Reviewing the Components module in the Software Bill of Materials Workspace

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Reviewing the Components module in the Software Bill of Materials Workspace

    The Components module within the Software Bill of Materials (SBOM) Workspace provides ServiceNow customers with a detailed view of their imported software components, highlighting those that are vulnerable, stale, abandoned, or part of high-risk combinations. This module helps users track component health and security status based on imported SBOM data, which is updated daily for improved performance and faster load times.

    Show full answer Show less

    Access and Role Requirements

    To view the Components module, users need the snsbomresp.sbomanalyst role and can navigate via Workspaces > SBOM Workspace > Components. Displayed information depends on the installed SBOM applications.

    Key Features

    • SBOM Core Application: Provides a full inventory of uploaded components including name, description, version, and BOM entity count.
    • SBOM Response Application: Adds interactive visualizations such as graphs showing stale, abandoned, and vulnerable components, enabling quick identification of components needing attention.
    • Definitions:
      • Stale components: Versions more than two major releases and two years behind the latest.
      • Abandoned components: Not updated for over two years.
      • Vulnerable components: Components with vulnerabilities of High severity or greater.
      • High-risk combinations: Stale or abandoned components with at least one Critical or High vulnerability that can potentially be fixed.
    • Fixability Status: Indicates whether vulnerabilities in components are completely fixable, partially fixable, or not fixable, helping prioritize remediation efforts.
    • License Classification: Shows components categorized by their software licenses to assist in compliance management.
    • Version History and CVE Details: The right panel displays component version histories with highlights on the current version and columns showing Common Vulnerabilities and Exposures (CVE) and fixability.
    • Deps.dev Integration: Provides package intelligence to better identify and manage high-risk components.

    Practical Benefits

    • Enables proactive risk management by clearly identifying components that are outdated, vulnerable, or abandoned.
    • Supports prioritization of remediation actions through fixability insights, helping reduce security risks efficiently.
    • Improves license compliance tracking by classifying components according to their licenses.
    • Provides up-to-date, performance-optimized scorecards and visualizations to quickly assess component health.

    Additional Guidance

    For deeper vulnerability analysis, customers can refer to the guidance on reviewing vulnerability intelligence within the workspace. Similarly, licensing compliance can be managed by following instructions on license classification and resolution in the SBOM workspace.

    The Components module in the Software Bill of Materials (SBOM) Workspace displays current information about vulnerable, stale, abandoned, and high-risk combinations for the components you import.

    Viewing the Components module

    Role required: sn_sbom_resp.sbom_analyst

    Navigate to Workspaces > SBOM Workspace > Components.

    What you can see in the module depends on the applications you have installed.

    Imported data is not calculated and populated by live queries. Scores on the Home and Components pages are updated once daily with performance enhancements for reporting. This enhancement might provide you with faster load times for the scorecards on the Home and Components modules in the SBOM Workspace.

    These enhancements have no impact on how or where data is stored.

    Installed application Description
    If you have installed SBOM Core An inventory of all uploaded components that includes the following information:
    • Name
    • Description
    • Version
    • BOM entity count
    If you have installed SBOM Response Select a graph or a number on the graph to view a list of associated records.
    All Components
    The list of Stale and Abandoned components, as well as those with at least one vulnerability in your total component count. These counts can help you identify components that require your attention. These subsets of components might not match your total component count because all of your components might not fit into these categories.
    • A stale component's version is more than two major versions behind the latest version and two years behind the latest version.
    • An abandoned component has not been updated for more than two years.
    • Vulnerable components are components that have any vulnerabilities with a severity of High or greater.
    High-risk combinations

    High-risk components might require your immediate attention. The Deps.dev integration, which is installed when you install the SBOM Response application, provides the packages intelligence for components in the Stale and Abandoned states.

    Imported, high-risk combinations are comprised of stale and abandoned components with at least one severe (Critical or High) vulnerability that you can fix with updates, replacement, or another type of repair. The Completely fixable status means that a component has an available version that can fix it. The percentage of the total number of high-risk components that have fixable versions is noted.

    Fixibility of vulnerable components
    Totals and breakdowns of the components with Critical, High, Medium, and Low vulnerabilities and if some or all of their vulnerabilities can be fixed. If a component has more than one vulnerability, the most critical vulnerability takes precedence.

    The fixability status:

    • Complete - There are fix versions for all the vulnerabilities associated with the current version of the component.
    • Partial - There is a fix version for at least one but not all of the vulnerabilities associated with the current version of the component.
    License classification of components
    Totals and breakdowns of components by their license classifications.

    The Component List under the visualizations enables you to see the name, description, version, and entity counts. In the right panel, you can view a version history. The current version is highlighted in the version history. The Common Vulnerabilities and Exposure (CVE) and Fixability columns are also displayed.

    Assessing your risk with vulnerability intelligence

    See Checking a Software Bill of Materials entity for vulnerabilities for more information about how to review vulnerability intelligence data in the workspace.

    Assessing your risk with license compliance

    See Classifying licenses and resolving component licenses in the Software Bill of Materials workspace for more information about how to license data your import with your components and viewing your over-all license compliance in the workspace.