manually refresh.
Pagination: Navigate large datasets with ease using our new pagination feature, ensuring you don’t lose your place.
Customizable columns: Tailor your tables to display exactly what you need. Use the Columns link to show or hide specific columns and hover over column headers to drag and drop them into your preferred order with the … icon.
Multi-column sorting: Focus on what’s important by applying complex sorts across multiple columns. Access this feature through the Sort fields link at the top of each table.
Flexible display density: Optimize your view by selecting a compact or expanded display mode and adjusting the number of rows per page to suit your preferences.
Advanced date picker: Gain precise control over date filtering with options for absolute/relative dates, custom ranges, and multi-month views.

Multi-task and remediate risk faster across multiple Helm tabs

If you’ve tried to have multiple Helm tabs open, you may have found yourself signed out. Great news! You can now work in Helm across multiple browser tabs.

Help updates

As part of our new design system, we've completely revised several related topics to help you match components and remediate vulnerabilities faster:

Assess match suggestions

v3.6.34 | 2.79.2

August 13, 2024

Summary

Automated enrichment of missing CPEs and PURLs
Automated enrichment of missing licenses for open-source components

Automated enrichment of missing CPEs and PURLs

During the component matching process, if a component in your SBOM does not have a CPE or PURL (not ingested or manually added), Helm's AI copilot will now automatically generate and assign the appropriate enriched CPE or PURL to that component. You can view any Enriched CPE or Enriched PURL in the component details. This information will be included see this information in the components table in now export this enriched info for any FDA reports that include SBOM components, including your enriched SBOM, FDA SBOM, or VDR report.

Auto-enrich open-source components with missing licenses

For your open-source SBOM components that have PURLs, but do not have licenses identified yet, Helm will check whether those components have licenses. If so, Helm will automatically enrich those components with that license information. Helm will not change the license information for any components that already have one or more licenses identified. This information will be included in any FDA reports that include SBOM components, including your enriched SBOM, FDA SBOM, or VDR report. As mentioned in our last release, we are in the process of adding this functionality to the UI, and you will soon be able to view, edit, and track software licenses across your supply chain.

v3.6.34 | 2.78.0

July 15, 2024

Summary

Export license information in SBOM
Bug fixes

Export license information in FDA reports

You can now export license information for any FDA reports that include SBOM components, including your original or enriched SBOM, your FDA SBOM, or your VDR report. We are in the process of adding this functionality to the UI, and you will soon be able to view, edit, and track software licenses across your supply chain.

Bug fixes

Fixed issue where CPE or PURL information would not display in some instances

v3.6.34 | 2.77.0

June 21, 2024

Summary

Added remediation evidence to vuln export
Enhanced severity filtering
Ingest CycloneDX SBOM entries that have an empty or omitted Type field
Ignore vendors set to OpenEmbedded() in SPDX SBOMs generated with Yocto Linux
Bug fixes and UX improvements

Added remediation evidence to vulnerability export

We've enhanced our vulnerability export functionality to include remediation evidence for each vulnerability. This provides a clearer picture of the actions taken to address vulnerabilities, enabling you to more easily demonstrate compliance and the remediation steps taken or planned to secure your products.

Enhanced severity filtering

We've refined vulnerability severity filtering to prioritize rescores over base scores. This ensures that you can better prioritize vulnerabilities based on their actual risk, helping you focus on the most exploitable issues first.

Ingest CycloneDX SBOM entries that have an empty or omitted Type field

We now support the ingestion of CycloneDX SBOM entries that have an empty or omitted Type field.

Ignore vendors set to OpenEmbedded() in SPDX SBOMs generated with Yocto Linux

If you are generating your SPDX SBOM using Yocto on Linux, it will often generate OpenEmbedded() as a vendor, which is not helpful for matching purposes. We will now ignore this value, maintaining a cleaner and more relevant database.

