# Packages

The Packages view provides an organization-wide perspective on components across all Products and Versions. While the Components tab on a Version shows components within a single SBOM, the Packages view aggregates component data across your entire portfolio — enabling cross-product analysis, version tracking, and centralized override management.

***

## Overview

Packages consolidate component data from all SBOMs in your organization. Each package record represents a unique component (identified by name and ecosystem) and tracks all versions of that component encountered across your Products.

Key capabilities:

* **Cross-product visibility** — see which Products use a specific package and version.
* **Version tracking** — identify outdated versions and track upgrade progress across the portfolio.
* **Support overrides** — set organization-wide support level overrides for specific packages.
* **Enrichment data** — view package health scores, OpenSSF Scorecard results, and ecosystem insights.
* **Vulnerability correlation** — identify packages with known vulnerabilities across all Products.

## Architecture

```
Organization Package Registry
  └── Package (unique by name + ecosystem)
        ├── Versions Tab
        │     ├── All encountered versions across Products
        │     ├── Products using each version
        │     └── Vulnerability count per version
        ├── Overrides Tab
        │     ├── Support level overrides
        │     └── Custom metadata
        └── Enrichment Data
              ├── OpenSSF Scorecard
              ├── Health Score (Age, Community, Security)
              ├── Package Insights (deprecation, archive, downloads)
              ├── Version Insights (outdated, latest available)
              └── Source Code Insights (repo activity, contributors)
```

***

## Viewing Packages

### Package List

1. Navigate to the **Packages** page in the main navigation (or access via a component link from a Version).
2. The package list displays:

| Column            | Description                                                                            |
| ----------------- | -------------------------------------------------------------------------------------- |
| **Name**          | Package name                                                                           |
| **Ecosystem**     | Package ecosystem (npm, PyPI, Maven, Go, etc.)                                         |
| **PURL**          | Package URL identifier                                                                 |
| **Versions**      | Number of distinct versions encountered                                                |
| **Products**      | Number of Products using this package                                                  |
| **Health Score**  | Aggregated health score (0–100)                                                        |
| **Support Level** | Maintenance status (Actively Maintained, No Longer Maintained, Abandoned, Unspecified) |

### Filtering and Search

* **Search** by package name to find specific components.
* **Filter** by ecosystem, support level, or health score range.
* **Sort** by any column to prioritize review.

***

## Package Detail View

Click on a package to open its detail view, which includes two tabs:

### Versions Tab

The Versions tab shows all encountered versions of the package across your organization:

| Column              | Description                                      |
| ------------------- | ------------------------------------------------ |
| **Version**         | Component version string                         |
| **Products**        | Products using this version (with links)         |
| **Environments**    | Environments where this version is present       |
| **Vulnerabilities** | Number of known vulnerabilities for this version |
| **First Seen**      | When this version was first encountered          |
| **Last Seen**       | Most recent SBOM upload containing this version  |

Use this view to:

* Identify which Products are running outdated versions.
* Track upgrade progress across the organization.
* Find Products affected by a vulnerable version.

### Overrides Tab

The Overrides tab allows setting organization-wide overrides for the package:

| Override                | Description                                     |
| ----------------------- | ----------------------------------------------- |
| **Support Level**       | Override the automated support level assessment |
| **End-of-Support Date** | Set a custom end-of-support date                |
| **End-of-Life Date**    | Set a custom end-of-life date                   |

Overrides apply to all instances of the package across all Products and persist across SBOM re-uploads.

***

## Component Enrichment

Packages are enriched with data from open-source ecosystems:

### OpenSSF Scorecard

The [OpenSSF Scorecard](https://securityscorecards.dev/) evaluates the security posture of open-source projects. Scorecard results include checks for:

* Branch protection policies
* Dependency update tooling
* Signed releases
* Vulnerability disclosure process
* Code review practices

### Health Score

The health score (0–100) aggregates three weighted factors:

| Factor        | What It Measures                                                            |
| ------------- | --------------------------------------------------------------------------- |
| **Age**       | How recently the package was updated, whether it shows signs of abandonment |
| **Community** | Number of active contributors                                               |
| **Security**  | OpenSSF Scorecard results, vulnerability history, support status            |

For health score customization, see [Administration: Health Scoring](https://docs.interlynk.io/administration/health-scoring).

### Package Insights

| Insight                | Description                                       |
| ---------------------- | ------------------------------------------------- |
| **Deprecation status** | Whether the package is deprecated in its registry |
| **Archive status**     | Whether the repository is archived                |
| **Download counts**    | Popularity indicator from the package registry    |

### Version Insights

| Insight            | Description                                                  |
| ------------------ | ------------------------------------------------------------ |
| **Outdated**       | Whether the installed version is behind the latest available |
| **Latest version** | The most recent version available in the registry            |

### Source Code Insights

| Insight                 | Description                               |
| ----------------------- | ----------------------------------------- |
| **Repository activity** | Commit frequency and recency              |
| **Contributor metrics** | Number and activity level of contributors |

***

## Cross-Product Analysis

The Packages view enables several cross-product analysis patterns:

### Finding All Users of a Vulnerable Package

1. Navigate to the **Packages** page.
2. Search for the affected package (e.g., `log4j`).
3. Click on the package to open the detail view.
4. On the **Versions** tab, identify the vulnerable version(s).
5. The **Products** column shows all affected Products.

### Tracking Upgrade Progress

1. Open the package detail view.
2. Compare the **Versions** tab entries against the latest available version.
3. Products still using older versions need upgrades.

### Identifying Abandoned Dependencies

1. Filter the package list by **Support Level: Abandoned**.
2. For each abandoned package, review the Products using it.
3. Plan migration to maintained alternatives.
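The PURL-keyed aggregation behind these three patterns, as an added illustration that is not Interlynk's code: constructed SBOM component lists for three Products are grouped into package records (unique by ecosystem + name), then queried for blast radius and upgrade progress. It assumes purl-spec casing rules for npm, PyPI and GitHub names and leaves other ecosystems case-sensitive; the component without a PURL ends up uncorrelated, as the warning below describes.

```python
from collections import defaultdict
from urllib.parse import unquote

def purl_key(purl):
    """Map a PURL to ((ecosystem, name), version); (None, None) if absent or not a PURL."""
    if not purl or not purl.startswith("pkg:"):
        return None, None
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]        # drop qualifiers and subpath
    ptype, _, rest = body.partition("/")
    name, sep, version = rest.rpartition("@")
    if not sep:                                               # PURL carries no version
        name, version = rest, ""
    ptype, name = ptype.lower(), unquote(name)
    if ptype in {"npm", "pypi", "github"}:                    # purl-spec lowercases these names
        name = name.lower()                                   # (assumption: other types keep case)
    if ptype == "pypi":                                       # PyPI treats '_' and '-' as equal
        name = name.replace("_", "-")
    return (ptype, name), unquote(version)

def build_registry(sboms):
    """Aggregate [(product, [component dicts])] into {key: {version: {products}}}; components
    without a usable PURL are returned separately because they cannot be correlated."""
    registry, uncorrelated = defaultdict(lambda: defaultdict(set)), []
    for product, components in sboms:
        for comp in components:
            key, version = purl_key(comp.get("purl", ""))
            if key is None:
                uncorrelated.append((product, comp.get("name"), comp.get("version")))
            else:
                registry[key][version or comp.get("version", "")].add(product)
    return registry, uncorrelated

def blast_radius(registry, key, vulnerable_versions):
    """Products running any flagged version of a package (the Versions tab's Products column)."""
    return sorted({p for v, prods in registry[key].items() if v in vulnerable_versions for p in prods})

def needs_upgrade(registry, key, latest):
    """Products still on a version other than `latest` (upgrade-progress tracking)."""
    return sorted({p for v, prods in registry[key].items() if v != latest for p in prods})

SBOMS = [  # constructed sample data: three Products' SBOM components, not real SBOMs
    ("payments", [{"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
                  {"purl": "pkg:npm/lodash@4.17.20"}]),
    ("storefront", [{"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
                    {"purl": "pkg:npm/Lodash@4.17.20"}]),                  # casing differs
    ("reports", [{"purl": "pkg:MAVEN/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
                 {"name": "lodash", "version": "4.17.20"}]),              # no PURL: not correlated
]
LOG4J = ("maven", "org.apache.logging.log4j/log4j-core")
```

Passing `{"2.14.1"}` as the flagged set to `blast_radius(build_registry(SBOMS)[0], LOG4J, ...)` returns `payments` and `reports`, while the PURL-less `lodash` entry from `reports` is reported as uncorrelated instead of joining the `lodash` record.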

***

## Permission Matrix

| Permission                            | Admin | Operator | Viewer |
| ------------------------------------- | :---: | :------: | :----: |
| View products (includes package data) |   ✓   |     ✓    |    ✓   |
| View SBOMs (includes component data)  |   ✓   |     ✓    |    ✓   |
| Edit SBOM components                  |   ✓   |     ✓    |    —   |
| Edit support                          |   ✓   |     ✓    |    —   |

For full permission details, see [Role Management](https://docs.interlynk.io/administration/role-management).

***

## Security Warnings

{% hint style="warning" %}
**A single vulnerable package can affect multiple Products.** Use the Packages view to identify the full blast radius of a vulnerability across your organization. Do not assume a CVE only affects the Product where it was first discovered.
{% endhint %}

{% hint style="warning" %}
**Packages without PURL identifiers cannot be correlated across Products.** Each SBOM will show them as separate, unrelated components. Ensure SBOM tooling produces consistent PURL identifiers for accurate cross-product analysis.
{% endhint %}

***

## Common Misconfigurations

| Issue                                    | Symptom                             | Fix                                                                                         |
| ---------------------------------------- | ----------------------------------- | ------------------------------------------------------------------------------------------- |
| Same package appears as multiple entries | Inconsistent naming across SBOMs    | Standardize SBOM generation tooling to produce consistent PURL identifiers                  |
| Support overrides not applying           | Automated support level still shown | Verify the override was applied to the correct package identifier                           |
| Health score missing                     | No score displayed for package      | Verify the package has a PURL identifier; packages without PURL cannot be enriched          |
| Outdated version insights missing        | No "latest version" data            | Package may not be in a supported registry, or registry data may be temporarily unavailable |
| Cross-product search too slow            | Large result sets                   | Use specific package names rather than broad searches; filter by ecosystem                  |

***

## Recommended Best Practices

* **Review the Packages view regularly** for abandoned and deprecated components across your organization.
* **Use cross-product analysis** when a critical CVE is published to quickly identify all affected Products.
* **Track upgrade progress** by monitoring how many Products are running the latest version of critical dependencies.
* **Apply support overrides** when you have internal knowledge about a component's maintenance status that differs from the automated assessment.
* **Prioritize packages by blast radius.** A vulnerable package used by 20 Products is more urgent than one used by a single Product.
* **Ensure consistent PURL identifiers** across all SBOM generation tools to enable accurate cross-product correlation.
* **Use health scores for portfolio-level risk assessment.** Sort by health score to identify the riskiest packages in your supply chain.
* **Set up policies** that target packages with low health scores or abandoned support levels to enforce supply chain standards.
