Type: SoftwareComponentInstance

Software Components

SBOM

The Software Bill of Materials (SBOM) is a list of components that make up a software product. An exported SBOM contains all the information about the Software Components associated with an Artifact or Product. Each SoftwareComponentInstance is a distinct software component that has been detected or reported for a given Product or Artifact. The SoftwareComponent type contains common information about the software component that does not change from one detection to another.

The SoftwareComponentInstance model

The SoftwareComponentInstance model contains all the information about a SoftwareComponentInstance, such as its name, version, author and build information.

Querying for SoftwareComponentInstances

You can query for SoftwareComponentInstances using the allSoftwareComponentInstances query. This query takes a filter argument of type SoftwareComponentInstanceFilter that you can use to filter the returned SoftwareComponentInstances.

Example

Getting all SoftwareComponentInstances for a specific AssetVersion (the ArtifactVersion referred to above). This is equivalent to retrieving the SBOM for that version.

query GetSoftwareComponentsForAnArtifactVersion (
  $filter: AssetVersionFilter!
) {
  allAssetVersions (
    filter: $filter
  ) {
    id
    name
    createdAt
    createdBy {
      email
    }
    softwareComponentInstances {
      name
      version
      author
      buildDate
      comments {
        text
        updatedAt
        updatedBy {
          email
        }
      }
      fileName
      hashes {
        alg
        content
      }
      releaseDate
      licenses {
        name
      }
    }
  }
}
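Pulling a complete SBOM through the API means following the `_cursor` / `after` pagination described in the property table rather than trusting a single response. The script below is an added example, not code from this page or from the API vendor. It assumes, because the page does not say, that `allSoftwareComponentInstances` accepts an `after` argument alongside `filter`, that the API is reachable at a URL of your choosing with a bearer token in the `Authorization` header, and that the sample filter key `assetVersionRefId` is accepted by `SoftwareComponentInstanceFilter`. The sample rows served by the fake executor are constructed so the script runs offline.

```python
"""Walk allSoftwareComponentInstances page by page using `_cursor` and `after`.

Added example, not code from the page or from the API vendor. Assumptions not
documented on this page: the endpoint URL and bearer-token header used by
make_http_executor, that allSoftwareComponentInstances accepts `after`, and the
filter keys used in __main__.
"""
import json
import urllib.request
from typing import Callable, Optional

Executor = Callable[[str, dict], dict]  # (query, variables) -> the `data` object

# Field names come from the property table on this page.
SCI_PAGE_QUERY = """
query SoftwareComponentInstancesPage($filter: SoftwareComponentInstanceFilter, $after: String) {
  allSoftwareComponentInstances(filter: $filter, after: $after) {
    _cursor
    id
    name
    version
    fileName
    hashes { alg content }
    licenses { name }
    mergedComponentRefId
  }
}
"""


def make_http_executor(url: str, token: str) -> Executor:
    """Send one query over HTTPS. url, token and the Bearer scheme are assumptions."""
    def execute(query: str, variables: dict) -> dict:
        body = json.dumps({"query": query, "variables": variables}).encode()
        req = urllib.request.Request(
            url, data=body, method="POST",
            headers={"Content-Type": "application/json",
                     "Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            payload = json.load(resp)
        if payload.get("errors"):  # GraphQL reports errors with HTTP 200
            raise RuntimeError(f"GraphQL errors: {payload['errors']}")
        return payload["data"]
    return execute


def fetch_all_instances(execute: Executor, sci_filter: Optional[dict] = None,
                        max_pages: int = 10_000) -> list:
    """Follow `_cursor` until an empty page comes back.

    Aborts if a page repeats ids or the cursor stops changing, which would
    otherwise loop forever against a server that ignores `after`.
    """
    results, seen, after = [], set(), None
    for _ in range(max_pages):
        data = execute(SCI_PAGE_QUERY, {"filter": sci_filter, "after": after})
        page = data.get("allSoftwareComponentInstances") or []
        if not page:
            break
        fresh = [row for row in page if row["id"] not in seen]
        if not fresh:
            raise RuntimeError("pagination did not advance; check `after` handling")
        for row in fresh:
            seen.add(row["id"])
            results.append(row)
        if page[-1]["_cursor"] == after:
            raise RuntimeError("cursor did not change between pages")
        after = page[-1]["_cursor"]
    else:
        raise RuntimeError("max_pages reached before the listing ended")
    return results


def make_fake_executor(rows: list, page_size: int) -> Executor:
    """Offline stand-in for the API: serves `rows` in pages keyed by `_cursor`."""
    def execute(query: str, variables: dict) -> dict:
        after = variables.get("after")
        start = 0
        if after is not None:
            start = next(i for i, r in enumerate(rows) if r["_cursor"] == after) + 1
        return {"allSoftwareComponentInstances": rows[start:start + page_size]}
    return execute


# Constructed sample data, not real API output.
SAMPLE_ROWS = [
    {"_cursor": f"c{i}", "id": f"sci-{i}", "name": name, "version": ver,
     "fileName": f"{name}-{ver}.tar.gz",
     "hashes": [{"alg": "SHA-256", "content": "00" * 32}],
     "licenses": [{"name": "MIT"}], "mergedComponentRefId": None}
    for i, (name, ver) in enumerate([("zlib", "1.2.11"), ("openssl", "1.1.1k"),
                                     ("busybox", "1.31.1"), ("curl", "7.64.0"),
                                     ("libxml2", "2.9.10")])
]


def sbom_index(rows: list) -> dict:
    """Key components by (name, version) for questions like 'is openssl 1.1.1k in this build?'."""
    return {(r["name"], r["version"]): r for r in rows}


if __name__ == "__main__":
    execute = make_fake_executor(SAMPLE_ROWS, page_size=2)  # swap for make_http_executor(url, token)
    components = fetch_all_instances(execute, sci_filter={"assetVersionRefId": "12345"})  # filter key assumed
    print(len(components), "components across pages")
    print(("openssl", "1.1.1k") in sbom_index(components))
```

Keep the same `orderBy` (if you pass one) on every page of a walk: the page notes that `_cursor` values depend on it, so changing the ordering mid-walk invalidates the cursor you are about to send.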

Example

Getting all SoftwareComponentInstances in a specific Business Unit (Group). This example filters on the Business Unit ID; the same query can be filtered on the Business Unit name instead.

query AllSoftwareComponentInstancesForABusinessUnit {
  allGroups (
    filter: {
      id: 1690
    }
  ) {
    id
    name
    products {
      assets {
        softwareComponentInstances {
          id
          name
          version
          assetVersion {
            id
            name
            asset {
              id
              name
              dependentProducts {
                id
                name
              }
            }
          }
        }
      }
    }
  }
}

Example

Getting details of SoftwareComponentInstances.

query GetSoftwareComponentInstanceDetails {
  allSoftwareComponentInstances {
    id
    name
    version
    group
    author
    publisher
    type
    scope
    origin
    firstOrThirdParty
    fileName
    downloadLocation
    referenceId
    hashes {
      alg
      content
    }
    licenses {
      name
    }
    confidence {
      rangeMin
      rangeMax
      value
    }
    comments {
      createdAt
      createdBy {
        email
      }
      text
    }
    findings {
      id
      title
      severity
    }
    totalRisk
    absoluteRiskScore
    patched
    assetVersion {
      id
      name
    }
    createdAt
    updatedAt
  }
}

A specific instance of a detected software component. This is used to represent a specific version of a component that has been detected in a product, project, or other software artifact.

Properties

Name (Type): Description

_commentsMeta (_QueryMeta): Comments made on this component.
_componentStatusMeta (_QueryMeta): The history of statuses related to this software component instance.
_copyrightsMeta (_QueryMeta): Copyright information that applies to this software component instance. When present, these are to be treated as 'overrides' for the copyrights listed on the underlying SoftwareComponent.
_cursor (String): Provides a value that can be supplied to the after argument for pagination. Depends on the value of the orderBy argument.
_destRelationshipsMeta (_QueryMeta): The relationships to other components where this component is the "dest".
_externalReferencesMeta (_QueryMeta): The external references of this component.
_filesMeta (_QueryMeta): Files associated with this software component instance.
_findingsMeta (_QueryMeta): The findings associated with this software component instance.
_hashesMeta (_QueryMeta): Independently reproducible mechanisms for identifying specific contents of a component or package based on the actual files.
_licenseExceptionsMeta (_QueryMeta): License exceptions that apply to this software component instance. When present, these are to be treated as 'overrides' for the license exceptions listed on the underlying SoftwareComponent.
_licenseExpressionsMeta (_QueryMeta)
_licensesMeta (_QueryMeta): Software licenses that apply to this software component instance. When present, these are to be treated as 'overrides' for the licenses listed on the underlying SoftwareComponent.
_originalComponentsCommentsMeta (_QueryMeta): The aggregated list of comments for all component instances that are merged into this component instance.
_originalComponentsComponentStatusesMeta (_QueryMeta): The aggregated list of statuses for all component instances that are merged into this component instance.
_originalComponentsDestRelationshipsMeta (_QueryMeta): The aggregated list of all dest relationships for all original component instances that led to the creation of this merged component instance.
_originalComponentsMeta (_QueryMeta): If this component instance is a 'merged component instance', this list contains the underlying component instances that it represents.
_originalComponentsSourceRelationshipsMeta (_QueryMeta): The aggregated list of all source relationships for all original component instances that led to the creation of this merged component instance.
_originalComponentsSourcesMeta (_QueryMeta): The collection of test tools associated with the original components that led to the creation of this merged component.
_processingStatusesMeta (_QueryMeta): Any kind of processing currently occurring on this component instance.
_propertiesMeta (_QueryMeta): The properties associated with this component.
_revision (ID): An identifier that is updated automatically on each update of this root entity (but not on relation changes).
_sourceRelationshipsMeta (_QueryMeta): The relationships to other components where this component is the "source".
absoluteRiskScore (Float): Absolute risk score.
assetVersion (AssetVersion): The asset version this component is associated with.
assetVersionRefId (ID): The id of the asset version this component is associated with.
assignee (User): The user who is assigned to this component. This is an experimental field and subject to change.
author (String): The author of this component. When present, this is to be treated as an 'override' for the author listed on the underlying SoftwareComponent.
buildDate (DateTime): The build date of this component.
comments ([SoftwareComponentComment]): Comments made on this component.
componentStatus ([SoftwareComponentStatus]): The history of statuses related to this software component instance.
confidence (SoftwareComponentInstanceConfidence): The confidence value that Finite State analysis has assigned to this component.
copyrights ([Copyright]): Copyright information that applies to this software component instance. When present, these are to be treated as 'overrides' for the copyrights listed on the underlying SoftwareComponent.
createdAt (DateTime): The instant this object was created.
createdBy (User): The user who created this component, if it was user-created.
ctx (RelationEntityCtx): Context contains fields that are accessible to the permissions profile. This is an internal field related to user permissions.
currentStatus (SoftwareComponentStatus): The current status of this software component instance.
date (DateTime): The date the software component was first discovered.
dedupeHash (String): A hash that is used for deduplication against other software component instances.
deletedAt (DateTime): Timestamp of when this software component instance was deleted.
destRelationships ([SoftwareComponentInstanceRelationship]): The relationships to other components where this component is the "dest".
detailedDescription (String): The detailed description of this component.
downloadLocation (String): The download URL, or a specific location within a version control system (VCS), for the component or package.
externalReferences ([ExternalReference]): The external references of this component.
fileName (String): The actual file name of the component or package, or the path of the directory being treated as a package.
files ([File]): Files associated with this software component instance.
filesAnalyzed (Boolean): Indicates whether the files were analyzed for this package.
findings ([Finding]): The findings associated with this software component instance.
firstOrThirdParty (SoftwareComponentInstanceSource): Whether the component is first-party or third-party.
group (String): The grouping name or identifier associated with this component. When present, this is to be treated as an 'override' for the group listed on the underlying SoftwareComponent.
hashes ([Hash]): Independently reproducible mechanisms for identifying specific contents of a component or package based on the actual files.
id (ID): An auto-generated string that identifies this root entity uniquely among others of the same type.
licenseExceptions ([LicenseException]): License exceptions that apply to this software component instance. When present, these are to be treated as 'overrides' for the license exceptions listed on the underlying SoftwareComponent.
licenseExpressions ([LicenseExpression])
licenses ([License]): Software licenses that apply to this software component instance. When present, these are to be treated as 'overrides' for the licenses listed on the underlying SoftwareComponent.
mergedComponent (SoftwareComponentInstance): If populated, this field points to the 'merged component instance' that represents this component instance. This field is related to deduplicating multiple instances of the same component that may be detected by different tests.
mergedComponentRefId (ID): If populated, the id of the 'merged component instance' that represents this component instance. This field is related to deduplicating multiple instances of the same component that may be detected by different tests.
mimeType (String): The mime-type of this component. Must match the regular expression ^[-+a-z0-9.]+/[-+a-z0-9.]+$
name (String): The name of the software component instance.
origin (ComponentOrigin): The origin of this software component instance (e.g. test, user-added, generated by an automated or user merge, etc.).
originalComponents ([SoftwareComponentInstance]): If this component instance is a 'merged component instance', this list contains the underlying component instances that it represents.
originalComponentsComments ([SoftwareComponentComment]): The aggregated list of comments for all component instances that are merged into this component instance.
originalComponentsComponentStatuses ([SoftwareComponentStatus]): The aggregated list of statuses for all component instances that are merged into this component instance.
originalComponentsDestRelationships ([SoftwareComponentInstanceRelationship]): The aggregated list of all dest relationships for all original component instances that led to the creation of this merged component instance.
originalComponentsSourceRelationships ([SoftwareComponentInstanceRelationship]): The aggregated list of all source relationships for all original component instances that led to the creation of this merged component instance.
originalComponentsSources ([TestingTool]): The collection of test tools associated with the original components that led to the creation of this merged component.
originator (String): Identifies from where or from whom the package originally came. In some cases, a package may be created and originally distributed by a different third party than the Package Supplier of the package.
patched (Boolean): Aggregated over all Findings associated with this SoftwareComponentInstance: true if at least one of those Findings has a non-null patch.
processingStatuses ([ProcessingStatus]): Any kind of processing currently occurring on this component instance.
properties ([KeyValuePair]): The properties associated with this component.
publisher (String): The publisher of this component. When present, this is to be treated as an 'override' for the publisher listed on the underlying SoftwareComponent.
referenceId (String): The original tool-specific ID of the component, such as a bom-ref from a CycloneDX document or an SPDXRef from an SPDX SBOM.
releaseDate (DateTime): The release date of this component.
releaseNotes (ReleaseNotes): The notes associated with the software component release.
scope (ComponentScope): Specifies the scope of the component. If scope is not specified, 'required' scope SHOULD be assumed by the consumer of the BOM.
softwareComponent (SoftwareComponent): The Software Component associated with this instance. The Software Component contains common information about the component that is not specific to a particular instance.
softwareIdentifiers (SoftwareIdentifiers): The software identifiers associated with this software component instance.
sourceRelationships ([SoftwareComponentInstanceRelationship]): The relationships to other components where this component is the "source".
summaryDescription (String): The summary description of this component.
supplier (OrganizationalEntity): The supplier associated with this component. When present, this is to be treated as an 'override' for the supplier listed on the underlying SoftwareComponent.
supportEol (DateTime): The support end-of-life date for this component.
test (Test): The test that detected or reported the presence of this software component instance.
totalRisk (Float): The aggregated risk score of all Findings associated with this SoftwareComponentInstance.
type (SoftwareComponentType): The type of software component instance (e.g. application, library, framework, etc.).
updatedAt (DateTime): The instant this object was last updated (not including relation updates).
updatedBy (User): The user who last updated the component instance.
url (String): The URL of the homepage of the provider of the software component instance.
version (String): The version of the software component instance.
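Two rules in the table above decide what an exported SBOM should actually contain: an instance with `mergedComponentRefId` set is represented by that merged instance (counting both inflates the component list and any risk totals derived from it), and instance-level `author`, `publisher`, `group`, `supplier`, `licenses`, `copyrights` and `licenseExceptions` override the same fields on the underlying `softwareComponent`. The script below is an added example that applies both rules to query results; it is not code from this page or from the API vendor. It assumes that `softwareComponent` exposes those fields under the same names and that `TestingTool` has a `name` field; the records it processes are constructed.

```python
"""Reduce allSoftwareComponentInstances results to the component set an SBOM
export should contain: collapse merged originals and apply instance overrides.

Added example, not code from the page or from the API vendor. Assumptions:
softwareComponent carries the overridable fields under the same names as the
instance, and TestingTool has a `name` field. Records below are constructed.
"""

OVERRIDABLE = ("author", "publisher", "group", "supplier",
               "licenses", "copyrights", "licenseExceptions")


def effective_fields(instance: dict) -> dict:
    """Instance value wins when present; null or empty falls back to softwareComponent."""
    base = instance.get("softwareComponent") or {}
    resolved = {}
    for field in OVERRIDABLE:
        value = instance.get(field)
        resolved[field] = value if value not in (None, "", []) else base.get(field)
    return resolved


def canonical_instances(instances: list) -> list:
    """Drop originals whose merged representative is itself in the result set.

    An original whose mergedComponentRefId is not among the ids we hold is
    kept, so a filtered query does not silently lose a component.
    """
    ids = {inst["id"] for inst in instances}
    return [inst for inst in instances
            if inst.get("mergedComponentRefId") not in ids]


def detecting_tools(instance: dict) -> list:
    """Test tools that reported this component, pooled across its originals."""
    names = {src["name"] for src in instance.get("originalComponentsSources") or []}
    return sorted(names)


def export_rows(instances: list) -> list:
    """One row per canonical component, with overrides resolved."""
    rows = []
    for inst in canonical_instances(instances):
        fields = effective_fields(inst)
        rows.append({
            "id": inst["id"],
            "name": inst["name"],
            "version": inst.get("version"),
            "author": fields["author"],
            "licenses": [lic["name"] for lic in fields["licenses"] or []],
            "merged_from": [o["id"] for o in inst.get("originalComponents") or []],
            "tools": detecting_tools(inst),
        })
    return rows


# Constructed sample data, not real API output.
OPENSSL_BASE = {"author": "OpenSSL Project", "publisher": "openssl.org",
                "licenses": [{"name": "OpenSSL"}]}

SAMPLE_INSTANCES = [
    # Two detections of the same build, merged into sci-3 below.
    {"id": "sci-1", "name": "openssl", "version": "1.1.1k", "mergedComponentRefId": "sci-3",
     "author": None, "licenses": [], "softwareComponent": OPENSSL_BASE},
    {"id": "sci-2", "name": "openssl", "version": "1.1.1k", "mergedComponentRefId": "sci-3",
     "author": None, "licenses": [], "softwareComponent": OPENSSL_BASE},
    # The merged representative; a reviewer overrode the license on the instance.
    {"id": "sci-3", "name": "openssl", "version": "1.1.1k", "mergedComponentRefId": None,
     "author": None, "licenses": [{"name": "Apache-2.0"}],
     "originalComponents": [{"id": "sci-1"}, {"id": "sci-2"}],
     "originalComponentsSources": [{"name": "binary-sca"}, {"name": "cyclonedx-import"}],
     "softwareComponent": OPENSSL_BASE},
    # Merged elsewhere, but its representative is outside this result set: keep it.
    {"id": "sci-4", "name": "zlib", "version": "1.2.11", "mergedComponentRefId": "sci-99",
     "author": "Jean-loup Gailly", "licenses": None,
     "softwareComponent": {"author": "zlib project", "licenses": [{"name": "Zlib"}]}},
]

if __name__ == "__main__":
    for row in export_rows(SAMPLE_INSTANCES):
        print(row)
```

When the query is filtered (for example to one asset version), request `mergedComponentRefId` and `originalComponents { id }` on every row; without them the collapse step cannot tell a deduplicated representative from a duplicate.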


This page was generated: 2024-05-17