Components installed with Software Bill of Materials applications
Summarize
Summary of Components installed with Software Bill of Materials applications
Activating the Software Bill of Materials (SBOM) applications in ServiceNow installs several key components including tables, user roles, and scheduled jobs. These components collectively enable effective management, analysis, and response to software bill of materials data, licenses, and vulnerabilities.
Show less
Roles Installed
The SBOM applications install multiple user roles that control access and permissions:
- SBOM Response Roles:
- snsbomresponse.managelicense: Allows resolving licenses to components.
- snsbomresponse.licenseresolver: Permits viewing uploaded license info and determining permitted vs banned licenses.
- snsbomresp.sbomanalyst: Inherits admin roles and grants access to the SBOM Workspace.
- Data Model for SBOM Roles:
- SBOM write (snsbomdm.appwrite), create (snsbomdm.appcreate), read (sbomdm.appread): Enable creating, editing, and reading SBOM records.
- SBOM Core Roles:
- sbomingest (snsbomcore.sbomingest): Allows manual and API SBOM uploads.
- admin (snsbomcore.admin): Full SBOM data access, upload, and module access; inherits Data Model roles.
Tables Installed
The SBOM applications install comprehensive tables to store and manage SBOM data. Key tables include:
- Data Model for SBOM Tables: Store BOM documents, components, component relationships, licenses, suppliers, identifiers, properties, hashes, contacts, external references, and package groupings to efficiently manage component versions and avoid redundant data pulls.
- SBOM Response Tables: Support vulnerability management and reporting with tables for AVIT creation rules, component-vulnerability mappings, vulnerability fix information, report insights, and integration imports for dependencies and vulnerability intelligence.
Scheduled Jobs
Several scheduled jobs automate key SBOM maintenance and intelligence tasks:
- Calculate Component Fixability and Vulnerability: Determines fixability and vulnerability data for components.
- OSV Integration (New Components and Comprehensive): Fetches publicly known vulnerabilities for imported packages, either incrementally or comprehensively.
- Deps.dev Integration: Retrieves all known versions of packages to identify stale or abandoned components.
- Update vulnbasedcriticality on BOM components: Updates criticality scores of components based on vulnerabilities.
Practical Impact for ServiceNow Customers
By enabling the SBOM applications, customers gain a robust framework to ingest, analyze, and respond to software bill of materials data. The installed roles allow appropriate access control for license management and vulnerability analysis. The extensive data model tables provide a structured repository for component and license details. Scheduled jobs keep vulnerability intelligence current and enable proactive remediation planning. This setup supports compliance, security risk management, and informed decision-making around software components in your environment.
Several types of components are installed with activation of the Software Bill of Materials applications, including tables, user roles, and scheduled jobs.
Roles installed
| Role title [name] | Description | Contains roles |
|---|---|---|
|
sn_sbom_response.managelicense |
This role is installed with the SBOM Response application. This role permits you to resolve licenses to components. |
None |
|
sn_sbom_response.licenseresolver |
This role is installed with the SBOM Response application. This role permits you to view uploaded license information and determines which licenses are permitted and which are banned. |
None |
|
SBOM write [sn_sbom_dm.app_write], SBOM create [sn_sbom_dm.app_create], SBOM read [sbom_dm.app_read] |
These roles are installed with the Data Model for SBOM application. They permit you to read, create, and edit records in SBOM tables. |
None |
|
SBOM Cores ingests [sn_sbom_core.sbom_ingest] and SBOM Core admin [ sn_sbom_core.admin] |
These roles are installed with the SBOM Core application. The sn_sbom_core.sbom_ingest role permits you to upload SBOMs manually and via the REST API. The sn_sbom_core.admin role permits you to create, read, edit data, and upload SBOMs. This role also gives you access to the SBOM Core modules in your instance. It inherits the roles from the Data Model for SBOM application. |
|
|
SBOM Analyst [sn_sbom_resp.sbom_analyst] |
This role is installed with the SBOM Response application. It inherits the sn_sbom_core.admin role and enables you to access the SBOM Workspace. |
|
Tables installed with the SBOM applications
The tables listed in the following table are installed with the Data model for SBOM application.
| Table | Description |
|---|---|
SBOM document [sn_sbom_doc] |
Contains the BOM entities you've uploaded. |
SBOM component [sn_sbom_component] |
Contains imported SBOM components, classifiers, and versions that are included in the parent component. |
SBOM component relationship [sn_sbom_comp_relationship] |
Contains components and their dependencies. |
SBOM m2m bom component [sn_sbom_m2m_bom_comp] |
Contains the BOM component mappings. |
SBOM license [sn_sbom_license] |
Contains the open-source license IDs used for components. |
SBOM supplier [sn_sbom_supplier] |
Contains the organization that supplied the component, which might be a manufacturer, distributor, or repackager. |
SBOM component ID [sn_sbom_comp_id] |
Contains the component identifiers. |
SBOM component properties [sn_sbom_comp_property] |
Contains the component name-value properties. |
SBOM hash [sn_sbom_hash] |
Contains component hashing algorithms. |
SBOM contact [sn_sbom_contact] |
Contains contact information for the supplier. |
SBOM external references [sn_sbom_comp_external_ref] |
Contains components, component types, and external URLs that document systems, sites, and information that might be relevant but are not included with the SBOM. |
SBOM package group [sn_sbom_pkg_group] |
Contains the package group information for every component. Multiple version of libraries may be used across applications. Versions of the same components are grouped and added to this table to avoid pulling the same data multiple times. |
The tables listred in the following table are installed with the SBOM Response application
| Table | Description |
|---|---|
SBOM creation rule configuration [sn_sbom_config_rule] |
Contains AVIT creation rules used in the SBOM Workspace. |
SBOM m2m component vulnerabilities [sn_sbom_m2m_comp_vuln] |
Contains the components and associated vulnerabilities. |
| Component vulnerability fix information [sn_sbom_comp_vuln_fix_info] |
Contains the fix versions for each third-party vulnerability associated to a version of the component. |
| Component report insights [sn_sbom_comp_report_insight] |
Contains insights about stale, abandoned, and fixability data for components. |
| Deps Integration Imports [sn_sbom_deps_integration_import] |
Contains imported version list information for a given package or library. |
| OSV Integration Imports [sn_sbom_osv_integration_import] |
Contains vulnerability intelligence information for a given version of a package or library. |
| Component Version Lists [sn_sbom_st_version_list] |
Contains version information and published dates for components. |
Scheduled jobs
| Job | Description |
|---|---|
| Calculate Component Fixability and Vulnerability | Calculates information about how to fix components with vulnerabilities and how likely it is that you can fix components. |
| OSV Integration New Components | Retrieves all publicly known vulnerabilities associated with packages (libraries) that were imported after the last integration run. |
| OSV Integration Comprehensive | Retrieves all publicly known vulnerabilities associated with all packages that have been imported. |
| Deps.dev Integration | Retrieves all publicly known versions for packages and used with to identify components in Stale and Abandoned states. |
| Update vuln_based_criticality on bom components | Updates criticality for components with vulnerabilities. |