Viewing Your Results

Once you've identified a project or uploaded an SBOM to BOM Doctor, you'll be able to review your results. BOM Doctor provides a lot of information about your Software Bill of Materials (SBOM), and presents that information in a few different ways.

First, take a moment to review your application as it exists now. Then, upgrade your components to the best possible version and watch as your application's health improves!

SBOM Graph

Figure: An example of the SBOM Graph view in BOM Doctor. Three colored panels, labeled 1, 2, and 3, separate the view into three sections.

By default, the first view you see is the SBOM Graph.

Left Panel

The left panel (the number 1) shows some vital information about the application as a whole.

Application name

The name of the application.

  • Select the box to see the project in Maven, if applicable.

Version number

The version number of the application.

  • Select the box to open a new BOM Doctor window/tab of that same version number.

Organization name

The organization's name.

Category type

A broad classification of what the application is typically used for.

Aggregate health score

The aggregate health score of this application and all its dependencies. Learn more about how BOM Doctor scores applications.

Security bar

How well the application leverages non-vulnerable components.

  • A fuller bar is better.

Popularity bar

How well the application leverages components that are popular in their respective categories.

  • A fuller bar is better.

Legal risk bar

How well the application leverages components that don't use restrictive licenses.

  • A fuller bar is better.

Violation count bar

The number of vulnerabilities contained within the application's components. From left to right, the ovals indicate:

  • Critical severity (CVSS score of > 9)
  • Severe severity (CVSS score ≥ 7 but < 9)
  • Moderate severity (CVSS score ≥ 4 but < 7)
  • Low severity (CVSS score of < 4)

Level up bar

How many points to the next level. Upgrading to better versions of your components increases your score.

Center Panel

The center panel (the number 2) shows a dependency tree for your application. The dependency tree is designed with three goals in mind:

  • To make viewing your application's dependencies easier
  • To make it easy to see how improving a component can improve your application's health
  • To make it obvious which components are having the biggest effect on your application's health

The node on the left side of the tree is your application. The nodes connected to the application node are your direct dependencies, that is, the dependencies that the application calls directly. All nodes farther to the right are transitive dependencies, the dependencies being called by your dependencies.


Each node shows the application or component name and a number that represents the aggregated health of that element plus all its dependencies.

A solid blue arrow indicates that an upgrade is available. A shaded blue arrow indicates that an upgrade is being actively simulated by the BOM Doctor.
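To make the violation count bar and the direct/transitive split of the dependency tree concrete, here is an added example (not BOM Doctor's own code) that bands a constructed set of CVSS scores into the four severities listed above and rolls each node's count up with all of its transitive dependencies. The component names, the dependency relation and the scores are all constructed; the treatment of a score of exactly 9.0 is an assumption, since the bands as stated do not cover it.

```python
from collections import Counter

# Constructed SBOM, not a real project: component -> components it calls
# directly (the "dependsOn" relation). "app" is the root node of the tree.
DEPENDS_ON = {
    "app": ["web-framework", "json-lib"],
    "web-framework": ["http-client", "json-lib"],  # json-lib reached twice
    "http-client": ["tls-lib"],
    "json-lib": [],
    "tls-lib": [],
}

# Constructed CVSS base scores of the known vulnerabilities per component.
CVSS_BY_COMPONENT = {
    "web-framework": [9.8, 5.3],
    "http-client": [7.5],
    "json-lib": [3.1, 9.0],
}

def severity(score: float) -> str:
    """Band a CVSS score as the violation-count bar does; 9.0, which the stated
    bands leave unassigned, is assumed here to count as severe."""
    if score > 9:
        return "critical"
    if score >= 7:
        return "severe"
    if score >= 4:
        return "moderate"
    return "low"

def reachable(component: str) -> set[str]:
    """Component plus every node below it; the visited set avoids double counting
    a dependency reached along two paths and stops on cyclic dependency data."""
    seen, stack = set(), [component]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(DEPENDS_ON.get(node, []))
    return seen

def violation_counts(component: str) -> Counter:
    """Severity counts for the component plus all its transitive dependencies."""
    counts = Counter()
    for node in reachable(component):
        counts.update(severity(s) for s in CVSS_BY_COMPONENT.get(node, []))
    return counts

def direct_and_transitive(root: str) -> tuple[set[str], set[str]]:
    """Split the root's dependencies the way the graph draws them."""
    direct = set(DEPENDS_ON.get(root, []))
    return direct, reachable(root) - direct - {root}
```

Because json-lib is reached both directly and through web-framework, its two vulnerabilities appear once in the root's count rather than twice.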

Right Panel

Clicking on a node in the dependency tree opens the right panel (the number 3), which shows some vital information about that component.

You'll notice that the right panel looks similar to the left panel – that's by design! Part of the secret to understanding your application's overall health is realizing that your dependencies are each their own mini-application, and can be judged on similar criteria.

If the component has an upgrade available, you'll see two additional options.

Select Update to the Best Version, and BOM Doctor will simulate a new SBOM that uses this better component. Select Compare All Versions to see a table of other possible upgrades. The Compare All Versions table also shows whether or not the component has any Breaking Changes – that is, changes to the component's inner workings that might require additional developer time to resolve.

SBOM Report

By selecting the SBOM Report button in the top right-hand corner, you can transform the dependency graph into a report. The report shows much of the same information as the SBOM graph, just in a format that's better for exporting.

Select Preview PDF in the top right to export in the PDF format for easy storage and sharing.

Give it to Me Straight Doc

Any time you're reviewing your results on the SBOM Graph, click the squirrel doctor (Dr. Squirrely BOM) in the bottom left for advice on what to do next.

Dr. Squirrely BOM will summarize your results for you.

Figure: Example of the advice given by BOM Doctor after selecting the "Give it to me straight Doc" option. In this image, the text reads: "Almost ready for take off! You've made it to the launchpad. Time to add some rocket fuel! Some of your dependencies are still dragging you down. You can test how different versions of your dependencies would improve your score without touching your own code base. Give it a try and see if you are ready to take off!"

Take note of the doctor's advice and either celebrate your excellent bill of health or get ready for surgery!

Up Next

Upgrading a Component