Manage your SBOM

Add your SBOM

Before you've added your first SBOM for a product version, you'll see an Add SBOM drop-down button. If you've already added an SBOM, this will change to Manage SBOMs and will have additional options, including checking SBOM file upload status.

To access these options, click the Add SBOM or Manage SBOMs drop-down button:

  • View upload status: This displays the SBOMs that have been uploaded for your products and versions. You can view the file name, file ID, when it was uploaded and by whom, the number of entries processed, and the status. If a file has uploaded successfully, you can see the number of dependency components processed from the SBOM. If a file has not uploaded successfully, you will see a red x icon next to the Failed to upload status. For these files, you will see an info icon to get more information on resolving the error.

Manage your SBOM

After uploading your SBOM file or manually creating your SBOM, you can manage your SBOM for each product and version in your software supply chain. Once you've uploaded your SBOM, Helm will match your software against the National Vulnerability Database (NVD), supported Package URLs (PURL) package managers, and CPE strings.

View dependency components in your SBOM

To view your SBOM, ensure you've selected a product and version so that you can view and manage its dependency components.

In the Components table, you can quickly see where you need to complete matching, as well as understand exploitability risk and end-of-support/end-of-life risk, enabling you to prioritize upgrades. You can easily see what needs to be reviewed and catch up on reviews your team has made, as well as understand and manage license risk.

Click to drill-down for more information

Most things in Helm tables are clickable, enabling you to quickly drill down for more information, such as viewing component details, reviewing match suggestions, fixing a version, contacting us, or reviewing a dependency component.

Click the next step for each dependency component

For each dependency component, if there is a clear next step you need to take, that will be in the Actions column. If not, you'll just see the actions overflow ... button.

Dependency components columns

To view your SBOM, ensure you've selected a product and version so that you can see that version's dependency components.

  • Name: This is what may be referred to as a component in other systems. It is the firmware, software, framework, library, file, or operating system that is installed on the physical instances of your device (e.g., Windows, OpenSSL).

  • Version: This is the version for this dependency component name (e.g., 10.1 for Windows).

  • Supplier: This is the organization that supplied the dependency component. The supplier may often be the manufacturer, but may also be a distributor or repackager (e.g., Microsoft for Windows).

  • Match status: Shows the component's match status, along with the match sources used to perform the match.

  • Review status: Indicates whether the dependency component has been reviewed or needs to be reviewed.

  • Licenses: Displays the dependency component's licenses.

Manage dependency components

For any dependency components that have a next step you need to perform to complete matching and vulnerability identification, you'll see that primary action button in the Actions column, such as fixing a version or selecting a unique match. All other actions are in the ... button to the right of this action. If you don't see a particular option, that means that you have view-only access to SBOMs.

  • Manage dependency component: This will display all details for this dependency component in view mode. This will also show how Helm matched the dependency component, as well as any review information from your team. If you edit the dependency component, you'll be prompted to confirm this change. This is because Helm will reload the dependency component and rematch it, which will discard any review information you may have added.

  • Add review note: Add a review note, then change the review status to Reviewed. You'll see this updated status in the Review status column, along with a note icon.

  • Review history: This will show any analysis notes or review status changes your team has made. You can also add a review note from here.

  • Reload dependency component: If a dependency component is in an error state that is not caused by an inaccurate or unsupported version, you can reload it, but you should rarely, if ever, need to do this. This is a backup action in case you run into an error state. Helm will discard any previous information for the dependency component, and attempt to match it to known software.

  • Delete dependency component: If you have appropriate permissions, you can remove a particular dependency component. To avoid accidentally removing something that you wanted to keep, you’ll then be prompted to confirm this action.

Follow these steps to ensure you've completed your dependency component matching and identified all possible vulnerabilities across your SBOM.

Any match status

The match status of each of your dependency components is indicated in the Match status column of the dependency components table. You can click directly on this status badge itself to begin the resolution process, or you can select an action from the Actions column.

  1. To ensure that you complete matching, filter on Select match first. Helm has provided strong match suggestions for these, so you should be able to match these relatively quickly. Click Select match on any of these statuses to start matching.

  2. For users with Admin role, we highly recommend that you create an alias for each dependency component you match. This will ensure that these are automatically matched for future SBOMs. If you're not sure whether to create an alias during the match, you (or your Admin) can always create one later.

  3. If you want to complete matching, filter on Not found next. This indicates that Helm was unable to find an exact match in the NVD. Click the Not found badge to view the match suggestions Helm has identified. If you don't see the correct match, make sure you create an alias so that this will be automatically matched for future SBOMs.
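The three match statuses above (Matched, Select match, Not found) and the effect of creating an alias can be simulated outside the product. The following is an added example, not Helm's own matching code: the catalogue of known software, the normalisation rule, the truncated CPE-style identifiers and the SBOM rows are all constructed assumptions, and the suggestion logic (product name matches but supplier does not) is a stand-in for whatever sources Helm actually consults.

```python
"""Simulated dependency-component matching with Admin-created aliases.

Added illustration only. CATALOGUE, the normalisation rule and the SBOM rows
are constructed; the CPE-style values are truncated and illustrative.
"""
import re
from dataclasses import dataclass, field


def normalize(text: str) -> str:
    """Lower-case and collapse punctuation/whitespace to '_' (constructed rule)."""
    return re.sub(r"[^a-z0-9]+", "_", text.lower()).strip("_")


# Constructed stand-in for the NVD/CPE catalogue: (vendor, product) -> identifier.
CATALOGUE = {
    ("openssl", "openssl"): "cpe:2.3:a:openssl:openssl",
    ("microsoft", "windows_10"): "cpe:2.3:o:microsoft:windows_10",
    ("xmlsoft", "libxml2"): "cpe:2.3:a:xmlsoft:libxml2",
}


@dataclass
class MatchResult:
    status: str                       # "Matched", "Select match" or "Not found"
    sources: list = field(default_factory=list)
    suggestions: list = field(default_factory=list)


def match_component(supplier: str, name: str, aliases: dict) -> MatchResult:
    """Return the match status for one SBOM row.

    `aliases` maps the raw (supplier, name) pair as written in the SBOM to a
    canonical CATALOGUE key. It stands in for the aliases an Admin creates so
    that the same row is matched automatically in later SBOMs.
    """
    raw = (supplier, name)
    if raw in aliases and aliases[raw] in CATALOGUE:
        return MatchResult("Matched", ["alias", CATALOGUE[aliases[raw]]])
    key = (normalize(supplier), normalize(name))
    if key in CATALOGUE:
        return MatchResult("Matched", ["exact", CATALOGUE[key]])
    # Weaker evidence: the product name is known but the supplier string is not,
    # so offer suggestions and ask the user to pick one ("Select match").
    suggestions = [cpe for (_vendor, product), cpe in CATALOGUE.items()
                   if product == key[1]]
    if suggestions:
        return MatchResult("Select match", ["suggestion"], suggestions)
    return MatchResult("Not found")


def match_sbom(rows, aliases: dict) -> dict:
    """Match every (supplier, name, version) row; version is carried but unused here."""
    return {(s, n): match_component(s, n, aliases) for s, n, _version in rows}


SBOM_ROWS = [  # constructed rows: (supplier, name, version)
    ("OpenSSL", "OpenSSL", "3.0.13"),
    ("Microsoft Corporation", "Windows 10", "10.0.19045"),
    ("Acme Ltd", "FooLib", "1.2.3"),
]

if __name__ == "__main__":
    first = match_sbom(SBOM_ROWS, aliases={})
    for key, result in first.items():
        print(key, result.status, result.sources, result.suggestions)
    # An Admin resolves the "Select match" row and creates an alias for it ...
    aliases = {("Microsoft Corporation", "Windows 10"): ("microsoft", "windows_10")}
    # ... so the identical row in the next SBOM upload is matched automatically.
    second = match_sbom(SBOM_ROWS, aliases)
    print(second[("Microsoft Corporation", "Windows 10")].status)
```

Running the block shows the Windows row moving from Select match on the first pass to Matched (source "alias") on the second, while the unknown Acme row stays Not found until someone supplies a match or alias for it.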

Any source

Helm uses many match sources to precisely identify your dependency components and ensure that you have a comprehensive view of your vulnerabilities. Each Matched status or Select match status displays the sources where the match was found.

Licenses

Filter your dependency components by license, including those with specific licenses, no license, or unknown license status. This filtering capability helps quickly identify and mitigate license-related risks, such as copyleft licenses or unknown license statuses that may impact IP.
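The Name, Version, Supplier and Licenses columns described earlier, and the license filters above (specific license, no license, unknown license, copyleft), map directly onto fields in an SBOM file. The following added example, which is not Helm's code, extracts those columns from a constructed CycloneDX 1.x-style JSON document and applies the same kinds of filters; the SBOM format, the copyleft prefix list and the sample components are assumptions, not anything the page states about how Helm stores or classifies licenses.

```python
"""Extract dependency-component columns from an SBOM and filter by license risk.

Added illustration only. The input is a constructed CycloneDX-style document
(an assumed format); the copyleft prefix list is constructed and not exhaustive.
"""
import json

SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.13",
     "supplier": {"name": "OpenSSL"},
     "licenses": [{"license": {"id": "Apache-2.0"}}],
     "purl": "pkg:generic/openssl@3.0.13"},
    {"type": "library", "name": "readline", "version": "8.2",
     "supplier": {"name": "GNU"},
     "licenses": [{"license": {"id": "GPL-3.0-or-later"}}]},
    {"type": "library", "name": "leftpad-ish", "version": "0.1.0",
     "supplier": {"name": "Acme Ltd"},
     "licenses": [{"expression": "NOASSERTION"}]},
    {"type": "operating-system", "name": "Windows", "version": "10.1",
     "supplier": {"name": "Microsoft"}}
  ]
}"""

COPYLEFT_PREFIXES = ("GPL-", "LGPL-", "AGPL-")   # constructed; extend per policy
UNKNOWN_MARKERS = {"NOASSERTION", "UNKNOWN", ""}


def component_rows(sbom_text: str) -> list:
    """Flatten each component into the Name / Version / Supplier / Licenses columns."""
    doc = json.loads(sbom_text)
    rows = []
    for comp in doc.get("components", []):
        licenses = []
        for entry in comp.get("licenses", []):
            if "license" in entry:               # {"license": {"id"|"name": ...}}
                lic = entry["license"]
                licenses.append(lic.get("id") or lic.get("name") or "UNKNOWN")
            elif "expression" in entry:          # SPDX expression or NOASSERTION
                licenses.append(entry["expression"])
        rows.append({
            "name": comp.get("name", ""),
            "version": comp.get("version", ""),
            "supplier": (comp.get("supplier") or {}).get("name", ""),
            "licenses": licenses,
        })
    return rows


def license_status(licenses: list) -> str:
    """'none' if nothing declared, 'unknown' if only NOASSERTION-style values, else 'declared'."""
    if not licenses:
        return "none"
    if all(lic.upper() in UNKNOWN_MARKERS for lic in licenses):
        return "unknown"
    return "declared"


def is_copyleft(license_id: str) -> bool:
    """Prefix check against the constructed copyleft list (case-insensitive)."""
    return license_id.upper().startswith(tuple(p.upper() for p in COPYLEFT_PREFIXES))


def filter_rows(rows: list, *, status=None, license_id=None, copyleft=None) -> list:
    """Apply the license filters: status ('none'/'unknown'/'declared'), a specific id, copyleft."""
    out = []
    for row in rows:
        if status and license_status(row["licenses"]) != status:
            continue
        if license_id and license_id not in row["licenses"]:
            continue
        if copyleft is not None and any(is_copyleft(l) for l in row["licenses"]) != copyleft:
            continue
        out.append(row)
    return out


if __name__ == "__main__":
    rows = component_rows(SBOM_JSON)
    for row in rows:
        print(row["name"], row["version"], row["supplier"], row["licenses"],
              license_status(row["licenses"]))
    print("copyleft:", [r["name"] for r in filter_rows(rows, copyleft=True)])
    print("unknown license:", [r["name"] for r in filter_rows(rows, status="unknown")])
    print("no license:", [r["name"] for r in filter_rows(rows, status="none")])
```

The three filters correspond to the review questions the page raises: copyleft hits are the IP-impact candidates, "unknown" rows need the supplier's license asserted, and "none" rows need a license added before the SBOM can be considered complete.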

© Copyright MedCrypt 2024, All rights reserved.