
Dependencies and SBOMs

Monitor your dependencies

The Dependencies view lists all the direct and transitive dependencies found across your codebase.

Direct dependencies are the ones declared in your own code (manifests, lock files); transitive dependencies are the ones pulled in by other dependencies rather than by your code.

(Screenshot: Dependencies list)

For each dependency, the list also shows the number of sources that introduce it and the open incidents related to this version. This helps you see which dependencies you rely on the most and where to prioritize remediation efforts. The view also shows the license of each dependency, together with its license type:

  • Copyleft licenses require that any software using the licensed dependency must be distributed under the same license, which can be a threat to your intellectual property. You may find additional information on Wikipedia.
  • Permissive licenses allow modified software to be distributed under different terms.

Please note that some licenses fall outside both of those categories and are identified as Uncategorized.

Generate SBOMs

You can generate a Software Bill of Materials (SBOM) for one or several sources.

All SBOMs are generated using the CycloneDX format. This capability is offered by:

  • The Sources view:

    • Directly from the top-right call-to-action: select several sources and choose to generate one file per repository or combine them into a single file.
    • Using the bulk actions: select sources and click the Generate bulk action button.
    • From the information panel of a single source.

    (Screenshot: Sources generate SBOM)

  • Or the Dependencies view, using the same call-to-action as in the Sources view.

    (Screenshot: Dependencies generate SBOM)
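The two ideas above, direct versus transitive dependencies and the copyleft / permissive / uncategorized license split, are both encoded in a CycloneDX document: the `dependencies` array is a graph keyed by `bom-ref`, and each component carries `licenses` entries with an SPDX `id`, a free-form `name`, or an SPDX `expression`. The script below is an added example, not code from the page or the product: it parses a constructed CycloneDX 1.5 JSON SBOM, derives each component's scope from the graph rooted at `metadata.component`, and buckets its license. The license tables `COPYLEFT` and `PERMISSIVE` are an assumed, deliberately small mapping; the package names, versions and licenses in the sample are invented.

```python
"""Classify components of a CycloneDX JSON SBOM by scope and license category.

Added example. SAMPLE_SBOM is a constructed document; COPYLEFT and PERMISSIVE
are an assumed, non-exhaustive mapping of SPDX identifiers to the categories
described in the text.
"""
import json
from collections import deque

# Constructed CycloneDX 1.5 SBOM: one application with two direct dependencies
# (webclient, mystery), two transitive ones reached through webclient
# (httpcore, certstore) and one component nothing depends on (orphan).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "type": "application", "name": "example-app"}},
    "components": [
        {"bom-ref": "pkg:pypi/webclient@1.0.0", "name": "webclient", "version": "1.0.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:pypi/httpcore@2.3.1", "name": "httpcore", "version": "2.3.1",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        {"bom-ref": "pkg:pypi/certstore@0.9.0", "name": "certstore", "version": "0.9.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "pkg:pypi/mystery@0.1.0", "name": "mystery", "version": "0.1.0",
         "licenses": [{"license": {"name": "Custom EULA"}}]},
        {"bom-ref": "pkg:pypi/orphan@3.0.0", "name": "orphan", "version": "3.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/webclient@1.0.0", "pkg:pypi/mystery@0.1.0"]},
        {"ref": "pkg:pypi/webclient@1.0.0",
         "dependsOn": ["pkg:pypi/httpcore@2.3.1", "pkg:pypi/certstore@0.9.0"]},
        {"ref": "pkg:pypi/httpcore@2.3.1", "dependsOn": []},
        {"ref": "pkg:pypi/certstore@0.9.0", "dependsOn": []},
        {"ref": "pkg:pypi/mystery@0.1.0", "dependsOn": []},
        {"ref": "pkg:pypi/orphan@3.0.0", "dependsOn": []},
    ],
})

# Assumed category tables (not exhaustive); extend them for your own policy.
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "LGPL-2.1-only", "LGPL-3.0-only"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
SPDX_OPERATORS = {"AND", "OR", "WITH"}


def parse_sbom(text):
    """Return (root bom-ref, components by bom-ref, adjacency list) from CycloneDX JSON."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = {c["bom-ref"]: c for c in doc.get("components", [])}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    root = doc["metadata"]["component"]["bom-ref"]
    return root, components, graph


def classify_scope(root, graph):
    """Direct = listed under the root's dependsOn; transitive = reachable only via another dependency."""
    direct = set(graph.get(root, []))
    reachable, queue = set(), deque(direct)
    while queue:  # breadth-first walk, tolerant of cycles
        ref = queue.popleft()
        if ref in reachable:
            continue
        reachable.add(ref)
        queue.extend(graph.get(ref, []))
    return {"direct": direct, "transitive": reachable - direct}


def license_ids(component):
    """Collect SPDX identifiers from `license.id` entries and from `expression` entries."""
    ids = []
    for entry in component.get("licenses", []):
        if "license" in entry and "id" in entry["license"]:
            ids.append(entry["license"]["id"])
        elif "expression" in entry:
            tokens = entry["expression"].replace("(", " ").replace(")", " ").split()
            ids.extend(t for t in tokens if t not in SPDX_OPERATORS)
    return ids  # a license given only by free-form `name` yields nothing here


def license_category(component):
    """Conservative bucketing: any copyleft term wins, all-permissive is permissive, else uncategorized."""
    ids = license_ids(component)
    if not ids:
        return "uncategorized"
    if any(i in COPYLEFT for i in ids):
        return "copyleft"
    if all(i in PERMISSIVE for i in ids):
        return "permissive"
    return "uncategorized"


def summarize(text):
    """Map each component name to its scope and license category."""
    root, components, graph = parse_sbom(text)
    scope = classify_scope(root, graph)
    report = {}
    for ref, comp in components.items():
        kind = "direct" if ref in scope["direct"] else "transitive" if ref in scope["transitive"] else "unreferenced"
        report[comp["name"]] = {"scope": kind, "license": license_category(comp)}
    return report


if __name__ == "__main__":
    for name, info in sorted(summarize(SAMPLE_SBOM).items()):
        print(f"{name:10} {info['scope']:12} {info['license']}")
```

An `unreferenced` component (present in `components` but reachable from nothing) is worth flagging on a real SBOM: it usually means the producing tool inventoried a package without recording who depends on it, so the direct/transitive split is incomplete for that entry. The expression handling is deliberately conservative: `MIT OR GPL-3.0-only` is reported as copyleft even though a consumer may pick the MIT branch.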
