Prisma Cloud Enterprise Edition
SBOM
A Software Bill of Materials (SBOM) is an inventory of the software components in an application and their ingredients, allowing organizations to determine when and where a component was created, who created it, its license data, and so on.
Access SBOM
- Before you can access the SBOM page and view its resources, you must subscribe to the SCA module. For more on SCA licensing, refer to Application Security Licenses.
- Select Application Security > SBOM. The SBOM displays an inventory of dependencies in your organization, including the following details:
- Package: The name of the package.
- Version: The version of the package.
- License: The package license.
- Found In: The repositories in which the package was detected. The number in the column is the count of repositories in which the package is found.
- Vulnerabilities: The vulnerabilities detected in the package, with a link to a CVE database for further information. The number in the column is the count of vulnerabilities detected in the package. For more details about a vulnerability, click the package in the inventory table. See below for more on dependency vulnerability details.
- Highest Severity: The highest severity among the vulnerabilities found in a package when multiple vulnerabilities are detected, or the severity of the single vulnerability.
Selecting a package from the inventory table opens the resource explorer, which displays additional information about the package:
- The Details tab opens as the default view, providing metadata about the package including name, version, license, vulnerabilities and the number of repositories in which the package is found. Selecting the number of repositories opens the Repositories tab (see below).
- The Issues tab lists all vulnerabilities detected in the package, including their description, the affected version, the fix version, the CVE policy/vulnerability with a link to the database for more details, severity, CVE ID, CVSS score and vector, risk factors, and whether the fix is private or public. To view an issue in more detail, select View Issue, which redirects to Projects.
- The Repositories tab includes details of the repositories hosting the package, their location and dependency tree, including both direct and indirect dependencies, and the Supply Chain Graph.
Supply Chain Graph
The Supply Chain Graph is a real-time attestation of the artifacts used to build, configure and invoke cloud infrastructure in your environment. It shows an opinionated supply chain attack surface of your repositories and describes how cloud infrastructure and applications may become compromised. To access the Supply Chain Graph, select SBOM > package in the inventory table > Repositories tab > Graph under Actions. For more information about the Supply Chain Graph, refer to Supply Chain Security.
Filters
You can apply the following filters to narrow down a search for a package.
- Repository: Filter packages by repository. Only repositories that include packages are listed.
- Ecosystem: Filter by the package manager hosting the dependency.
- Images: Filter by the image hosting the dependency.
- License: Filter by package license.
- Vulnerabilities: Filter the vulnerabilities by CVE ID.
- Severity: Filter the vulnerabilities by severity.
- Show only vulnerable: Toggle ON to display only vulnerable packages in the inventory table.
Generate SBOM
Generate repository SBOM data as a CycloneDX or CSV file: select the menu in the top right > Generate SBOM > choose a repository, output and type of material > Generate. When filters are applied, the generated data includes only the filtered data.
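An exported CycloneDX file can be processed offline to rebuild the inventory view described above (Package, Version, License, Found In, Vulnerabilities, Highest Severity) together with the Show only vulnerable, Severity and CVE ID filters. The following is an added example, not Prisma Cloud's code: it assumes documents in the CycloneDX 1.4 JSON layout, where `components` carry a `bom-ref` and `vulnerabilities` point at them via `affects`; the sample BOMs, package names, `CVE-EXAMPLE-*` identifiers and the severity ordering in `RANK` are constructed assumptions.

```python
import json
from collections import defaultdict

# Assumed ordering used to derive the "Highest Severity" column from several findings.
RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

def inventory(boms, only_vulnerable=False, severity=None, cve_id=None):
    """Inventory rows from CycloneDX 1.4 JSON docs (one per repo); filters mirror the UI's."""
    rows = {}
    for text in boms:
        bom = json.loads(text)
        repo = bom["metadata"]["component"]["name"]
        by_ref = defaultdict(dict)                  # bom-ref -> {CVE id: severity}
        for v in bom.get("vulnerabilities", []):
            sev = max((r.get("severity", "low") for r in v.get("ratings", [])),
                      key=lambda s: RANK.get(s, 0), default="low")
            for a in v.get("affects", []):
                by_ref[a["ref"]][v["id"]] = sev
        for c in bom.get("components", []):
            lic = ", ".join(l.get("license", {}).get("id", "?") for l in c.get("licenses", [])) or "unknown"
            row = rows.setdefault((c["name"], c["version"]), {"package": c["name"],
                  "version": c["version"], "license": lic, "found_in": set(), "vulnerabilities": {}})
            row["found_in"].add(repo)               # "Found In" counts repositories
            row["vulnerabilities"].update(by_ref.get(c["bom-ref"], {}))
    out = []
    for row in rows.values():
        vulns = row["vulnerabilities"]
        row["highest_severity"] = max(vulns.values(), key=lambda s: RANK.get(s, 0), default=None)
        if (only_vulnerable and not vulns) or (severity and severity not in vulns.values()) \
                or (cve_id and cve_id not in vulns):
            continue
        out.append(row)
    return sorted(out, key=lambda r: r["package"])

def _bom(repo, components, vulnerabilities):
    """Constructed CycloneDX 1.4-style document; not a real Prisma Cloud export."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                       "metadata": {"component": {"type": "application", "name": repo}},
                       "components": components, "vulnerabilities": vulnerabilities})

LODASH = {"bom-ref": "pkg:npm/lodash@4.17.20", "name": "lodash", "version": "4.17.20",
          "licenses": [{"license": {"id": "MIT"}}]}
EXPRESS = {"bom-ref": "pkg:npm/express@4.18.2", "name": "express", "version": "4.18.2",
           "licenses": [{"license": {"id": "MIT"}}]}
# Placeholder CVE ids, not real identifiers; both affect the same lodash version.
CVE_A = {"id": "CVE-EXAMPLE-0001", "ratings": [{"severity": "medium", "score": 5.3}],
         "affects": [{"ref": "pkg:npm/lodash@4.17.20"}]}
CVE_B = {"id": "CVE-EXAMPLE-0002", "ratings": [{"severity": "high", "score": 7.4}],
         "affects": [{"ref": "pkg:npm/lodash@4.17.20"}]}
SAMPLE_BOMS = [_bom("repo-a", [LODASH, EXPRESS], [CVE_A, CVE_B]), _bom("repo-b", [LODASH], [CVE_B])]
```

With the constructed input, `inventory(SAMPLE_BOMS, only_vulnerable=True)` returns only lodash, found in two repositories with two vulnerabilities and a highest severity of high, while express drops out as vulnerability-free.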
