SBOM Mapping
The SBOM policy mapping editor creates rules that define which policies and allowlists should be used to perform the policy evaluation of an SBOM based on the name and version of the SBOM.
Organizations can set up multiple policies that will be used on different SBOMs based on use case. For example, the policy applied to a web-facing service may have different security and operational best-practice rules than the policy applied to a database backend service.
Mappings are set up based on the Name and Version of an SBOM. Each field supports wildcards.
Create an SBOM Mapping
From the Policies screen, click Mappings.

Under SBOMs, click on the “Let’s add one!” button.
From the Add New SBOM Mapping dialog, add a name for the mapping, choose the policy to which the mapping will apply, and enter an SBOM Name and SBOM Version. You can optionally add an allowlist for the mapping.
Note: Once you have created your first mapping, any mapping created afterwards will contain an additional optional field called Position. Policy evaluation is performed sequentially from top to bottom and stops at the first match, so the position of each mapping is important.

| Field | Description |
|---|---|
| Name | A unique name to describe the mapping. |
| Position | Optional: Set the order for the new mapping. |
| Policies | Name of policy to use for evaluation. A drop down will be displayed allowing selection of a single policy. |
| Allowlist(s) | Optional: The allowlist(s) to be applied to the SBOM evaluation. Multiple allowlists may be applied to the same SBOM. |
| Name | The name of the SBOM to match. |
| Version | The version of the SBOM to match. |
- Click OK to create the new mapping.
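
The Note above says evaluation runs top to bottom and stops at the first match. The following added example (not part of the product or its documentation) models that rule in Python and flags mappings that match an SBOM in your inventory but never win it because of their position. It assumes shell-style `*` wildcards via `fnmatchcase`; all mapping, policy and SBOM names are constructed.

```python
from fnmatch import fnmatchcase

# Constructed mappings in evaluation order (position 1 first). All names are hypothetical.
MAPPINGS = [
    {"mapping": "web-frontends", "policy": "web-facing", "name": "web-*", "version": "*"},
    {"mapping": "db-v2", "policy": "database-backend", "name": "orders-db", "version": "2.*"},
    {"mapping": "catch-all", "policy": "default", "name": "*", "version": "*"},
    # Placed below the catch-all and below "web-*": it can never be selected.
    {"mapping": "web-legacy", "policy": "legacy-web", "name": "web-portal", "version": "1.*"},
]

# Constructed SBOM inventory as (name, version) pairs.
SBOMS = [
    ("web-portal", "1.4.2"),
    ("web-portal", "3.0.0"),
    ("orders-db", "2.1.0"),
    ("orders-db", "1.9.0"),
    ("billing-worker", "0.7.1"),
]

def matches(mapping, name, version):
    """True if both wildcard patterns match (assumed glob semantics)."""
    return fnmatchcase(name, mapping["name"]) and fnmatchcase(version, mapping["version"])

def resolve(mappings, name, version):
    """Return the first mapping, top to bottom, that matches the SBOM, or None."""
    for m in mappings:
        if matches(m, name, version):
            return m
    return None

def shadowed(mappings, sboms):
    """Mappings that match at least one SBOM but are never the first match."""
    winners = set()
    for name, version in sboms:
        hit = resolve(mappings, name, version)
        if hit is not None:
            winners.add(hit["mapping"])
    report = {}
    for m in mappings:
        hits = [(n, v) for n, v in sboms if matches(m, n, v)]
        if hits and m["mapping"] not in winners:
            report[m["mapping"]] = hits
    return report

if __name__ == "__main__":
    for name, version in SBOMS:
        print(name, version, "->", resolve(MAPPINGS, name, version)["policy"])
    print("shadowed:", shadowed(MAPPINGS, SBOMS))
```

Here `web-portal` 1.4.2 is evaluated with the `web-facing` policy rather than `legacy-web`; moving the `web-legacy` mapping to position 1 changes that outcome.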