
SBOM Part Details

Refer to the following table for a description of each detail shown on the SBOM Part: <partName> slideout for the SBOM part selected on the Manage SBOM Parts page. (To access this slideout, see Exploring Additional Details for an SBOM Part.)

The details on the SBOM Part slideout are organized on two tabs: Part Details and Associated Files.

Part Details

The Part Details tab on the SBOM Part: <partName> slideout provides the following information about the selected part. A hyphen (-) is displayed for any detail whose value is not available.

| Section | Property | Description |
|---|---|---|
| General | | This section provides general information used to identify the SBOM part and other basic details. |
| | Bucket | The name of the bucket to which the SBOM part belongs. |
| | Part Name | The name of the SBOM part in componentName version (license) format. |
| | Part Type | The entity type of the component represented by the SBOM part. The supported types are derived from the SPDX and CycloneDX specifications and include the following: Application (a software application); Container (a container belonging to a software application); Device (software installed on a device); File (a file belonging to a software application); Firmware (code embedded in a device); Framework (a software framework for developing an application); Library (a software library used in a program or application); Operating System (an operating system on a device). |
| | Part Link | If the SBOM part is linked to another part, the type of link and the name of the linked part (in linkType linkedPart format). A part can be linked only to another part in the same bucket. The link type describes the current SBOM part’s relationship with the linked part (so that the relationship reads currentPart linkType linkedPart). The available link types are based on the SPDX and CycloneDX specifications for identifying relationships between open-source, third-party, and commercial components in software. For a description of the link types, refer to the SPDX documentation at https://spdx.github.io/spdx-spec/relationships-between-SPDX-elements/ |
| | PURL | The PURL (package URL) for the component represented by the SBOM part. A PURL is an attempt to standardize existing approaches to reliably identify and locate software packages. That is, it attempts to identify and locate a software package in the most universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs, and databases. Refer to the package-url/purl-spec page in GitHub for additional information. |
| | Status | The review status of the part as defined in the source from which it was imported to SBOM Management. For a manually created part, the status is Not Reviewed. |
| | Created On | The date on which the SBOM part was created or imported in the system. |
| | Created By | The user who created or imported the SBOM part in the system. You can click the hyperlinked name to send an email to the user. |
| | Updated On | The date on which the SBOM part was last edited in the system. |
| | Updated By | The user who last edited the SBOM part in the system. You can click the hyperlinked name to send an email to the user. |
| Catalog Item Details | | This section shows the abstraction of data on which the SBOM part is based, as stored in the SBOM Catalog. This catalog is a collection of such abstractions, each containing a unique combination of a component version, selected licenses, and associated security vulnerabilities. Catalog items are shared across multiple SBOM parts in the system. |
| | Component | The hyperlinked component name, as stored in the abstraction used by the SBOM part. Click the link to open the web page of the component’s third-party project or repository within the appropriate forge. |
| | Version | The component version, as stored in the abstraction used by the SBOM part. |
| | Licenses | The license(s) associated with the component version, as stored in the abstraction. (If available, the SPDX short name is shown for each license.) Click the hyperlinked license name to view detailed information about the license in the Linux Foundation Projects SPDX license database. |
| | Vulnerabilities | The Vulnerabilities bar graph listing the current security-vulnerability counts by severity level for the component version. If no known vulnerabilities exist for the version (or this information cannot be obtained), a hyphen (-) is displayed. For more information about the color-coded severity levels, see Severity Levels for Security Vulnerabilities. To view the list of vulnerabilities associated with the component version, click anywhere on the bar graph. A Vulnerabilities slideout opens, showing a grid of the associated vulnerabilities and their details. See More About Security Vulnerabilities Associated with an SBOM Part for ways you can interact with these details. (You can also open the Vulnerabilities slideout by clicking the menu icon at the end of the part row and selecting Vulnerabilities.) |
| Additional Information | | This section includes a description of the SBOM part and its copyright statements, notices (license) text, and any system or user notes provided. |
| | Part Description | A description of the SBOM part. |
| | Copyrights | Copyright statements associated with the SBOM part. |
| | Notices Text | The license text associated with the SBOM part. |
| | Notes | Any notes provided for the SBOM part. For example, an imported SBOM part might include notes from the source environment, including system notes about the detection of the SBOM part (inventory item) during a scan, any legal or security notes provided by reviewers post-scan, or remediation notes about how the component was brought into compliance with company/security policy. This field can also include CycloneDX VEX report information about whether or not known security vulnerabilities associated with the SBOM part actually affect the part. |

Associated Files

The Associated Files tab on the slideout for the SBOM part lists the following information about each file that is associated with the component represented by the part. (These files are found within the software entity represented by the part’s bucket.) A hyphen (-) is displayed for any detail whose value is not available.

Currently, the file information is obtained only through the import of SBOM parts. You cannot add or delete the associated files in the list.

| Detail | Description |
|---|---|
| Name | The file name. |
| Path | The file path of the SBOM part within the application or entity where it is found. |
| MD5 | The file’s MD5 hash digest. |
| SHA1 | The file’s SHA-1 hash digest. |
| SHA256 | The file’s SHA-256 hash digest. |
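As an added example (not code from the product or from this page), the following Python builds the Part Name string in the componentName version (license) format described in the Part Details table and checks an associated file's MD5, SHA-1 and SHA-256 digests against those recorded for it in an imported SBOM, reporting a hyphen for any digest the SBOM does not carry. The component record and file bytes are constructed sample data, and the CycloneDX component layout used for the record is an assumption about the import source.

```python
import hashlib

# Constructed sample data (not from any real SBOM). The record uses the CycloneDX
# 'components' layout, one of the two formats the page names as a source of parts.
FILE_BYTES = b"example library contents\n"   # constructed stand-in for the file on disk

def file_digests(data: bytes) -> dict:
    """Digests keyed by the detail names used on the Associated Files tab."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }

# CycloneDX hash algorithm names mapped to the tab's detail names.
ALG_TO_DETAIL = {"MD5": "MD5", "SHA-1": "SHA1", "SHA-256": "SHA256"}

COMPONENT = {
    "type": "library",
    "name": "example-lib",
    "version": "1.4.2",
    "licenses": [{"license": {"id": "MIT"}}],
    "purl": "pkg:npm/example-lib@1.4.2",
    # Recorded digests, computed here from FILE_BYTES so the sample is self-consistent.
    "hashes": [{"alg": alg, "content": file_digests(FILE_BYTES)[detail]}
               for alg, detail in ALG_TO_DETAIL.items()],
}

def part_name(component: dict) -> str:
    """Build the Part Name in 'componentName version (license)' format.
    Unavailable values are shown as a hyphen, as on the slideout."""
    ids = [lic.get("license", {}).get("id") for lic in component.get("licenses", [])]
    ids = [i for i in ids if i]
    license_text = ", ".join(ids) if ids else "-"
    return f"{component.get('name', '-')} {component.get('version', '-')} ({license_text})"

def verify_associated_file(component: dict, data: bytes) -> dict:
    """Compare digests recorded in the SBOM with the file's actual digests.
    Returns 'match', 'mismatch' or '-' (digest absent from the SBOM) per detail."""
    actual = file_digests(data)
    recorded = {ALG_TO_DETAIL[h["alg"]]: h["content"].lower()
                for h in component.get("hashes", []) if h.get("alg") in ALG_TO_DETAIL}
    return {d: ("-" if d not in recorded else "match" if recorded[d] == actual[d] else "mismatch")
            for d in actual}

if __name__ == "__main__":
    print(part_name(COMPONENT))
    print(verify_associated_file(COMPONENT, FILE_BYTES))            # all match
    print(verify_associated_file(COMPONENT, FILE_BYTES + b"\x00"))  # all mismatch
```

A mismatch on any digest means the file on disk is not the one the SBOM describes, which is the check to run before trusting the imported part's vulnerability and license data for that file.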