CPE Matching Experience in SBOM Manager vs. Lifecycle
Sonatype SBOM Manager and Sonatype Lifecycle both support Common Platform Enumeration- (CPE) based vulnerability matching; however, the behavior and configuration differs depending on your setup and licening.
The following table outlines how CPE matching behaves across different installation types, including new installations and deployments that existed before the introduction of CPE matching:
Licensing Scenario | SBOM Manager Matching | Lifecycle Matching | App/Org Configurable | Notes |
|---|---|---|---|---|
New and Existing SBOM Manager-Only Deployments | Always On | N/A | Not Configurable | Matching is baked into SBOM ingestion. |
New Lifecycle-Only Deployments | N/A | Enabled by Default | Configurable per Org/App | Ships with matching enabled. |
Existing Lifecycle-Only Deployments | N/A | Disabled by Default | Configurable per Org/App | Matching is opt-in. |
New Multi-Solution Deployments (SBOM Manager & Lifecycle) | Enabled by Default | Enabled by Default | Configurable via Lifecycle | SBOM Manager follows Lifecycle's setting. |
Existing Multi-Solution Deployments (SBOM Manager & Lifecycle) | Disabled by Default | Disabled by Default | Configurable via Lifecycle | Both disabled by default; matching is opt-in. SBOM Manager follows Lifecycle's setting. |
Data Merging and Display Logic
The sections below explain the data merging and display logic behavior for Sonatype SBOM Manager and Sonatype Lifecycle.
Lifecycle Data Merging and Display Logic
Selective Display – Each component in Lifecycle reports displays only one vulnerability source: either from third-party SBOM data or Sonatype's vulnerability catalog, which includes CPE matches.
Priority to Sonatype’s Vulnerability Catalog – If a CPE-based match exists, Lifecycle suppresses the third-party SBOM-based record and surfaces only the Sonatype vulnerability catalog vulnerability. This prioritization behavior is consistent with current Lifecycle functionality. The enhancement simply increases the pool of matches.
SBOM Manager Data Merging and Display Logic
Merged Display – SBOM Manager shows both third-party SBOM vulnerabilities and matches from Sonatype’s vulnerability catalog (including CPE-derived ones) in the same table.
Vulnerability Research Metadata Tagging – Each merged record is tagged with the following Data Enrichment definition so that you can differentiate public vs. vetted data:
Sonatype Enhanced – Metadata was enriched by Sonatype, offering deeper insights beyond basic SBOM or public data.
Vendor Data – Metadata comes directly from the vendor's SBOM. No additional enrichment.
Public Data – Metadata is from public sources, mapped via CPE.
This information is visible in the user interface in SBOM Manager's Component Details View.