# SBOM Doctor

SBOM Doctor runs a suite of quality checks against an SBOM's components and flags structural problems — malformed identifiers, version mismatches, missing licenses, and unresolvable PURLs — before they affect vulnerability correlation or compliance scoring.

***

## Overview

Doctor results appear on the **Doctor** tab of any uploaded SBOM's detail page, with filters, per-component findings, and project-scoped suppressions.

Results are cached and recomputed when the SBOM changes. Authenticated users unlock a broader set of checks that require external registry lookups.

***

## Checks

Doctor runs checks across two domains:

* **Identifier checks** — validate CPE and PURL syntax, cross-consistency between identifiers, version alignment, and whether components are missing identifiers entirely.
* **License checks** — validate SPDX expression syntax and whether components have a license declared.

Authenticated users unlock an additional set of checks that perform external lookups — verifying CPEs against the NVD dictionary, resolving PURLs against package registries, and confirming license IDs are recognized SPDX identifiers.

***

## Dashboard UI

Doctor results appear on the **Doctor** tab of any SBOM's detail view.

### Viewing Results

1. Open a Product and navigate to a Version.
2. Click the **Doctor** tab on the SBOM detail page.
3. The table shows one row per finding, with columns for the affected component, version, check code, severity, domain, and a human-readable summary.

### Filtering

Use the sub-header controls to narrow findings:

| Filter         | Options                               |
| -------------- | ------------------------------------- |
| **Search**     | Filter by component name              |
| **Domain**     | `identifier`, `license`               |
| **Severity**   | `critical`, `high`, `medium`, `low`   |
| **Check Code** | Filter to one or more specific checks |

Click a row to open the component drawer for full component detail and editing.

### Stats Badge

The Doctor tab label shows a badge with the count of `critical` and `high` findings for quick triage without opening the tab.

## Suppressions

Suppress specific checks per project to avoid noise from checks that don't apply to your context — for example, suppressing `IDT-MISSING-001` for a project that intentionally ships internal-only components without PURLs.

### Configuring Suppressions

1. Navigate to the Product page.
2. Open **Settings** and select the **Doctor Checks** section.
3. Toggle any check off to suppress it for all SBOMs in this project.

Suppressed checks do not generate findings and are excluded from stats. Each toggle is on by default, and switching it off suppresses the check. Suppression changes are audit-logged.

### Permission

Suppression configuration requires the `edit_product_settings` permission within `view_product_group`.

***

## Common Findings and Fixes

| Finding        | What it means                                                                             |
| -------------- | ----------------------------------------------------------------------------------------- |
| `IDT-CPE-001`  | CPE is not in valid CPE 2.3 format — regenerate from your SBOM tool or correct the string |
| `IDT-PURL-001` | PURL is malformed — regenerate from your build tool                                       |

For help interpreting other findings, contact <support@interlynk.io>.
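
A local pre-upload check for the two findings in the table above, as an added example (not Interlynk's code and not Doctor's actual logic): it applies simplified CPE 2.3 and PURL syntax rules to CycloneDX-style components, including nested ones. The sample components and the `no-identifier` label are constructed for illustration.

```python
import re

CPE_PART = {"a", "o", "h", "*", "-"}                  # application, OS, hardware, ANY, NA
PURL_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9.+-]*")    # simplified type rule

def cpe23_ok(cpe):
    """Simplified CPE 2.3 formatted-string check: 'cpe:2.3:' + part + 10 attributes."""
    fields = re.split(r"(?<!\\):", cpe)  # split on colons that are not backslash-escaped
    return (len(fields) == 13 and fields[:2] == ["cpe", "2.3"]
            and fields[2] in CPE_PART and all(fields[3:]))

def purl_ok(purl):
    """Simplified check of pkg:<type>/[namespace/]<name>[@version][?qualifiers][#subpath]."""
    scheme, sep, rest = purl.partition(":")
    if scheme != "pkg" or not sep:
        return False
    rest = rest.lstrip("/").split("#", 1)[0].split("?", 1)[0]
    ptype, sep, path = rest.partition("/")
    if not sep or not PURL_TYPE.fullmatch(ptype):
        return False
    path = path.rsplit("@", 1)[0] if "@" in path else path   # drop the version
    return bool(path.strip("/").rsplit("/", 1)[-1])           # name must be non-empty

def precheck(components, findings=None):
    """Return (component name, label) pairs for identifier problems."""
    findings = [] if findings is None else findings
    for c in components:
        cpe, purl = c.get("cpe"), c.get("purl")
        if cpe and not cpe23_ok(cpe):
            findings.append((c["name"], "IDT-CPE-001"))
        if purl and not purl_ok(purl):
            findings.append((c["name"], "IDT-PURL-001"))
        if not cpe and not purl:
            findings.append((c["name"], "no-identifier"))  # local label, not a Doctor code
        precheck(c.get("components", []), findings)         # CycloneDX components can nest
    return findings

# Constructed sample in the shape of a CycloneDX "components" array.
SAMPLE = [
    {"name": "openssl", "version": "3.0.13",
     "cpe": "cpe:2.3:a:openssl:openssl:3.0.13:*:*:*:*:*:*:*",
     "purl": "pkg:generic/openssl@3.0.13",
     "components": [{"name": "zlib", "version": "1.3.1", "purl": "pkg:generic/@1.3.1"}]},
    {"name": "left-pad", "version": "1.3.0",
     "cpe": "cpe:/a:left-pad:left-pad:1.3.0", "purl": "npm/left-pad@1.3.0"},
    {"name": "internal-lib", "version": "0.1.0"},
]

if __name__ == "__main__":
    print(precheck(SAMPLE))
```

The `left-pad` entry shows two common causes: a CPE 2.2 URI (`cpe:/a:...`) where a 2.3 formatted string is expected, and a PURL missing its `pkg:` scheme.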

