
CPE Matching Experience in SBOM Manager vs. Lifecycle

Sonatype SBOM Manager and Sonatype Lifecycle both support Common Platform Enumeration (CPE)-based vulnerability matching; however, the behavior and configuration differ depending on your setup and licensing.

The following table outlines how CPE matching behaves across different installation types, including new installations and deployments that existed before the introduction of CPE matching:

| Licensing Scenario | SBOM Manager Matching | Lifecycle Matching | App/Org Configurable | Notes |
|---|---|---|---|---|
| New and Existing SBOM Manager-Only Deployments | Always On | N/A | Not Configurable | Matching is baked into SBOM ingestion. |
| New Lifecycle-Only Deployments | N/A | Enabled by Default | Configurable per Org/App | Ships with matching enabled. |
| Existing Lifecycle-Only Deployments | N/A | Disabled by Default | Configurable per Org/App | Matching is opt-in. |
| New Multi-Solution Deployments (SBOM Manager & Lifecycle) | Enabled by Default | Enabled by Default | Configurable via Lifecycle | SBOM Manager follows Lifecycle's setting. |
| Existing Multi-Solution Deployments (SBOM Manager & Lifecycle) | Disabled by Default | Disabled by Default | Configurable via Lifecycle | Both disabled by default; matching is opt-in. SBOM Manager follows Lifecycle's setting. |

Data Merging and Display Logic

The sections below explain the data merging and display logic behavior for Sonatype SBOM Manager and Sonatype Lifecycle.

Lifecycle Data Merging and Display Logic

  • Selective Display – Each component in Lifecycle reports displays only one vulnerability source: either from third-party SBOM data or Sonatype's vulnerability catalog, which includes CPE matches.

  • Priority to Sonatype’s Vulnerability Catalog – If a CPE-based match exists, Lifecycle suppresses the third-party SBOM-based record and surfaces only the Sonatype vulnerability catalog vulnerability. This prioritization behavior is consistent with current Lifecycle functionality. The enhancement simply increases the pool of matches.

SBOM Manager Data Merging and Display Logic

  • Merged Display – SBOM Manager shows both third-party SBOM vulnerabilities and matches from Sonatype’s vulnerability catalog (including CPE-derived ones) in the same table.

  • Vulnerability Research Metadata Tagging – Each merged record is tagged with one of the following Data Enrichment definitions so that you can distinguish public from vetted data:

    • Sonatype Enhanced – Metadata was enriched by Sonatype, offering deeper insights beyond basic SBOM or public data.

    • Vendor Data – Metadata comes directly from the vendor's SBOM. No additional enrichment.

    • Public Data – Metadata is from public sources, mapped via CPE.

    These tags are visible in SBOM Manager's Component Details View.
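The following Python script is an added illustration, not Sonatype's code and not a description of how either product is implemented. It models the two behaviors described in the sections above: matching a component's CPE 2.3 name against a vulnerability catalog (with the `*`/`-` attribute semantics of CPE 2.3 and an optional "versions before X" range), then rendering the result under the Lifecycle policy (selective display, catalog match suppresses the third-party SBOM record) and the SBOM Manager policy (merged display, each row tagged with a Data Enrichment definition). The catalog entries, components, the `EXAMPLE-VULN-n` identifiers and the rule that assigns each enrichment tag are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named fields; escaped ':' stays inside a field."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def _attr_matches(pattern: str, value: str) -> bool:
    """CPE attribute comparison: '*' (ANY) matches anything, '-' (NA) only an empty value."""
    if pattern == "*":
        return True
    if pattern == "-":
        return value == ""
    return pattern.lower() == value.lower()


def _version_tuple(version: str) -> Optional[Tuple[int, ...]]:
    """Numeric dotted version -> comparable tuple; None when the version is not numeric."""
    try:
        return tuple(int(x) for x in version.split("."))
    except ValueError:
        return None


@dataclass(frozen=True)
class Component:
    name: str
    cpe: str                       # CPE 2.3 name of the shipped component
    sbom_vulns: Tuple[str, ...]    # vulnerability IDs the third-party SBOM already lists


@dataclass(frozen=True)
class CatalogEntry:
    vuln_id: str
    cpe_pattern: str                            # may use '*' in any attribute
    version_end_excluding: Optional[str] = None  # constructed "affects versions < X" range
    enrichment: str = "Public Data"             # constructed tag: "Public Data" or "Sonatype Enhanced"


def cpe_matches(pattern: str, target: str, version_end_excluding: Optional[str] = None) -> bool:
    """True when every non-version attribute matches and the version falls in range."""
    p, t = parse_cpe23(pattern), parse_cpe23(target)
    if not all(_attr_matches(p[f], t[f]) for f in CPE_FIELDS if f != "version"):
        return False
    if version_end_excluding is None:
        return _attr_matches(p["version"], t["version"])
    tv, ev = _version_tuple(t["version"]), _version_tuple(version_end_excluding)
    # Unparseable versions (e.g. '*') cannot be range-compared; treat as no match.
    return tv is not None and ev is not None and tv < ev


def catalog_matches(component: Component, catalog) -> List[CatalogEntry]:
    return [e for e in catalog
            if cpe_matches(e.cpe_pattern, component.cpe, e.version_end_excluding)]


def lifecycle_view(component: Component, catalog) -> List[Tuple[str, str]]:
    """Selective display: catalog (incl. CPE) matches take priority over third-party SBOM data."""
    hits = catalog_matches(component, catalog)
    if hits:
        return [(e.vuln_id, "Sonatype vulnerability catalog") for e in hits]
    return [(v, "third-party SBOM") for v in component.sbom_vulns]


def sbom_manager_view(component: Component, catalog) -> List[Tuple[str, str]]:
    """Merged display: both sources in one table, each row tagged with its enrichment source."""
    rows = {v: "Vendor Data" for v in component.sbom_vulns}   # SBOM-only rows: vendor data
    for e in catalog_matches(component, catalog):
        rows[e.vuln_id] = e.enrichment   # constructed rule: catalog tag wins for a shared ID
    return sorted(rows.items())


# Constructed sample data (vendor, product and vulnerability IDs are placeholders).
CATALOG = (
    CatalogEntry("EXAMPLE-VULN-1", "cpe:2.3:a:examplevendor:widgetlib:*:*:*:*:*:*:*:*", "2.4.0"),
    CatalogEntry("EXAMPLE-VULN-2", "cpe:2.3:a:examplevendor:widgetlib:2.3.1:*:*:*:*:*:*:*",
                 enrichment="Sonatype Enhanced"),
    CatalogEntry("EXAMPLE-VULN-3", "cpe:2.3:a:othervendor:gadget:*:*:*:*:*:*:*:*"),
)
COMPONENTS = (
    Component("widgetlib 2.3.1", "cpe:2.3:a:examplevendor:widgetlib:2.3.1:*:*:*:*:*:*:*",
              ("EXAMPLE-VULN-2", "EXAMPLE-VULN-9")),
    Component("widgetlib 2.4.0", "cpe:2.3:a:examplevendor:widgetlib:2.4.0:*:*:*:*:*:*:*",
              ("EXAMPLE-VULN-9",)),
)

if __name__ == "__main__":
    for c in COMPONENTS:
        print(c.name)
        print("  Lifecycle view:   ", lifecycle_view(c, CATALOG))
        print("  SBOM Manager view:", sbom_manager_view(c, CATALOG))
```

For the 2.3.1 component, the Lifecycle view lists only the two catalog matches and drops both IDs that came from the third-party SBOM, including `EXAMPLE-VULN-9`, which the catalog does not know about; the SBOM Manager view keeps all three rows and tags them `Public Data`, `Sonatype Enhanced` and `Vendor Data` respectively. For the 2.4.0 component nothing in the catalog matches, so both views fall back to the SBOM-supplied record.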