Bug fixes and UX improvements

Fixed exporting CVSS scores in VEX and VDR reports for SBOM entries that do not have a CVSS score. Our exports now reflect a blank score field instead of the previous default of -1.0 when a CVSS score is not available.
Enhanced new vulnerability email subject to handle edge cases, including ensuring that vulnerability emails are sent on the expected day, regardless of time zone.

v3.6.32 | 2.76.0

June 6, 2024

Summary

Automatic enrichment of CVE vulnerabilities with CPEs
Automatically create product versions and upload SBOMs with our GitHub action
Enhanced information in vulnerability emails
Fixes for SPDX SBOM upload failures
Support for SPDX SBOMs with NOASSERTION in supplier field
Added CycloneDX and VEX remediation status filters
Added Source column for vulnerabilities
Support for .zst SBOMs generated by Yocto on Linux
Bug fixes and UX improvements

Automatic enrichment of CVE vulnerabilities with CPEs

Our advanced Large Language Model (LLM) now enriches vulnerability data from the National Vulnerability Database (NVD), which has not kept pace with CPE and other data enrichment for the past six months, leaving those of us in the cybersecurity space in a bit of a quandary.

Automatically create product versions and upload SBOMs with our GitHub action

You can easily integrate Helm into your CI/CD process to streamline and automate the process of creating product versions and uploading SBOMs to Helm. You can either use our GitHub action independently or integrate it into your existing GitHub action workflow, enabling you to maintain comprehensive and up-to-date documentation of your product's components, dependencies, and vulnerabilities with minimal effort.

Enhanced information in vulnerability emails

If you're one of the cybersecurity experts who doesn't have any new vulnerabilities for the day/week/month cycle, congratulations! These updates include handling the scenario of zero new vulnerabilities and providing clearer details on the period covered by each email.

Fixes for SPDX SBOM upload failures

We've made a number of back-end improvements to help ensure that your SPDX SBOMs upload successfully.

Support for SPDX SBOM files with supplier set to NOASSERTION

We now treat suppliers set to NOASSERTION in SPDX SBOM files as undefined when importing this information into Helm, thus the Supplier column for that vulnerability will show as a blank.

Added CycloneDX and VEX remediation status filters

Added Source column for vulnerabilities

Support for .zst SBOMs

Helm now supports SPDX SBOMs that are in .zst compressed files, which are automatically created when using Yocto Linux native SBOM generation capabilities."

Bug fixes & UX/docs improvements

Fixed issues with multiple toast notifications for some SBOM uploads

v3.6.17 | 2.75.2

May 13, 2024

Summary

Auto-update vulnerability temporal metrics across product version
Enhanced omponent matching for fewer unmatched components
Purl and cpe id’s now considered in sbom entry uniqueness
Enhanced CycloneDX SBOM and VDR reports with bom-refs for unmatched components
Performance improvements on SBOM page loading
Enhanced CycloneDX VEX and VDR reports with vulnerability rescores
New sign in page
Bug fixes and UX improvements

Auto-update vulnerability temporal metrics across product version

Let us take some of the load of managing vulnerabilities off of you! When you create or modify a rescoring profile for product version, you can set all V3 vulnerabilities for that version to automatically rescore with any changes to their temporal score metrics coming from the NVD. This enhancement streamlines your vulnerability management process, ensuring that temporal scores reflect the most up-to-date information, saving you time spent manually monitoring and updating this information, thereby reducing the risk of missing critical updates, so you can ensure you're focusing on the vulnerabilities that matter most.

Auto-update vulnerability temporal scores

You can also set individual vulnerabilities to automatically update their temporal scores based on NVD data refreshes. This timesaving feature ensures your vulnerability information stays current with minimal manual effort.

Enhanced component matching for fewer unmatched components

We've improved our component matching algorithm to better handle scenarios where a vendor of an unknown component doesn't directly match known software. We will now automatically match unknown components that have CPE and PURL matches, but have an incorrect supplier. Previously, these components were initially marked with a Not found in NVD status, but could actually be resolved to the correct component via our match suggestions. Helm now identifies the corresponding known software, which will either be uniquely identified or will have a Multiple matches status (if there are still multiple possibilities). Our enhanced matching process should result in fewer unmatched components, thus ensuring more accurate and efficient component resolution.

Enhanced determination of component uniqueness

We have added CPE and PURL IDs when determining if an SBOM component is unique or is a duplicate.

