Checking a Software Bill of Materials entity for vulnerabilities
- Updated Sep 9, 2025
- Zurich
- Security Operations
Determine whether any vulnerabilities are associated with the components in an uploaded Software Bill of Materials (SBOM) file.
Applications required:
- SBOM Response
- Vulnerability Response Integration with NVD and CWE jobs
- Vulnerability Response
Role required: sn_sbom_resp.sbom_analyst
- Navigate to .
- You can view vulnerability information either through a visualization or a component record.
Method: BOM Entities with Vulnerabilities visualization
- Select the BOM Entities with Vulnerabilities visualization graph.
- If vulnerabilities are associated with this component, the totals are displayed in the CVE and CWE columns on the list. A component can have more than one vulnerability. If available, you can check the Fixability column on this list for entries.
- If no vulnerabilities are associated with this component, these columns display 0 or no values for the component.
If the CVE, CWE, and Fixability columns are not displayed, you can add them to the page by selecting the gear icon on the upper right of the page and then Edit columns. Select them from the Available column list and select OK.
Method: Component record
- Select a record from the list below the visualizations.
- Select the Vulnerabilities tab on the record.
- If no data is displayed, no reported vulnerabilities are associated with the record.
- If data is displayed, see Reviewing the Components module in the Software Bill of Materials Workspace and follow the steps in the remediation workflow for Application Vulnerability Response to address the vulnerability.
For more information, see Remediating Application Vulnerability Response vulnerabilities.
Assessing your risk with vulnerability intelligence
View enhanced vulnerability data on component records with SBOM Response. The SBOM Response application, Vulnerability Response, and the National Vulnerability Database (NVD) Integration and Common Weakness Enumeration (CWE) scheduled jobs described in Supported applications must be installed and activated.
- Select the All Components visualization to view its list of associated records.
- Select a link in the Name column to open a record.
The states Stale, Abandoned, and Vulnerable are displayed under the component name. A component can have any combination of these states. If no state is displayed, the component is not stale, abandoned, or vulnerable.
Review the current version and the latest published version. In the right panel, you can view a version history. The current version is highlighted in the version history, and its position in the list may give you insight into why a component is Stale, Abandoned, or Vulnerable. For example, you might be using an older version of a component.
- Select the Overview, Hashes, BOM Entities, Vulnerabilities, and AVIs related tabs on the record.
- Overview - A summary of the component details.
- BOM Entities - A list of the entities associated with this component.
- Hashes - If imported, hashes are displayed.
- Vulnerabilities - Information about known vulnerabilities associated with this component. If this list is empty, there are no known vulnerabilities.
If the list is populated, select the tab to view vulnerability IDs, summaries, and other vulnerability information for the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) data associated with this record. CVEs are broken down by severity; CWEs are broken down by how likely the weakness is to be exploited. You can view the enhanced vulnerability records in the Vulnerability Response or Application Vulnerability Response applications by selecting the vulnerability ID link.
- AVIs (AVITs) - Application vulnerable items associated with this component if you have created AVIT creation rules that match the component to a known vulnerability. The Application Vulnerability Response application (AVR) relates a vulnerability to an application to create an AVI record. For more information, see Creating rules for application vulnerable items in the Software Bill of Materials Workspace.
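As an added illustration of what the CVE, CWE, and Fixability columns and the Stale and Vulnerable states summarize, the following Python script (example code, not ServiceNow's, and not how SBOM Response computes these values) joins a constructed CycloneDX-style SBOM with a constructed vulnerability feed and a latest-version lookup. The feed format, the Stale rule, and every sample value (including the placeholder CVE ids) are assumptions.

```python
import json

def version_key(v):
    """Numeric tuple for a dotted version string, e.g. '1.10.2' -> (1, 10, 2)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

# Constructed CycloneDX-style SBOM fragment (sample data, not a real export).
SBOM_JSON = json.dumps({"components": [
    {"name": "libfoo", "version": "1.2.0"},
    {"name": "libbar", "version": "3.0.1"},
]})

# Constructed vulnerability feed keyed by component name. The CVE ids are
# placeholders, not real advisories; fixed_in is None when no fix is published.
VULN_FEED = {"libfoo": [
    {"cve": "CVE-0000-0001", "cwes": ["CWE-79"], "affected": ["1.2.0"], "fixed_in": "1.3.0"},
    {"cve": "CVE-0000-0002", "cwes": ["CWE-79", "CWE-89"], "affected": ["1.2.0"], "fixed_in": None},
]}

# Constructed latest-published-version lookup (stands in for the version history panel).
LATEST = {"libfoo": "1.3.0", "libbar": "3.0.1"}

def summarize(sbom_json, feed, latest):
    """Per component: CVE total, distinct CWE total, Fixability entry, and derived states."""
    out = {}
    for comp in json.loads(sbom_json)["components"]:
        name, version = comp["name"], comp["version"]
        hits = [v for v in feed.get(name, []) if version in v["affected"]]
        cves = sorted(v["cve"] for v in hits)
        cwes = sorted({c for v in hits for c in v["cwes"]})  # one CVE may map to several CWEs
        fixable = any(v["fixed_in"] for v in hits)             # Fixable if any hit has a fixed version
        states = []
        # Assumed rule: Stale when a newer version than the current one has been published.
        if name in latest and version_key(version) < version_key(latest[name]):
            states.append("Stale")
        if cves:
            states.append("Vulnerable")
        out[name] = {"cve": len(cves), "cwe": len(cwes),
                     "fixability": "Fixable" if fixable else "", "states": states}
    return out

if __name__ == "__main__":
    for name, row in summarize(SBOM_JSON, VULN_FEED, LATEST).items():
        print(name, row)
```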