Selecting an Existing Component Instance for the SBOM Part

Use this procedure to open the Select Component slideout to select a component instance from the SBOM Catalog to associate with the SBOM part you are in the process of creating or editing.

If the component instance is not found in the catalog (that is, the component is listed but its version and license are missing on the Select Component slideout), the selection process helps you to create the instance by prompting you to select a version and license(s) for the component. (These known versions and licenses for the component are gathered from the SBOM Data Library and the component repositories.) The instance that you create is automatically associated with the SBOM part and added to the SBOM Catalog.

To search for and select an existing component instance for the SBOM part:

1.

On the Create SBOM Part or Edit SBOM Part slideout (see Creating SBOM Parts Manually or Editing an SBOM Part) select the Create From Component option and then click Choose Component (or Change Component).

The Select Component slideout opens.

2.

Set up the search criterion:

a.

Enter a string in the field for the type of search you want to perform.

•

To search by component name, enter a name string in the Component field.

•

To search by the URL of the component’s forge repository, enter a URL string in the URL field.

b.

Select the type of string matching that the search should perform:

•

If you entered the exact component name or URL, select Exact from the Match Type dropdown list.

•

If you entered a partial string for either field, select the appropriate value from Match Type dropdown list: Contains, Starts With, or Ends With.

Note:You can enter a string in both the Component and URL fields. Keep in mind that the Match value you select applies to both values. The search results will include only those components that meet all the specified criteria.

Tip:Providing the exact component URL as the search criterion usually produces the result you want. Best practice is to use your browser to locate the desired component’s third-party repository or project site within a forge, such as GitHub, NuGet, or NPM (or the appropriate forge). Then copy the URL of the repository or project and paste it into the URL search field. This will result in the exact name for the component.

3.

Click Search to display the list of component instances from the SBOM Library that match your criteria.

4.

In the search results, select the appropriate component instance:

•

If you locate the instance that comprises the component, version, and license you want (even if it is missing either the version or the license), click the icon at the end of instance row to select the instance.

You are returned to the Create SBOM Part or Edit SBOM Part slideout, where information for the component instance you selected is now displayed for the SBOM part (see Selected Component Information Returned to the Create (Edit) SBOM Part Slideout). You can continue with creating or editing of the SBOM part as described in Creating SBOM Parts Manually or Editing an SBOM Part, respectively.

•

If you locate the component you want but both its version and license are missing (indicating that component instance is missing from the SBOM Catalog), click the icon at the end of component row. The Additional Information Required dialog is displayed, requiring you to select information to create the component instance. Refer to the remaining steps for further instructions.

5.

(Required) On the Additional Information Required dialog, if multiple repositories are listed for the component, select the appropriate third-party repository for the component you are identifying.

6.

(Required) Select the component’s version from the Version field.

7.

(Required) If one or more possible license are available in the Licenses field for the component version, select the license(s) you want to associate with the component instance. (If no licenses are available for the component version, the Licenses field is disabled.)

8.

Click Select to return to the Create SBOM Part or Edit SBOM Part slideout, where information for the component instance you created is now displayed (see Selected Component Information Returned to the Create (Edit) SBOM Part Slideout). The component instance is also added to the SBOM Catalog.

9.

Continue with creating or editing of the SBOM part as described in Creating SBOM Parts Manually or Editing an SBOM Part, respectively.

Selected Component Information Returned to the Create (Edit) SBOM Part Slideout

Once you return to the Create SBOM Part or Edit SBOM Part slideout after selecting the component instance, the following fields are made available on the slideout to provide information about the component instance.

•

Component—The name and version of the component.

•

Selected Licenses—The license(s) associated with this component.

•

Vulnerabilities bar graph—The counts (by severity) of the security vulnerabilities associated with this component version. See also More About Security Vulnerabilities Associated with an SBOM Part.

Additionally, the Name, Package URL (PURL), and URL fields for the SBOM part are automatically populated with information related to the component instance. The previous Choose Component button is replaced with a Change Component button.

Note:Clicking anywhere on the Vulnerabilities bar graph opens a slideout that provides details for the security vulnerabilities associated with the part (see More About Security Vulnerabilities Associated with an SBOM Part for more information). If no known vulnerabilities exist for the instance or this information cannot be obtained, a hyphen (-) replaces the bar graph.