Tutorial 5 - Working with SBOMs in a Product
You have just received a Software Bill of Materials (SBOM) from your supplier. Sign into DejaCode.
Create a Product
Select Products from the main menu bar.
Click the green Add Product button. Enter the values you know. Refer to Product model for details about each field.
Set a name, then click the Add Product button at the bottom of the form.

Load an SBOM to your Product
Download and unzip the following SBOM example from:
On the Product details page, from the Action dropdown, select Load Packages from SBOMs:
Click the Browse field beneath SBOM file or zip archive.
Select the storm-core-1.0.cdx.json file, leave the additional options unchecked, and click the Load Packages button.

Click the Imports tab to view your progress.

View your import results in the Inventory tab.

You can enrich the data provided by your supplier. From the Action dropdown, select Improve Packages from PurlDB:

Click the Imports tab to view your progress.

Return to the Inventory tab.

Filter the Inventory by Compliance status to determine which packages may require additional curation. Select Review Required in this context.

Click the pencil icon in the Item column to review a Package. Use the modal form to update the Concluded license expression, select Approved as the Compliance status, and click the Update button.

Unfilter the Inventory by selecting All from the Compliance status dropdown.

Review Vulnerabilities Affecting Your Product
You can filter Inventory by vulnerable packages.

Navigate to the Vulnerabilities tab on the Product page, which presents a comprehensive view of all the Vulnerabilities for your Product filtered to those with a Risk greater than the Risk Threshold defined for your Dataspace.

You can sort and filter by Risk, Exploitability and Severity, as well as other fields, to focus on specific Vulnerabilities.
You can set a specific Risk Threshold for your Product. Click the pencil icon next to the Product name, scroll down to Vulnerabilities risk threshold, enter a value such as 9, and click the Update Product button to filter your results to show only critical items.

Conduct Vulnerability Analysis
Review each vulnerability in the Vulnerabilities tab.

Add details or analysis for each vulnerability as needed, which will enhance reporting and exports.

Export CycloneDX SBOM with VEX
On the Product details page, from the Share dropdown, select CycloneDX SBOM + VEX.

The analysis details you provide for product package vulnerabilities are included in the vulnerabilities section of the CycloneDX VEX output.
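As an added example (not DejaCode code and not part of this tutorial), the Python script below reads a CycloneDX SBOM + VEX document shaped like the one exported here and lists the vulnerabilities that still need action: those at or above a risk threshold whose analysis state is missing, in_triage or exploitable. The input is a constructed sample, and the highest CycloneDX rating score stands in for DejaCode's Risk value, which is an assumption.

```python
import json

# Constructed sample shaped like a CycloneDX 1.5 SBOM + VEX export (not a real
# DejaCode export): two components, three vulnerabilities, one without analysis.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:maven/org.apache.storm/storm-core@1.0", "type": "library",
         "name": "storm-core", "purl": "pkg:maven/org.apache.storm/storm-core@1.0"},
        {"bom-ref": "pkg:maven/log4j/log4j@1.2.17", "type": "library",
         "name": "log4j", "purl": "pkg:maven/log4j/log4j@1.2.17"},
    ],
    "vulnerabilities": [
        {"id": "VULN-EXAMPLE-1", "ratings": [{"score": 9.8, "severity": "critical"}],
         "affects": [{"ref": "pkg:maven/log4j/log4j@1.2.17"}],
         "analysis": {"state": "exploitable", "detail": "Reachable from the default config."}},
        {"id": "VULN-EXAMPLE-2", "ratings": [{"score": 7.5, "severity": "high"}],
         "affects": [{"ref": "pkg:maven/log4j/log4j@1.2.17"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "VULN-EXAMPLE-3", "ratings": [{"score": 9.1, "severity": "critical"}],
         "affects": [{"ref": "pkg:maven/org.apache.storm/storm-core@1.0"}]},
    ],
})

# VEX analysis states that still require work; "unanalyzed" marks a missing analysis block.
NEEDS_ACTION = {"exploitable", "in_triage", "unanalyzed"}


def max_score(vuln):
    """Highest numeric rating on a vulnerability entry (0.0 if it has none)."""
    return max((r.get("score", 0.0) for r in vuln.get("ratings", [])), default=0.0)


def triage_vex(bom_json, risk_threshold=9.0):
    """Return {vuln_id: (affected purls, score, state)} for every vulnerability
    at or above risk_threshold that the VEX analysis has not closed."""
    bom = json.loads(bom_json)
    purl_by_ref = {c["bom-ref"]: c.get("purl", c["name"]) for c in bom.get("components", [])}
    findings = {}
    for vuln in bom.get("vulnerabilities", []):
        score = max_score(vuln)
        state = vuln.get("analysis", {}).get("state", "unanalyzed")
        if score >= risk_threshold and state in NEEDS_ACTION:
            purls = sorted(purl_by_ref.get(a["ref"], a["ref"]) for a in vuln.get("affects", []))
            findings[vuln["id"]] = (purls, score, state)
    return findings


for vid, (purls, score, state) in triage_vex(SAMPLE_BOM).items():
    print(f"{vid}: score={score} state={state} affects={', '.join(purls)}")
```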