# Packages

The Packages view provides an organization-wide perspective on components across all Products and Versions. While the Components tab on a Version shows components within a single SBOM, the Packages view aggregates component data across your entire portfolio — enabling cross-product analysis, version tracking, and centralized override management.

***

## Overview

Packages consolidate component data from all SBOMs in your organization. Each package record represents a unique component, identified by its ecosystem and name as carried in the component's Package URL (PURL), and tracks all versions of that component encountered across your Products.

Key capabilities:

* **Cross-product visibility** — see which Products use a specific package and version.
* **Version tracking** — identify outdated versions and track upgrade progress across the portfolio.
* **Support overrides** — set organization-wide support level overrides for specific packages.
* **Enrichment data** — view package health scores, OpenSSF Scorecard results, and ecosystem insights.
* **Vulnerability correlation** — identify packages with known vulnerabilities across all Products.

## Architecture

```
Organization Package Registry
  └── Package (unique by name + ecosystem)
        ├── Versions Tab
        │     ├── All encountered versions across Products
        │     ├── Products using each version
        │     └── Vulnerability count per version
        ├── Overrides Tab
        │     ├── Support level overrides
        │     └── Custom metadata
        └── Enrichment Data
              ├── OpenSSF Scorecard
              ├── Health Score (Age, Community, Security)
              ├── Package Insights (deprecation, archive, downloads)
              ├── Version Insights (outdated, latest available)
              └── Source Code Insights (repo activity, contributors)
```

***

## Viewing Packages

### Package List

1. Navigate to the **Packages** page in the main navigation (or access via a component link from a Version).
2. The package list displays:

| Column            | Description                                                                            |
| ----------------- | -------------------------------------------------------------------------------------- |
| **Name**          | Package name                                                                           |
| **Ecosystem**     | Package ecosystem (npm, PyPI, Maven, Go, etc.)                                         |
| **PURL**          | Package URL identifier                                                                 |
| **Versions**      | Number of distinct versions encountered                                                |
| **Products**      | Number of Products using this package                                                  |
| **Health Score**  | Aggregated health score (0–100)                                                        |
| **Support Level** | Maintenance status (Actively Maintained, No Longer Maintained, Abandoned, Unspecified) |

### Filtering and Search

* **Search** by package name to find specific components.
* **Filter** by ecosystem, support level, or health score range.
* **Sort** by any column to prioritize review.

***

## Package Detail View

Click on a package to open its detail view, which includes two tabs:

### Versions Tab

The Versions tab shows all encountered versions of the package across your organization:

| Column              | Description                                      |
| ------------------- | ------------------------------------------------ |
| **Version**         | Component version string                         |
| **Products**        | Products using this version (with links)         |
| **Environments**    | Environments where this version is present       |
| **Vulnerabilities** | Number of known vulnerabilities for this version |
| **First Seen**      | When this version was first encountered          |
| **Last Seen**       | Most recent SBOM upload containing this version  |

Use this view to:

* Identify which Products are running outdated versions.
* Track upgrade progress across the organization.
* Find Products affected by a vulnerable version.

### Overrides Tab

The Overrides tab allows setting organization-wide overrides for the package:

| Override                | Description                                     |
| ----------------------- | ----------------------------------------------- |
| **Support Level**       | Override the automated support level assessment |
| **End-of-Support Date** | Set a custom end-of-support date                |
| **End-of-Life Date**    | Set a custom end-of-life date                   |

Overrides are keyed on the package identity, so they apply to every instance of that package across all Products and persist across SBOM re-uploads. A component whose PURL resolves to a different package record (for example, because an SBOM tool emitted an inconsistent identifier) is not covered by the override.

***

## Component Enrichment

Packages are enriched with data from open-source ecosystems:

### OpenSSF Scorecard

The [OpenSSF Scorecard](https://securityscorecards.dev/) evaluates the security posture of open-source projects. Scorecard results include checks for:

* Branch protection policies
* Dependency update tooling
* Signed releases
* Vulnerability disclosure process
* Code review practices

### Health Score

The health score (0–100) aggregates three weighted factors:

| Factor        | What It Measures                                                            |
| ------------- | --------------------------------------------------------------------------- |
| **Age**       | How recently the package was updated and whether it shows signs of abandonment |
| **Community** | Number of active contributors                                               |
| **Security**  | OpenSSF Scorecard results, vulnerability history, support status            |

For health score customization, see [Administration: Health Scoring](/administration/health-scoring.md).

### Package Insights

| Insight                | Description                                       |
| ---------------------- | ------------------------------------------------- |
| **Deprecation status** | Whether the package is deprecated in its registry |
| **Archive status**     | Whether the repository is archived                |
| **Download counts**    | Popularity indicator from the package registry    |

### Version Insights

| Insight            | Description                                                  |
| ------------------ | ------------------------------------------------------------ |
| **Outdated**       | Whether the installed version is behind the latest available |
| **Latest version** | The most recent version available in the registry            |

### Source Code Insights

| Insight                 | Description                               |
| ----------------------- | ----------------------------------------- |
| **Repository activity** | Commit frequency and recency              |
| **Contributor metrics** | Number and activity level of contributors |

***

## Cross-Product Analysis

The Packages view enables several cross-product analysis patterns:

### Finding All Users of a Vulnerable Package

1. Navigate to the **Packages** page.
2. Search for the affected package (e.g., `log4j`).
3. Click on the package to open the detail view.
4. On the **Versions** tab, identify the vulnerable version(s).
5. The **Products** column lists every affected Product. Check **Last Seen** to confirm that the version is still present in the Product's most recent SBOM rather than only in an earlier upload.

### Tracking Upgrade Progress

1. Open the package detail view.
2. Compare the **Versions** tab entries against the latest available version.
3. Products still using older versions need upgrades.

### Identifying Abandoned Dependencies

1. Filter the package list by **Support Level: Abandoned**.
2. For each abandoned package, review the Products using it.
3. Plan migration to maintained alternatives.

***

## Permission Matrix

| Permission                            | Admin | Operator | Viewer |
| ------------------------------------- | :---: | :------: | :----: |
| View products (includes package data) |   ✓   |     ✓    |    ✓   |
| View SBOMs (includes component data)  |   ✓   |     ✓    |    ✓   |
| Edit SBOM components                  |   ✓   |     ✓    |    —   |
| Edit support                          |   ✓   |     ✓    |    —   |

For full permission details, see [Role Management](/administration/role-management.md).

***

## Security Warnings

{% hint style="warning" %}
**A single vulnerable package can affect multiple Products.** Use the Packages view to identify the full blast radius of a vulnerability across your organization. Do not assume a CVE only affects the Product where it was first discovered.
{% endhint %}

{% hint style="warning" %}
**Packages without PURL identifiers cannot be correlated across Products.** Each SBOM will show them as separate, unrelated components. Ensure SBOM tooling produces consistent PURL identifiers for accurate cross-product analysis.
{% endhint %}

***

## Common Misconfigurations

| Issue                                    | Symptom                             | Fix                                                                                         |
| ---------------------------------------- | ----------------------------------- | ------------------------------------------------------------------------------------------- |
| Same package appears as multiple entries | Inconsistent naming across SBOMs    | Standardize SBOM generation tooling to produce consistent PURL identifiers                  |
| Support overrides not applying           | Automated support level still shown | Verify the override was applied to the correct package identifier                           |
| Health score missing                     | No score displayed for package      | Verify the package has a PURL identifier; packages without PURL cannot be enriched          |
| Outdated version insights missing        | No "latest version" data            | Package may not be in a supported registry, or registry data may be temporarily unavailable |
| Cross-product search too slow            | Large result sets                   | Use specific package names rather than broad searches; filter by ecosystem                  |
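
The identity and correlation rules behind the Architecture tree, the lookup in *Finding All Users of a Vulnerable Package*, the PURL warning above and the first three rows of this table, as an added worked example. This is not Interlynk's code: the PURL normalization is simplified from the PURL type definitions, the SBOM uploads are constructed, and vulnerable versions are matched by exact string rather than by ecosystem version range.

```python
"""Organization-wide package registry built from CycloneDX-style SBOM uploads.

Added example, not Interlynk's code. Identity = normalized PURL type + namespace +
name, so one package reported by different SBOM tools collapses into one record;
components with no PURL cannot be correlated and land in a per-product bucket.
"""
from datetime import date
from urllib.parse import unquote


def parse_purl(purl):
    """Split a PURL into (type, namespace, name, version); qualifiers/subpath dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a PURL: {purl!r}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    segs = [s for s in body.split("/") if s]
    name, _, version = segs[-1].partition("@")
    namespace = "/".join(unquote(s) for s in segs[1:-1]) or None
    return segs[0].lower(), namespace, unquote(name), unquote(version) or None


def normalize_identity(ptype, namespace, name):
    """Per-type case/separator rules, simplified from the PURL type definitions."""
    if ptype == "pypi":                  # case-insensitive, '_' and '-' are equivalent
        name = name.lower().replace("_", "-")
    elif ptype == "npm":                 # names are defined as lowercase
        name = name.lower()
    elif ptype in ("golang", "github"):  # namespace and name are defined as lowercase
        name, namespace = name.lower(), (namespace.lower() if namespace else None)
    # maven (groupId/artifactId) and most other types are case-sensitive: unchanged
    return (ptype, namespace, name)


class PackageRegistry:
    def __init__(self):
        self.packages = {}       # identity -> {version -> info}
        self.uncorrelated = {}   # (product, component name) -> versions, PURL-less components
        self.latest_upload = {}  # product -> date of its newest SBOM upload

    def ingest(self, product, environment, uploaded, components):
        self.latest_upload[product] = max(uploaded, self.latest_upload.get(product, uploaded))
        for comp in components:
            if not comp.get("purl"):
                self.uncorrelated.setdefault((product, comp["name"]), set()).add(comp.get("version"))
                continue
            ptype, namespace, name, version = parse_purl(comp["purl"])
            key = normalize_identity(ptype, namespace, name)
            info = self.packages.setdefault(key, {}).setdefault(
                version or comp.get("version"),
                {"products": {}, "environments": set(), "first_seen": uploaded, "last_seen": uploaded},
            )
            # products: product -> newest upload in which that product shipped this version
            info["products"][product] = max(uploaded, info["products"].get(product, uploaded))
            info["environments"].add(environment)
            info["first_seen"] = min(info["first_seen"], uploaded)
            info["last_seen"] = max(info["last_seen"], uploaded)

    def blast_radius(self, key, vulnerable_versions):
        """(products that ever shipped a vulnerable version, products whose newest SBOM
        still has one). Exact version strings only; real matching needs version ranges."""
        ever, current = set(), set()
        for version, info in self.packages.get(key, {}).items():
            if version in vulnerable_versions:
                ever.update(info["products"])
                current.update(p for p, seen in info["products"].items() if seen == self.latest_upload[p])
        return sorted(ever), sorted(current)


# Constructed SBOM uploads: (product, environment, upload date, components).
UPLOADS = [
    ("billing-api", "prod", date(2024, 3, 1), [
        {"name": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        {"name": "Requests", "purl": "pkg:pypi/Requests@2.31.0"},  # tool A: un-normalized case
        {"name": "internal-auth-lib", "version": "3.2.0"},           # no PURL emitted
    ]),
    ("billing-api", "prod", date(2024, 4, 15), [                     # re-upload after upgrading log4j
        {"name": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"name": "requests", "purl": "pkg:pypi/requests@2.31.0"},   # tool B: normalized
        {"name": "internal-auth-lib", "version": "3.2.0"},
    ]),
    ("reporting-ui", "staging", date(2024, 3, 20), [
        {"name": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "lodash", "purl": "pkg:npm/Lodash@4.17.21"},
        {"name": "internal-auth-lib", "version": "3.2.0"},
    ]),
    ("data-pipeline", "prod", date(2024, 4, 1), [
        {"name": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "lodash", "purl": "pkg:npm/lodash@4.17.21"},
    ]),
]
LOG4J_CORE = ("maven", "org.apache.logging.log4j", "log4j-core")


def build_registry(uploads=UPLOADS):
    registry = PackageRegistry()
    for product, environment, uploaded, components in uploads:
        registry.ingest(product, environment, uploaded, components)
    return registry


if __name__ == "__main__":
    reg = build_registry()
    print("log4j-core 2.14.1 ever/currently affected:", reg.blast_radius(LOG4J_CORE, {"2.14.1"}))
    print("not correlated (no PURL):", reg.uncorrelated)
```

Run it directly to print the blast radius for `log4j-core` 2.14.1. `blast_radius` returns two lists: every Product that has ever uploaded an SBOM containing a vulnerable version (what the **Products** column shows), and only those whose newest upload still does (what **Last Seen** lets you separate out; `billing-api` drops out of the second list because its April re-upload carries 2.17.1). `Requests` and `requests` collapse into one PyPI record after normalization, while the two `internal-auth-lib` entries in `uncorrelated` are the PURL warning in practice: without an identifier, the same library in two Products cannot be joined, and no enrichment or override can be keyed to it.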

***

## Recommended Best Practices

* **Review the Packages view regularly** for abandoned and deprecated components across your organization.
* **Use cross-product analysis** when a critical CVE is published to quickly identify all affected Products.
* **Track upgrade progress** by monitoring how many Products are running the latest version of critical dependencies.
* **Apply support overrides** when you have internal knowledge about a component's maintenance status that differs from the automated assessment.
* **Prioritize packages by blast radius.** A vulnerable package used by 20 Products is more urgent than one used by a single Product.
* **Ensure consistent PURL identifiers** across all SBOM generation tools to enable accurate cross-product correlation.
* **Use health scores for portfolio-level risk assessment.** Sort by health score to identify the riskiest packages in your supply chain.
* **Set up policies** that target packages with low health scores or abandoned support levels to enforce supply chain standards.

