Methods Available for Creating an SBOM Part

This section describes the methods available for creating an SBOM part manually. You can create a part either by selecting an existing component instance to associate with the part or by providing your own description of the component. You choose the method by selecting or clearing the Create From Component option, as described in Fields Used to Define an SBOM Part, when you create (or edit) an SBOM part.

Selecting a Component Instance From the SBOM Catalog

If you want to create an SBOM part by associating it with a component-version-license instance found in the SBOM Catalog, use the component search feature provided by SBOM Management to help you locate the instance. The search processes the criteria that you provide to gather a list of possible component-version-license instances from the catalog. The search also gathers known versions and licenses for the component from the SBOM Data Library and from the component’s external forge site, enabling you to create a component instance for the part if necessary. (The instance, in turn, is added to the catalog.) Selecting a component instance from the catalog to associate with the SBOM part ensures proper licensing and security-vulnerability reporting for the SBOM part.

Using Freeform Input to Identify the Component

At times, you might need to add a part to your SBOM that does not represent a typical self-contained component, but instead represents an individual source or binary file, a code fragment, an image and icon, or a documentation file. This type of component is most likely not found during component searches. To create an SBOM part associated with a component that is most likely not officially cataloged anywhere, you can provide freeform input to identify the part. You can always associate the part with a component-version-license instance from the SBOM Catalog later.