search

toolboxTools

The Tools page provides utility functions for SBOM analysis and component investigation. Two tools are available: SBOM Compare for identifying drift between Versions, and PURL Lookup for investigating individual packages by their Package URL.

hashtag
Overview

Tools complement the core SBOM management workflow with ad-hoc analysis capabilities:

  • SBOM Compare — compare two Versions side-by-side to identify added, removed, and modified components. Useful for release validation, drift detection, and change review.

  • PURL Lookup — query package metadata, vulnerability data, and ecosystem information for any Package URL. Useful for component investigation, pre-adoption review, and incident response.

hashtag
SBOM Compare

SBOM Compare analyzes the differences between two Versions of the same or different Products. The comparison identifies component-level changes to help you understand what changed between releases.

hashtag
Running a Comparison

  1. Navigate to the Tools page in the main navigation.

  2. Select the Compare tab.

  3. Select the Source Version:

    • Choose a Product.

    • Choose an Environment.

    • Choose a Version.

  4. Select the Target Version:

    • Choose a Product (can be the same or different).

    • Choose an Environment.

    • Choose a Version.

  5. Click Compare.

hashtag
Comparison Results

The comparison results display:

Category
Description

Added

Components present in the target but not in the source

Removed

Components present in the source but not in the target

Modified

Components present in both but with version or metadata changes

Unchanged

Components identical in both Versions

For each changed component, the comparison shows:

Field
Description

Component Name

Name of the affected component

Source Version

Version string in the source SBOM

Target Version

Version string in the target SBOM

Change Type

Added, Removed, or Modified

hashtag
Via MCP

The lynk-mcp server also supports version comparison:

hashtag
Use Cases

Scenario
How to Use Compare

Release validation

Compare the previous production version with the new candidate to review dependency changes

Drift detection

Compare the same version across Development and Production environments to identify drift

Incident response

Compare a known-good version with the current version to identify recently added components

Upgrade tracking

Compare before and after a dependency upgrade to confirm expected changes

Cross-product analysis

Compare two related Products to understand shared vs. unique dependencies

hashtag
PURL Lookup

PURL Lookup queries package metadata and vulnerability data for a specific Package URL (PURL). Use it to investigate components before adoption, during incident response, or for ad-hoc analysis.

hashtag
Running a Lookup

  1. Navigate to the Tools page in the main navigation.

  2. Select the PURL tab.

  3. Enter the Package URL in PURL format.

  4. Click Lookup.

hashtag
PURL Format

Package URLs follow the format: pkg:type/namespace/name@version

Component
Description
Example

type

Package ecosystem

npm, pypi, maven, golang, nuget

namespace

Package namespace (optional)

@angular, org.apache

name

Package name

express, log4j-core

version

Package version (optional)

4.18.2, 2.17.1

Examples:

hashtag
Lookup Results

The lookup returns available data for the package:

Data
Description

Package metadata

Name, version, description, homepage, repository URL

Vulnerabilities

Known CVEs affecting this package version

License

License expression from the package registry

Support status

Deprecation, archive, and maintenance indicators

Health score

Aggregated health score (age, community, security)

OpenSSF Scorecard

Security posture evaluation (if available)

Version history

Available versions and release dates

hashtag
Use Cases

Scenario
How to Use PURL Lookup

Pre-adoption review

Look up a package before adding it as a dependency to check for vulnerabilities and maintenance status

Incident response

Quickly check if a specific package version is affected by a newly published CVE

Component investigation

Research an unfamiliar component found in a vendor SBOM

License review

Check the license of a package before adding it to a project with specific license requirements

Dependency upgrade planning

Compare vulnerability counts across versions to find a safe upgrade target

hashtag
Permission Matrix

Permission
Admin
Operator
Viewer

View products (includes Tools access)

Tools are read-only. All roles with product visibility can use the Tools page.

For full permission details, see Role Management.

hashtag
Common Misconfigurations

Issue
Symptom
Fix

Compare shows no differences

Identical components in both Versions

The Versions may contain the same SBOM; verify different SBOMs were uploaded

PURL lookup returns no results

"Not found" for a valid package

Verify the PURL format is correct; the package may not be in a supported ecosystem registry

PURL format invalid

Lookup fails with validation error

Ensure the PURL follows the pkg:type/namespace/name@version format; URL-encode special characters (e.g., %40 for @ in namespaces)

Compare across Products not available

Cannot select a different Product for target

Select the target Product from the Product dropdown in the target section

hashtag
Recommended Best Practices

  • Compare Versions before every production release to validate that only expected dependency changes are included.

  • Use PURL Lookup for pre-adoption review before adding new dependencies to your projects.

  • Look up PURLs during incident response to quickly assess if your portfolio contains a vulnerable package version.

  • Compare across Environments to detect configuration drift between development and production builds.

  • Use Compare results to validate automation rules — confirm that automation rule changes produce the expected SBOM modifications.

  • URL-encode PURL namespaces that contain special characters (e.g., use %40 for @ in npm scoped packages).

PreviousAnalyticsNextOverview

Last updated