SBOM Component Risk Analyzer

Artifact label:

Use the release or image name that owns the pasted SBOM.

Vulnerability gate:

Choose the lowest severity that should enter the component review queue.

Denied licenses:

Keep UNKNOWN in the list when missing license data should be reviewed.

SBOM source:

Paste CycloneDX, SPDX, or Syft JSON, or CSV rows with component, version, license, severity, and vulnerability ID.

SBOM input needs attention

{{ error }}

Component	Version	License	Vulnerabilities	Max severity	Risk	Copy
{{ row.component }}	{{ row.version }}	{{ row.license }}	{{ row.vulnerabilities }}	{{ row.maxSeverity }}	{{ row.risk }}
No components were parsed Paste CycloneDX JSON, SPDX JSON, Syft JSON, or CSV rows to populate the component risk ledger.

Severity	Component	Finding	Next action	Copy
{{ row.severity }}	{{ row.component }}	{{ row.finding }}	{{ row.next }}
No policy findings are available Fix the source input first; release, license, and identity findings appear here after parsing.

No component risk rows are available for the current SBOM input.

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

A software inventory becomes useful for release review only when its component rows can be trusted. A dependency name is a weak clue by itself; reviewers also need a version, a license signal, a package URL or similar identifier, and vulnerability links that still point to the component that was actually shipped.

Software bills of materials often arrive from several scanners and formats. CycloneDX, SPDX, Syft JSON, and CSV exports can all carry useful evidence, but they do not keep the same field names or relationship shapes. A BOM reference, SPDX identifier, package URL, version string, and license expression all reduce ambiguity when a security team tries to match advisory data back to a product build.

Flow from SBOM input to matching, scoring, and review outputs.

Component risk is not only a vulnerability count. A dependency with no matched CVE can still need review when the license is unknown, copyleft-heavy, or outside policy. A severe vulnerability can move lower in the queue when the evidence says it is fixed or not affected, but that state still has to line up with the product version and runtime packaging.

The practical result is a triage queue, not an automatic approval. A good review starts with the highest-risk rows, then checks scanner freshness, advisory records, runtime reachability, owner assignment, and license exceptions before anyone treats the artifact as ready.

How to Use This Tool:

Use the most complete SBOM export available and keep the artifact label close to the release, container image, or service you plan to review.

Set Artifact label to the image, service, product, or release name that should appear in the summary and exported evidence.
Choose Vulnerability gate to decide which severity levels create policy rows: Medium and above, High and critical, or Critical only.
Edit Denied licenses for the policy you want to enforce. Leave UNKNOWN in the list when missing license data should be treated as a review finding.
Paste or browse for CycloneDX JSON, SPDX JSON, Syft JSON, or CSV rows. CSV can include component, version, license, severity, vulnerability, state, scope, and package URL columns.
Check Component Risk Ledger first. It ranks parsed components by risk score and shows version, license, vulnerability count, maximum severity, and risk band.
Open SBOM Policy Finding Queue to separate vulnerability-gate findings from license findings, incomplete identity findings, and unmatched vulnerability records.
Use Component Risk Stack when you need to explain why a row is high. The chart separates vulnerability, license, and identity or scope points for the top components.

When the input is rejected, fix the source format before interpreting any result. A malformed JSON paste can fall back to CSV parsing, and a CSV without a recognized header is read as component, version, license, severity, vulnerability ID, status, scope, and package URL.

Interpreting Results:

The headline score weights the worst component more heavily than the average because one urgent runtime component can decide release priority. Policy findings add extra pressure, so an artifact with several license or identity repairs can score higher than its vulnerability count alone would suggest.

