Tutorial 5 - Working with SBOMs in a Product

You have just received a Software Bill of Materials (SBOM) from your supplier. Sign into DejaCode.

Create a Product

  1. Select Products from the main menu bar.

  2. Click the green Add Product button. Enter the values you know. Refer to Product model for details about each field.

  3. Set a name, then click the Add Product button at the bottom of the form.

_images/add-new-product.jpg

Load an SBOM to your Product

  1. Download and unzip the following SBOM example from:

    https://github.com/aboutcode-org/dejacode/raw/refs/heads/main/docs/sboms/storm-core-1.0.1.cdx.json.zip

  2. On the Product details page, from the Action dropdown, select Load Packages from SBOMs:

    • Click the Browse field beneath SBOM file or zip archive.

    • Select the storm-core-1.0.1.cdx.json file, leave the additional options unchecked, and click the Load Packages button.

_images/action-load-packages-from-sbom.jpg

  3. Click the Imports tab to view your progress.

_images/imports-tab-1.jpg

  4. View your import results in the Inventory tab.

_images/inventory-tab-1.jpg

  5. You can enrich the data provided by your supplier. From the Action dropdown, select Improve Packages from PurlDB:

_images/improve-packages-from-purldb.jpg

  6. Click the Imports tab to view your progress.

_images/imports-tab-2.jpg

  7. Return to the Inventory tab.

_images/inventory-tab-2.jpg

  8. Filter the Inventory by Compliance status to determine which packages may require additional curation. Select Review Required in this context.

_images/compliance-status-filter.jpg

  9. Click the pencil icon in the Item column to review a Package. Use the modal form to update the Concluded license expression, select Approved in this context, and click the Update button.

_images/product-package-relationship.jpg

  10. Unfilter the Inventory by selecting All from the Compliance status dropdown.

_images/compliance-status-all.jpg

Review Vulnerabilities Affecting Your Product

  1. You can filter the Inventory to show only vulnerable packages.

_images/inventory-affected-by-vulnerabilities.jpg

  2. Navigate to the Vulnerabilities tab on the Product page, which presents a comprehensive view of all the Vulnerabilities for your Product, filtered to those with a Risk greater than the Risk Threshold defined for your Dataspace.

_images/product-vulnerabilities-tab-1.jpg

  3. You can sort and filter by Risk, Exploitability and Severity, as well as other fields, to focus on specific Vulnerabilities.

  4. You can set a specific Risk Threshold for your Product. Click the pencil icon next to the Product name, scroll down to Vulnerabilities risk threshold, enter a value such as 9, and click the Update Product button to filter your results to show only critical items.

_images/product-vulnerabilities-risk-threshold.jpg

Conduct Vulnerability Analysis

  1. Review each vulnerability in the Vulnerabilities tab.

_images/vulnerability-analysis-modal1.jpg

  2. Add details or analysis for each vulnerability as needed, which will enhance reporting and exports.

_images/vulnerabilities-tab-with-analysis1.jpg

Export CycloneDX SBOM with VEX

  1. On the Product details page, from the Share dropdown, select CycloneDX SBOM + VEX.

_images/share-cdx1.jpg

  2. The analysis details you provide for product package vulnerabilities are included in the vulnerabilities section of the CycloneDX VEX output.
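As an added example (not part of this tutorial or DejaCode's own code), the following Python script reads a CycloneDX SBOM + VEX document and lists the analysis state recorded for each entry in its vulnerabilities section, so a downstream consumer can confirm that the analysis details made it into the export and spot packages that still lack an analysis. The document, package names and vulnerability identifiers are constructed sample data, not a real DejaCode export.

```python
import json

# Constructed CycloneDX 1.5 SBOM + VEX document (sample data only).
# Real exports carry many more fields; only those read below are included.
SAMPLE_CDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:maven/org.example/lib-a@1.0.1",
         "name": "lib-a", "version": "1.0.1",
         "purl": "pkg:maven/org.example/lib-a@1.0.1"},
        {"bom-ref": "pkg:maven/org.example/lib-b@2.3.0",
         "name": "lib-b", "version": "2.3.0",
         "purl": "pkg:maven/org.example/lib-b@2.3.0"},
    ],
    "vulnerabilities": [
        {"id": "VULN-EXAMPLE-1",  # placeholder id, not a real advisory
         "affects": [{"ref": "pkg:maven/org.example/lib-a@1.0.1"}],
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable",
                      "detail": "Vulnerable parser is never invoked."}},
        {"id": "VULN-EXAMPLE-2",  # no analysis recorded yet
         "affects": [{"ref": "pkg:maven/org.example/lib-b@2.3.0"}]},
    ],
})


def summarize_vex(cdx_json: str) -> list[dict]:
    """One record per vulnerability: id, affected purls and VEX analysis fields."""
    bom = json.loads(cdx_json)
    # Map bom-ref -> purl so 'affects' entries can be reported as package URLs.
    purl_by_ref = {c.get("bom-ref"): c.get("purl") for c in bom.get("components", [])}
    records = []
    for vuln in bom.get("vulnerabilities", []):
        analysis = vuln.get("analysis") or {}
        records.append({
            "id": vuln["id"],
            "purls": [purl_by_ref.get(a["ref"], a["ref"]) for a in vuln.get("affects", [])],
            "state": analysis.get("state"),
            "justification": analysis.get("justification"),
            "detail": analysis.get("detail"),
        })
    return records


def unanalyzed(records: list[dict]) -> list[str]:
    """Ids of vulnerabilities that carry no analysis state in the export."""
    return [r["id"] for r in records if r["state"] is None]


if __name__ == "__main__":
    for rec in summarize_vex(SAMPLE_CDX):
        print(rec["id"], rec["purls"], rec["state"], rec["justification"])
    print("still unanalyzed:", unanalyzed(summarize_vex(SAMPLE_CDX)))
```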