Enhanced CycloneDX SBOM and VDR reports with bom-refs for unmatched components

In response to feedback, we've added the CycloneDX bom-ref parameter to all components in your SBOM export, enabling you to point each vulnerability back to a component, regardless of whether it is matched to known software. Initially, the bom-ref only displayed for matched components. For any unknown (unmatched or not uniquely matched) software, this will be the unique ID that was generated for that SBOM component when it was added to Helm. This will now be in your SBOM or VDR report.

Performance improvements on SBOM page loading

We've made a number of coding and query improvements to load SBOMs more quickly, which may also improve load time for your vulnerabilities.

Enhanced CycloneDX VEX and VDR reports with vulnerability rescores

If you've rescored your vulnerabilities either across a product version or individually, your CycloneDX VEX and VDR reports will now include vulnerability rescore information. This will now align with the Vulnerabilities report. You will now see a ratings section in your JSON file that will include a rating for any rescore on that vulnerability. For vulnerabilities rescored both at the product version level and individually, all associated scores will be included. While CVSS v2 scores remain static, they are also included in the ratings section to provide a comprehensive view. The source for all score data is set to Medcrypt Helm.

We've replaced our initial sign in page with a new look-and-feel. After clicking Sign in, you'll be prompted to enter your username and password on our authentication page.

v3.6.10 | 2.74.2

April 30, 2024

Summary

Rename products and versions
Enhanced granularity for CVSS score filtering
UX improvements

Rename products and versions

In response to customer feedback, we've added the ability for you to rename products and versions right from the product and version drop-downs on each page of Helm. Simply hover over the product or version in the respective drop-down to display the edit icon, then edit the product name or version.

Enhanced granularity for CVSS score filtering

We've improved the CVSS score filtering functionality to support floating-point values, allowing you to pinpoint vulnerabilities with greater precision. Now you can filter vulnerabilities using specific scores like 7.9, which will return everything from 7.9 to 10. This will enable you to precisely target and remediate vulnerabilities that fall within a more granular threshold.

UX improvements

Enhanced API key generation from the UI
Improved loading performance

v3.6.8 | 2.73.0

April 11, 2024

Summary

Enhanced support for large SBOMs
CycloneDX 1.5 support
Daily and monthly digests for new vulnerabilities
Bug fixes, UX and doc improvements

Enhanced support for large SBOMs

Our platform now let you upload SBOMs of up to 50MB in size. This significant enhancement enables organizations with larger software inventories to efficiently manage and analyze their software bill of materials within our platform.

CycloneDX 1.5 support

You can now upload your CycloneDX 1.5 SBOM to Helm. Any information in your file that is not currently supported in Helm will still be retained if you want to export either your original or enhanced SBOM.

Daily and monthly digests for new vulnerabilities

Bug fixes, UX, and doc improvements

Fixed issue where loading page status displayed on the Vulnerabilities table after sorting columns. The Vulnerabilities Detected/Updated field now sorts only by date detected and not by date updated.
Resolved caching issue where some components would not display when the SBOM page was filtered.
Adjusted permissions to allow non-admin users with SBOM and Vulnerability modification access to create rescore profiles for product versions.
Numerous UI improvements

v3.3.0 | 2.71.1

March 22, 2024

Summary

Processing modals
Bug fixes and UI improvements
New & updated docs

Processing modals

For larger SBOMs that can take longer to load, we've added a processing modal so you'll know when your upload is completed and whether it was successful. Similarly, we've added a processing modal for other operations that could take longer, including when you're rescoring a lot of vulnerabilities across an entire product version or if you've just added a component manually and we're attempting to automatically match it to known software in the NVD or package manager.

Bug fixes and UI improvements

We've improved performance when filtering your SBOM. We also fixed a bug where filters were not persisting if you copied a Helm URL that included a match status to another tab, or if you navigated from a filtered item from the global search results (Discover) page.

New & updated help docs

Since we're continually adding and enhancing great new features, we want to make sure you can take advantage of all the new functionality, so we'll let you know any important doc updates in this section.

Enhanced docs:

v3.2.0 | 2.71.1

March 14, 2024

Summary

Added VDR (Vulnerability Disclosure Report) report
Email notifications for new vulnerabilities
Support for CycloneDX XML SBOMs
Enhanced API documentation
Bug fixes and other improvements

VDR reports

As part of our continuous commitment to fulfill your FDA SBOM and cybersecurity vulnerability needs, we've added VDR (Vulnerability Disclosure Reports) to our suite of reports. Offering comprehensive insights into identified vulnerabilities, these reports equip you with proactive mitigation strategies, bolstering your defense against emerging threats.