SBOM analyzer result views and interpretation cues
Result view	Useful reading	Do not overread
Component Risk Ledger	Sort by risk score, then inspect component identity, license, vulnerability count, and maximum severity.	A high row is a review priority, not proof that the component is exploitable in the running product.
SBOM Policy Finding Queue	Use the finding and next-action text to assign vulnerability, license, identity, or matching repair work.	An empty queue only means the pasted SBOM did not trip the selected rules.
Component Risk Stack	Compare the bar segments to see whether vulnerability, license, or identity and scope points drive the score.	The chart does not refresh vulnerability intelligence or validate legal obligations.

A low score is strongest when the SBOM itself is strong. Confirm that key components have versions, package URLs or equivalent identifiers, license data, and preserved vulnerability links before treating a quiet queue as reassuring.

Technical Details:

SBOM risk scoring is a structured triage model over the evidence already present in the pasted inventory. It does not perform software composition analysis, fetch advisory updates, or resolve licenses from registries. The quality of the result depends on how completely the SBOM preserves component identity, vulnerability relationships, license fields, and scope.

Component matching uses stable references first, then weaker name and version clues when needed. A vulnerability that keeps an affected reference, package URL, BOM reference, or matching component name can be assigned to the right row. A vulnerability without a usable relationship remains visible as an unmatched finding because silently dropping it would hide an SBOM-quality problem.

Formula Core

Each component score combines capped vulnerability points, license risk, missing identity evidence, and runtime scope. Scores are rounded after clamping to a 0 to 100 range.

R_{component} = round (clamp (V_{capped} + L_{risk} + 5 \times I_{missing} + S_{runtime}, 0, 100))

The artifact score keeps the highest component in front, adds part of the average component risk, and gives each non-clear policy row extra weight.

R_{artifact} = round (clamp (0.60 \times \max (R_{component}) + 0.25 \times mean (R_{component}) + 1.5 \times N_{policy}, 0, 100))

Rule Core

SBOM component risk scoring rules
Signal	Rule	Review meaning
Vulnerability severity	Critical adds 36 points, high adds 24, medium or moderate adds 10, low adds 4, informational adds 1, and unknown adds 3. The vulnerability subtotal is capped at 62.	Multiple severe records can dominate the score, but they cannot hide license and identity problems completely.
Resolved state	Resolved, fixed, not-affected, or false-positive records contribute 15% of the normal severity points.	VEX-like state reduces urgency but still leaves a review trace.
License policy	Denied licenses add 24 points. Unknown, NOASSERTION, strong-copyleft, proprietary, commercial, restricted, and EULA-like labels also add review risk.	License findings can matter even when no vulnerability is attached.
Identity quality	Missing version, package URL, or known license adds 5 points per missing item.	Weak identity makes scanner comparisons, exceptions, and later audits less reliable.
Scope	Runtime-like scope adds 6 points. Test, development, optional, excluded, and provided scope add no runtime points.	Runtime components normally deserve earlier owner review.

Numeric vulnerability scores are normalized to common qualitative bands before they are used. A score of 9 or higher is critical, 7 to below 9 is high, 4 to below 7 is medium, and a positive score below 4 is low. Text labels such as critical, high, medium, moderate, low, informational, and unknown are also recognized.

SBOM risk band thresholds
Score range	Band label	Usual follow-up
`>= 75`	Critical queue	Assign owner review before release, especially for runtime and policy findings.
`55` to `74`	High review	Check whether a fix, exception, or SBOM repair is needed.
`30` to `54`	Elevated	Review the cause, then decide whether normal remediation tracking is enough.
Below `30`	Monitor	Keep in routine SBOM review, especially if identity fields are complete.

All scoring is deterministic for the pasted data and selected settings. Changing the vulnerability gate changes policy rows, while changing denied licenses can change both license findings and risk scores.

Review Limits and Privacy:

This is a local triage aid for security and compliance review. It helps organize SBOM evidence, but it cannot replace source advisories, scanner freshness, legal review, runtime reachability analysis, or product-owner judgment.

