BOM processing

[higginsm99]

Hi
A Syft generated CycloneDX SBOM contains the path ("path") to each component found. However, after importing the SBOM into DT, DT does not show this information when you look at the component details. For example, I scanned a container comprising 1700 components and after it was analysed by DT I had 200 vulnerabilities of which 3 were in agent-base 4.1.1 and 3 were in agent-base 4.1.2...but I could not see any information as to where agent-base was found. Does DT keep the path information? Knowing the paths to the files containing vulnerable component(s) is useful because it helps a developer pinpoint the package that contains the vulnerable component and either update it or contact the vendor for an update. I did try looking in the Syft SBOM and the DT "Inventory with Vulnerabilities" SBOM, but there are no useful tags retained in the DT SBOM to do a match with.

[stevespringett]

Does DT keep the path information?

Yes, and no. For components of type file, the name of the component should ideally be the path and filename. If the component is some other type (application, library, etc), then the name will likely not include the path. In these cases, its common to store that information in properties. DT does not currently support CycloneDX properties.

[higginsm99]

Hi Steve - thank you. Would it make sense for the component details "Notes" field to be populated with the properties information not processed by DT?

[stevespringett]

As a temporary hack, that's likely the only place to store them until such time as DT supports CycloneDX properties.