Match components against
OSV.dev
(PackageURL) and
NVD
(CPE)
OSV
NVD
NVD options
· bundled index· live lookup
NVD source
Use a pre-indexed local NVD snapshot (fast) or query NVD live (slower).
This product uses data from the
NVD
but is not endorsed or certified by the NVD. CVE is a registered trademark of MITRE. See
the
NVD Terms of Use.
No additional vulnerabilities were found online for this SBOM's components.
Referenced files in this SBOM
Link the source files CVEs name to Files in this SBOM (inferred by path, shown as dashed
edges on the graph). Uses a bundled CVE index when available (offline, all CVEs), otherwise fetches records from cve.org.
Severity
Source
KEV
A VEX statement clears for
. Any files listed below are linked for reference only.
Jump to
Summary
Description
Risk assessment
Known exploited
Source: this SBOM's risk assessment
Loading CVE details…
Files referenced by this CVE
in
Files are matched to this SBOM by path from the CVE record, not declared by the
SBOM itself. A file tagged “Not affected” or “Fixed” is cleared by a VEX
statement: it's linked here for reference, not as an open issue.
Functions referenced by this CVE
Modules referenced by this CVE
Source: CVE Program · cve.org
Online match
Not endorsed or certified by the NVD.
VEX assessments
No VEX status recorded for this vulnerability.
No vulnerabilities match your filters
No known vulnerabilities were found in the SBOM or online.
This SBOM carries no vulnerability data.
Use “Check public databases” above to look up known CVEs by PackageURL and CPE.
Configures:
Summary
Description
Compiler Flags
Optimization Warnings Features Machine Standard Debug
Preprocessor Defines
Configured Targets
Full Compile Command
No build configurations found
Try a different search or load an SPDX file with build info
Build
Build ID
Created
Build steps
Environment entries
Parameters
Config Sources
Build Parameters
Raw value
Build Steps
/
Outputs:
Inputs:
Params:
Tools:
Summary
Description
None
None
Command
Raw value
Build Tools
Generated Artifacts
People, organizations, and software agents referenced across the document — and everything they
created, supplied, originated, or manufactured.
Summary
Description
SPDX ID
Email
Note
Identifiers
→
Not linked to any elements in the loaded document(s).
No agents match your filter.
·· syntax highlighting off for large file
This file is too large to display inline ().
Statistics
Quality, structure, and relationship signals for this SBOM.
/ 100
SBOM Quality Score
A completeness score across this document's
packages, weighted over five categories based on the NTIA "minimum elements" baseline.
It is not a security or license-compliance measure; see the breakdown below for what to
fix first.
Relationship Repartition
Graph-visible relationship edges by type. Switch scope to isolate lifecycle layers.
No graph-visible relationships in this document.
Click a slice to open the graph focused on that relationship type and scope.
NTIA Minimum Elements
Cross-checked with
spdx/ntia-conformance-checker in CI
0) && openRemediation(remediationCategoryFor(el.key))"
:title="(el.level === 'component' && el.missing.total > 0) ? 'Review these in Remediation' : ''"
>
(document level)Remediation →
Category Breakdown
Categories with nothing to measure in this document (e.g. no files) are excluded and the
remaining weights are renormalized.
License Family Exposure
Best-effort classification by license id — a heuristic, not legal advice.
Supply-Chain Concentration
Packages the most other packages depend on — the highest-impact links if compromised.
External Reference Resolution
Elements this document references but doesn't define (SPDX ExternalMap imports).
Resolved
Unresolved
Vulnerability Triage
How much of this document's known vulnerabilities have a resolved VEX status.
Resolved
Still open
Unknown
Remediation
Triage concrete SBOM data gaps and open risk findings.
Category
Severity
score
Evidence
Affected examples
Recommended action
Related IDs
No remediation findings
The loaded SBOM does not currently produce actionable remediation findings.
No findings match these filters
Impact
Pick one element to trace why it is present and what would be affected by a change.
Find an element
Search packages, files, and other dependency-graph nodes.
elementsedgesroots
Search for a specific element, or open one of the highest-reach elements on the right.
No matching dependency-graph elements.
Highest reach
transitive dependents
No dependency relationships to rank.
Vulnerable × blast radius
CVSS present
Ranked by reach, not severity: a Medium in a
widely-used library can outrank a Critical in a leaf. Severity is the worst of each
package's CVEs.
Reachability
Direct dependents
Total dependents
Why it is here
This is a document root. Nothing else pulls it in.
No dependency or containment path from a document root reaches this element.
optional
What depends on it
Nothing depends on this element in the dependency graph.
Downstream graph
selected + dependents
selected depends on
it
Online scan finding
This vulnerability was found by a public-database scan, not carried by the loaded SBOM.
Everything else about it is shown just like an in-SBOM vulnerability.
Matched components
External referencenot loaded
This element is defined outside the loaded document(s).
Load the source below to resolve its full details.
Location hint
Defining artifact
Imported by
Asserted integrity
Manufacturer
Safety status
Evaluation
Version
Size
Summary
Description
Homepage
Download location
Identifiers
Copyright
Note
Key Flags
Defines
Build ID
Build Type
Command
Environment
Build Parameters
Raw value
Verification
Loading CVE details…
Affected files
Links are inferred by matching file paths, not declared in this SBOM.
Affected functions
Affected modules
Source: CVE Program · cve.org
VEX assessments
Why it's here
Top-level element — a document root.
Not reachable from a document root.
What depends on it
direct·transitively
Vulnerabilities (VEX)
Email
→
Not linked to any elements in the loaded document(s).