© Copyright MedCrypt 2024, All rights reserved.

Manage SBOM

Last updated 1 month ago

Add your SBOM

Before you've added your first SBOM for a product version, you'll see an Add SBOM drop-down button on the Products (SBOM) page. If you've already added an SBOM, this will change to Manage SBOMs and will have additional options, including checking SBOM file upload status.

To access these options, click the Add SBOM or Manage SBOMs drop-down button:

  • View upload status: This displays the SBOMs that have been uploaded for your products and versions. You can view the file name, file ID, when it was uploaded and by whom, the number of entries processed, and the status. If a file has uploaded successfully, you can see the number of components processed from the SBOM. If a file has not uploaded successfully, you will see a red x icon next to the Failed to upload status. For these files, you will see an info icon to get more information on resolving the error.

Manage your SBOM

After uploading your SBOM file or manually creating your SBOM, you can manage your SBOM for each product and version in your software supply chain. Once you've uploaded your SBOM, Helm will match your software against the National Vulnerability Database (NVD), supported Package URL (PURL) package managers, and CPE strings.

View components in your SBOM

To view your SBOM, ensure you've selected a product and version so that you can see that version's components.

In the Products (SBOM) table, you can quickly see where you need to complete matching, as well as understand exploitability risk and end-of-support/end-of-life risk, enabling you to prioritize upgrades. You can easily see what needs to be reviewed and catch up on reviews your team has made, as well as understand and manage license risk.

Click to drill down for more information

Most things in Helm tables are clickable, enabling you to quickly drill down for more information, such as viewing component details or match suggestions, fixing a version, contacting us, reviewing a component, and more.

Click the next step for each component

For each component, if there is a clear next step you need to take, that will be in the Actions column. If not, you'll just see the actions overflow ... button.

Component columns

  • Original file name: This is your original SBOM file name. This enables you to merge SBOMs for a product version while retaining its origin, enabling faster prioritization and remediation for larger teams.

  • Component name: This is the name of the component (dependency) installed on your device (e.g., firmware, software, framework, library, file, operating system), such as Windows or OpenSSL. This is the component name from your SBOM.

  • Version: This is the version for this component name (e.g., 10.1 for Windows) that was in your SBOM.

  • Supplier: This is the organization that supplied the component that was in your SBOM. The supplier may often be the manufacturer, but may also be a distributor or repackager (e.g., Microsoft for Windows).

  • Level of support: Indicates whether the component is supported. This can be a date or a text value.

  • EOS/EOL: Indicates whether the component has a known end-of-support or end-of-life date or other information. Like Level of support, this can be a date or a text value. If there is a date, the component will no longer be supported or maintained after that time, so it will potentially become more vulnerable and less reliable. You should either upgrade to a supported version or replace it with an alternate component to reduce risk.

  • Review status: Indicates whether the component has been reviewed or needs to be reviewed.

  • Licenses: Displays the component's licenses.

Manage components

  • Manage component: This will display all details for this component in view mode. This will also show how Helm matched the component, as well as any review information from your team. If you edit the component, you'll be prompted to confirm this change. This is because Helm will reload the component and rematch it, which will discard any review information you may have added.

  • Add review note: Add a review note, then change the review status to Reviewed. You'll see this updated status in the Review status column, along with a note icon.

  • Review history: This will show any analysis notes or review status changes your team has made. You can also add a review note from here.

  • Reload component: If a component is in an error state that is not caused by an inaccurate or unsupported version, you can reload it, but you should rarely, if ever, need to do this. This is a backup action in case you run into an error state. Helm will discard any previous information for the component, and attempt to match it to known software.

  • Delete component: If you have appropriate permissions, you can remove a particular component. To avoid accidentally removing something that you wanted to keep, you’ll then be prompted to confirm this action.

Filter components

Click the Filters drop-down on the Components page to filter quickly to what you need.

  • Component details: Search by component name or component review status

  • Match details: Search by component match status

  • License details: Search by SPDX license ID or custom license name

  • Lifecycle details: Search for components with upcoming or expired end-of-support/end-of-life (EOS/EOL) dates, or search for components that will expire within a particular date range.

Recommended filters to reduce risk

Follow these steps to ensure you've completed your component matching and identified all possible vulnerabilities across your SBOM.

Match status

The match status of each of your components is indicated in the Match status column of the components table. You can click the status badge to begin the resolution process, or you can select an action from the Actions column.

For any component that has a next step you need to perform to complete matching and vulnerability identification, you'll see that primary action button in the Actions column, such as fixing a version or selecting a unique match. All other actions are in the ... button to the right of this action. If you don't see a particular option, that means that you have view access for SBOMs.

  1. To ensure that you complete matching, filter on Select match first. Helm has provided strong match suggestions for these, so you should be able to match them relatively quickly. Click Select match on any of these statuses to start matching.

  2. For users with the Admin role, we highly recommend that you create an alias for each component you match. This ensures that these components are automatically matched in future SBOMs. If you're not sure whether to create an alias during the match, you (or your Admin) can always create one later.

  3. To complete matching, filter on Not found next. This status indicates that Helm was unable to find an exact match in the NVD. Click the Not found badge to view the match suggestions Helm has identified. If you don't see the correct match, make sure you create an alias so that this component is automatically matched in future SBOMs.

Match source

Helm uses many match sources to precisely identify your components and ensure that you have a comprehensive view of your vulnerabilities. Each Matched status or Select match status displays the sources where the match was found. The Match status column shows the component's match status, along with the corresponding match sources used to perform the match.

Lifecycle details

Be confident that you're using actively maintained and supported components when building a new product or updating an existing one. Filter on the support status of your components, and on the timeframe in which components reach their end-of-support or end-of-life dates, so that you can prioritize updates and maintain the stability and security of your device throughout its lifecycle.

License details

Filter your components by license, including those with specific licenses, no license, or unknown license status. This filtering helps you quickly identify and mitigate license-related risks, such as copyleft licenses or unknown license statuses that may impact your IP.

You can filter on GPL licenses and other restrictive licenses to evaluate legal risk, so that you can prioritize updating or replacing components whose licensing could impact your IP and legal compliance. You can also filter on which components have at least one license, those that don't currently have any license information, and those that are specifically set to No license, NONE, Unknown, or NOASSERTION (the values in caps are SPDX values), so that you understand your legal risk for every component in your product.
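As an added example (not Helm's code or API), the following Python script applies the license and match-readiness filters described in this section to a CycloneDX JSON SBOM: it treats the SPDX NONE and NOASSERTION sentinels (and a missing licenses block) as unresolved, flags GPL-family copyleft licenses, and, as an assumption of this example, flags components that carry neither a PURL nor a CPE as the ones that will need a manual match. The SBOM contents are constructed for the demo.

```python
import json
# Constructed CycloneDX 1.5 JSON SBOM for this demo (not a real product's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1w",
         "purl": "pkg:generic/openssl@1.1.1w",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "application", "name": "busybox", "version": "1.36.1",
         "cpe": "cpe:2.3:a:busybox:busybox:1.36.1:*:*:*:*:*:*:*",
         "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
        {"type": "library", "name": "vendor-blob", "version": "3.2",
         "licenses": [{"license": {"id": "NOASSERTION"}}]},
        {"type": "library", "name": "legacy-ui", "version": "0.9",
         "licenses": [{"license": {"name": "Custom EULA"}}]},
        {"type": "library", "name": "mystery", "version": "2.0"},
    ],
})

UNRESOLVED = {"NONE", "NOASSERTION", "UNKNOWN"}  # SPDX sentinels plus Helm's Unknown status
COPYLEFT_MARKERS = ("GPL-", "LGPL-", "AGPL-")    # matched as substrings of ids/expressions

def license_ids(component):
    """Collect SPDX ids, custom names and SPDX expressions from a CycloneDX component."""
    ids = []
    for entry in component.get("licenses", []):
        if "expression" in entry:            # e.g. "MIT OR GPL-2.0-only"
            ids.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            ids.append(lic.get("id") or lic.get("name") or "NONE")
    return ids or ["NONE"]                   # no licenses block at all -> treat as NONE

def classify(component):
    """Return the risk flags a reviewer would filter on: license risk and match readiness."""
    ids = license_ids(component)
    flags = []
    if any(i.upper() in UNRESOLVED for i in ids):
        flags.append("license-unresolved")
    if any(m in i for i in ids for m in COPYLEFT_MARKERS):
        flags.append("copyleft")
    if not (component.get("purl") or component.get("cpe")):
        flags.append("needs-match")          # assumption: no PURL/CPE means a manual match
    return flags

def triage(sbom_json):
    """Map 'name@version' -> flags for every component; an empty list means nothing to review."""
    sbom = json.loads(sbom_json)
    return {f"{c['name']}@{c.get('version', '?')}": classify(c) for c in sbom.get("components", [])}
```

Running `triage(SAMPLE_SBOM)` gives one entry per component; the copyleft and unresolved flags correspond to the GPL and No license / NONE / NOASSERTION filters above.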