FAQ

Common questions from Interlynk users, organized by topic and ranked by how frequently they come up.


Vulnerability Management

These are the most frequently asked questions across all support conversations.

How do I import vulnerability statuses from one version to another?

Use the Import Status wizard on the target version's Vulnerabilities tab. Select the source version and choose the CVEs whose statuses you want to carry over. The wizard matches vulnerabilities across versions using CPE, PURL, and name-version.

Why does the vulnerability import wizard show no CVEs to import?

The import wizard looks for differences in vulnerability status between the source and destination versions. If all vulnerabilities in the source version are in "Unspecified" status, there is nothing to import. Only statuses like "Affected", "Not Affected", or "In Triage" are eligible for import.

Can vulnerability status import be automated when a new SBOM version is uploaded?

Yes. Interlynk supports automatic status carry-over when new versions are uploaded. This eliminates the manual import step. Contact support or check version settings for auto-import controls.

Why does vulnerability import fail when the SBOM generator changes between versions?

If you switch SBOM generators (e.g., from Mend to CycloneDX Maven plugin), component names may differ between versions. The import wizard matches on CPE, PURL, and name-version. If these change, the wizard cannot find matching components. Ensure consistent component naming or use PURLs/CPEs for reliable matching.
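The three questions above all come down to how components are matched between versions. The following Python sketch is an added illustration, not Interlynk's code: it applies the same precedence the FAQ describes (PURL, then CPE, then name-version), skips "Unspecified" statuses, and reports what could not be matched. All component data is constructed, and the CVE identifiers are placeholders; the target version is deliberately modelled as coming from a different SBOM generator so that one component is renamed but keeps its CPE, one keeps its PURL, one has only name-version, and one has nothing stable to match on.

```python
"""Carry vulnerability statuses from a source SBOM version to a target version.

Added illustration, not Interlynk code. Matching precedence follows the FAQ
(PURL, then CPE, then name-version); all component and CVE data below is
constructed, and the CVE identifiers are placeholders.
"""

MATCH_KEYS = ("purl", "cpe", "name_version")


def identity_keys(component):
    """Yield (kind, value) identity keys for a component, strongest first."""
    if component.get("purl"):
        yield "purl", component["purl"].lower()
    if component.get("cpe"):
        yield "cpe", component["cpe"].lower()
    if component.get("name") and component.get("version"):
        yield "name_version", (component["name"].lower(), component["version"])


def build_index(components):
    """Index the target version's components under every key they expose."""
    index = {kind: {} for kind in MATCH_KEYS}
    for comp in components:
        for kind, value in identity_keys(comp):
            index[kind].setdefault(value, comp)
    return index


def find_match(component, index):
    """Return (target_component, how) for the first key that hits, else (None, None)."""
    for kind, value in identity_keys(component):
        hit = index[kind].get(value)
        if hit is not None:
            return hit, kind
    return None, None


def import_statuses(source_vulns, target_components):
    """Return which statuses were carried over, skipped, or left unmatched."""
    index = build_index(target_components)
    result = {"imported": [], "skipped": [], "unmatched": []}
    for vuln in source_vulns:
        # Nothing to carry over: "Unspecified" is the default, not a triage decision.
        if vuln["status"] == "Unspecified":
            result["skipped"].append(vuln["id"])
            continue
        target, how = find_match(vuln["component"], index)
        if target is None:
            # Typical after a generator switch renamed the component and it has no PURL/CPE.
            result["unmatched"].append(vuln["id"])
            continue
        result["imported"].append(
            {"id": vuln["id"], "component": target["name"], "status": vuln["status"], "matched_by": how}
        )
    return result


# Constructed sample data: the target version was produced by a different SBOM
# generator, so some names differ and some components lost their PURL.
OPENSSL_CPE = "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*"
LOG4J_PURL = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"

SOURCE_COMPONENTS = {
    "openssl": {"name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k", "cpe": OPENSSL_CPE},
    "log4j": {"name": "log4j-core", "version": "2.14.1", "purl": LOG4J_PURL},
    "libxml2": {"name": "libxml2", "version": "2.9.10"},
    "zlib": {"name": "zlib", "version": "1.2.11"},
}

TARGET_COMPONENTS = [
    {"name": "OpenSSL", "version": "1.1.1k", "cpe": OPENSSL_CPE},    # renamed, PURL dropped, CPE kept
    {"name": "log4j-core", "version": "2.14.1", "purl": LOG4J_PURL},  # identical PURL
    {"name": "libxml2", "version": "2.9.10"},                         # only name-version available
    {"name": "zlib1g", "version": "1.2.11"},                          # renamed, no PURL/CPE: unmatchable
]

SOURCE_VULNS = [
    {"id": "CVE-EXAMPLE-1", "component": SOURCE_COMPONENTS["log4j"], "status": "Affected"},
    {"id": "CVE-EXAMPLE-2", "component": SOURCE_COMPONENTS["openssl"], "status": "Not Affected"},
    {"id": "CVE-EXAMPLE-3", "component": SOURCE_COMPONENTS["libxml2"], "status": "In Triage"},
    {"id": "CVE-EXAMPLE-4", "component": SOURCE_COMPONENTS["zlib"], "status": "Affected"},
    {"id": "CVE-EXAMPLE-5", "component": SOURCE_COMPONENTS["log4j"], "status": "Unspecified"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(import_statuses(SOURCE_VULNS, TARGET_COMPONENTS), indent=2))
```

The `unmatched` list is the part worth watching in practice: a component that lands there after a generator switch has silently lost its triage decision, which is exactly the case the last question describes. Emitting PURLs (or CPEs) from whichever generator you use keeps the first two match keys stable even when the display name changes.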

Why is the vulnerability count different between Interlynk and NVD for the same component?

This can happen when NVD CPE queries use wildcard or placeholder versions (e.g., 1.1.1:-) that Interlynk handles differently. If you notice a discrepancy, report it to support with the specific component, version, and NVD query for investigation.

Why does the vulnerability count at the product level double-count vulnerabilities from parts?

The top-level vulnerability summary row is intended to be the sum of all part vulnerabilities plus the product's own. If the count appears doubled, this may be a display bug — contact support with the specific product and version.

How do I filter for unique/deduplicated CVEs across a product with multiple parts?

Currently, the vulnerability view shows CVEs per part, which can result in duplicates. As a workaround, export vulnerabilities as CSV and use a spreadsheet to filter unique CVEs. A UI-level deduplication filter is under consideration.

What does "Incomplete Only" filter mean in the vulnerabilities view?

"Incomplete" refers to statuses that have been assigned but are missing required information per VEX guidelines. "Unspecified" and "In Triage" are considered complete once set. "Affected" and "Not Affected" require additional information (justification, notes, etc.) — if that information is missing, the status is considered incomplete.

Why is a known vulnerability (e.g., from GitHub Security Advisories) not showing up for my component?

Some GitHub Security Advisories are only available at the repository level and may not be published to GitHub Global Advisories or OSV. If a vulnerability has a GHSA ID but is not in Global Advisories, it will not appear in Interlynk's vulnerability data. As a workaround, create a custom vulnerability using the CVE or GHSA ID.

How do I create a custom vulnerability when one is missing from the platform?

You can create custom vulnerabilities from two places:

  • Version Vulnerabilities page — directly assign it to a component.

  • Global Vulnerabilities page — assign it a PURL for auto-matching.

Use the CVE ID when available for best compatibility.

What is the difference between EPSS Score and EPSS Percentile?

The EPSS Score is the probability of the vulnerability being exploited in the next 30 days. The EPSS Percentile is the rank of that vulnerability relative to all other scored vulnerabilities. These numbers can differ significantly — a low probability score can still have a high percentile if most other vulnerabilities have even lower scores. See FIRST's EPSS documentation for details.
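To make the score/percentile gap concrete, here is an added Python example (not from Interlynk or FIRST) that computes percentiles over a constructed population of 1,000 scored vulnerabilities. It assumes FIRST's definition of the percentile as the proportion of all scored vulnerabilities with a score less than or equal to the one in question; the population and the finding IDs are constructed placeholders.

```python
"""EPSS score versus EPSS percentile, worked on a constructed population.

Added illustration, not Interlynk code. The percentile computation assumes
FIRST's definition: the proportion of all scored vulnerabilities whose EPSS
score is less than or equal to the one in question. All scores are constructed.
"""
import bisect


def epss_percentile(score, population):
    """Fraction of the population scoring at or below `score` (0.0 to 1.0)."""
    ranked = sorted(population)
    return bisect.bisect_right(ranked, score) / len(ranked)


def summarize(findings, population):
    """Attach a percentile to each (id, score) pair and sort by percentile, highest first."""
    rows = [
        {"id": vid, "score": score, "percentile": epss_percentile(score, population)}
        for vid, score in findings
    ]
    return sorted(rows, key=lambda r: r["percentile"], reverse=True)


# Constructed population of 1,000 scored vulnerabilities. Like the real EPSS
# distribution it is heavily skewed: nearly everything has a tiny probability.
POPULATION = [0.0004] * 900 + [0.001] * 80 + [0.05] * 15 + [0.5] * 5

# Constructed findings (placeholder IDs) to rank against that population.
FINDINGS = [
    ("CVE-EXAMPLE-A", 0.0004),
    ("CVE-EXAMPLE-B", 0.001),
    ("CVE-EXAMPLE-C", 0.05),
    ("CVE-EXAMPLE-D", 0.5),
]

if __name__ == "__main__":
    for row in summarize(FINDINGS, POPULATION):
        print(f"{row['id']}: score={row['score']:.4f} "
              f"({row['score']:.2%} chance of exploitation in 30 days), "
              f"percentile={row['percentile']:.3f}")
```

On this population, `CVE-EXAMPLE-B` has a 0.1% chance of exploitation in 30 days yet sits at the 98th percentile, because 98% of scored vulnerabilities score even lower. That is why a triage rule should name which of the two numbers it thresholds on: "percentile above 0.95" and "score above 0.1" select very different sets.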

How does Interlynk handle CVSS v3.1 vs CVSS v4.0 scoring?

NVD and OSV may report different CVSS versions for the same vulnerability. NVD is transitioning to CVSS v4.0 as default while OSV often shows CVSS v3.1. These scores are not directly comparable. Interlynk displays the data as received from each source — check which CVSS version is being shown when comparing scores.

In some cases, the NVD link shown for a vulnerability may incorrectly use a GHSA identifier instead of the CVE number, which NVD does not recognize. This is a known bug. If you encounter a missing or broken NVD link, report the specific CVE to support.

When does Interlynk detect a new CVE — at SBOM import time or when the CVE gets a CPE assignment?

Interlynk detects CVEs when a CPE match is established in NVD. If a CVE is published but does not have CPE assignments yet, it will not be matched to your components until NVD assigns the CPE. The "Assigned" date in Interlynk reflects when the match was first detected, not when the CVE was published.


SBOM Upload & Management

Why is my SBOM upload failing with a validation error?

Common causes include:

  • Empty supplier fields — If the SBOM contains empty supplier elements, upload may fail. Remove the empty supplier fields or wait for a platform update that handles this case.

  • Unsupported format — Verify the file is valid CycloneDX or SPDX in JSON or XML format.

  • Quality requirements — Run sbomqs locally to check quality scores before uploading.

Why is the SBOM upload delayed or not processing?

During periods of high upload volume, SBOM processing may be delayed. The upload service processes SBOMs asynchronously. If your SBOM does not appear after several minutes, check the Change Log page for processing errors or contact support.

How do I merge multiple SBOMs together using sbomasm?

Use sbomasm to merge SBOMs. The default mode is hierarchical (preserves component grouping). Use the -f flag for flat mode if you want all dependencies at the same level:

Alternatively, upload each SBOM as a separate product in Interlynk and use the Parts feature to create an umbrella product.

What SBOM formats does Interlynk support?

Interlynk supports CycloneDX and SPDX in JSON and XML formats. For the best experience, use the latest specification versions.


API & CLI (pylynk)

Where can I find the API documentation for Interlynk?

The API documentation is available at docs.interlynk.io/api. Interlynk uses a GraphQL API. You can use GraphQL introspection tools to explore the full schema from the API endpoint.

Why do I get an "Invalid project" error when uploading via pylynk?

Common causes:

  • Product name mismatch — The --prod value must exactly match the product name in Interlynk, including dashes and spaces (e.g., 'SmartECG - Package' vs 'SmartECG Package').

  • Quote type — In some CI/CD environments (e.g., Azure DevOps), use double quotes ("product-name") instead of single quotes ('product-name').

  • Verify the product name by running python3 pylynk.py prods --table.

What is the difference between projectGroup and project in the API?

In the API, projectGroup refers to a Product and project refers to an Environment. Use projectGroupId (not projectId) when targeting a product. This naming inconsistency is a known source of confusion.

How do I create a new build version for a product via the API?

Use the sbomCreate mutation to create a new SBOM under a project, then use componentCreate to add components. See the API documentation for mutation details or contact support for sample scripts.

How do I get an API security token?

Navigate to Personal Settings (click your avatar in the top-right, then your name) and select the Security Tokens tab. Note: Security tokens are not available on the Free tier — contact support to discuss upgrading.

How do I create component relationships via the API?

Use the componentRelationCreate mutation with fromCompId, toCompId, and relationType parameters. Note: relationships created via the API may appear correctly in the Tree View and exported SBOM but may not immediately show in the UI's "Depends On" field until the page is refreshed.


Notifications

Why am I not receiving email notifications for new vulnerabilities?

Check the following:

  1. Subscription — You must subscribe to specific products by clicking the bell icon on the product page and selecting "Vulnerabilities."

  2. Configuration level — If you moved notification emails from organization-level to personal-level, ensure the personal notification settings are properly configured.

  3. Notification Manager — Use the Notification Manager feature to review and manage all your notification subscriptions in one place.

Why am I receiving notifications for projects I haven't subscribed to?

This may indicate a configuration issue. Review your notification subscriptions in the Notification Manager and ensure you are only subscribed to the intended products and environments.


Permissions & Roles

How do I allow developers to create API tokens without giving them full organization settings access?

API token creation is under the user's Personal Settings. If developers cannot access it, they may be missing the required permission. Contact support to ensure the role is configured correctly — token creation should not require full organization admin access.

Why are my custom role's permissions not working as expected?

Permission changes may not take effect immediately or may have a bug in a specific release. If a role with specific permissions (e.g., "edit support status") is not functioning, contact support with the role name and expected vs actual behavior.


Components & Support Status

How is "Direct" dependency defined for support level analysis?

"Direct" includes:

  • The primary component of the product

  • Any component directly dependent on the primary component

  • For products with parts: each part's primary component and its direct dependencies

Transitive dependencies (dependencies of dependencies) are not included in the "Direct" count.
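The definition above can be applied mechanically to a CycloneDX dependency graph. The following Python is an added illustration, not Interlynk's implementation: it takes the primary component from `metadata.component`, treats its first-level `dependsOn` entries as "Direct", repeats that for each part, and then tallies support statuses for Direct components against all components. The two SBOMs are constructed, and the per-component `support` value is a constructed annotation, not a CycloneDX field.

```python
"""Classify SBOM components as "Direct" or transitive for support-level analysis.

Added illustration, not Interlynk code. It follows the FAQ's definition: the
primary component, whatever the primary component depends on directly, and,
for products with parts, the same for each part. The CycloneDX-style SBOMs
below are constructed; "support" is a constructed per-component annotation.
"""
from collections import Counter


def direct_refs(sbom):
    """bom-refs of the primary component plus its first-level dependencies."""
    primary = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    return {primary, *edges.get(primary, [])}


def classify(product_sbom, part_sboms=()):
    """Return {"direct": [...], "transitive": [...]} bom-refs across product and parts."""
    direct, everything = set(), set()
    for sbom in (product_sbom, *part_sboms):
        direct |= direct_refs(sbom)
        everything.add(sbom["metadata"]["component"]["bom-ref"])
        everything |= {c["bom-ref"] for c in sbom.get("components", [])}
    # Per the FAQ, anything that is not "Direct" is a dependency of a dependency.
    return {"direct": sorted(direct), "transitive": sorted(everything - direct)}


def support_counts(product_sbom, part_sboms=()):
    """Count support statuses for Direct components versus all components."""
    groups = classify(product_sbom, part_sboms)
    support = {}
    for sbom in (product_sbom, *part_sboms):
        primary = sbom["metadata"]["component"]
        support[primary["bom-ref"]] = primary.get("support", "Unknown")
        for comp in sbom.get("components", []):
            support[comp["bom-ref"]] = comp.get("support", "Unknown")
    return {
        "direct": dict(Counter(support[ref] for ref in groups["direct"])),
        "all": dict(Counter(support.values())),
    }


# Constructed product SBOM: app -> lib-a, lib-b; lib-a -> lib-c; lib-b -> lib-c, lib-d
PRODUCT_SBOM = {
    "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "3.0", "support": "Supported"}},
    "components": [
        {"bom-ref": "lib-a", "name": "lib-a", "support": "Supported"},
        {"bom-ref": "lib-b", "name": "lib-b", "support": "EOL"},
        {"bom-ref": "lib-c", "name": "lib-c", "support": "Unknown"},
        {"bom-ref": "lib-d", "name": "lib-d", "support": "EOL"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
        {"ref": "lib-a", "dependsOn": ["lib-c"]},
        {"ref": "lib-b", "dependsOn": ["lib-c", "lib-d"]},
    ],
}

# Constructed part SBOM: firmware -> rtos -> lib-c (lib-c is shared with the product)
PART_SBOM = {
    "metadata": {"component": {"bom-ref": "firmware", "name": "device-firmware", "version": "1.2", "support": "Supported"}},
    "components": [
        {"bom-ref": "rtos", "name": "rtos", "support": "Supported"},
        {"bom-ref": "lib-c", "name": "lib-c", "support": "Unknown"},
    ],
    "dependencies": [
        {"ref": "firmware", "dependsOn": ["rtos"]},
        {"ref": "rtos", "dependsOn": ["lib-c"]},
    ],
}

if __name__ == "__main__":
    print(classify(PRODUCT_SBOM, [PART_SBOM]))
    print(support_counts(PRODUCT_SBOM, [PART_SBOM]))
```

Note that `lib-c` is shared between the product and the part and is transitive in both, so it is counted once in the "all" tally; `lib-b` is EOL and Direct, which is the kind of finding the Direct filter exists to surface.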

Why is a component showing "Unknown" support status when it is actively maintained?

This can happen when the platform does not correctly detect the latest version of a component from the package registry. Report the specific component name and version to support for investigation.

Can I set support status at the parent product level and have it propagate to parts?

This is currently a feature request. Today, support status must be managed per-part for shared components. A future update may allow centralized support status management at the parent product level.

Why does the support status CSV export exclude components from parts?

This is a known bug. The UI displays components from all parts in the Support Status tab, but the CSV export only includes components from the top-level product. This is being tracked for a fix.


PURL & Component Identity

How should I format the PURL for non-standard version strings?

Use the version string exactly as it appears in the source repository. For example: pkg:github/eclipse-threadx/[email protected]_rel — include the leading v and trailing _rel as-is.

What PURL type should I use for components not on standard package managers?

Use generic as the PURL type for any source that does not fit the known package types. The current supported list is available at the PURL types index.


SBOM Features

How do I add hashes to a component for regulatory submissions (e.g., FDA)?

Currently, hashes cannot be added directly through the platform UI. As a workaround:

  • Download the SBOM and add hashes manually to the JSON.

  • Use sbomasm to edit an existing SBOM and add hash values.

A platform feature for adding hashes through the UI is planned.
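For the first workaround (editing the JSON directly), the following Python is an added example, not Interlynk or sbomasm code. It computes hashes for an artifact and records them on the matching CycloneDX component using the standard `hashes` entry shape (`{"alg": ..., "content": ...}`), then re-verifies them against the bytes. The SBOM fragment and the artifact bytes are constructed in memory so it runs offline; in practice the bytes are read from the shipped file.

```python
"""Add file hashes to a CycloneDX component before a regulatory submission.

Added illustration, not Interlynk or sbomasm code. The SBOM fragment and the
artifact bytes are constructed; CycloneDX's `hashes` entry shape and the
algorithm names ("SHA-256", "SHA-512") are the standard ones.
"""
import copy
import hashlib

# CycloneDX algorithm names mapped to hashlib constructors.
ALGORITHMS = {"SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}


def compute_hashes(data, algs=("SHA-256", "SHA-512")):
    """Hash the artifact bytes with each requested algorithm."""
    return [{"alg": alg, "content": ALGORITHMS[alg](data).hexdigest()} for alg in algs]


def add_hashes(sbom, bom_ref, data, algs=("SHA-256", "SHA-512")):
    """Return a copy of the SBOM with hashes recorded on the component with this bom-ref."""
    updated = copy.deepcopy(sbom)
    for comp in updated.get("components", []):
        if comp.get("bom-ref") == bom_ref:
            existing = {h["alg"] for h in comp.get("hashes", [])}
            # Do not duplicate an algorithm that is already recorded.
            new = [h for h in compute_hashes(data, algs) if h["alg"] not in existing]
            comp["hashes"] = comp.get("hashes", []) + new
            return updated
    raise KeyError(f"no component with bom-ref {bom_ref!r}")


def verify_hashes(component, data):
    """True only if every recorded hash uses a known algorithm and matches the bytes."""
    return all(
        h["alg"] in ALGORITHMS and ALGORITHMS[h["alg"]](data).hexdigest() == h["content"]
        for h in component.get("hashes", [])
    )


# Constructed SBOM fragment and artifact; not a real product.
FIRMWARE_REF = "pkg:generic/example-firmware@1.0.0"
FIRMWARE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": FIRMWARE_REF, "type": "firmware", "name": "example-firmware", "version": "1.0.0"},
    ],
}
ARTIFACT = b"constructed firmware image bytes\n"

if __name__ == "__main__":
    import json
    print(json.dumps(add_hashes(FIRMWARE_SBOM, FIRMWARE_REF, ARTIFACT), indent=2))
```

`verify_hashes` returns `True` for a component with no hashes at all (there is nothing to contradict), so a submission check should also require that the expected algorithms are present, not only that recorded ones match.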

What does "Redact internal components" do when downloading an SBOM?

Redaction replaces the core identifying properties of components marked as "Internal" (name, version, description, CPE, PURL) with SHA-based identifiers. This maintains structural integrity and audit compliance while hiding proprietary component details.
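The following Python is an added illustration of that redaction model, not Interlynk's implementation. It replaces the five identifying properties on components flagged as internal with SHA-256-based tokens and leaves `bom-ref` values and the `dependencies` graph untouched, so the exported tree still validates and still refers to the same nodes. One design choice is an assumption on my part: the tokens are keyed (HMAC-SHA256 under a per-organisation key) rather than plain hashes, because an unkeyed SHA of a package name such as `openssl` is trivially recoverable from a dictionary of common names, which would defeat the purpose of hiding proprietary components. The SBOM, the set of internal bom-refs and the key are all constructed.

```python
"""Redact components marked internal in a CycloneDX SBOM.

Added illustration, not Interlynk's implementation. Following the FAQ, the
identifying properties (name, version, description, CPE, PURL) are replaced
with SHA-based tokens while bom-refs and the dependency graph are left intact.
Keying the tokens with HMAC-SHA256 under an organisation key is an assumption
made here so that tokens are stable across exports but not guessable.
"""
import copy
import hashlib
import hmac

REDACTED_FIELDS = ("name", "version", "description", "cpe", "purl")


def redaction_token(field, value, key):
    """Deterministic, keyed, SHA-256-based replacement for one field value."""
    digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"redacted-{field}-{digest[:32]}"


def redact_internal(sbom, internal_refs, key):
    """Return a redacted copy of the SBOM; the input is not modified."""
    redacted = copy.deepcopy(sbom)
    for comp in redacted.get("components", []):
        if comp.get("bom-ref") not in internal_refs:
            continue
        for field in REDACTED_FIELDS:
            if field in comp:
                comp[field] = redaction_token(field, comp[field], key)
    # bom-refs and "dependencies" are untouched, so the tree structure survives.
    return redacted


# Constructed SBOM: comp-1 is a public library, comp-2 is the proprietary part.
EXPORT_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "2.1.0"}},
    "components": [
        {"bom-ref": "comp-1", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},
        {"bom-ref": "comp-2", "name": "acme-signal-engine", "version": "4.7.2",
         "description": "Proprietary signal-processing core",
         "purl": "pkg:generic/acme-signal-engine@4.7.2"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["comp-1", "comp-2"]}],
}
INTERNAL_REFS = {"comp-2"}
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

if __name__ == "__main__":
    import json
    print(json.dumps(redact_internal(EXPORT_SBOM, INTERNAL_REFS, DEMO_KEY), indent=2))
```

Because the token is a function of the field value and the key, the same internal component redacts to the same identifier in every export, which is what lets an auditor correlate versions without learning the component's name. Properties the FAQ does not list (component hashes, external references, license text) are left in place by this sketch and can still identify a component; review those before relying on redaction alone.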

Can I exclude internal components from an SBOM export entirely?

Exclusion/suppression of internal components is not currently supported. Interlynk only supports redaction (replacing identifying properties with SHA IDs) to maintain structural integrity for compliance purposes.


Products & Environments

Why are my products or SBOMs not visible after upload?

You may be viewing the wrong environment. Check the environment selector on the Products or Versions page and switch to the correct environment (e.g., "Default" vs "Production").

How do I compare two versions across different environments?

Use the SBOM Compare tool under Tools in the left navigation panel. This tool allows you to select any product/version and compare it against a different product/version, including across environments.


CI/CD Integration

Where can I view CI/CD metadata sent during pylynk upload?

On the Versions page of a product, click the arrow ">" next to the version to expand the details view. CI/CD metadata (provider, PR info, build info, commit SHA) will be shown if it was sent during upload. If no metadata was sent, the fields will appear empty.

How do I upload SBOMs from Azure DevOps pipelines?

Use pylynk in your pipeline. Key tips:

  • Use double quotes for product names and environment values.

  • Ensure the product name exactly matches what is configured in Interlynk.

  • Set the API token as a pipeline secret variable.


General

What is an SBOM?

An SBOM (Software Bill of Materials) is a cybersecurity artifact that lists all internal and external components used to build a software product. SBOMs are used to meet regulatory requirements and map software to potential vulnerabilities. Learn more from CISA's SBOM page.

How often are vulnerability scans run?

Vulnerability scans run automatically when a new SBOM is uploaded. Existing SBOMs are periodically re-scanned as new vulnerability data becomes available.

Can I export my data from Interlynk?

Yes. SBOMs, vulnerability reports, and compliance data can be exported from the platform dashboard or via the API using pylynk.

Is there a rate limit on the API?

Yes. API rate limits vary by subscription tier. If you encounter rate limit errors, reduce request frequency or contact support for limit adjustments.

How do I request a new feature?

Email [email protected] with a description of the feature, the use case it addresses, and any relevant context.
