Type: SoftwareComponentInstance

Software Components

SBOM

The Software Bill of Materials (SBOM) is a list of components that make up a software product. An exported SBOM contains all the information about the Software Components associated with an Artifact or Product. Each SoftwareComponentInstance is a distinct software component that has been detected or reported for a given Product or Artifact. The SoftwareComponent type contains common information about the software component that does not change from one detection to another.

The SoftwareComponentInstance model

The SoftwareComponentInstance model contains all the information about a SoftwareComponentInstance, such as its name, version, author and build information.

Querying for SoftwareComponentInstances

You can query for SoftwareComponentInstances using the allSoftwareComponentInstances query. This query takes a filter argument of type SoftwareComponentInstanceFilter that you can use to filter the returned SoftwareComponentInstances.

Example

Getting all SoftwareComponentInstances for a specific ArtifactVersion. (This is the equivalent of getting the SBOM)

query GetSoftwareComponentsForAnArtifactVersion (
  $filter: AssetVersionFilter!
) {
  allAssetVersions (
    filter: $filter
  )
  {
    id
    name
    createdAt
    createdBy {
      email
    }
    softwareComponentInstances
    {
      name
      version
      author
      buildDate
      comments {
        text
        updatedAt
        updatedBy {
          email
        }
      }
      fileName
      hashes {
        alg
        content
      }
      releaseDate
      licenses {
        name
      }
    }
  }
}

Example

Getting all SoftwareComponentInstances in a specific Business Unit. Note there are two separate example filters - one based on the Business Unit ID and the other based on the Business Unit Name.

query AllSoftwareComponentInstancesForABusinessUnitWithCriticalSeverity {
  allGroups (
    filter: {
      id: 1690
    }
  ) {
    id
    name
    products {
      assets {
        SoftwareComponentInstances (
          filter: {
            severity: CRITICAL
          }
        ){
          id
          title
          vulnIdFromTool
          severity
          assetVersion {
            id
            name
            asset {
              id
              name
              dependentProducts {
                id
                name
              }
            }
          }
        }
      }
    }
  }
}

Example

Getting details of SoftwareComponentInstances.

query GetSoftwareComponentInstanceDetails {
  allSoftwareComponentInstances {
    id
    vulnIdFromTool
    category
    comments {
      createdAt
      createdBy {
        email
      }
      text
    }
    confidence {
      rangeMin
      rangeMax
      value
    }
    createdAt
    cves {
      createdAt
      cveId
      cvssBaseMetricV3 {
        cvssv3 {
          vectorString
        }
      }
    }
    description
    SoftwareComponentInstanceClass
    origin
    riskScore
    severity
    statuses {
      status
      updatedAt
      updatedBy {
        email
      }
    }
    title
    updatedAt
  }
}

A specific instance of a detected software component. This is used to represent a specific version of a component that has been detected in a product, project, or other software artifact.

