Viewing SBOM fields

After creating or activating an SBOM template, its fields appear in the relevant sections of the UI. See the sections below for the specific areas where the SBOM fields appear:

BOM component

SBOM BOM component fields are viewed and edited in the component version row on the project's BOM page. They are shown in the output of SPDX and CycloneDX reports. Users with the Global Project Administrator, Global Project Manager, Component Manager, or Project Manager (for the projects they are associated with) role can enable or disable the values for the SBOM fields.

To view and add information on the component version level:

  1. Navigate to the project's BOM page.

  2. Click the Options button at the end of the desired component version row.

  3. Select SBOM Fields. This opens the SBOM Fields dialog box, where you enter the information for the custom fields.


    SBOM Fields dialog box

The SBOM fields are not mandatory, but must be populated with correctly formed information:

  • Originator: If the package identified in the SBOM file originated from a different person or organization than identified as Package Supplier, this field identifies the origin of the package. Select Organization or Person. If either entity is selected, the Name field becomes mandatory. The email address field remains optional.

  • Supplier: The organization that supplied the component that the BOM describes. Select Organization or Person. If either entity is selected, the Name field becomes mandatory. The email address field remains optional.

  • PURL: Enter a valid package URL (scheme:type/namespace/name@version?qualifiers#subpath). For more information, please consult PURL specification documentation online.

  • CPE: Enter a valid Common Platform Enumeration identifier ([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}). For more information, please consult CPE specification documentation online.

  • Package Comment: General comments about the package being described.

  • Package Valid Until Date: The end of the support period for a package from the supplier.

  • Download Location: The URL or other specific location within a version control system (VCS) where the component was downloaded. Please note that in SPDX and CycloneDX, an instance of a component can have multiple download locations. However, in Black Duck, a component version can only have one download location. When an SBOM is imported, only the first URL is imported and the rest are ignored.

Component

SBOM component fields are viewed and edited on the component page. The output is displayed in SPDX and CycloneDX reports. Users with the Global Project Administrator, Global Project Manager, Component Manager, or Project Manager (for the projects they are associated with) role can enable or disable the values for the SBOM fields.

To view and add information on the component level:

  1. Click the component in your project's BOM. This will take you to the component version page.

  2. Click the component name.

    Component version page

  3. Click the Settings tab on the top right.

  4. Click the SBOM Fields tab in the lefthand menu.

    SBOM Fields tab of the Component page

The SBOM fields are not mandatory, but must be populated with correctly formed information:

  • Originator: Select Organization or Person. If either entity is selected, the Name field becomes mandatory. The email address field remains optional.

  • Description: Enter any text describing the package.

Component Version

Component version SBOM fields are viewed and edited on the component version's settings page. Users with the Global Project Manager or Project Manager (for the projects they are associated with) role can enable or disable the values for the SBOM additional fields.

To change information on the component version level:

  1. Click the component in your project's BOM. This will take you to the component version page.

  2. Select the Settings tab.

  3. Select SBOM Fields.

    Component Version page

  4. Edit the desired SBOM field:

    • Download Location. The URL or a specific location within a version control system (VCS) that the component was downloaded from.

Project

SBOM project fields are viewed and edited on the project settings page. Users with the Global Project Manager or Project Manager (for the projects they are associated with) role can enable or disable the values for the SBOM additional fields.

To change information on the project level:

  1. Select the project name using the Watching or My Projects dashboard. The Project Name page appears.

  2. Select the Settings tab.

  3. Select SBOM Fields.



  4. Edit the desired SBOM field:

    • Originator. If the package identified in the SBOM file originated from a different person or organization than identified as Package Supplier, this field identifies the origin of the package.

      Select either Organization or Person from the Entity dropdown menu. Enter a name in the Name field. This is a mandatory field.

      Optionally, you can add an email address for the entity in the Email field.

    • Project Alias. Project Alias masks your project version name in SBOM reports. Enter the name to be used in SBOM reports in the Project Alias field.

Project group

SBOM project group fields are viewed and edited on the project group page. Users with the Global Project Group Administrator, Project Administrator (for the projects they are associated with), or Project Manager (for the projects they are associated with) role can enable or disable the values for the SBOM additional fields.

When enabled, all project groups under this group will inherit the field values, but they can be overridden in each group.

To view and add information on the project group level:

  1. Click and then select Project Groups.

  2. Click the blue Manage button on the top right of the page.

  3. Select SBOM Fields.



The Creator section contains the following fields:

  • Organization: Mandatory. This field must contain the name of an organization. It is pre-populated with COMPANY NAME, but can be replaced with the name of your organization.

  • Organization's email: Optional. Enter the email address for the organization.

  • Person: Optional. Enter the name of a person representing the organization.

  • Person's Email: Optional. Enter the email address for the person representing the organization.

Creator Comments: Optional. A field for creators of the SPDX file to provide general comments about the creation of the SPDX file or any other relevant comment not included in the other fields.

Propagate field values to all child groups: Enable this checkbox if you want all project groups under this group to inherit the field values above. They can be overridden in each group.

Project version

These are additional fields that can be included in the SBOM report. These field values propagate when this project is used as a subproject; you can override them at the BOM level. SBOM project version fields are viewed and edited on the project version page. Users with the Global Project Administrator, Global Project Manager, Project Administrator (for the projects they are associated with), or Project Manager (for the projects they are associated with) role can enable or disable the values for the SBOM fields.

To view and add information on the project version level:

  1. Select the project name using the Watching or My Projects dashboard. The Project Name page appears.

  2. Select the desired project version.

  3. Select the Settings tab.

  4. Select SBOM Fields.



  5. The SBOM fields are not mandatory, but must be populated with correctly formed information:

    • Supplier: Select Organization or Person. If either entity is selected, the Name field becomes mandatory. The email address field remains optional.

    • PURL: Enter a valid package URL (scheme:type/namespace/name@version?qualifiers#subpath). For more information, please consult PURL specification documentation online.

    • CPE: Enter a valid Common Platform Enumeration identifier ([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}). For more information, please consult CPE specification documentation online.

    • Package Comment: General comments about the package being described.

    • Package Valid Until Date: The end of the support period for a package from the supplier.

    • Download Location: The URL or other specific location within a version control system (VCS) where the component was downloaded. Please note that in SPDX and CycloneDX, an instance of a component can have multiple download locations. However, in Black Duck, a component version can only have one download location. When an SBOM is imported, only the first URL is imported and the rest are ignored.
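The PURL, CPE, Package Valid Until Date and Download Location fields listed here (and the identical BOM component fields earlier on this page) are accepted only when well formed, and only the first download location survives import. The following script is an added example, not Black Duck's own code, for checking values before they are entered or before an SBOM is imported. It assumes a simplified package URL grammar that follows the scheme:type/namespace/name@version?qualifiers#subpath shape quoted above (not the full normative purl rules), uses the CPE 2.2 URI pattern exactly as quoted above, assumes Valid Until dates are written as YYYY-MM-DD, and assumes CycloneDX JSON where download locations are externalReferences of type "distribution". The sample components are constructed for the example.

```python
"""Pre-entry checks for SBOM field values (added example, not Black Duck code)."""
import re
from datetime import date

# CPE 2.2 URI pattern exactly as quoted in the CPE field description.
CPE_RE = re.compile(r"[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}")

# Simplified purl shape: pkg:type/namespace/name@version?qualifiers#subpath.
# Namespace, version, qualifiers and subpath are optional. This is an
# assumption for the example, not the normative purl grammar.
PURL_RE = re.compile(
    r"^pkg:"
    r"(?P<type>[a-zA-Z][a-zA-Z0-9.+-]*)/"
    r"(?:(?P<namespace>[^@?#]+)/)?"
    r"(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?"
    r"(?:\?(?P<qualifiers>[^#]+))?"
    r"(?:#(?P<subpath>.*))?$"
)


def parse_purl(value):
    """Return the purl parts as a dict, or None if the value is malformed."""
    m = PURL_RE.match(value.strip())
    if not m:
        return None
    parts = m.groupdict()
    qualifiers = {}
    if parts["qualifiers"]:
        # Qualifiers are key=value pairs joined by '&'; reject empty keys/values.
        for pair in parts["qualifiers"].split("&"):
            key, sep, val = pair.partition("=")
            if not sep or not key or not val:
                return None
            qualifiers[key.lower()] = val
    parts["qualifiers"] = qualifiers
    return parts


def is_valid_cpe(value):
    """True only for the CPE 2.2 URI form the field accepts (cpe:/part:...)."""
    return CPE_RE.fullmatch(value.strip()) is not None


def is_valid_valid_until(value):
    """Package Valid Until Date as an ISO calendar date (assumption)."""
    try:
        date.fromisoformat(value)
        return True
    except ValueError:
        return False


def first_download_location(component):
    """Mirror the import behaviour described above: keep the first
    distribution URL and report how many further ones would be ignored."""
    urls = [ref.get("url") for ref in component.get("externalReferences", [])
            if ref.get("type") == "distribution" and ref.get("url")]
    return (urls[0] if urls else None, max(len(urls) - 1, 0))


def check_component(component):
    """Return human-readable findings for one CycloneDX-style component dict."""
    findings = []
    purl = component.get("purl")
    if purl is not None and parse_purl(purl) is None:
        findings.append(f"malformed purl: {purl}")
    cpe = component.get("cpe")
    if cpe is not None and not is_valid_cpe(cpe):
        findings.append(f"cpe is not in the accepted cpe:/ form: {cpe}")
    until = component.get("validUntil")
    if until is not None and not is_valid_valid_until(until):
        findings.append(f"valid-until is not YYYY-MM-DD: {until}")
    kept, dropped = first_download_location(component)
    if dropped:
        findings.append(f"{dropped} extra download location(s) would be ignored; keeping {kept}")
    return findings


# Constructed sample components for the example.
SAMPLE_COMPONENTS = [
    {"name": "lodash", "purl": "pkg:npm/lodash@4.17.21",
     "cpe": "cpe:/a:lodash:lodash:4.17.21",
     "externalReferences": [
         {"type": "distribution", "url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
         {"type": "distribution", "url": "https://github.com/lodash/lodash/archive/4.17.21.tar.gz"}]},
    {"name": "broken", "purl": "npm/lodash@1.0",
     "cpe": "cpe:2.3:a:x:y:1:*:*:*:*:*:*:*", "validUntil": "2025-13-40"},
]

if __name__ == "__main__":
    for comp in SAMPLE_COMPONENTS:
        for finding in check_component(comp):
            print(f"{comp['name']}: {finding}")
```

Note that a CPE 2.3 formatted string (cpe:2.3:a:...) does not match the pattern quoted for the field, which only accepts the cpe:/ URI form, so such values need to be converted before entry.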