Stay on top of new vulnerabilities

Support for CycloneDX XML SBOMs

Enhanced API documentation

Bug fixes and other improvements

We've made numerous enhancements to improve the UI and SBOM loading performance.

We'd love to hear your feedback!

v3.0.1 | 2.70.0

February 15, 2024

Summary

VEX reports
Improved vulnerability query performance

VEX reports

Stay tuned! As a part of our continuous commitment to fulfill your FDA SBOM and cybersecurity vulnerability needs, we will be adding VDR (Vulnerability Disclosure Reports) to our suite of reports soon. Offering detailed insights into identified vulnerabilities, VDR reports equip you with comprehensive understanding and proactive mitigation strategies, ensuring robust security posture against emerging threats.

v2.68.0 | 2.69.1

January 29, 2024

Summary

FDA-ready reports
Export SDPX SBOM
New About modal

FDA-ready reports

In our continuous commitment to fulfill your FDA SBOM and cybersecurity vulnerability needs, we will also be adding VDR (Vulnerability Disclosure Reports) and VEX (Vulnerability Exploitability eXchange) reports to our suite of reports soon. VDR reports provide detailed insights into identified vulnerabilities, providing a comprehensive understanding of vulnerability details, impact, and mitigation strategies to proactively respond to potential security threats. VEX reports focus on the exploitability of vulnerabilities, how easily they can be exploited, and their potential impact.

Export SPDX SBOM

You can now export your original or enhanced SPDX SBOM in JSON. For an enhanced SBOM, you can also include PURL and CPE info for any matches, as well as include all associated vulnerabilities.

You may have noticed that the bottom bar where your Helm version displays has been removed. Don’t worry, you can still get to your version from the sidebar > Help > About. This will launch an About modal, where you can see your current Helm version.

v2.66.1 | 2.66.1

January 4, 2024

Summary

Added ability to remediate vulnerabilities
Bug fixes, UI, and performance improvements

Remediate vulnerabilities

You can now remediate vulnerabilities to add granular status information, including tracking remediation changes and providing evidence for why changes were made. For each vulnerability, you can now set a CycloneDX 1.4 and/or CycloneDX 1.4 VEX status, or both. We're adding a more robust audit trail, and you can see the next step toward this in the Vulnerability details modal. You can see any interim statuses and notes you provided manually, as well as automatic tracking of any new remediation changes. If you set any interim statuses, the last one you set will now be reflected in that vulnerability's VEX status.

Bug fixes and other improvements

Fixed issue where a rescore profile would fail when rescoring large numbers of vulnerabilities
Several UI and experience improvements

v2.65.2 | 2.65.13

December 7, 2023

Summary

Rescore all vulnerabilities in a product version via rescore profiles
Rescore individual vulnerabilities
Support for SPDX SBOMs
Enhanced SBOM export now includes CPE and PURL data
New exploits and threats info, including EPSS and CISA KEV
Bug fixes and other improvements

Rescore all vulnerabilities in a product version via rescore profiles

You can create and apply rescore profiles to a product version based on your product's particular environment and usage, ensuring you're focusing on the most exploitable and impactful vulnerabilities. Any newly detected vulnerabilities for that product version will be automatically rescored with that profile.

Rescore individual vulnerabilities

You can now rescore the CVSS v3 score of any individual vulnerability associated with a particular product version so that it reflects your product's particular environment and usage. This will override any rescore profile already applied to the associated product version.

Support for SPDX SBOM format

You can now upload SPDX SBOM files, including those generated using Yocto on Linux. You can take all of your generated SPDX files, zip them using WinZip or gzip, then upload that zipped file to Helm. We'll do the rest!

Enhanced SBOM export now includes CPE and PURL data

When you upload your SBOM, we'll attempt to find exact matches in the NVD, as well as in supported package managers. If we find an exact CPE or PURL match in a package manager or if you manually specify the CPE and/or PURL for a component, you'll now be able to export an enhanced SBOM that includes CPE and PURL data.

