View Source SBOM Files#
When you import an SBOM, its contents are registered in FutureVuls as OS packages and dependent libraries. This page explains how to check and identify which SBOM file the registered software and vulnerabilities (tasks) were registered from.
There are two main clues for this:
- UUID: A UUID indicating the source SBOM file is appended to the end of the name of each application registered from an SBOM. Items with the same UUID were registered from the same SBOM file.
locationcolumn: Thelocationcolumn in the software list displays information such as the application containing the library, Lockfile, GitHub repository, and AWS Lambda function.
The following explanation uses the SBOM server in the image as an example.

Associating Applications and SBOM Files#
When you view the details of an application registered from an SBOM, information about the source SBOM file is displayed.

You can see that the application webapp/ruby/Gemfile.lock above was registered from an SBOM file named isucon6.
The UUID appended to the application name is an identifier used within FutureVuls to identify the SBOM file. Applications with the same UUID are registered from the same SBOM file.
In the example above, all applications registered from the SBOM file named isucon6 have the UUID c30a4802-5139-703f-79ee-ff24578633d3.
If you return to the server details screen and download the SBOM file, you can confirm the UUID from the filename.
(e.g., c30a4802-5139-703f-79ee-ff24578633d3.cyclonedx.json)
Associating Software Information and SBOM Files#
For software registered via SBOM, you can identify the source SBOM file using the following methods, depending on the software type.
Software Type: os#
Software type: os refers to OS packages. OS information and OS packages are registered only from the server SBOM. If the corresponding server is an SBOM server, all OS packages were registered from the server SBOM file.

All the OS packages listed above were registered from the server SBOM, inspector.
Software Type: library#
Software type: library refers to dependent libraries. For a dependent library, you can identify the source SBOM file from the application that contains it.

The library org.apache.tomcat:tomcat-jdbc above is included in the application Java application | e5dc48cc-09f7-c1df-f7dd-259f39eaa360, as shown in the location column.
About the location column
The location column in the software list displays information such as the application containing the library, Lockfile, GitHub repository, and AWS Lambda function.
By following the application in the location column, you can find the source SBOM file.

You can see that the application Java application | e5dc48cc-09f7-c1df-f7dd-259f39eaa360 was registered from an SBOM file named keycloak.
Associating Vulnerabilities/Tasks with SBOM Files#
In the task details, when you view the "Related Software" list, application information for libraries is displayed in the location column.
If there is no location, it is an OS package registered from the server SBOM file.

For the related software cryptography in the task above, you can identify the application from vol-0c61f6f97b2a2727d:/p1:home/ubuntu/integration/data/lockfile/poetry.lock in the location column.

You can see that the application vol-0c61f6f97b2a2727d:/p1:home/ubuntu/integration/data/lockfile/poetry.lock was registered from an SBOM file named inspector.