Properties

Name	Type	Description
_commentsMeta	_QueryMeta	Comments made on this component.
_componentStatusMeta	_QueryMeta	The history of statuses related to this software component instance.
_copyrightsMeta	_QueryMeta	Copyright information that applies to this software component instance. When present, these are to be treated as 'overrides' for the copyrights listed on the underlying SoftwareCompoent.
_cursor	String	Provides a value that can be supplied to the `after` argument for pagination. Depends on the value of the `orderBy` argument.
_destRelationshipsMeta	_QueryMeta	The relationships to other components where this component is the "dest"
_externalReferencesMeta	_QueryMeta	The external references of this component
_filesMeta	_QueryMeta	Files associated with this software component instance
_findingsMeta	_QueryMeta	The findings associated with this software component instance.
_hashesMeta	_QueryMeta	Independently reproducible mechanisms for identifying specific contents of a component or package based on the actual files
_licenseExceptionsMeta	_QueryMeta	License exceptions that apply to this software component instance. When present, these are to be treated as 'overrides' for the license exceptions listed on the underlying SoftwareCompoent.
_licenseExpressionsMeta	_QueryMeta
_licensesMeta	_QueryMeta	Software licenses that apply to this software component instance. When present, these are to be treated as 'overrides' for the licenses listed on the underlying SoftwareCompoent.
_originalComponentsCommentsMeta	_QueryMeta	The aggregated list of comments for all component instances that are merged into this component instance
_originalComponentsComponentStatusesMeta	_QueryMeta	The aggregated list of statuses for all component instances that are merged into this component instance
_originalComponentsDestRelationshipsMeta	_QueryMeta	The aggregated list of all dest relationships for all original component instances that led to the creation of this merged component instance.
_originalComponentsFilesMeta	_QueryMeta	The aggregated list of all files for the original component instances that led to the creation of this merged component instance.
_originalComponentsMeta	_QueryMeta	If this Finding is a 'merged finding', this list contains the underlying component instances that this component instance represents
_originalComponentsSourceRelationshipsMeta	_QueryMeta	The aggregated list of all source relationships for all original component instances that led to the creation of this merged component instance.
_originalComponentsSourcesMeta	_QueryMeta	The collection of test tools associated with original components that led to the creation of this merged component
_processingStatusesMeta	_QueryMeta	Any kind of processing currently occurring on this component instance
_propertiesMeta	_QueryMeta	The properties associated with this component
_revision	ID	An identifier that is updated automatically on each update of this root entity (but not on relation changes)
_sourceRelationshipsMeta	_QueryMeta	The relationships to other components where this component is the "source"
absoluteRiskScore	Float	Absolute Risk Score
assetVersion	AssetVersion	The asset version this component is associated with
assetVersionRefId	ID	The asset version id this component is associated with
assignee	User	The user who is assigned to this component. This is an experimental field and subject to change.
author	String	The author of this component. When present, this is to be treated as an 'override' for the author listed on the underlying SoftwareCompoent.
buildDate	DateTime	The build date of this component
comments	[SoftwareComponentComment]	Comments made on this component.
componentStatus	[SoftwareComponentStatus]	The history of statuses related to this software component instance.
confidence	SoftwareComponentInstanceConfidence	The confidence value that Finite State analysis has assigned to this component.
copyrights	[Copyright]	Copyright information that applies to this software component instance. When present, these are to be treated as 'overrides' for the copyrights listed on the underlying SoftwareCompoent.
createdAt	DateTime	The instant this object has been created
createdBy	User	The user who created this component. If is user created.
ctx	RelationEntityCtx	Context contains fields that are accessible to the permissions profile. This is an internal field related to user permissions.
currentStatus	SoftwareComponentStatus	The current status for this software component instance.
date	DateTime	The date the software component was first discovered.
dedupeHash	String	A hash that is used for deduplication against other software component instances.
deletedAt	DateTime	Timestamp of when this software component instance was deleted
destRelationships	[SoftwareComponentInstanceRelationship]	The relationships to other components where this component is the "dest"
detailedDescription	String	The detailed description of this component
downloadLocation	String	The download URL, or a specific location within a version control system (VCS) for the component or package
externalReferences	[ExternalReference]	The external references of this component
fileName	String	The actual file name of the component or package, or path of the directory being treated as a package.
files	[File]	Files associated with this software component instance
filesAnalyzed	Boolean	Indicated whether the files were analyzed for this package
findings	[Finding]	The findings associated with this software component instance.
firstOrThirdParty	SoftwareComponentInstanceSource	First or third party source
