SBOM Bill of Material View
The Bill of Materials view summarizes the components and their risk found in the SBOM, focusing on annotating the vulnerabilities with VEX audit details.
Actions
Use the Version Switcher dropdown to navigate to other application versions.
Use the Export SBOM dropdown to download the annotated SBOM. Options under the dropdown include:
Export Original SBOM - download the original unmodified SBOM. The original SBOM filenames are in the following format:
Original_<public-id>_<version>_<timestamp>.{cdx|spdx}.{json|xml}
Additional Export Options - choose between CycloneDX or SPDX in either JSON or XML file formats. The annotated SBOM filenames are in the following format:
<public-id>_<version>_<timestamp>.{cdx|spdx}.{json|xml}
Export PDF - save a PDF report of the policy violations including a list of vulnerabilities, licenses, and components.
Select a component from the list to view the component's details view.
Summary
Relationship of the reported dependencies. See Software Dependencies: A beginner's guide to learn more.
Component Summary
Direct - the explicit dependencies that a software component defines and employs.
Transitive - dependencies indirectly used by a software component; they are brought into your application as dependencies of other components.
Unspecified - when the component's dependency information was not declared in the SBOM.
Vulnerabilities Summary
Provides a total of known vulnerabilities for the components in the SBOM.
Policy Violation Summary
Provides a total of known policy violations for the components in the SBOM.
Vex Annotations
The percentage of vulnerabilities annotated with exploitability information refers to how complete the VEX annotation for known vulnerabilities is.
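To make the Component Summary categories (direct, transitive, unspecified) and the VEX annotation percentage concrete, here is an added example that computes both from a CycloneDX JSON SBOM. It is not Sonatype's code; the SBOM is a constructed minimal document, and the classification rules (direct = declared by the root component, transitive = reachable from a direct dependency, unspecified = in no dependency entry) are this example's own reading of the definitions above.

```python
import json

# Constructed minimal CycloneDX 1.4 JSON SBOM (not a real project's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "demo-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:maven/a/a@1", "name": "a"},
        {"bom-ref": "pkg:maven/b/b@1", "name": "b"},
        {"bom-ref": "pkg:maven/c/c@1", "name": "c"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/a/a@1"]},
        {"ref": "pkg:maven/a/a@1", "dependsOn": ["pkg:maven/b/b@1"]},
    ],
    "vulnerabilities": [
        {"id": "VULN-0001", "affects": [{"ref": "pkg:maven/b/b@1"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "VULN-0002", "affects": [{"ref": "pkg:maven/a/a@1"}]},  # no VEX analysis yet
    ],
})


def classify_dependencies(bom):
    """Return {"direct": [...], "transitive": [...], "unspecified": [...]} by bom-ref."""
    root = bom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    direct = set(graph.get(root, []))
    # Walk the dependency graph from the direct dependencies; everything reached
    # that is not itself direct is transitive. The visited set also stops cycles.
    reachable, stack = set(), list(direct)
    while stack:
        for child in graph.get(stack.pop(), []):
            if child not in reachable and child not in direct:
                reachable.add(child)
                stack.append(child)
    all_refs = [c["bom-ref"] for c in bom.get("components", [])]
    return {
        "direct": sorted(r for r in all_refs if r in direct),
        "transitive": sorted(r for r in all_refs if r in reachable),
        "unspecified": sorted(r for r in all_refs if r not in direct | reachable),
    }


def vex_annotation_percentage(bom):
    """Percentage of vulnerabilities carrying a VEX analysis state (100 if none)."""
    vulns = bom.get("vulnerabilities", [])
    if not vulns:
        return 100.0
    annotated = sum(1 for v in vulns if v.get("analysis", {}).get("state"))
    return round(100.0 * annotated / len(vulns), 1)


def summarize(sbom_json):
    bom = json.loads(sbom_json)
    return {"components": classify_dependencies(bom), "vex_percent": vex_annotation_percentage(bom)}
```

Running summarize(SAMPLE_SBOM) reports one direct, one transitive and one unspecified component, and a VEX annotation percentage of 50.0 because only one of the two vulnerabilities has an analysis state.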
Components
The component list displays the components found in the SBOM with their dependency information, vulnerabilities, and licenses. The percentage annotated provides feedback at a glance on how well your teams are doing monitoring risk in your SBOMs.
Use the search bar to filter by either the component name or license. The Filter By menu narrows results by vulnerability and dependency type. Selecting a component navigates to the component details view.
Export PDF Report
The generated PDF includes the Analysis Status for VEX annotated vulnerabilities and third-party reported vulnerabilities stored in the SBOM.
See the VEX Workflow for details.