The pasted SBOM is parsed in the browser session; the analyzer does not query an advisory database or package registry.
Stale scanner data stays stale in the output. Refresh the SBOM before using the queue for release decisions.
License labels are treated as policy signals, not legal conclusions. Confirm obligations and approved exceptions outside the score.
Unmatched vulnerability rows are data-quality warnings. Repair the SBOM or scanner export before assuming the affected component is absent.

Worked Examples:

High runtime vulnerability

A CycloneDX export for orders-api:2.8.0 includes log4j-core with version 2.14.1, an Apache license, runtime scope, and a critical CVE. Component Risk Ledger ranks it near the top, Policy Finding Queue shows the critical finding, and Component Risk Stack shows vulnerability points as the main driver.

License-first queue item

A component has no parsed vulnerability records, but its license is UNKNOWN and UNKNOWN remains in Denied licenses. Policy Finding Queue asks for license resolution, and the risk score increases because the component lacks a known license.

CSV matching repair

A CSV row lists CVE-2026-0001 but does not keep a package URL, BOM reference, or matching component name and version. The queue keeps the record as an unmatched vulnerability so the export can be regenerated instead of losing the signal.

Advanced Tips:

Keep the vulnerability gate aligned with the review meeting. Use Critical only for a quick release stop check, and use Medium and above when the goal is backlog grooming.
Treat UNKNOWN as a denied license during audit preparation, then remove it only when missing license rows are being handled in a separate workflow.
Regenerate noisy CSV exports with package URLs or BOM references when the queue shows unmatched vulnerabilities; stronger identifiers prevent false splits.
Compare the Component Risk Stack against the policy queue before assigning work, because a high score may come from license and identity evidence rather than fresh vulnerabilities.
Refresh scanner output before release decisions. The score only reads the pasted SBOM evidence and does not fetch newer vulnerability or license data.

FAQ:

Does this look up fresh CVEs?

No. It scores vulnerability records already present in the pasted SBOM or CSV rows. Refresh the SBOM with your scanner before relying on the queue.

Why can a component score high without many vulnerabilities?

License policy, unknown licenses, missing package URLs, missing versions, and runtime scope can raise the score even when the vulnerability count is low.

What should I do with an unmatched vulnerability?

Check whether the SBOM kept affected references, package URLs, component names, and versions. Regenerate the SBOM or scanner export when those links were lost.

Why did my JSON input behave like CSV?

The JSON could not be parsed, so the input was read as CSV. Check for truncated JSON, pasted console text, or shifted CSV columns before trusting the ledger.

Can the policy queue approve a release?

No. A clear queue means the selected rules did not find gate-level issues in the pasted data. Release approval still needs scanner freshness, owner review, and license policy confirmation.

Glossary:

SBOM: A software bill of materials that lists components and supply-chain evidence for a software artifact.
Package URL: A standardized package identifier that can include ecosystem, namespace, name, version, qualifiers, and subpath.
BOM reference: A stable reference inside an SBOM that can link components, dependencies, and vulnerability records.
Denied license: A license identifier or label that the selected policy treats as requiring review.
VEX-like state: A vulnerability state such as not affected, fixed, resolved, or false positive that reduces but does not erase review weight.
Unmatched vulnerability: A vulnerability record that could not be linked back to a parsed component.

References:

2025 Minimum Elements for a Software Bill of Materials (SBOM), CISA.
CycloneDX specification overview, OWASP Foundation, 2025.
SPDX Specification 2.3 package information, SPDX Workgroup.
Package-URL (PURL), Ecma TC54, 2025.
CVSS v3.1 Specification Document, FIRST.
Syft output formats, Anchore.

SBOM Component Risk Analyzer

Introduction:

How to Use This Tool:

Interpreting Results:

Technical Details:

Formula Core

Rule Core

Review Limits and Privacy:

Worked Examples:

High runtime vulnerability

License-first queue item

CSV matching repair

Advanced Tips:

FAQ:

Glossary:

References: