Configuring Entity Details to Include in SBOM Insights Reports
Introduction
An SBOM Insights bucket represents the entity or context in which a collection of SBOM parts is used in your organization. For example, a bucket might represent a specific application, container, product family, or another type of entity that uses the set of SBOM parts (that is, the open-source or third-party elements) contained in the bucket.
SBOM Insights reports are generated at the individual bucket level. By default, the reports use the bucket's name as the name of the entity in the report title or in details. However, this name might not correctly or fully identify the entity. If you want the reports to display an appropriate entity name along with the entity’s version and publisher, you must currently configure these details as JSON code within the bucket definition. The following procedure describes how to perform this configuration.
The configured entity details are used in all SBOM Insights reports except the CycloneDX VDR (Vulnerability Disclosure Report) and the CycloneDX VEX (Vulnerability Exploitability eXchange) report.
Instructions
Use the following steps to configure the entity details to be included in SBOM Insights reports for a given bucket.
To configure entity details for use in SBOM Insights reports:
- Start with either method in SBOM Insights:
  - To add entity details when creating a bucket, click Create Bucket in the left navigation panel.
  - To update an existing bucket with entity details, click Manage Buckets in the left navigation panel, locate the bucket you want from the bucket list, click the menu icon in the bucket’s Action column, and select Edit.
- In the Description field, enter the entity properties in JSON format, as shown in the following example. Replace the example values of these properties with the correct values for the entity. (Even though a bucket might be defined as an entity type other than “application”, you must use the keywords applicationName, applicationVersion, and applicationPublisher.)
  { "applicationDetails": { "applicationName": "ReportTest", "applicationVersion": "1.2.3a", "applicationPublisher": "ACME" } }
  If you provide JSON code to identify entity details, do not enter any other content in the Description field. Should additional content exist in the field when reports are generated, this field is ignored and the reports use the bucket name instead of the entity name.
- Click Save.
Depending on the type of report you generate, these details will be displayed in the report title or as properties in the report body, replacing the bucket name. See the next section for examples.
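Because extra content in the Description field makes reports fall back to the bucket name, it helps to check the text locally before pasting it in. The following is an added example, not Revenera code or the SBOM Insights parser: the function names are hypothetical, and treating unlisted keys and empty values as errors is an assumption of this sketch.

```python
import json

REQUIRED_KEYS = ("applicationName", "applicationVersion", "applicationPublisher")


def build_description(name, version, publisher):
    """Serialize entity details; json.dumps escapes quotes and backslashes."""
    details = dict(zip(REQUIRED_KEYS, (name, version, publisher)))
    return json.dumps({"applicationDetails": details}, indent=2)


def check_description(text):
    """Return a list of problems; an empty list means the text passes this pre-check."""
    try:
        # json.loads rejects anything before or after the single JSON document,
        # which is the "no other content in the field" rule from the procedure.
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not a single JSON document: {exc.msg} at char {exc.pos}"]
    if not isinstance(doc, dict) or set(doc) != {"applicationDetails"}:
        return ['top level must be an object holding only "applicationDetails"']
    details = doc["applicationDetails"]
    if not isinstance(details, dict):
        return ['"applicationDetails" must be an object']
    problems = []
    for key in REQUIRED_KEYS:
        value = details.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f'"{key}" is missing or not a non-empty string')
    for key in sorted(set(details) - set(REQUIRED_KEYS)):
        # Assumption: keys the article does not list are treated as a mistake (e.g. a typo).
        problems.append(f'unexpected key "{key}"')
    return problems


# Constructed sample descriptions; the first reuses the article's example values.
SAMPLES = {
    "article example": build_description("ReportTest", "1.2.3a", "ACME"),
    "note after JSON": build_description("ReportTest", "1.2.3a", "ACME") + "\nOwner: build team",
    "wrong keyword": '{"applicationDetails": {"name": "ReportTest", '
                     '"applicationVersion": "1.2.3a", "applicationPublisher": "ACME"}}',
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, "->", check_description(text) or "OK")
```

A description that passes this check can still be rejected by SBOM Insights for reasons the article does not document, so confirm the entity name in a generated report after saving.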
Example Entity Details in Reports
The following shows how the entity information used as an example in the procedure above is displayed in reports.
In the CycloneDX Report
The report uses the entity information in its title.
In the SBOM Report (SPDX)
The report includes the entity details in the SPDX document name listed in the header information.
In the SBOM Report (HTML)
The report uses the entity information in its title.
In the SBOM Report (XLSX)
The report shows the entity information as properties in a separate column.
In the Third-Party Notices Report
The report uses the entity information in its title.
In the Vulnerability Report
The report uses the entity information in the heading of the Vulnerability Summary section.
More Information
For additional information about SBOM Insights reports and bucket management, refer to the following documentation: