Viewing SBOM Components
Browse the parsed component list from your SBOM, including names, versions, PURLs, and licenses.
After uploading an SBOM, you can view its contents on the SBOM tab of a release page.
SBOM metadata
The top of the SBOM page shows:
- Format: CycloneDX or SPDX
- Spec Version: The version of the SBOM specification used
- Components: Total number of components extracted
- File Hash: SHA-256 hash of the original file for integrity verification
- File Size: Size of the uploaded file
Component list
The component table shows each extracted component with:
- Name: The component or package name
- Version: The component version
- PURL: Package URL, a standardized identifier for the component (e.g., pkg:npm/express@4.18.2)
- Type: Component type (library, framework, application, etc.)
- Licenses: Declared licenses for the component
- Supplier: The organization that supplies the component
Understanding Package URLs (PURLs)
A Package URL (PURL) is a standardized way to identify software packages across ecosystems. CVEium uses PURLs as the primary method for matching components to known vulnerabilities.
A PURL follows the format: pkg:type/namespace/name@version
Examples:
- pkg:npm/express@4.18.2: npm package "express" version 4.18.2
- pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1: Maven package
- pkg:pypi/django@4.2.7: PyPI package
How components are matched to vulnerabilities
CVEium uses two matching strategies:
- PURL-based matching: Uses the ecosystem and package name from the PURL to find known vulnerabilities. This is the primary and most accurate method.
- Name-based fallback: If no PURL is available, falls back to matching by component name. This is less precise and results in a lower confidence score.
The match confidence is displayed alongside each vulnerability in the triage view.
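The following is an added example, not CVEium's own code, that shows the two ideas above together: a small parser for the pkg:type/namespace/name@version format, and a toy matcher that contrasts a PURL-based lookup with the name-based fallback. The advisory table, the ADV-EXAMPLE-* identifiers, the affected version sets and the confidence values are all constructed for illustration and do not describe CVEium's real data or scoring.

```python
# Added example, not CVEium's own code: a Package URL (PURL) parser plus a toy
# matcher contrasting PURL-based matching with a name-based fallback.
# The advisory table, identifiers and confidence values are constructed.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Parse pkg:type/namespace/name@version (qualifiers and subpath are dropped)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a Package URL: {purl!r}")
    body = purl[len("pkg:"):]
    # '#subpath' and '?qualifiers' are not needed for vulnerability matching.
    body = body.split("#", 1)[0].split("?", 1)[0].strip("/")
    ptype, _, rest = body.partition("/")
    if not ptype or not rest:
        raise ValueError(f"malformed Package URL: {purl!r}")
    version: Optional[str] = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    segments = [unquote(s) for s in rest.split("/") if s]
    if not segments:
        raise ValueError(f"Package URL has no name: {purl!r}")
    ptype = ptype.lower()
    name = segments[-1]
    namespace = "/".join(segments[:-1]) or None
    # The PURL spec treats some ecosystems as case-insensitive; normalise the
    # ones handled here so "Django" and "django" hit the same advisories.
    if ptype in ("npm", "pypi"):
        name = name.lower()
        if ptype == "pypi":
            name = name.replace("_", "-")
    return Purl(ptype, namespace, name, version)


# Constructed advisory table: (ecosystem, namespace/name) -> [(id, affected versions)].
# "ADV-EXAMPLE-*" are placeholder identifiers, not real advisories.
ADVISORIES = {
    ("npm", "express"): [("ADV-EXAMPLE-001", {"4.18.2"})],
    ("pypi", "express"): [("ADV-EXAMPLE-002", {"4.18.2"})],  # same name, other ecosystem
    ("maven", "org.apache.logging.log4j/log4j-core"): [("ADV-EXAMPLE-003", {"2.14.1"})],
}
PURL_CONFIDENCE = 0.9  # constructed value: the PURL path knows the ecosystem
NAME_CONFIDENCE = 0.5  # constructed value: name-only cannot tell ecosystems apart


def match_component(component: dict) -> list[dict]:
    """Return advisories matching one SBOM component, with method and confidence."""
    purl = component.get("purl")
    if purl:
        p = parse_purl(purl)
        key = (p.type, f"{p.namespace}/{p.name}" if p.namespace else p.name)
        candidates = ADVISORIES.get(key, [])
        method, confidence, version = "purl", PURL_CONFIDENCE, p.version
    else:
        # Fallback: no ecosystem is known, so every ecosystem with this package
        # name is a candidate, which is exactly why this path is less precise.
        candidates = [
            adv for (_eco, name), advs in ADVISORIES.items()
            if name == component["name"].lower() for adv in advs
        ]
        method, confidence, version = "name", NAME_CONFIDENCE, component.get("version")
    return [
        {"advisory": adv_id, "method": method, "confidence": confidence}
        for adv_id, affected in candidates
        if version is None or version in affected
    ]


if __name__ == "__main__":
    sbom_components = [  # constructed sample rows mirroring the component table
        {"name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"name": "express", "version": "4.18.2"},  # same package, PURL missing
        {"name": "django", "version": "4.2.7", "purl": "pkg:pypi/django@4.2.7"},
    ]
    for c in sbom_components:
        print(c["name"], c.get("purl", "<no purl>"), match_component(c))
```

Running the script shows the difference in precision directly: the row with a PURL resolves to a single npm advisory at high confidence, while the identical row without a PURL also picks up the unrelated PyPI package of the same name, which is the collision that justifies the lower confidence score on the name-based path.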