Skip to content

SBOM Dashboard

After uploading an SBOM, one can view the SBOM Dashboard by clicking on the SBOM name in the Group Dashboard, under the "Name" column. From there, the SBOM can be scanned for vulnerabilities by clicking the "Scan" button along the header section, and once a vulnerability report is generated, vulnerability info will also appear in the SBOM Dashboard.

SBOM Dashboard Header

At the top of the SBOM Dashboard is a header with an information section on the left and action section on the right. In the information one can find:

  • Name/Description: Edit these by clicking on them.
  • SBOM Uploaded: Date/time in UTC.
  • SBOM Token: Vigiles's unique identifier for this SBOM, which can be provided to the Vigiles CLI to perform API actions.
  • Version: If SBOM Linking is enabled, this shows the current version of the SBOM and has a link to the CVE Report History page.

The button group on the right side of the header contains the following buttons:

  • Notifications: In this dropdown, you can set a frequency for Vigiles to automatically generate vulnerability scans (defaulting to "None" for only manual scanning). If you change the frequency value here, the date of the next automatic scan is based on the date of your change (e.g. if you change the notifications to "Weekly", in one week the next automatic scan will occur).
    • Note - This has the same functionality as the "Notifications" setting on the group dashboard.
  • Compare: This links to the "Compare SBOMs" page, where you can compare this SBOM and its reports to another.
  • Download: Here you can download the SBOM, either in its original format or converted to a new format.
  • Edit: This links to the SBOM Editor, giving you a way to modify the components of the current SBOM. Not available for SPDX SBOMs.
  • Latest Report: This links to the latest Vulnerability Report for this SBOM.
  • (Re)scan SBOM: This will trigger a new scan and vulnerability report for the SBOM. Unlike the Group Dashboard, this button will not redirect you to the new vulnerability report; click the "Latest Report" button to navigate there.

NTIA Compliance

The National Telecommunications and Information Administration (NTIA) sets a standard for compliance regarding the minimum elements required in an SBOM. Under the header, the SBOM Dashboard has a field showing whether your SBOM is NTIA compliant, and clicking the field will provide more details on why it may not meet compliance. Currently, Vigiles only supports NTIA checking on SPDX SBOMs, so you can use the Download button to convert the SBOM to SPDX and check its compliance.

Unfixed Vulnerabilities and Vulnerability Graph

Once the SBOM has been scanned, a label below the header will show a count of its unfixed vulnerabilities. Below this label is a graphic displaying the proportion of vulnerabilities fixed by the latest vulnerability report compared to the one before it, as well as a bar displaying a breakdown of the CVSSv3 score among unfixed vulnerabilities (divided into Critical, High, Medium, Low, and None).

Components Table

The SBOM Components table provides an in-depth view of your SBOM's packages, listing for each its version, license, and vulnerability count. Click a package to expand into the following information:

  • CPE: The package's Common Platform Enumeration string
  • PURL: The package's Package URL
  • CVE Product: The product as associated with the Common Vulnerabilities and Exposures system
  • CVE Version: The version as associated with the Common Vulnerabilities and Exposures System
  • Checksum: A unique string of characters generated against the contents of the package, as well as the encoding used to generate it
  • Download Location: The source of the package
  • Package Supplier: The supplier or vendor of the package
  • Homepage: Where more info about the package can be located
  • Recipe: A collection of non-executable metadata used by BitBake to set variables and define additional build-time tasks
  • Summary: A short string summary detailing information about the package
  • Patches: Any backport patches that have been applied to remediate a vulnerability
  • Dependencies: A dropdown containing all the dependencies for the package. Click a dependency to view it in the Components table, if it exists. Specific categories of dependency include:
    • Build Dependencies: Packages required during a build
    • Runtime Dependencies: Packages required during runtime

SBOM Info

Unlike the previous sections regarding the contents of the SBOM, this section contains details on the SBOM file itself. For SBOMS generated through build systems such as Yocto, OpenWrt, or Buildroot, this section will simply list that format as well as the date and time the SBOM was uploaded, with further details in the Build System Info section below. For SPDX and CycloneDX SBOMs, this section will also contain the encoding format (e.g. JSON, XML, CSV, etc.), the spec version (e.g. SPDX 2.2), and some further details:

  • SPDX: The "Creation Information" label will contain any info from the "Creators" field of the SPDX specification, such as the person, organization, and/or tool that generated the SBOM.
  • CycloneDX: The "Tool(s) used" label will describe tools as in the "metadata" field of the CycloneDX specification. This includes their name, author(s), publisher, etc.

Build System Info

For SBOMs generated from Yocto, OpenWrt or Buildroot, this section will display the SBOM's generating machine, distro, and (for Yocto) image. If the SBOM was generated by Timesys Factory, then the board and Factory version will be displayed. This section does not appear for any SBOM not generated by one of the above.

License Policy Violations and New Components

If you have either of these Compliance Settings enabled, then the matching alerts will be shown here. See the linked page for more details on these sections.