Exploring Additional Details for an SBOM Part
The Manage SBOM Parts page lists the SBOM parts across buckets in your Organization, showing important information about each part in the list, including the name of its bucket, its associated component and licenses, totals of its known security vulnerabilities, and its creation and last-update dates. If you want to view additional details about a given part, use the following procedure. These details include the part’s copyright statements, notices (license) text, abstracted details (stored in the SBOM Insights catalog and shared by other parts), paths of files associated with the part, and more.
To view additional details for an SBOM part, follow these steps:
1. Access the Manage SBOM Parts page to show the list of SBOM parts in your Organization. See Viewing SBOM Parts for instructions.
2. To access additional details for a given SBOM part, click a non-linked portion of the part’s row. A slideout opens, titled with the name of the SBOM part.
3. Click the appropriate tab on the slideout to view details about the SBOM part:
• Part Details
• Catalog Item Details
• Associated Files
• Additional Information
4. When you are finished viewing details, click the close icon to close the slideout.
The Part Details tab on the SBOM part slideout lists the information displayed for the part in the Manage SBOM Parts list, plus additional details. A hyphen (-) is displayed as the value for any detail whose information is not available.
Detail | Description
--- | ---
Bucket | The name of the bucket to which the SBOM part belongs.
Part Name | The name of the SBOM part in componentName version (license) format.
Part Type | The entity type of the component represented by the SBOM part. The supported types are derived from the SPDX and CycloneDX specifications and include the following:
Part Link | If the SBOM part is linked to another part, the type of link and the name of the linked part (in linkType linkedPart format). A part can be linked only to another part in the same bucket. The link type describes the current SBOM part’s relationship to the linked part, so the relationship reads currentPart linkType linkedPart. The available link types are based on the SPDX and CycloneDX specifications for relationships between open-source, third-party, and commercial components. For a description of the link types, refer to the SPDX documentation: https://spdx.github.io/spdx-spec/relationships-between-SPDX-elements/
Component | The hyperlinked component name and version for the SBOM part. Click the link to open the component’s third-party project or repository page in the appropriate forge.
Licenses | The license(s) associated with the component version. (If available, the SPDX short identifier is shown for each license.) Click a hyperlinked license name to view detailed information about the license in the Linux Foundation Projects SPDX license database.
PURL | The package URL (PURL) for the component represented by the SBOM part. A PURL is a URL string that identifies and locates a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs, and databases; it standardizes the existing approaches to reliably identifying a package. Refer to the package-url/purl-spec repository on GitHub for the specification.
Created On | The date on which the SBOM part was created or imported in the system.
Created By | The user who created or imported the SBOM part in the system. Click the hyperlinked name to send an email to the user.
Updated On | The date on which the SBOM part was last edited in the system.
Updated By | The user who last edited the SBOM part in the system. Click the hyperlinked name to send an email to the user.
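Because tools write PURLs inconsistently (mixed-case type names, encoded or unencoded scopes, differently ordered qualifiers), matching a part's PURL against another SBOM or a vulnerability feed works reliably only after both sides are parsed and canonicalized. The following parser is an added example and is not part of SBOM Insights or of the purl-spec project's own code. It follows the parsing order the package-url/purl-spec describes (subpath, qualifiers, scheme, version, type, namespace and name) and applies the type-specific normalizations the spec defines for pypi, github and bitbucket; other types are left as-is. The sample PURLs in the tests are constructed for illustration, and the percent-encoding used by to_string is deliberately conservative (it encodes every reserved character), which the spec permits.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import quote, unquote


@dataclass
class PackageURL:
    """The components of a PURL: pkg:type/namespace/name@version?qualifiers#subpath"""
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None

    def to_string(self) -> str:
        """Canonical form: lowercase type, sorted qualifiers, conservative percent-encoding."""
        def enc(s: str) -> str:
            # Encoding '@', ':', '/', '?', '#' guarantees a re-parse splits exactly as we did.
            return quote(s, safe="")
        out = f"pkg:{self.type}/"
        if self.namespace:
            out += "/".join(enc(seg) for seg in self.namespace.split("/")) + "/"
        out += enc(self.name)
        if self.version:
            out += "@" + enc(self.version)
        if self.qualifiers:
            out += "?" + "&".join(f"{k}={enc(v)}" for k, v in sorted(self.qualifiers.items()))
        if self.subpath:
            out += "#" + "/".join(enc(seg) for seg in self.subpath.split("/"))
        return out


def _normalize(purl: PackageURL) -> PackageURL:
    """Type-specific rules from the purl-spec PURL-TYPES document (only the types covered here)."""
    if purl.type in ("github", "bitbucket"):
        purl.name = purl.name.lower()
        if purl.namespace:
            purl.namespace = purl.namespace.lower()
    elif purl.type == "pypi":
        purl.name = purl.name.lower().replace("_", "-")
    return purl


def parse_purl(raw: str) -> PackageURL:
    """Parse a PURL string, raising ValueError for anything that is not one."""
    s = raw.strip()
    # 1. Subpath: split once from the right on '#'; drop empty, '.' and '..' segments.
    subpath = None
    if "#" in s:
        s, sub = s.rsplit("#", 1)
        segs = [unquote(x) for x in sub.split("/") if x not in ("", ".", "..")]
        subpath = "/".join(segs) or None
    # 2. Qualifiers: split once from the right on '?'; keys are lowercased, empty values dropped.
    qualifiers: Dict[str, str] = {}
    if "?" in s:
        s, qs = s.rsplit("?", 1)
        for pair in qs.split("&"):
            if "=" in pair:
                key, value = pair.split("=", 1)
                if value:
                    qualifiers[key.lower()] = unquote(value)
    # 3. Scheme: must be 'pkg' (case-insensitive); leading slashes after it are ignored.
    scheme, sep, s = s.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError(f"not a package URL (missing pkg: scheme): {raw!r}")
    s = s.lstrip("/")
    # 4. Version: the rightmost '@', but only if it comes after the last '/'
    #    (an earlier '@' belongs to an unencoded scope such as npm's @angular).
    version = None
    at = s.rfind("@")
    if at > s.rfind("/"):
        version = unquote(s[at + 1:]) or None
        s = s[:at]
    # 5. Type is the first segment; name is the last; namespace is whatever lies between.
    ptype, sep, s = s.partition("/")
    if not sep or not ptype:
        raise ValueError(f"package URL has no type or name: {raw!r}")
    segs = [unquote(x) for x in s.split("/") if x]
    if not segs:
        raise ValueError(f"package URL has no name: {raw!r}")
    name, namespace = segs[-1], "/".join(segs[:-1]) or None
    return _normalize(PackageURL(ptype.lower(), name, namespace, version, qualifiers, subpath))


def is_purl(raw: str) -> bool:
    """Convenience predicate for validating a PURL column before comparing it."""
    try:
        parse_purl(raw)
        return True
    except ValueError:
        return False
```

To compare a part against another inventory, canonicalize both sides with parse_purl(x).to_string() and compare the strings; comparing the raw text would miss, for example, pkg:PyPI/Django_Rest_Framework and pkg:pypi/django-rest-framework, which name the same package.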
The Catalog Item Details tab on the SBOM part slideout shows the abstraction of data on which the SBOM part is based, as stored in the SBOM Insights Catalog. The catalog is a collection of such abstractions (catalog items), each a unique combination of a component version, its selected licenses, and its associated security vulnerabilities. A catalog item is shared by every SBOM part in the system that is based on it.
A hyphen (-) is displayed as the value for any detail whose information is not available or not applicable.
Field | Description
--- | ---
Component | The hyperlinked component name, as stored in the abstraction used by the SBOM part. Click the link to open the component’s third-party project or repository page in the appropriate forge.
Version | The component version, as stored in the abstraction used by the SBOM part.
Licenses | The license(s) associated with the component version, as stored in the abstraction. (If available, the SPDX short identifier is shown for each license.) Click a hyperlinked license name to view detailed information about the license in the Linux Foundation Projects SPDX license database.
Vulnerabilities | A bar graph of the current security-vulnerability counts by severity level for the component version. If no known vulnerabilities exist for the version (or this information cannot be obtained), a hyphen (-) is displayed. For more information about the color-coded severity levels, see Severity Levels for Security Vulnerabilities. To view the list of vulnerabilities associated with the component version, click anywhere on the bar graph; a slideout opens listing the vulnerabilities and their details. See Viewing Security Vulnerability Details for an SBOM Part for ways you can interact with these details.
The Associated Files tab on the SBOM part slideout lists each file in which the component associated with the part is used (that is, integrated or called) within the software entity represented by the part’s bucket. The following information is displayed for each file. (To reformat the list grid to focus on specific data, see Managing Lists in SBOM Insights.)
Column | Description
--- | ---
Name | The file name.
Path | The file path relative to the SBOM part.
MD5 | The file’s MD5 hash digest.
SHA1 | The file’s SHA-1 hash digest.
SHA256 | The file’s SHA-256 hash digest.
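The digests on this tab are what let you check that the files actually shipped are the ones the SBOM describes. The following Python checker is an added example, not part of SBOM Insights; it assumes a hypothetical export of the tab's rows (name, path, MD5, SHA1, SHA256, with "-" for a value that is not available) and a directory holding the part's files. It hashes every file once for all three algorithms, treats a SHA-256 match as the decision, classifies rows that carry only MD5 or SHA-1 separately (both are collision-prone, so an agreeing MD5 corroborates identity but does not establish it), and refuses paths that escape the part's root, since an SBOM from an untrusted source should not be able to direct the checker at arbitrary files. The sample tree built by demo() is constructed inline.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Same algorithms, in the same order, as the Associated Files columns.
ALGORITHMS = ("md5", "sha1", "sha256")


@dataclass(frozen=True)
class AssociatedFile:
    """One row of the Associated Files tab (hypothetical export; '-' means not available)."""
    name: str
    path: str  # relative to the SBOM part, as shown in the Path column
    md5: str
    sha1: str
    sha256: str


def _recorded(value: str) -> Optional[str]:
    """Normalize a recorded digest: '-' (not available) becomes None, hex is lowercased."""
    return None if value.strip() in ("", "-") else value.strip().lower()


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Read the file once and feed every hasher from the same chunks."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify_files(root: str, rows: Iterable[AssociatedFile]) -> Dict[str, List[str]]:
    """Compare each recorded row with the file on disk under root.

    ok        - the recorded SHA-256 matches the file
    mismatch  - a recorded digest disagrees with the file (tampered file or wrong record),
                or no digest is recorded at all, so nothing verifies the file
    missing   - the path does not exist under root
    weak_only - no SHA-256 recorded; the recorded MD5/SHA-1 agree (corroboration only)
    rejected  - the path escapes root (a hostile SBOM must not make us hash /etc/passwd)
    """
    real_root = os.path.realpath(root)
    report: Dict[str, List[str]] = {k: [] for k in ("ok", "mismatch", "missing", "weak_only", "rejected")}
    for row in rows:
        full = os.path.realpath(os.path.join(real_root, row.path))
        if os.path.commonpath([full, real_root]) != real_root:
            report["rejected"].append(row.path)
            continue
        if not os.path.isfile(full):
            report["missing"].append(row.path)
            continue
        actual = digest_file(full)
        recorded = {"md5": _recorded(row.md5), "sha1": _recorded(row.sha1), "sha256": _recorded(row.sha256)}
        if recorded["sha256"] is not None:
            report["ok" if recorded["sha256"] == actual["sha256"] else "mismatch"].append(row.path)
            continue
        weak = [alg for alg in ("md5", "sha1") if recorded[alg] is not None]
        if weak and all(recorded[alg] == actual[alg] for alg in weak):
            report["weak_only"].append(row.path)
        else:
            report["mismatch"].append(row.path)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed sample tree: one row each for ok, mismatch, missing, weak_only and rejected."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        contents = {
            "lib/vendor.js": b"export const vendor = 1;\n",
            "lib/tampered.js": b"export const tampered = 1;\n",
            "legacy.bin": b"\x00\x01legacy blob",
        }
        for rel, data in contents.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        d = {rel: digest_file(os.path.join(root, rel)) for rel in contents}
        rows = [
            AssociatedFile("vendor.js", "lib/vendor.js", d["lib/vendor.js"]["md5"],
                           d["lib/vendor.js"]["sha1"], d["lib/vendor.js"]["sha256"]),
            AssociatedFile("tampered.js", "lib/tampered.js", d["lib/tampered.js"]["md5"],
                           d["lib/tampered.js"]["sha1"], d["lib/tampered.js"]["sha256"]),
            # Recorded but never shipped; the SHA-256 of the empty string stands in for a real value.
            AssociatedFile("gone.js", "lib/gone.js", "-", "-",
                           "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
            # Older record that only carried an MD5.
            AssociatedFile("legacy.bin", "legacy.bin", d["legacy.bin"]["md5"], "-", "-"),
            # Path traversal attempt in the record itself.
            AssociatedFile("passwd", "../../etc/passwd", "-", "-", "-"),
        ]
        # Digests were recorded above; now one file is modified after the fact.
        with open(os.path.join(root, "lib/tampered.js"), "ab") as fh:
            fh.write(b"// appended after the SBOM was produced\n")
        return verify_files(root, rows)
```

Run demo() to see the five outcomes; in practice, point verify_files at the unpacked artifact with the rows exported for the part, and treat anything in mismatch or rejected as a finding, weak_only as a record worth re-hashing with SHA-256 before relying on it.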
The Additional Information tab on the SBOM part slideout provides a description of the part, copyright statements, notices (license) text, and system or user notes provided about the part.
Field | Description
--- | ---
Part Description | A description of the SBOM part.
Copyrights | Copyright statements associated with the SBOM part.
Notices Text | The license text associated with the SBOM part.
Notes | Any notes provided for the SBOM part. For example, an SBOM part imported from Code Insight might include system notes about the detection of the SBOM part (inventory item) during the scan, legal or security notes provided by reviewers after the scan, or remediation notes about how the component was brought into compliance with company or security policy. This field can also carry CycloneDX VEX information stating whether the known security vulnerabilities associated with the SBOM part actually affect it.
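A VEX statement is only useful in the Notes field if it is auditable: a vulnerability marked not_affected needs a justification a reviewer can check, and the statement must actually refer to this part. The following Python helper is an added example, not part of SBOM Insights or of the CycloneDX project. It reads a CycloneDX VEX document (the vulnerabilities array with its analysis and affects objects, as defined from CycloneDX 1.4 onward), selects the statements whose affects.ref matches the part, renders each as a one-line note, and flags a not_affected state that lacks a recognised justification. The document, its EXAMPLE-000n identifiers and the pkg:pypi/example-lib part reference are constructed placeholders, not real advisories or packages.

```python
import json
from typing import Dict, List

# Enumerations from the CycloneDX 1.4+ vulnerability 'analysis' object.
VEX_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
              "in_triage", "false_positive", "not_affected"}
VEX_JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                      "requires_dependency", "requires_environment", "protected_by_compiler",
                      "protected_at_runtime", "protected_at_perimeter",
                      "protected_by_mitigating_control"}

# Constructed VEX document. The ids and the referenced packages are placeholders only.
SAMPLE_VEX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "source": {"name": "constructed"},
         "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                      "detail": "Only the parser module is used; the vulnerable network handler is never loaded."},
         "affects": [{"ref": "pkg:pypi/example-lib@1.2.3"}]},
        {"id": "EXAMPLE-0002", "source": {"name": "constructed"},
         "analysis": {"state": "exploitable", "response": ["update"],
                      "detail": "Fixed in 1.2.4; upgrade scheduled."},
         "affects": [{"ref": "pkg:pypi/example-lib@1.2.3"}]},
        # A bare not_affected with no justification: the statement cannot be audited.
        {"id": "EXAMPLE-0003", "analysis": {"state": "not_affected"},
         "affects": [{"ref": "pkg:pypi/other-lib@9.9.9"}]},
    ],
})


def vex_notes_for_part(vex_json: str, part_ref: str) -> Dict[str, List[str]]:
    """Return {'notes': [...], 'problems': [...]} for the statements that name part_ref.

    part_ref is whatever the VEX producer used in affects.ref, typically the component's
    bom-ref or its PURL. Statements about other components are ignored.
    """
    doc = json.loads(vex_json)
    notes: List[str] = []
    problems: List[str] = []
    for vuln in doc.get("vulnerabilities", []):
        if part_ref not in {a.get("ref") for a in vuln.get("affects", [])}:
            continue
        vid = vuln.get("id", "<no id>")
        analysis = vuln.get("analysis") or {}
        state = analysis.get("state")
        if state not in VEX_STATES:
            problems.append(f"{vid}: missing or unknown analysis state {state!r}")
            continue
        justification = analysis.get("justification")
        if state == "not_affected" and justification not in VEX_JUSTIFICATIONS:
            problems.append(f"{vid}: not_affected without a recognised justification")
        line = f"{vid}: {state}"
        if justification:
            line += f" ({justification})"
        if analysis.get("response"):
            line += "; response: " + ", ".join(analysis["response"])
        if analysis.get("detail"):
            line += " - " + analysis["detail"]
        notes.append(line)
    return {"notes": notes, "problems": problems}
```

The lines in notes are what you would paste into the part's Notes field; anything in problems should go back to whoever produced the VEX before the part is marked as reviewed.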