SBOM Doctor

SBOM Doctor runs a suite of quality checks against an SBOM's components and flags structural problems — malformed identifiers, version mismatches, missing licenses, and unresolvable PURLs — before they affect vulnerability correlation or compliance scoring.


Overview

Doctor results appear on the Doctor tab of any uploaded SBOM's detail page, with filters, per-component findings, and project-scoped suppressions.

Results are cached and recomputed when the SBOM changes. Authenticated users unlock a broader set of checks that require external registry lookups.


Checks

Doctor runs checks across two domains:

  • Identifier checks — validate CPE and PURL syntax, cross-consistency between identifiers, version alignment, and whether components are missing identifiers entirely.

  • License checks — validate SPDX expression syntax and whether components have a license declared.

Authenticated users unlock an additional set of checks that perform external lookups — verifying CPEs against the NVD dictionary, resolving PURLs against package registries, and confirming license IDs are recognized SPDX identifiers.
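As an added illustration (not the product's own code), the following Python runs the identifier checks named on this page, IDT-CPE-001, IDT-PURL-001 and IDT-MISSING-001, plus the version-alignment check, over a constructed component list. IDT-VERSION-001 is a hypothetical code, since the page names none for that check, and the CPE 2.3 and PURL grammars are simplified.

```python
import re

IDT_CPE, IDT_PURL, IDT_MISSING = "IDT-CPE-001", "IDT-PURL-001", "IDT-MISSING-001"  # codes from the page
IDT_VERSION = "IDT-VERSION-001"  # hypothetical: the page describes this check but names no code for it

# CPE 2.3 formatted string: "cpe:2.3:" + part + exactly ten more ":"-separated
# attributes; a literal colon inside an attribute must be escaped as "\:".
CPE23_RE = re.compile(r"^cpe:2\.3:[aho*-](?::(?:[^:\\]|\\.)*){10}$")
# Simplified PURL shape: pkg:type/[namespace/]name[@version][?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:[A-Za-z][A-Za-z0-9.+-]*/[^@?#]+(?:@([^?#]+))?(?:\?[^#]*)?(?:#.*)?$")

# Constructed sample components, shaped like CycloneDX "components" entries.
SAMPLE_COMPONENTS = [
    {"name": "openssl", "version": "3.0.2",
     "cpe": "cpe:2.3:a:openssl:openssl:3.0.2:*:*:*:*:*:*:*", "purl": "pkg:generic/openssl@3.0.2"},
    {"name": "log4j-core", "version": "2.17.1",
     "cpe": "cpe:/a:apache:log4j:2.17.1",  # CPE 2.2 URI form, not 2.3
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.0"},  # version disagrees
    {"name": "internal-auth-lib", "version": "1.4.0"},  # no identifiers at all
    {"name": "lodash", "version": "4.17.21", "purl": "pkg/npm/lodash@4.17.21"},  # malformed PURL
]

def cpe_version(cpe):
    # Attribute order: cpe, 2.3, part, vendor, product, version, ... -> index 5.
    return re.split(r"(?<!\\):", cpe)[5]

def doctor_identifier_checks(component):
    """Return (check_code, severity, summary) findings for one component."""
    findings = []
    name, ver = component.get("name"), component.get("version")
    cpe, purl = component.get("cpe"), component.get("purl")
    if not cpe and not purl:
        return [(IDT_MISSING, "high", f"{name}: no CPE or PURL declared")]
    if cpe is not None and not CPE23_RE.match(cpe):
        findings.append((IDT_CPE, "high", f"{name}: CPE is not CPE 2.3 formatted: {cpe}"))
        cpe = None  # unusable for the version comparison below
    m = PURL_RE.match(purl) if purl is not None else None
    if purl is not None and not m:
        findings.append((IDT_PURL, "high", f"{name}: malformed PURL: {purl}"))
    purl_ver = m.group(1) if m else None
    # Version alignment: every identifier that carries a version must agree with the component.
    for label, other in (("CPE", cpe and cpe_version(cpe)), ("PURL", purl_ver)):
        if other and other not in ("*", "-") and other != ver:
            findings.append((IDT_VERSION, "medium", f"{name}: version {ver} but {label} says {other}"))
    return findings

def run_doctor(components):
    """Run the identifier checks over a component list and return all findings in order."""
    return [f for c in components for f in doctor_identifier_checks(c)]
```

Running run_doctor(SAMPLE_COMPONENTS) yields one IDT-CPE-001 and one IDT-VERSION-001 finding for log4j-core, an IDT-MISSING-001 for internal-auth-lib and an IDT-PURL-001 for lodash; openssl passes clean.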


Dashboard UI

Doctor results appear on the Doctor tab of any SBOM's detail view.

Viewing Results

  1. Open a Product and navigate to a Version.

  2. Click the Doctor tab on the SBOM detail page.

  3. The table shows one row per finding, with columns for the affected component, version, check code, severity, domain, and a human-readable summary.

Filtering

Use the sub-header controls to narrow findings:

Filter      | Options
------------|------------------------------------------
Search      | Filter by component name
Domain      | identifier, license
Severity    | critical, high, medium, low
Check Code  | Filter to one or more specific checks

Click a row to open the component drawer for full component detail and editing.

Stats Badge

The Doctor tab label shows a badge with the count of critical and high findings for quick triage without opening the tab.

Suppressions

Suppress specific checks per project to avoid noise from checks that don't apply to your context — for example, suppressing IDT-MISSING-001 for a project that intentionally ships internal-only components without PURLs.

Configuring Suppressions

  1. Navigate to the Product page.

  2. Open Settings and select the Doctor Checks section.

  3. Toggle any check off to suppress it for all SBOMs in this project.

Suppressed checks do not generate findings and are excluded from stats. Each check's toggle is on by default, meaning the check runs; switching it off suppresses the check. Suppression changes are audit-logged.

Permission

Suppression configuration requires the edit_product_settings permission within view_product_group.


Common Findings and Fixes

Finding      | What it means
-------------|------------------------------------------------------------------------------------
IDT-CPE-001  | CPE is not in valid CPE 2.3 format — regenerate from your SBOM tool or correct the string
IDT-PURL-001 | PURL is malformed — regenerate from your build tool

For help interpreting other findings, contact [email protected].