group	String	The grouping name or identifier associated with this component. When present, this is to be treated as an 'override' for the group listed on the underlying SoftwareCompoent.
hashes	[Hash]	Independently reproducible mechanisms for identifying specific contents of a component or package based on the actual files
id	ID	An auto-generated string that identifies this root entity uniquely among others of the same type
isEndOfLife	Boolean	Deprecated. See supportEol for EOL data.
licenseExceptions	[LicenseException]	License exceptions that apply to this software component instance. When present, these are to be treated as 'overrides' for the license exceptions listed on the underlying SoftwareCompoent.
licenseExpressions	[LicenseExpression]
licenses	[License]	Software licenses that apply to this software component instance. When present, these are to be treated as 'overrides' for the licenses listed on the underlying SoftwareCompoent.
mergedComponent	SoftwareComponentInstance	If populated, this field points to the 'merged component instance' that represents this component instance. This field is related to deduplicating multiple instances of the same component that may be detected by different tests.
mergedComponentRefId	ID	If populated, this field points to the 'merged component id' that represents this component instance. This field is related to deduplicating multiple instances of the same component that may be detected by different tests.
mimeType	String	The mime-type of this component. Must match regular expression - `^[-+a-z0-9.]+/[-+a-z0-9.]+$`
name	String	The name of the software component instance
origin	ComponentOrigin	The origin of this software component instance (e.g. test, user-added, generated by an automated or user merge, etc.)
originalComponents	[SoftwareComponentInstance]	If this Finding is a 'merged finding', this list contains the underlying component instances that this component instance represents
originalComponentsComments	[SoftwareComponentComment]	The aggregated list of comments for all component instances that are merged into this component instance
originalComponentsComponentStatuses	[SoftwareComponentStatus]	The aggregated list of statuses for all component instances that are merged into this component instance
originalComponentsDestRelationships	[SoftwareComponentInstanceRelationship]	The aggregated list of all dest relationships for all original component instances that led to the creation of this merged component instance.
originalComponentsFiles	[File]	The aggregated list of all files for the original component instances that led to the creation of this merged component instance.
originalComponentsSourceRelationships	[SoftwareComponentInstanceRelationship]	The aggregated list of all source relationships for all original component instances that led to the creation of this merged component instance.
originalComponentsSources	[TestingTool]	The collection of test tools associated with original components that led to the creation of this merged component
originator	String	Identifies from where or whom the package originally came. In some cases, a package may be created and originally distributed by a different third part than the Package Supplier of the package
patched	Boolean	The boolean aggregated patches of all Findings associated with this SoftwareComponentInstance True if there are patches that are not null
processingStatuses	[ProcessingStatus]	Any kind of processing currently occurring on this component instance
properties	[KeyValuePair]	The properties associated with this component
publisher	String	The publisher of this component. When present, this is to be treated as an 'override' for the publisher listed on the underlying SoftwareCompoent.
referenceId	String	The original tool-specific ID of the component. This ID is specific to the test tool itself, such as a bom-ref from a CycloneDX document or an SPDXRef from an SPDX SBOM.
releaseDate	DateTime	The release date of this component
releaseNotes	ReleaseNotes	The notes associated with the software component release
scope	ComponentScope	Specifies the scope of the component. If scope is not specified, 'required' scope SHOULD be assumed by the consumer of the BOM
softwareComponent	SoftwareComponent	The Software Component associated with this instance. The Software Component contains common information about the component that is not specific to a particular instance.
softwareIdentifiers	SoftwareIdentifiers	The software identifiers associated with this software component instance.
sourceRelationships	[SoftwareComponentInstanceRelationship]	The relationships to other components where this component is the "source"
summaryDescription	String	The summary description of this component
supplier	OrganizationalEntity	The supplier associated with this component. When present, this is to be treated as an 'override' for the supplier listed on the underlying SoftwareCompoent.
supportEol	DateTime	The support end-of-life date for this component. Timestamp '1970-01-01T00:00:00Z' indicates an unknown end-of-life date that has already passed.
test	Test	The test that detected or reported the presence of this software component instance
totalRisk	Float	The aggregated risk score of all Findings associated with this SoftwareComponentInstance
type	SoftwareComponentType	The type of software component instance (e.g. application, library, framework, etc)
updatedAt	DateTime	The instant this object has been updated the last time (not including relation updates)
updatedBy	User	The user who updated the component instance
url	String	The URL to the homepage of the provider of the software component instance
version	String	The version of the software component instance

This page was generated: 2024-11-06