Focus on the most exploitable vulnerabilities

You can now benefit from robust exploit and threat information from a variety of sources, including CISA KEV, ExploitDB, Metasploit, and Top 25 CWEs. You can also ensure that you're focusing on the most impactful and exploitable vulnerabilities via EPSS scores.

Bug fixes and other improvements

Improved performance when loading SBOM and vulnerability information
Improved onboarding to get you started or unstuck quickly. We now provide in-page guidance to help you upload an SBOM, view components for a particular product version, or expand your search criteria when there are no results. You'll see these in our SBOM, Vulnerabilities and Discover (Global search) pages.
Numerous user interface improvements

v2.62.6 | 2.62.6

November 2, 2023

Summary

Windows KB patch support
In-app status notifications
Performance and user experience improvements

Native support for Microsoft Windows KBs

Although a lot of medical devices run on Microsoft Windows operating systems, the NVD does not account for vulnerabilities having been patched by Windows KBs, making it very difficult to understand what vulnerabilities might still be impacting your device. You can now add KBs to your devices running a Windows OS, aligning your digital product version with your physical test device and thus ensuring that you have an accurate list of vulnerabilities that impact your Windows device.

In-app status notifications

You’ll now see in-app status notifications in the top-right corner to let you know that an action has been completed, such as uploading an SBOM or applying KBs to a product version.

Performance improvements and bug fixes

We’ve made significant performance improvements, as well as several enhancements to improve your user experience.

Let us know how we’re doing!

Get a V&V report

v2.60.1

November 2023

Summary

Allowing SBOMs that pass NTIA minimum requirements
Performance improvements and bug fixes

Allowing SBOMs that pass NTIA minimum requirements

We improved our capabilities to handle SBOMs that pass NTIA minimum requirements. If the SBOM you are uploading is an invalid CycloneDX SBOM, Helm will still accept it and process it for vulnerabilities.

Performance improvements and bug fixes

This release has improvements to performance and a few bug fixes on the dashboard page.

v2.59.2

November 2023

Summary

Performance improvements and bug fixes
Online help documentation added

Performance improvements and bug fixes

This release has a lot of improvements to performance and a few bug fixes. You should be having a faster, more responsive experience.

Online help documentation added

v2.57.3

November 2023

Summary

New Get started modal
Export SBOM with vulnerabilities
Combined Upload SBOM modal
Improved feedback when SBOM fails to upload
Other usability improvements and bug fixes

If you haven’t uploaded any SBOM yet or created one manually, you will see a new Get started modal pop up when you sign in to Helm. You’ll have four different options:

You need help with your FDA submission: You can request help from our expert Services team and leverage our best practices, templates, and checklists in improving your FDA submission.
You have a CycloneDX format. You can upload your SBOM file all in one step.
You have an SBOM in another format. You can contact us and we’ll get right back to you to get you moving.
You don’t know what an SBOM is or don’t have one yet. We’re here to help. Our expert Services team will help you create your SBOM, assess your current state, and help you identify and mitigate cybersecurity risks.

Export your SBOM with vulnerabilities

We’ve simplified your upload experience. If you’re uploading your first SBOM, you’ll see an Add SBOM drop-down button, from which you can select Upload SBOM. You can now browse to your SBOM file and specify your product name and product version in one step. Once you’ve uploaded at least one SBOM, this drop-down button changes to Manage SBOMs. In that case, you’ll be able to either select an existing product name and version, or create a new product name/version pair.

Improved feedback when an SBOM file fails to upload

If you upload an SBOM file, you can hover over the FAIL status to get more information on why the file failed to upload, including scenarios such as: missing required fields, additional fields present that are not defined in the JSON schema when the schema does not allow additional properties, and field values not matching expected data types.

v2.56.6

October 2023

Summary

Added match status tokens and enhanced status indicators
Added CPE and PURL package manager support
Enhanced details for components
Enhanced filters for SBOMs
In-product help added

Added NVD and NOT IN NVD tokens and enhanced status indicators

In response to customer feedback on the importance of knowing whether a component is or is not found in the NVD, we’ve added two tokens: NVD and NOT IN NVD. We’ve changed the NVD status column to Match status, and improved the status labels. You’ll now see:

Green checkmark next to Matched status when you have an exact match. You’ll also see the respective tokens that we used to make that match or that a user matched via selecting a match suggestion or creating an alias.
Yellow indicator next to Multiple matches status when you have multiple strong matches. You’ll be able to see the sources that the match suggestions are coming from, and will need to resolve this by selecting one of our suggestions or creating your own alias.

