Skip to content

Software Bill Of Materials (SBOM)

To access the SBOM service, select SBOM from the application's sidebar in the BoostSecurity dashboard. From the main SBOM view, the list of projects and their detected vulnerabilities and the account-wide view are provided.

SBOM Service

Account Summary

The first section of the SBOM page is the account summary. The overall number of vulnerabilities per level is provided, i.e., the overall number of vulnerabilities across all projects and third-party components in the account. The SBOM document can be downloaded in either Cyclonedx, Spdx or CSV format for the account, from the account summary. The account summary SBOM documents contain the inventory of all components across all projects in the account.

SBOM Account Wide view

Projects Specific Summary

The projects summary section provides a project-based posture, providing a summary of the number of vulnerabilities:

  • Per severity level
  • Per project for all projects in the account

SBOM per project view

The projects are presented in descending order of vulnerability severities.

Info

The Search For filter area can be used to search for a project by name keyword across all projects in the account, and you can also use the Filter By filter to only show repositories with vulnerabilites.

Project Specific Filters

Packages

By selecting the Packages tab in the Visualize filter, Boost provides a quick way to find all packages and third-party components included across all projects in the account.

SBOM Packages view

The packages are presented in decreasing order of number and severity of vulnerabilities. For each package, the following are provided:

  • The number and severity of vulnerabilities.
  • The number of repositories in the account, including the package.

Note

The search area can be used to search for a package by name or vulnerability id.

Search For

Package Details

Select a package from the list of packages to view further details. These details include:

Vulnerabilities

The vulnerability details for each package can be viewed by selecting the Vulnerabilities tab. The list of vulnerabilities is presented, including the

Vulnerabilities Details

CVSS 3.1 and EPSS Score

The CVSS and EPSS scores can be viewed by clicking on a vulnerability listed in the Vulnerabilities tab.

CVSS & EPSS Score

The vulnerabilities details view can be exited with "Esc" or by clicking the close (x) button.

Repositories

Select the Repositories tab to view the list of repositories.

Repositories Details

The project link can be selected from the list of projects, taking the user to the project-specific view.

No Packages Found

If results are not found based on selected filters, you will be notified that no vulnerable packages meet the criteria.

No packages found

Transitive Dependencies

Transitive dependencies occur when security vulnerabilities or issues are detected not directly within the project's code but within the dependencies of a project's codebase, forming a chain of interconnected components.

BoostSecurity analyzes dependencies and their associated vulnerabilities comprehensively. It not only identifies issues within the project's direct dependencies but also uncovers vulnerabilities within transitive dependencies. By flagging these transitive dependencies, BoostSecurity provides an avenue for developers to prioritize and address security issues, thereby ensuring the integrity of applications.

Transitive Filter

Transitive Details

SBOM Upload

BoostSecurity supports the direct upload of Cyclonedx SBOM files through the UI.

This enables users to generate and upload CycloneDX-format SBOMs for standalone analysis, which BoostSecurity then enriches with vulnerability insights, risk scores, and metadata, without requiring build pipeline integration. SBOMs uploaded via this method receive the same treatment as those generated from integrated projects which include:

  • Vulnerability enrichment (CVEs, EPSS, CVSS v3.1)
  • Malware detection
  • OpenSSF scorecard data
  • License insights
  • Dependency graph resolution (including transitive dependencies)

Once uploaded, the file is treated like any other inventory: enriched, monitored, and visualized through the SBOM interface.

How to upload CycloneDX SBOM files

To upload a CycloneDX SBOM file:

  1. Navigate to the SBOM page of the BoostSecurity dashboard.

  2. Click on the SBOM Upload button at the top right of the interface.

    SBOM Upload Button

  3. From the modal that appears, select the SBOM Type: Container Image or SCM Repository.

    Select SBOM Type

  4. Fill in required parameters and upload the file. Depending on your selected SBOM type, provide the required fields and select your CycloneDX file.

    • For Container Image uploads:

      1. Provider: Select the container registry service where your image is hosted. Supported providers include Docker Hub, AWS ECR, Google Container Registry, and others.
      2. Registry Name: Enter the domain or hostname of your container registry. For example, registry.hub.docker.com or 123456789.dkr.ecr.us-west-2.amazonaws.com.
      3. Repository Name: Specify the name of the repository within your registry that contains the container image. For instance, my-application/backend-service.
      4. Digest: Provide the SHA256 digest of the specific image version you intend to upload. This ensures the exact image is identified. An example digest would be sha256:abc123....
      5. Base URL (Optional): If you're operating in an on-premise environment or using a private registry, input the base URL of your registry here. This helps BoostSecurity locate and access your registry appropriately.
      6. Select File: Click this button to browse and select the CycloneDX SBOM file corresponding to your container image.

      Finally click the Upload button to finish the SBOM upload.

      Container Image SBOM Upload

    • For SCM Repository upload, fill out the required parameters:

      1. Monorepo: If your repository is a monorepo containing multiple projects or services, indicate this here. This helps in accurately associating the SBOM with the correct sub-project.
      2. Provider: Choose the source code management (SCM) platform hosting your repository, such as GitHub, GitLab, Bitbucket, etc.
      3. Repository Name: Enter the full path to your repository, typically in the format organization/repository-name.
      4. Default Branch: Specify the primary branch of your repository, commonly main or master. This identifies the branch from which the SBOM was generated.
      5. Commit ID: Provide the unique SHA hash of the commit corresponding to the SBOM. This ensures the SBOM is tied to a specific state of your codebase

      Finally click the Upload button to finish the SBOM upload.

      SCM Repository SBOM Upload

Once the upload is complete, the SBOM will be automatically analyzed, and vulnerabilities will be detected and enriched.

Patch recommendations

For each library vulnerability, we display a link to the library's vulnerability details page. This page contains a list of all the library versions affected by the vulnerability. If a patch is available, it will specify the library version containing the fix.

Patched

Data Update Cycle

Data sources are regularly refreshed to ensure the most up-to-date information is available for analysis and decision-making. Updates occur every 12 hours, maintaining the accuracy and relevance of the data provided to users.