Components installed with Software Bill of Materials applications
Summary of Components installed with Software Bill of Materials applications
The Software Bill of Materials (SBOM) applications in ServiceNow Australia release include various components such as tables, user roles, and scheduled jobs that support managing and analyzing software components, licenses, and vulnerabilities. These components enable customers to upload, track, and evaluate SBOM data effectively.
Roles Installed
- SBOM Response Roles:
  - sn_sbom_response.managelicense - Allows resolving licenses to components.
  - sn_sbom_response.licenseresolver - Permits viewing uploaded license information and managing permitted or banned licenses.
  - sn_sbom_resp.sbom_analyst - Inherits admin roles and provides access to the SBOM Workspace for analysis.
- Data Model for SBOM Roles:
  - sn_sbom_dm.app_write, sn_sbom_dm.app_create, sbom_dm.app_read - Provide permissions to read, create, and edit SBOM table records.
- SBOM Core Roles:
  - sn_sbom_core.sbom_ingest - Permits manual and API-based SBOM uploads.
  - sn_sbom_core.admin - Grants full access to create, read, edit, and upload SBOMs, including access to SBOM Core modules, inheriting Data Model roles.
Tables Installed
The SBOM applications install multiple tables organized by function:
- Data Model for SBOM Tables: Includes tables to store uploaded BOM entities, components and their versions, component relationships, license information, supplier data, component identifiers and properties, hashing algorithms, contact information, external references, and package groupings.
- SBOM Response Tables: Include configuration for creation rules (AVIT rules), mappings of components to vulnerabilities, fix information for vulnerabilities, component report insights (such as stale or abandoned components), integration imports for version lists and vulnerability intelligence, and component version publishing dates.
Scheduled Jobs
The SBOM applications include scheduled jobs to automate vulnerability and fixability assessments and vulnerability intelligence updates:
- Calculate Component Fixability and Vulnerability: Assesses how to fix vulnerable components and estimates fixability.
- OSV Integration Jobs: Retrieve publicly known vulnerabilities for newly imported and all imported packages.
- Deps.dev Integration: Retrieves all known versions of packages to identify stale and abandoned components.
- Update vuln_based_criticality: Updates the criticality of components based on vulnerabilities.
Several types of components are installed with activation of the Software Bill of Materials applications, including tables, user roles, and scheduled jobs.
Roles installed
| Role title [name] | Description | Contains roles |
|---|---|---|
| sn_sbom_response.managelicense | This role is installed with the SBOM Response application. This role permits you to resolve licenses to components. | None |
| sn_sbom_response.licenseresolver | This role is installed with the SBOM Response application. This role permits you to view uploaded license information and determines which licenses are permitted and which are banned. | None |
| SBOM write [sn_sbom_dm.app_write], SBOM create [sn_sbom_dm.app_create], SBOM read [sbom_dm.app_read] | These roles are installed with the Data Model for SBOM application. They permit you to read, create, and edit records in SBOM tables. | None |
| SBOM Cores ingests [sn_sbom_core.sbom_ingest] and SBOM Core admin [sn_sbom_core.admin] | These roles are installed with the SBOM Core application. The sn_sbom_core.sbom_ingest role permits you to upload SBOMs manually and via the REST API. The sn_sbom_core.admin role permits you to create, read, edit data, and upload SBOMs. This role also gives you access to the SBOM Core modules in your instance. It inherits the roles from the Data Model for SBOM application. | |
| SBOM Analyst [sn_sbom_resp.sbom_analyst] | This role is installed with the SBOM Response application. It inherits the sn_sbom_core.admin role and enables you to access the SBOM Workspace. | |
Tables installed with the SBOM applications
The tables listed in the following table are installed with the Data Model for SBOM application.
| Table | Description |
|---|---|
| SBOM document [sn_sbom_doc] | Contains the BOM entities you've uploaded. |
| SBOM component [sn_sbom_component] | Contains imported SBOM components, classifiers, and versions that are included in the parent component. |
| SBOM component relationship [sn_sbom_comp_relationship] | Contains components and their dependencies. |
| SBOM m2m bom component [sn_sbom_m2m_bom_comp] | Contains the BOM component mappings. |
| SBOM license [sn_sbom_license] | Contains the open-source license IDs used for components. |
| SBOM supplier [sn_sbom_supplier] | Contains the organization that supplied the component, which might be a manufacturer, distributor, or repackager. |
| SBOM component ID [sn_sbom_comp_id] | Contains the component identifiers. |
| SBOM component properties [sn_sbom_comp_property] | Contains the component name-value properties. |
| SBOM hash [sn_sbom_hash] | Contains component hashing algorithms. |
| SBOM contact [sn_sbom_contact] | Contains contact information for the supplier. |
| SBOM external references [sn_sbom_comp_external_ref] | Contains components, component types, and external URLs that document systems, sites, and information that might be relevant but are not included with the SBOM. |
| SBOM package group [sn_sbom_pkg_group] | Contains the package group information for every component. Multiple versions of libraries may be used across applications. Versions of the same components are grouped and added to this table to avoid pulling the same data multiple times. |
The tables listed in the following table are installed with the SBOM Response application.
| Table | Description |
|---|---|
| SBOM creation rule configuration [sn_sbom_config_rule] | Contains AVIT creation rules used in the SBOM Workspace. |
| SBOM m2m component vulnerabilities [sn_sbom_m2m_comp_vuln] | Contains the components and associated vulnerabilities. |
| Component vulnerability fix information [sn_sbom_comp_vuln_fix_info] | Contains the fix versions for each third-party vulnerability associated with a version of the component. |
| Component report insights [sn_sbom_comp_report_insight] | Contains insights about stale, abandoned, and fixability data for components. |
| Deps Integration Imports [sn_sbom_deps_integration_import] | Contains imported version list information for a given package or library. |
| OSV Integration Imports [sn_sbom_osv_integration_import] | Contains vulnerability intelligence information for a given version of a package or library. |
| Component Version Lists [sn_sbom_st_version_list] | Contains version information and published dates for components. |
Scheduled jobs
| Job | Description |
|---|---|
| Calculate Component Fixability and Vulnerability | Calculates information about how to fix components with vulnerabilities and how likely it is that you can fix components. |
| OSV Integration New Components | Retrieves all publicly known vulnerabilities associated with packages (libraries) that were imported after the last integration run. |
| OSV Integration Comprehensive | Retrieves all publicly known vulnerabilities associated with all packages that have been imported. |
| Deps.dev Integration | Retrieves all publicly known versions for packages, which are used to identify components in Stale and Abandoned states. |
| Update vuln_based_criticality on bom components | Updates criticality for components with vulnerabilities. |