
SBOM Component Details View

The component detail view summarizes component metadata drawn from the source SBOM and from Sonatype data services. Use this view to verify and report the risk associated with the components reported in your SBOM.

Use the VEX workflow to annotate vulnerabilities from within this view, both those reported in the SBOM itself and those discovered by Sonatype.

[Image: SBOM component details header]

Displayed under the component name are the parent organization, application, file name, and import date of the SBOM that contains this component. Use the breadcrumb at the top of the page to return to the bill of materials view.

Component Identifiers

Color-coded identifier tags help you quickly see how the component relates to the rest of the SBOM. The possible tags are:

  • Ecosystem icon: the public ecosystem (package repository format) the component comes from

  • PackageURL: a unique identifier (purl) containing the component coordinates

  • Direct dependency icon: indicates the component is a direct dependency

  • Transitive dependency icon: indicates the component is a transitive dependency

Component Summary

The component summary section provides risk analysis details for the component:

  • Highest CVSS Score: the CVSS score of the component's highest-severity security vulnerability, together with the total number of security vulnerabilities reported for the component

  • Vulnerabilities Verified: the component vulnerabilities reported in the SBOM; those marked as Sonatype-verified are confirmed to affect this component version

  • Category: how the component is used, as categorized by Sonatype

  • Website: a link to the project's website, when one is available

Disclosed Vulnerabilities and Sonatype Identified Vulnerabilities

The Disclosed Vulnerabilities section is a table of the vulnerabilities included in the original SBOM for components not known to Sonatype. The Sonatype Identified Vulnerabilities section lists the vulnerabilities Sonatype has identified for the component; it is updated through Continuous Monitoring as new vulnerability data becomes available.

[Image: component details with disclosed and Sonatype-identified vulnerability tables]

Both tables contain the following columns:

  • CVSS Score: the Common Vulnerability Scoring System (CVSS) score for the vulnerability. See Reference Policies for details on CVSS scoring.

  • Issue: the identifier assigned to the vulnerability. Select the identifier to expand a panel with details for this vulnerability.

  • Verified Status: whether Sonatype has verified that the vulnerability is present in this version of the component.

  • Analysis Status: the analysis state, which follows the Vulnerability Exploitability Exchange (VEX) standard. It records your assessment of whether, and how, the vulnerability has been addressed for this component. Possible values:

      • Resolved

      • Resolved with pedigree

      • Exploitable

      • In triage

      • False positive

      • Not affected

  • Justification: also aligned with the VEX standard. The justification records why the vulnerability does not affect the component (in VEX terms, the rationale behind a Not affected analysis state), for example because the vulnerable code is never executed or a mitigation is already in place. Possible values:

      • Component not present

      • Vulnerable code not in the execute path

      • Vulnerable code cannot be controlled by adversary

      • Inline mitigations already exist

  • Action: the operations used in the VEX workflow:

      • Add Annotation: opens a form to add a VEX annotation to the vulnerability

      • Edit Annotation: modifies the current VEX annotation

      • Copy Annotation: copies the annotation for this component vulnerability from the closest previous application version in which the vulnerability was annotated

      • Delete Annotation: removes the annotation from the vulnerability

These options are displayed only when they apply. For instance, the edit and delete options are not shown when no annotation is present, and the copy option is not shown when there is no previous annotation to copy.
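To make the vulnerability tables and the VEX workflow above concrete, here is an added example that is not Sonatype's code and does not describe how SBOM Manager is implemented. It filters a CycloneDX-style SBOM's embedded vulnerability entries per component, computes the Highest CVSS Score summary, and applies or copies a VEX analysis annotation using the states and justifications listed on this page. The SBOM, component purls and vulnerability ids are constructed placeholders; the machine-readable identifiers for states and justifications are an assumption that follows the CycloneDX/VEX naming pattern; and the rule that a Not affected annotation must carry a justification follows the VEX minimum requirements, not anything stated on this page.

```python
# Added example: per-component vulnerability filtering and VEX annotation
# over a CycloneDX-style SBOM. Not Sonatype's code.
from copy import deepcopy

# Page labels mapped to machine-readable identifiers. The identifiers are an
# assumption for this example (CycloneDX/VEX naming pattern), not product values.
ANALYSIS_STATES = {
    "Resolved": "resolved",
    "Resolved with pedigree": "resolved_with_pedigree",
    "Exploitable": "exploitable",
    "In triage": "in_triage",
    "False positive": "false_positive",
    "Not affected": "not_affected",
}
JUSTIFICATIONS = {
    "Component not present": "component_not_present",
    "Vulnerable code not in the execute path": "vulnerable_code_not_in_execute_path",
    "Vulnerable code cannot be controlled by adversary": "vulnerable_code_cannot_be_controlled_by_adversary",
    "Inline mitigations already exist": "inline_mitigations_already_exist",
}

UTIL = "pkg:maven/org.example/util@1.2.0"
CORE = "pkg:maven/org.example/core@3.0.1"

# Constructed sample SBOM (CycloneDX layout). Component names and the
# EXAMPLE-* vulnerability ids are placeholders, not real advisories.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": UTIL, "purl": UTIL, "name": "util", "version": "1.2.0"},
        {"bom-ref": CORE, "purl": CORE, "name": "core", "version": "3.0.1"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "ratings": [{"method": "CVSSv31", "score": 9.8}],
         "affects": [{"ref": UTIL}]},
        {"id": "EXAMPLE-0002", "ratings": [{"method": "CVSSv31", "score": 5.3}],
         "affects": [{"ref": UTIL}]},
        {"id": "EXAMPLE-0003", "ratings": [{"method": "CVSSv31", "score": 7.5}],
         "affects": [{"ref": CORE}]},
    ],
}


class AnnotationError(ValueError):
    """Raised when a VEX annotation is malformed or targets an unknown finding."""


def vulnerabilities_for(bom, purl):
    """Vulnerability entries whose `affects` list references the component."""
    return [v for v in bom.get("vulnerabilities", [])
            if any(a.get("ref") == purl for a in v.get("affects", []))]


def highest_cvss(bom, purl):
    """(highest CVSS score, total count), as shown in the Component Summary."""
    vulns = vulnerabilities_for(bom, purl)
    if not vulns:
        return None, 0
    top = max(max((r.get("score", 0.0) for r in v.get("ratings", [])), default=0.0)
              for v in vulns)
    return top, len(vulns)


def annotate(bom, purl, vuln_id, state, justification=None, detail=None):
    """Return a copy of `bom` with a VEX `analysis` block on one finding.
    Validates against the page's value lists and requires a justification
    for 'Not affected' (VEX minimum requirements; an assumption here)."""
    if state not in ANALYSIS_STATES:
        raise AnnotationError(f"unknown analysis state: {state!r}")
    if justification is not None and justification not in JUSTIFICATIONS:
        raise AnnotationError(f"unknown justification: {justification!r}")
    if state == "Not affected" and justification is None:
        raise AnnotationError("'Not affected' requires a justification")
    new = deepcopy(bom)  # never mutate the caller's SBOM
    for v in vulnerabilities_for(new, purl):
        if v.get("id") == vuln_id:
            analysis = {"state": ANALYSIS_STATES[state]}
            if justification:
                analysis["justification"] = JUSTIFICATIONS[justification]
            if detail:
                analysis["detail"] = detail
            v["analysis"] = analysis
            return new
    raise AnnotationError(f"{vuln_id} is not reported against {purl}")


def copy_annotation(history, bom, purl, vuln_id):
    """Mirror the Copy Annotation action: take the analysis block from the
    closest previous application version (history is ordered oldest first)
    in which this component vulnerability was annotated; None if there is none."""
    for previous in reversed(history):
        for v in vulnerabilities_for(previous, purl):
            if v.get("id") == vuln_id and "analysis" in v:
                new = deepcopy(bom)
                for current in vulnerabilities_for(new, purl):
                    if current.get("id") == vuln_id:
                        current["analysis"] = deepcopy(v["analysis"])
                        return new
                raise AnnotationError(f"{vuln_id} is not reported against {purl}")
    return None
```

A typical call is `annotate(SAMPLE_BOM, UTIL, "EXAMPLE-0001", "Not affected", "Vulnerable code not in the execute path", "The affected parser is never invoked.")`, after which `highest_cvss(SAMPLE_BOM, UTIL)` still reports `(9.8, 2)`: an annotation records your assessment of exploitability but does not change the score or count the view shows, which is why the Analysis Status column sits beside, not in place of, the CVSS Score column.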

Vulnerability Details

When you select an Issue ID, details about the vulnerability expand in a side panel.

[Image: vulnerability details side panel]

The Vulnerability Details panel provides details of the vulnerability, including the description, explanation, detection, recommendations, affected versions, root causes, advisories, and CVSS details.