A red error indicator next to Not found status and NOT IN NVD token indicates that weren’t able to find a match in the NVD. This could mean that there are no known vulnerabilities or that your software has a different name in the NVD, so you’ll need to resolve these to make sure that you understand whether it is a risk or not.

Added CPE and PURL package manager support

Note: This is not retroactive, so in order to take advantage of this cool new feature, you'll need to upload a new version of your SBOM.

Enhanced details for components

We’ve added a lot of information to your component details, so that you can tell exactly how it was matched as well as letting you know the last review note any of your team members added. You can hover over any token

Enhanced filters for SBOMs

You can now filter by match source, such as NVD, CPE, Alias, one of our supported package managers, user-selected matches, and NOT IN NVD. You can also filter on review status.

In-product help added

Let us know if you see other areas we could improve!

Interested in providing feedback on upcoming features?

We are working on adding some great new functionality, including:

Windows KB patching,
a customer-facing API to automatically ingest SBOMs as part of your CI/CD process,
the ability to copy/paste from a CSV or other file to create an SBOM,
more human-readable information,
complete CycloneDX ingestion and export,
SPDX support,
and other cool new things.

v2.55.5

September 2023

Summary

Enhanced global search
Changed date first detected time
Added date dashboard was last updated
Removed character restrictions on input fields
Added SSO support for PingID

New global search

Global search is now expanded to include searching across all your Product SBOMs for a particular component. You can still search for a specific CVE via CVE-ID, now you get a summary of the vulnerability as well as a list of any products that might be potentially impacted.

Changes to first detected time

The first detected date in Helm on the Vulnerabilities page now reflects the date when Helm detected the vulnerability for your component.

Last update timestamp

On the Metrics dashboard you can now see when the dashboard was last updated.

Character restrictions in input fields

Helm had strict character restrictions in input fields that have now been removed.

SSO support for PingID

Helm supports SSO for organizations on the enterprise plan. We now have a working integration with PingID.

v2.54.7

September 2023

Summary

Enhanced look-and-feel with new page layouts
Performance improvements and bug fixes

New page layouts

Both the Products page and the Vulnerabilities page now have a new look and feel as well as some new functionality for vulnerability filters.

Performance improvements and bug fixes

This release has a lot of improvements to performance and a few bug fixes. You should be having a faster, more responsive experience.

Helm Docs

Helm help center home

Upload SBOM & match to known software

Prioritize and remediate risk

API & Administration

Get Started

Helm features

What is Helm?

Key features

Quickstart process

Get familiar with the Helm UI

Navigation

Top navigation bar

Breadcrumbs

Vulnerabilities breadcrumbs

Components breadcrumbs

URLs

Sidebar

Filter

Search

Themes

Tables

Customizable data display

Why can't I see some columns?

Contextual actions

Help

Understand your dashboard

Dashboard overview

Vulnerabilities over time

Top 5 impacted products

Add your first product:

Top 5 vulnerable dependencies

Helm terminology

Automate and integrate

Match components

manage sboms

manage vulnerabilities

Ensure FDA readiness

Terminology

Administration

what's new

Helm help center home

Upload SBOM & match to known software

Prioritize and remediate risk

API & Administration

Quickstart process

Helm terminology

Get familiar with the Helm UI

Navigation

Top navigation bar

Breadcrumbs

Vulnerabilities breadcrumbs

Components breadcrumbs

URLs

Sidebar

Filter

Search

Themes

Tables

Customizable data display

Why can't I see some columns?

Contextual actions

Help

Helm features

What is Helm?

Key features

Understand your dashboard

Dashboard overview

Vulnerabilities over time

Top 5 impacted products

Add your first product:

Top 5 vulnerable dependencies

Understand data sources and update frequency

How often is data updated?

What data sources does Helm use?

National Vulnerability Database (NVD)

AI co-pilot

CVE.org

Private vulnerability repository

Exploit Database (ExploitDB)