This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Manage Imported SBOMs

Use the Anchore Enterprise GUI to import, organize, and analyze external SBOMs. This page covers the full imported SBOM workflow — from the import dialog through vulnerability and compliance results.

Import an SBOM

To import an external SBOM, navigate to the Imported SBOMs view via the left navigation panel. In the top-right of the page, select the Import SBOM button.

Imported SBOMs view

In the Import an SBOM dialog, provide the following information:

  • SBOM Name: A name for the SBOM document
  • Version: A version for the SBOM document
  • Type: Optionally, provide a type describing the entity represented by the SBOM. Must be one of the following: application, container, device, file, filesystem, firmware, library, module, virtual_machine_disk, or unknown
  • Groups: Optionally, select one or more SBOM groups with which to associate the imported SBOM
  • Annotations: Optionally, add any annotations to store with the imported SBOM — for example, a Vendor name for the application or module represented by the SBOM
  • SBOM File: Select the SBOM document to import

Import an SBOM dialog

View Document Insights

When an SBOM is imported, Anchore Enterprise calculates a set of document insights describing the properties of the SBOM document. These insights indicate various quality metrics and result in an overall SBOM Quality score. For a full breakdown of each metric, see Document Insights.

SBOM document insights and quality score

Note: Support for xml and tag-value formats is achieved by converting the stored document to Syft json before inspection. Document insights are calculated based on the converted version.

View SBOM Contents

To view the contents of an imported SBOM, select the Contents tab.

SBOM contents tab

The Contents tab displays a list of packages, versions, and associated licenses for the current SBOM.

Organize Imported SBOMs

Imported SBOMs can be placed into groups to reflect logical organization structures — for example, by vendor, product line, or team. Groups provide a way to manage and analyze related SBOMs together, enabling aggregate visibility into software composition and security health across a collection of artifacts. Grouping can be done during import or after an SBOM has already been imported.

The SBOM Group Summary view shows the list of associated imported SBOMs along with their key attributes, including name, version, type, and SBOM Quality score. The group-level SBOM Quality score reflects the average quality score across all constituent SBOMs, giving a quick indication of overall documentation completeness for the group. Vulnerability results and compliance evaluations can also be viewed at the group level, aggregating findings across all SBOMs within the group.

SBOM group summary view

View Vulnerabilities

Once imported, SBOMs are queued for vulnerability scanning. To view vulnerability results for an imported SBOM or SBOM group, select the Vulnerabilities tab.

SBOM vulnerabilities tab

The list of vulnerabilities can be filtered using the following criteria:

  • Vulnerability Age: select the number of days since the last time a particular vulnerability has been reported
  • Minimum Severity: select the desired minimum CVSS severity
  • Minimum CVSS Score: select the desired minimum CVSS score

Select Reset Filters to revert all filters to their default values.

The Anchore Rank column provides a sequence value for prioritizing vulnerability review and remediation, based on the Anchore Score — a composite security index comprised of CVSS score and severity, EPSS percentage, and CISA KEV status. The higher the value, the higher the priority to address it.

Select Export CSV in the top-right to export all data for the filtered set of vulnerabilities. The CSV includes all data fields for the complete set of vulnerabilities matching the filter criteria, with a record for each vulnerability instance per affected package and SBOM.

Evaluate Compliance

Imported SBOMs can have policy evaluated against them. Policy support is currently limited to the Vulnerabilities gate. See SBOM Mapping for details on creating policy mappings for imported SBOMs.

To view compliance results, select the Compliance tab.

SBOM compliance tab

Details about the policy and rules evaluated are shown, including the Final Action and the overall Evaluation Result. A summary of findings by action, vulnerability severity, and allowlisted findings is also shown.