Packages

The Packages view provides an organization-wide perspective on components across all Products and Versions. While the Components tab on a Version shows components within a single SBOM, the Packages view aggregates component data across your entire portfolio — enabling cross-product analysis, version tracking, and centralized override management.


Overview

Packages consolidate component data from all SBOMs in your organization. Each package record represents a unique component, identified by name and ecosystem (normally taken from the component's PURL), and tracks all versions of that component encountered across your Products.

Key capabilities:

  • Cross-product visibility — see which Products use a specific package and version.

  • Version tracking — identify outdated versions and track upgrade progress across the portfolio.

  • Support overrides — set organization-wide support level overrides for specific packages.

  • Enrichment data — view package health scores, OpenSSF Scorecard results, and ecosystem insights.

  • Vulnerability correlation — identify packages with known vulnerabilities across all Products.

Architecture

Organization Package Registry
  └── Package (unique by name + ecosystem)
        ├── Versions Tab
        │     ├── All encountered versions across Products
        │     ├── Products using each version
        │     └── Vulnerability count per version
        ├── Overrides Tab
        │     ├── Support level overrides
        │     └── Custom metadata
        └── Enrichment Data
              ├── OpenSSF Scorecard
              ├── Health Score (Age, Community, Security)
              ├── Package Insights (deprecation, archive, downloads)
              ├── Version Insights (outdated, latest available)
              └── Source Code Insights (repo activity, contributors)
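The following is an added example, not the product's own code, of how the registry in the tree above comes together from individual SBOMs: components are keyed by PURL type, namespace and name, so the same package reported by several Products lands in one record, and each version accumulates the Products, Environments, First Seen and Last Seen data the Versions tab shows. The PURL parser is a deliberately minimal one (the real thing is the packageurl-python library), the normalization rules are an approximation of the purl spec, and the three SBOMs are constructed sample data. It also shows the two failure modes described later on this page: a component with no PURL is tracked but flagged as not enrichable, and differently-cased names ("PyYAML" vs "pyyaml") collapse into a single entry only because the key is normalized.

```python
from collections import defaultdict
from urllib.parse import unquote


def parse_purl(purl):
    """Minimal Package URL parser for pkg:type/namespace/name@version?qualifiers#subpath.

    Applies an approximation of the purl spec's normalization for the ecosystems
    used here (type lowercased; pypi names lowercased with '_' -> '-'; npm and
    github names lowercased) so 'pkg:pypi/PyYAML@6.0' and 'pkg:pypi/pyyaml@6.0'
    map to one package record. Not a full implementation; use packageurl-python
    in production.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    body = purl[4:].lstrip("/").split("#", 1)[0].split("?", 1)[0]
    path, _, version = body.partition("@")  # scoped npm names encode '@' as %40
    parts = path.split("/")
    ptype = parts[0].lower()
    name = unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    elif ptype in ("npm", "github"):
        name = name.lower()
        namespace = namespace.lower() if namespace else None
    return {"type": ptype, "namespace": namespace, "name": name,
            "version": unquote(version) or None}


def _new_version_record():
    return {"products": set(), "environments": set(),
            "first_seen": None, "last_seen": None}


def build_registry(sboms):
    """sboms: iterable of (product, environment, upload_date, cyclonedx_bom_dict).

    Returns (registry, unenrichable). registry[(type, namespace, name)][version]
    holds the Versions-tab data; unenrichable lists components with no PURL,
    which cannot be matched to registry data for enrichment.
    """
    registry = defaultdict(lambda: defaultdict(_new_version_record))
    unenrichable = []
    for product, environment, upload_date, bom in sboms:
        for comp in bom.get("components", []):
            purl = comp.get("purl")
            if not purl:
                unenrichable.append((product, comp.get("name"), comp.get("version")))
                continue
            p = parse_purl(purl)
            rec = registry[(p["type"], p["namespace"], p["name"])][p["version"]]
            rec["products"].add(product)
            rec["environments"].add(environment)
            # ISO dates compare correctly as strings
            rec["first_seen"] = min(filter(None, (rec["first_seen"], upload_date)))
            rec["last_seen"] = max(filter(None, (rec["last_seen"], upload_date)))
    return registry, unenrichable


def versions_tab(registry, key):
    """Rows as the Versions tab presents them, earliest first-seen first."""
    return sorted(
        ({"version": v, "products": sorted(r["products"]),
          "environments": sorted(r["environments"]),
          "first_seen": r["first_seen"], "last_seen": r["last_seen"]}
         for v, r in registry[key].items()),
        key=lambda row: row["first_seen"])


# Constructed sample SBOMs (CycloneDX-style dicts trimmed to the fields used).
SBOMS = [
    ("billing", "production", "2024-01-10", {"components": [
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"name": "PyYAML", "version": "6.0", "purl": "pkg:pypi/PyYAML@6.0"},
        {"name": "internal-billing-lib", "version": "1.3.0"},  # no PURL: cannot be enriched
    ]}),
    ("checkout", "production", "2024-02-02", {"components": [
        {"name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"name": "pyyaml", "version": "6.0", "purl": "pkg:pypi/pyyaml@6.0"},
    ]}),
    ("reporting", "staging", "2024-03-15", {"components": [
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    ]}),
]

REGISTRY, UNENRICHABLE = build_registry(SBOMS)
LOG4J = ("maven", "org.apache.logging.log4j", "log4j-core")

if __name__ == "__main__":
    for row in versions_tab(REGISTRY, LOG4J):
        print(row)
    print("not enrichable (no PURL):", UNENRICHABLE)
```

Two things worth noticing when running it: log4j-core 2.14.1 is reported by two Products in two Environments and carries both upload dates, which is exactly the cross-product view a single SBOM's Components tab cannot give you; and the PyYAML component appears once despite the differing case only because the key is normalized. A pipeline that keys on the raw PURL string would show two entries, which is the "same package appears as multiple entries" misconfiguration listed later on this page.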

Viewing Packages

Package List

  1. Navigate to the Packages page in the main navigation (or access via a component link from a Version).

  2. The package list displays:

Column         Description
Name           Package name
Ecosystem      Package ecosystem (npm, PyPI, Maven, Go, etc.)
PURL           Package URL identifier
Versions       Number of distinct versions encountered
Products       Number of Products using this package
Health Score   Aggregated health score (0–100)
Support Level  Maintenance status (Actively Maintained, No Longer Maintained, Abandoned, Unspecified)

  • Search by package name to find specific components.

  • Filter by ecosystem, support level, or health score range.

  • Sort by any column to prioritize review.


Package Detail View

Click on a package to open its detail view, which includes two tabs:

Versions Tab

The Versions tab shows all encountered versions of the package across your organization:

Column           Description
Version          Component version string
Products         Products using this version (with links)
Environments     Environments where this version is present
Vulnerabilities  Number of known vulnerabilities for this version
First Seen       When this version was first encountered
Last Seen        Most recent SBOM upload containing this version

Use this view to:

  • Identify which Products are running outdated versions.

  • Track upgrade progress across the organization.

  • Find Products affected by a vulnerable version.

Overrides Tab

The Overrides tab allows setting organization-wide overrides for the package:

Override             Description
Support Level        Override the automated support level assessment
End-of-Support Date  Set a custom end-of-support date
End-of-Life Date     Set a custom end-of-life date

Overrides apply to all instances of the package across all Products and persist across SBOM re-uploads.


Component Enrichment

Packages are enriched with data from open-source ecosystems:

OpenSSF Scorecard

The OpenSSF Scorecard evaluates the security posture of open-source projects. Scorecard results include checks for:

  • Branch protection policies

  • Dependency update tooling

  • Signed releases

  • Vulnerability disclosure process

  • Code review practices

Health Score

The health score (0–100) aggregates three weighted factors:

Factor     What It Measures
Age        How recently the package was updated and whether it shows signs of abandonment
Community  Number of active contributors
Security   OpenSSF Scorecard results, vulnerability history, support status

For health score customization, see Administration: Health Scoring.

Package Insights

Insight             Description
Deprecation status  Whether the package is deprecated in its registry
Archive status      Whether the repository is archived
Download counts     Popularity indicator from the package registry

Version Insights

Insight         Description
Outdated        Whether the installed version is behind the latest available
Latest version  The most recent version available in the registry

Source Code Insights

Insight              Description
Repository activity  Commit frequency and recency
Contributor metrics  Number and activity level of contributors


Cross-Product Analysis

The Packages view enables several cross-product analysis patterns:

Finding All Users of a Vulnerable Package

  1. Navigate to the Packages page.

  2. Search for the affected package (e.g., log4j).

  3. Click on the package to open the detail view.

  4. On the Versions tab, identify the vulnerable version(s).

  5. The Products column shows all affected Products.

Tracking Upgrade Progress

  1. Open the package detail view.

  2. Compare the Versions tab entries against the latest available version (shown under Version Insights).

  3. Products still using older versions need upgrades.

Identifying Abandoned Dependencies

  1. Filter the package list by Support Level: Abandoned.

  2. For each abandoned package, review the Products using it.

  3. Plan migration to maintained alternatives.
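The three procedures above are queries over the same aggregated data, and it helps to see them as code. The following is an added example, not the product's own code or API: it runs the vulnerable-package search, the upgrade-progress comparison and the abandoned-dependency filter over a constructed registry in the shape the Packages view aggregates (ecosystem, namespace and name, then Products per version), with constructed enrichment data standing in for Version Insights and Support Level. The vulnerability used is CVE-2021-44228 (Log4Shell), with its affected range simplified to the half-open interval [2.0-beta9, 2.15.0) that OSV-style advisories express as introduced/fixed events; the real advisory also lists backported fixes in older release lines, so take ranges from the advisory, not from this sketch. The version comparator only understands the numeric prefix of a version and is not a full semver or Maven comparator.

```python
import re

# Constructed registry: (ecosystem, namespace, name) -> version -> Products.
REGISTRY = {
    ("maven", "org.apache.logging.log4j", "log4j-core"): {
        "2.14.1": {"billing", "reporting"},
        "2.17.1": {"checkout"},
        "2.20.0": {"payments"},
    },
    ("npm", None, "lodash"): {
        "4.17.20": {"billing"},
        "4.17.21": {"checkout", "payments", "storefront"},
    },
    ("npm", None, "request"): {
        "2.88.2": {"storefront"},
    },
}

# Constructed enrichment data standing in for Version Insights and Support Level.
LATEST = {
    ("maven", "org.apache.logging.log4j", "log4j-core"): "2.20.0",
    ("npm", None, "lodash"): "4.17.21",
    ("npm", None, "request"): "2.88.2",
}
SUPPORT_LEVEL = {
    ("maven", "org.apache.logging.log4j", "log4j-core"): "Actively Maintained",
    ("npm", None, "lodash"): "Actively Maintained",
    ("npm", None, "request"): "Abandoned",
}


def version_key(v):
    """Numeric prefix of a version as a tuple, so 2.14.1 < 2.17.1 < 2.20.0.
    Pre-release tags are dropped ('2.0-beta9' -> (2, 0)). Adequate for
    dotted-numeric versions; not a full semver or Maven comparator."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.group(0).split("."))


def affected_products(registry, key, introduced, fixed):
    """Finding All Users of a Vulnerable Package, steps 4 and 5: every Product
    running a version in [introduced, fixed), mapped to the versions it runs."""
    lo, hi = version_key(introduced), version_key(fixed)
    hits = {}
    for version, products in registry.get(key, {}).items():
        if lo <= version_key(version) < hi:
            for p in products:
                hits.setdefault(p, set()).add(version)
    return hits


def upgrade_progress(registry, key, latest):
    """Tracking Upgrade Progress: Products fully on the latest version versus
    Products still running something older (a Product on both is still behind)."""
    on_latest, behind = set(), {}
    target = version_key(latest)
    for version, products in registry.get(key, {}).items():
        if version_key(version) >= target:
            on_latest |= products
        else:
            for p in products:
                behind.setdefault(p, set()).add(version)
    upgraded = on_latest - set(behind)
    everyone = on_latest | set(behind)
    return {"upgraded": upgraded, "behind": behind,
            "percent": round(100 * len(upgraded) / len(everyone)) if everyone else 0}


def abandoned_packages(registry, support_level):
    """Identifying Abandoned Dependencies: packages whose Support Level is
    Abandoned, widest blast radius (most Products) first."""
    rows = []
    for key, versions in registry.items():
        if support_level.get(key) == "Abandoned":
            rows.append((key, set().union(*versions.values())))
    return sorted(rows, key=lambda row: -len(row[1]))


if __name__ == "__main__":
    log4j = ("maven", "org.apache.logging.log4j", "log4j-core")
    print("CVE-2021-44228 exposure:", affected_products(REGISTRY, log4j, "2.0-beta9", "2.15.0"))
    print("log4j-core upgrade progress:", upgrade_progress(REGISTRY, log4j, LATEST[log4j]))
    print("abandoned:", abandoned_packages(REGISTRY, SUPPORT_LEVEL))
```

The exposure query returns the Products column of the vulnerable rows, which is the list to hand to incident response; the progress query is what to track over successive SBOM uploads; and sorting the abandoned list by Product count is the "prioritize by blast radius" rule in practice.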


Permission Matrix

Permission                              Admin  Operator  Viewer
View products (includes package data)
View SBOMs (includes component data)
Edit SBOM components
Edit support

For full permission details, see Role Management.


Security Warnings


Common Misconfigurations

Issue:    Same package appears as multiple entries
Symptom:  Inconsistent naming across SBOMs
Fix:      Standardize SBOM generation tooling to produce consistent PURL identifiers

Issue:    Support overrides not applying
Symptom:  Automated support level still shown
Fix:      Verify the override was applied to the correct package identifier (the PURL type, namespace and name your SBOMs actually emit, not a differently named duplicate entry)

Issue:    Health score missing
Symptom:  No score displayed for package
Fix:      Verify the package has a PURL identifier; packages without a PURL cannot be enriched

Issue:    Outdated version insights missing
Symptom:  No "latest version" data
Fix:      Package may not be in a supported registry, or registry data may be temporarily unavailable

Issue:    Cross-product search too slow
Symptom:  Large result sets
Fix:      Use specific package names rather than broad searches; filter by ecosystem


  • Review the Packages view regularly for abandoned and deprecated components across your organization.

  • Use cross-product analysis when a critical CVE is published to quickly identify all affected Products.

  • Track upgrade progress by monitoring how many Products are running the latest version of critical dependencies.

  • Apply support overrides when you have internal knowledge about a component's maintenance status that differs from the automated assessment.

  • Prioritize packages by blast radius. With severity, exploitability and exposure being equal, a vulnerable package used by 20 Products is more urgent than one used by a single Product.

  • Ensure consistent PURL identifiers across all SBOM generation tools to enable accurate cross-product correlation.

  • Use health scores for portfolio-level risk assessment. Sort by health score to identify the riskiest packages in your supply chain.

  • Set up policies that target packages with low health scores or abandoned support levels to enforce supply chain standards.
