Skip to main content

SBOM Bill of Material View

The Bill of Materials view summarizes the components and their risk found in the SBOM, focusing on annotating the vulnerabilities with VEX audit details.

SBOM_Bill_of_Material_View.png

Actions

  • Use the Version Switcher dropdown to navigate to other application versions.

  • Use the Export SBOM: Dropdown to download the annotated SBOM. Options under the dropdown include:

    • Export Original SBOM: Download the original unmodified SBOM. The original SBOM filenames are in the following format:

      Original_<public-id>_<version>_<timestamp>.{cdx|spdx}.{json|xml}

    • Additional Export Options: Choose between CycloneDX or SPDX in either JSON or XML file formats. The annotated SBOM filenames follow the format below:

      <public-id>_<version>_<timestamp>.{cdx|spdx}.{json|xml}

      The export will always use the latest version of the supported specification.

    • Export PDF: Save a PDF report of the policy violations including a list of vulnerabilities, licenses, and components.

  • Select a component from the list to open the component details view.

Summary

Relationship of the reported dependencies. See Software Dependencies: A beginner's guide to learn more.

  • Component Summary

    • Direct: The explicit dependencies that a software component defines and employs.

    • Transitive: Dependencies indirectly used by a software component brought into your application as dependencies for other components.

    • Unspecified: When the component's dependency information was not declared in the SBOM.

  • Vulnerabilities Summary

    Provides a total of known vulnerabilities for the components in the SBOM.

  • Release Status

    • Release Ready: The SBOM contains no high or critical vulnerabilities, or all high and critical vulnerabilities are VEX annotated.

    • Partially Annotated: The SBOM includes some high or critical vulnerabilities, and not all of them are VEX annotated.

    • Needs Attention: The SBOM contains some high or critical vulnerabilities, and none of them are VEX annotated.

  • Policy Violation Summary

    Provides a total of known policy violations for the components in the SBOM.

Components

The component list displays the components found in the SBOM with their dependency information, vulnerabilities, and licenses. The percentage annotated provides feedback at a glance on how well your teams are doing monitoring risk in your SBOMs.

  • Use the search bar to filter by either the component name or license.

  • The Filter By menu narrows results by vulnerability and dependency type.

  • Selecting a component navigates to the component details view.

Export PDF Report

The generated PDF includes the Analysis Status for VEX annotated vulnerabilities and third-party reported vulnerabilities stored in the SBOM.

See the VEX Workflow for details.

SBM-Export-PDF-Analysis_Status.png