Defining the default CPE for component versions
CPE, or Common Platform Enumeration, is a standardized system for identifying software components and their versions. It is used in Software Bill of Materials (SBOMs) to facilitate the tracking of vulnerabilities associated with specific components.
As CPE becomes a widely adopted identifier in SBOMs, particularly when importing SBOMs from suppliers, Black Duck includes this information automatically when it is available. This means you can rely on accurate and complete CPE data in your SBOMs without having to locate and update the CPE field manually for each component in your BOMs.
How to find a component version's CPEs
Component version CPEs can be found on:
- the BOM page, by clicking the icon and selecting SBOM Fields.
- the component version's page, by clicking the Settings tab → SBOM Fields.
Defining a default CPE
If the KnowledgeBase does not have any CPEs associated with the component version, you can add or create a default CPE for it. Only one CPE can be assigned in this way.
If the KnowledgeBase does have CPEs associated with the component version and no default CPE has been assigned, an additional info box accompanies the text field and lists the CPEs that Black Duck selects automatically. These are the first five CPE IDs associated with the component version in the KnowledgeBase, sorted alphabetically. Because this selection is alphabetical rather than by relevance, check that the CPE you want emitted in your SBOM is among them; if it is not, assign it explicitly as the default.
To define a default CPE for the component version, use the text field to search the KnowledgeBase for existing CPE IDs associated with the component version, or enter a custom default CPE. Only one CPE can be assigned in this way.
If a default CPE has been assigned, you can delete it by clicking the x in the text field and then clicking Save.
Where to find CPEs in the SBOM report
CPEs associated with a component version can be found in the SBOM report generated by Black Duck:
- SPDX format: CPEs are listed in the externalReferences section of the relevant package entry. The reference category for a CPE is SECURITY, and the CPE string itself is the reference locator.
- CycloneDX format: CPEs appear in the cpe field within the properties section of the corresponding component.
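The following is an added example, not code from the Black Duck product or this page, that shows how a consumer of a generated SBOM would pull CPEs out of both report formats described above and check that a custom default CPE is structurally valid before relying on it. It assumes JSON output, reads the SPDX package field under its JSON key name externalRefs, accepts a CycloneDX cpe either as a component property (as described above) or as the component's top-level cpe field, and uses constructed sample documents rather than real Black Duck output.

```python
from __future__ import annotations

import json
import re

# Constructed sample SPDX 2.x JSON fragment (assumption: not actual Black Duck output).
# In SPDX JSON the external references live under "externalRefs".
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [{
        "name": "openssl",
        "versionInfo": "3.0.2",
        "externalRefs": [
            {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
             "referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.2:*:*:*:*:*:*:*"},
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:generic/openssl@3.0.2"},
        ],
    }],
})

# Constructed sample CycloneDX JSON fragment (assumption: not actual Black Duck output).
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [{
        "name": "zlib",
        "version": "1.2.11",
        "properties": [
            {"name": "cpe", "value": "cpe:2.3:a:zlib:zlib:1.2.11:*:*:*:*:*:*:*"},
        ],
    }],
})

CPE23_PARTS = {"a", "h", "o"}  # application, hardware, operating system


def is_valid_cpe23(cpe: str) -> bool:
    """Structural check of a CPE 2.3 formatted string.

    A well-formed string is "cpe:2.3:" followed by 11 attributes, 13
    colon-separated fields in total; a literal colon inside an attribute is
    escaped as "\\:" and must not be treated as a separator.
    """
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        return False
    if fields[2] not in CPE23_PARTS:
        return False
    # Each attribute must be a literal, "*" (ANY) or "-" (NA), never empty.
    return all(f != "" for f in fields[3:])


def cpes_from_spdx(doc: dict) -> dict[str, list[str]]:
    """Collect CPEs from SECURITY external references of each SPDX package."""
    out: dict[str, list[str]] = {}
    for pkg in doc.get("packages", []):
        key = f"{pkg.get('name')}@{pkg.get('versionInfo', '')}"
        for ref in pkg.get("externalRefs", []):
            if (ref.get("referenceCategory") == "SECURITY"
                    and ref.get("referenceType", "").startswith("cpe")):
                out.setdefault(key, []).append(ref["referenceLocator"])
    return out


def cpes_from_cyclonedx(doc: dict) -> dict[str, list[str]]:
    """Collect CPEs from each CycloneDX component (property or top-level field)."""
    out: dict[str, list[str]] = {}
    for comp in doc.get("components", []):
        key = f"{comp.get('name')}@{comp.get('version', '')}"
        found: list[str] = []
        if comp.get("cpe"):
            found.append(comp["cpe"])
        for prop in comp.get("properties", []):
            if prop.get("name") == "cpe" and prop.get("value"):
                found.append(prop["value"])
        deduped = list(dict.fromkeys(found))  # keep order, drop duplicates
        if deduped:
            out[key] = deduped
    return out


def load_sbom_cpes(text: str) -> dict[str, list[str]]:
    """Detect the SBOM format, extract CPEs and reject malformed ones.

    A malformed CPE would silently match nothing in a vulnerability lookup,
    so it is treated as an error rather than passed through.
    """
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        cpes = cpes_from_cyclonedx(doc)
    elif "spdxVersion" in doc:
        cpes = cpes_from_spdx(doc)
    else:
        raise ValueError("unrecognised SBOM format")
    for component, ids in cpes.items():
        bad = [c for c in ids if not is_valid_cpe23(c)]
        if bad:
            raise ValueError(f"{component}: malformed CPE(s) {bad}")
    return cpes


if __name__ == "__main__":
    for sample in (SPDX_SAMPLE, CYCLONEDX_SAMPLE):
        print(load_sbom_cpes(sample))
```

The same is_valid_cpe23 check is worth running on any custom default CPE you type into the text field, since a string that is not a well-formed CPE 2.3 name will be copied into the SBOM as-is.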