Fields Used to Define an SBOM Part
| Field | Description |
|---|---|
| Bucket | Select the bucket to which you want to add the SBOM part. |
| Create From Component | Choose either option. Clicking either button opens the Select Component slideout, enabling you to start the search process. For the next steps, see Selecting an Existing Component Instance for the SBOM Part. For an explanation of the reasons for selecting an existing component, or for not selecting this option, see Methods Available for Creating an SBOM Part. |
| Choose Component | Note: This field is available only if the Create From Component option is selected but no component instance has been selected for the SBOM part yet. See the previous Create From Component field description. Click this button to open the Select Component slideout, enabling you to search for a component instance in the SBOM Catalog to associate with the SBOM part. For further instructions, see Selecting an Existing Component Instance for the SBOM Part. Once the component is selected, this button switches to Change Component. See the later field description for this button. |
| The following fields are available only when the Create From Component option is selected and a component instance is currently selected for the SBOM part. See the previous Create From Component and Choose Component field descriptions. | |
| Component | The name and version of the component as retrieved from the SBOM Catalog or SBOM Data Library. Click the hyperlinked component name to open the web page of the component's third-party project or repository within the appropriate forge. (This external site is opened in a separate browser tab.) This field is read only and can be changed only if you select a different component by using the Change Component button. |
| Change Component | Click this button to open the Select Component slideout, enabling you to select a different existing component for the part. For the next steps, see Selecting an Existing Component Instance for the SBOM Part. |
| Licenses | The license(s) associated with the component as retrieved from the SBOM Catalog or SBOM Data Library. Click the hyperlinked license name to view detailed information about the license within the Linux Foundation Projects SPDX license database. (This external site is opened in a separate browser tab.) This field is read only and can be changed only if you select a different component by using the Change Component button. |
| Vulnerabilities | Note: This bar graph is displayed only when security vulnerabilities are associated with the selected component instance; otherwise, a hyphen (-) is displayed. The Vulnerabilities bar graph lists the current counts of security vulnerabilities by severity level for the component version. If no known vulnerabilities exist for the version (or this information cannot be obtained), a hyphen (-) is displayed. For more information about the color-coded severity levels, see Severity Levels for Security Vulnerabilities. To view the list of vulnerabilities associated with the part, click anywhere on the bar graph. A slideout opens, listing the vulnerabilities and their details. See More About Security Vulnerabilities Associated with an SBOM Part. |
| Name | Enter the name of the component, usually in componentName version (license) format, associated with the SBOM part. This name is automatically provided if you have selected a component instance for the part from the SBOM Catalog. See the previous Create From Component field description. |
| Part Type | Select the entity type for the component represented by the SBOM part. The supported types are derived from the SPDX and CycloneDX specifications and include the following: |
| Link Part | If you want to link the SBOM part to another part in the same bucket to identify a relationship between the parts, select this option. The Select SBOM Part slideout opens, enabling you to select the other part. (See Linking the Current SBOM Part to Another Part for the next steps.) Once you select the part, you are returned to the Create SBOM Part slideout to finish defining the link by selecting the link type. See the Part Link Type and other field descriptions below. Additionally, the Link Part button is replaced with a Remove Linked Part button. If you do not want to establish a link with another part, do not select this option. Note: The Link Part button is enabled only if you have already selected a bucket in the Bucket field for the SBOM part you are creating. (The bucket must be identified because the part that you select for the link must exist in the same bucket as the SBOM part you are creating or editing.) |
| The following fields are available once you link the current SBOM part with another part in the bucket. | |
| Remove Linked Part | Click to remove the current link. This button is replaced with the Link Part button. |
| Linked Part Name | The component instance name, in component version (license) format, of the SBOM part linked with the current part. |
| Linked Part Selected Licenses | The license(s) associated with the linked SBOM part. Click the hyperlinked license name to view detailed information about the license within the Linux Foundation Projects SPDX license database. (This external site is opened in a separate browser tab.) This field is read only. |
| Part Link Type | Select the value that identifies the relationship between the current part (the part that you are creating or editing) and the linked part. The current part is always the first element in the relationship syntax. For example, if you select the type Build Dependency of, the relationship syntax reads "the currentPart is a build dependency of the linkedPart". These values are based on the SPDX and CycloneDX specifications for identifying relationships between open-source, third-party, and commercial components in software. For a description of the relationships, refer to SPDX Specification, Clause 11: Relationship between SPDX Elements Information. |
| Package URL (PURL) | Enter the PURL (package URL) for the component represented by the SBOM part. Package URLs standardize the way in which software packages and their locations are identified so that this information is uniform across programming languages, packaging conventions, tools, APIs, and databases. Refer to the package-url/purl-spec page on GitHub for additional information. This value (if available) is automatically provided if you have selected a component instance for the part from the SBOM Catalog. See the previous Create From Component description. |
| URL | Enter the URL of the forge repository for the component. This value (if available) is automatically provided if you have selected a component instance for the part from the SBOM Catalog. See the previous Create From Component description. |
| Part Description | Enter a description of the component. |
| Copyrights | Enter the copyright information associated with the component. |
| Notices Text | Enter the license text associated with the component. |
| Technopedia ID | Provide the following link to the Technopedia documentation: https://resources.flexera.com/web/media/documents/Datasheet-DP-Technopedia.pdf |
| Notes | Enter any notes or analyses that you want an SBOM reviewer to know about. |