Software Bill Of Materials (SBOM)¶
To access the SBOM service, select SBOM from the application's sidebar in the BoostSecurity dashboard. From the main SBOM view, the list of projects and their detected vulnerabilities, as well as the account-wide view, are provided.
Account Summary¶
The first section of the SBOM view is the account summary. It shows the overall number of vulnerabilities per severity level, i.e., the total across all projects and third-party components in the account. The account-wide SBOM document can be downloaded in either CycloneDX or SPDX format from the account summary. The account summary SBOM documents contain the inventory of all components across all projects in the account.
Projects Specific Summary¶
The projects summary section provides a per-project posture: a summary of the number of vulnerabilities
- Per severity level
- Per project for all projects in the account
The project-specific SBOM document can be downloaded in either CycloneDX or SPDX format for any project from that section.
The projects are presented in descending order of vulnerability severities.
Info
The search area can be used to search for a project by name keyword across all projects in the account.
Packages¶
The Packages view provides a quick way to find all packages and third-party components included across all projects in the account.
The packages are presented in decreasing order of number and severity of vulnerabilities. For each package, the following are provided:
- The number and severity of vulnerabilities.
- The number of repositories in the account that include the package.
Note
The search area can be used to search for a package by name or vulnerability id.
Package Details¶
Further details about a package are displayed by selecting a particular package from the list of packages. Such details include:
- Name
- Type
- Version
- Repositories
- Vulnerabilities
- Ecosystem
- OpenSSF Score
Vulnerabilities¶
The vulnerability details for each package can be viewed by selecting the Vulnerabilities tab. The list of vulnerabilities is presented, including the
- Vulnerability ID
- Severity
- Advisories
- Source
- Description
- CVSS v3.1 Score
- EPSS Score
CVSS 3.1 and EPSS Score¶
By clicking on a particular vulnerability listed in the Vulnerabilities tab, the CVSS and EPSS scores can be viewed.
The vulnerabilities details view can be exited with "Esc" or by clicking the close (x) button.
Repositories¶
Likewise, the list of repositories can be viewed by selecting the Repositories tab. The list of projects is presented.
The project link can be selected from the list of projects, taking the user to the project-specific view.
No Packages Found¶
If no results are found based on selected filters, you will be notified that no vulnerable packages meet the criteria.
Transitive Dependencies¶
Transitive dependencies are the dependencies of a project's direct dependencies, forming a chain of interconnected components. Vulnerabilities or issues found there are not in the project's own code but somewhere along that chain.
BoostSecurity analyzes dependencies and their associated vulnerabilities comprehensively: it identifies issues within the project's direct dependencies and also uncovers vulnerabilities within transitive dependencies. By flagging these transitive dependencies, BoostSecurity gives developers an avenue to prioritize and address security issues, thereby helping ensure the integrity of their applications.
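As an added example (not BoostSecurity's own code), the script below reads a CycloneDX JSON document of the kind the account summary lets you download and reproduces two things described on this page: the vulnerability count per severity level, and the dependency chain that pulls each vulnerable component in, which distinguishes direct from transitive dependencies. The embedded SBOM, its component names and its vulnerability ids are constructed placeholders.

```python
import json
from collections import Counter

# Constructed CycloneDX 1.4 document for this example; not a real export.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "app", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "web-fw", "version": "2.0", "bom-ref": "web-fw"},
        {"type": "library", "name": "tmpl", "version": "1.1", "bom-ref": "tmpl"},
        {"type": "library", "name": "yaml-lib", "version": "0.9", "bom-ref": "yaml-lib"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web-fw"]},
        {"ref": "web-fw", "dependsOn": ["tmpl"]},
        {"ref": "tmpl", "dependsOn": ["yaml-lib"]},
    ],
    "vulnerabilities": [  # ids are placeholders, not real advisories
        {"id": "VULN-PLACEHOLDER-1", "affects": [{"ref": "yaml-lib"}],
         "ratings": [{"severity": "critical", "method": "CVSSv31", "score": 9.8}]},
        {"id": "VULN-PLACEHOLDER-2", "affects": [{"ref": "web-fw"}],
         "ratings": [{"severity": "medium", "method": "CVSSv31", "score": 5.3}]},
    ],
})
SAMPLE_BOM = json.loads(SAMPLE_SBOM)  # parsed as a downloaded file would be

RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4, "none": 5}

def severity_counts(sbom: dict) -> Counter:
    """Vulnerabilities per severity level, taking each entry's worst rating."""
    counts = Counter()
    for vuln in sbom.get("vulnerabilities", []):
        sevs = [r.get("severity", "unknown") for r in vuln.get("ratings", [])]
        counts[min(sevs, key=lambda s: RANK.get(s, 9), default="unknown")] += 1
    return counts

def dependency_paths(sbom: dict) -> dict:
    """bom-ref of each vulnerable component -> path from the root component.
    Two entries (root, component) means direct; longer means transitive."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    vulnerable = {a["ref"] for v in sbom.get("vulnerabilities", []) for a in v.get("affects", [])}
    paths, stack = {}, [(root, [root])]
    while stack:  # depth-first walk; cycles are cut by the "not in path" check
        ref, path = stack.pop()
        if ref in vulnerable and ref not in paths:
            paths[ref] = path
        stack.extend((c, path + [c]) for c in graph.get(ref, []) if c not in path)
    return paths
```

On the sample, `severity_counts(SAMPLE_BOM)` gives one critical and one medium, and `dependency_paths(SAMPLE_BOM)` shows `yaml-lib` reached only through `app -> web-fw -> tmpl -> yaml-lib`, i.e. a transitive finding.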
Patch recommendations¶
For each vulnerability in a library, we display a link to the library's vulnerability details page. This page contains a list of all the versions of the library that are affected by the vulnerability. If a patch is available, it will specify the version of the library that contains the fix.
Data Update Cycle¶
Data sources are regularly refreshed to ensure the most up-to-date information is available for analysis and decision-making. Updates occur every 12 hours, maintaining the accuracy and relevance of the data provided to users.