
SBOM Component Details View

The component detail view summarizes component metadata found in the source SBOM together with data from Sonatype data services. Use this view to verify and report the risk associated with components listed in your SBOM.

Use the VEX workflow to annotate vulnerabilities that were reported in the SBOM or discovered by Sonatype, without leaving the SBOM.


Displayed under the component name are the parent organization, application, file name, and import date of the SBOM that contains this component. Use the top breadcrumb to return to the bill of materials view.

Component Identifiers

Color-coded identifiers (tag icons) help you rapidly identify relational information about the component. The possible tags are:

  • The public ecosystem from which the component is sourced

  • A unique identifier containing the component coordinates

  • Indicates the component is a direct dependency

  • Indicates the component is a transitive dependency

Component Summary

The component summary section provides risk analysis details for the component.



Highest CVSS Score

Displays the score for the highest threat level security vulnerability as well as the total number of security vulnerabilities.

Vulnerabilities Verified

The component's vulnerabilities reported in the SBOM, and how many of them Sonatype has verified. A Sonatype-verified vulnerability is a confirmed risk: Sonatype has checked that it affects this component.


How the component is used as categorized by Sonatype.


Includes a link to the project if it is available.

Disclosed Vulnerabilities and Additional Sonatype Identified Vulnerabilities

The disclosed vulnerabilities section provides a table of the vulnerabilities impacting this component as reported in the SBOM. The additional Sonatype identified vulnerabilities section lists vulnerabilities that Sonatype associates with the component but that the SBOM did not disclose.




CVSS Score

The Common Vulnerability Scoring System (CVSS) score for the specified vulnerability. See Reference Policies for details on CVSS scoring.

Issue ID

The issue identifier assigned to the vulnerability. Select the identifier to expand a panel providing details for this vulnerability.

Verified Status

Displays whether or not Sonatype has verified that the vulnerability is present in that version of the component.

Analysis Status

Analysis status aligns with Vulnerability Exploitability Exchange (VEX) standards. The analysis state records whether, and how, the vulnerability has been addressed for this component:

  • Resolved

  • Resolved with pedigree

  • Exploitable

  • In triage

  • False positive

  • Not affected

Justification

Analysis Status and Justification both align with VEX standards. Justification records the rationale for the analysis state, in particular why the component is Not affected, and documents any mitigating controls. Possible Justification values include the following:

  • Component not present

  • Vulnerable code not in execute path

  • Vulnerable code cannot be controlled by adversary

  • Inline mitigations already exist

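The following Python script is an added example, not Sonatype's code and not a description of how SBOM Manager computes these fields. It reads a constructed CycloneDX 1.5 JSON SBOM with an embedded VEX section and derives three things this view displays: whether each component is a direct or transitive dependency (from the `dependencies` graph), the highest CVSS score and vulnerability count per component, and a check that every vulnerability's analysis carries a recognized VEX state and uses a justification only with the Not affected state. The CycloneDX enum spellings (`not_affected`, `code_not_reachable`, and so on) are the machine-readable forms; how they map onto the labels shown above is an assumption. Component names, purls and CVE identifiers in the sample are placeholders.

```python
"""Added example: derive component-detail figures from a CycloneDX SBOM + VEX."""
import json

# Constructed sample SBOM (placeholder names, purls and CVE ids): the
# application "shop" depends directly on libA, which depends on libB.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "shop", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "libA", "version": "1.0.0",
         "purl": "pkg:maven/example/libA@1.0.0", "bom-ref": "pkg:maven/example/libA@1.0.0"},
        {"type": "library", "name": "libB", "version": "2.3.1",
         "purl": "pkg:maven/example/libB@2.3.1", "bom-ref": "pkg:maven/example/libB@2.3.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/example/libA@1.0.0"]},
        {"ref": "pkg:maven/example/libA@1.0.0", "dependsOn": ["pkg:maven/example/libB@2.3.1"]},
        {"ref": "pkg:maven/example/libB@2.3.1", "dependsOn": []},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001",
         "ratings": [{"score": 9.8, "severity": "critical", "method": "CVSSv31"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                      "detail": "the vulnerable parser is never invoked by this service"},
         "affects": [{"ref": "pkg:maven/example/libB@2.3.1"}]},
        {"id": "CVE-0000-0002",
         "ratings": [{"score": 5.3, "severity": "medium", "method": "CVSSv31"}],
         "analysis": {"state": "in_triage"},
         "affects": [{"ref": "pkg:maven/example/libB@2.3.1"}]},
        {"id": "CVE-0000-0003",
         "ratings": [{"score": 7.5, "severity": "high", "method": "CVSSv31"}],
         # Deliberately inconsistent: a justification only makes sense for not_affected.
         "analysis": {"state": "exploitable", "justification": "code_not_reachable"},
         "affects": [{"ref": "pkg:maven/example/libA@1.0.0"}]},
    ],
})

# CycloneDX spellings of the analysis states listed on this page.
VEX_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
              "in_triage", "false_positive", "not_affected"}


def dependency_scope(bom):
    """Return {bom-ref: 'direct' | 'transitive'} by walking the dependency graph
    from the SBOM's root component (metadata.component)."""
    root = bom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    direct = set(edges.get(root, []))
    seen, stack = set(), list(direct)
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(edges.get(ref, []))
    return {ref: ("direct" if ref in direct else "transitive") for ref in seen}


def vulnerability_summary(bom):
    """Return {bom-ref: (highest_cvss, count)} from the vulnerabilities section."""
    summary = {}
    for vuln in bom.get("vulnerabilities", []):
        score = max((r.get("score", 0.0) for r in vuln.get("ratings", [])), default=0.0)
        for target in vuln.get("affects", []):
            high, count = summary.get(target["ref"], (0.0, 0))
            summary[target["ref"]] = (max(high, score), count + 1)
    return summary


def vex_problems(bom_json):
    """Flag analyses that are not usable as VEX: unknown states, and a
    justification attached to any state other than not_affected."""
    problems = []
    for vuln in json.loads(bom_json).get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        state = analysis.get("state")
        if state not in VEX_STATES:
            problems.append((vuln["id"], f"unknown state {state!r}"))
        elif "justification" in analysis and state != "not_affected":
            problems.append((vuln["id"], f"justification given but state is {state!r}"))
    return problems


def component_report(bom_json):
    """One row per component: purl, dependency scope, highest CVSS, vuln count."""
    bom = json.loads(bom_json)
    scope = dependency_scope(bom)
    vulns = vulnerability_summary(bom)
    rows = {}
    for comp in bom.get("components", []):
        ref = comp["bom-ref"]
        high, count = vulns.get(ref, (0.0, 0))
        rows[ref] = {"purl": comp.get("purl"), "scope": scope.get(ref, "unreferenced"),
                     "highest_cvss": high, "vuln_count": count}
    return rows


if __name__ == "__main__":
    for ref, row in component_report(SAMPLE_BOM).items():
        print(ref, row)
    for vuln_id, why in vex_problems(SAMPLE_BOM):
        print("VEX issue:", vuln_id, why)
```

Run against a real SBOM by replacing `SAMPLE_BOM` with the file contents; the scope logic assumes the SBOM declares `metadata.component` and a `dependencies` graph, which is where direct versus transitive information lives in CycloneDX.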

Vulnerability Details

Details about the vulnerability expand and appear in a side panel when you select an Issue ID.


The Vulnerability Details panel provides details of the vulnerability, including: description, explanation, detection, recommendations, affected versions, root causes, advisories, and CVSS details.