Component Management

Components are the core elements of your SBOM, representing third-party libraries, internal modules, and other software building blocks. CAST SBOM Manager provides powerful tools to categorize, edit, and manage components across all your SBOMs.

Understanding Components

A component represents a distinct software library or module detected in your scanned codebase. Each component includes:

  • Identity - Name, version, and SCA identifier
  • Metadata - Description, repository, references
  • Legal - Licenses and copyright information
  • Security - Known vulnerabilities
  • Classification - Category and source
  • Usage - Associated files and paths

Component Categories

Components are organized into five categories:

Open Source

Third-party open source components detected from public repositories.

Characteristics:

  • Identified via SCA database
  • External components
  • Public licenses
  • Non-modifiable category (assigned automatically)

Proprietary

Internal components developed by your organization.

Use for:

  • Company-developed libraries
  • Internal modules
  • Proprietary code

Excluded

Components explicitly excluded from analysis.

Use for:

  • Test dependencies
  • Build tools
  • Development-only dependencies
  • Components not distributed with product

Sandbox

Components under review or pending categorization.

Use for:

  • Components requiring approval
  • Newly discovered components
  • Items pending legal review

Undefined

Components not yet categorized.

Characteristics:

  • Default for unidentified components
  • Requires manual categorization
  • Non-modifiable (automatic assignment)

Viewing Components

From any SBOM, navigate to the Components tab.

Category Filter

Select a category to view only those components:

  • Click the category name
  • The table updates to show only that category
  • Badge shows component count

Components Table

See Viewing SBOMs - Components View for detailed table information.

Editing Components

To edit a component:

  1. Click the component name, or select Edit Component from the actions menu
  2. The Edit Component dialog opens with three tabs

Detail Tab

Basic Information:

  • Name (required) - Component name
  • Description - Component description
  • Category - Select category from dropdown
  • Repository - Source repository URL

Legal and Security:

  • Licenses - Select one or more licenses
  • Vulnerabilities - Add or remove vulnerabilities
  • Copyright - Copyright holder information

Additional Metadata:

  • References - URLs to documentation, homepages, etc.
  • Topics - Tags/keywords (e.g., "web framework", "security")
  • Languages - Programming languages
  • Comments - Notes or explanations

Options:

  • Update File Licenses - Apply license changes to all associated files
  • Update Linked (Catalog only) - Propagate changes to linked SBOMs

Versions Tab

Manage all known versions of the component:

  • Version - Current version (select from dropdown)
  • Latest Version - Most recent available version (select from dropdown)
  • Obsolescence - How current the component version is
  • View version history with timestamps
  • Add new versions
  • Remove versions
  • Track version releases

Dependencies Tab

(Only for components with SCA connection)

View component dependencies:

  • Direct dependencies
  • Transitive dependencies
  • Dependency tree

Changing Component Categories

Single Component

  1. Open the component for editing
  2. Change the Category dropdown
  3. Click OK

Or use the quick action:

  1. Click Change Category from actions menu
  2. Select new category
  3. Click OK

Multiple Components

To categorize several components at once:

  1. Check the boxes next to components
  2. Click Actions > Change Category
  3. Select the new category
  4. Click OK

Component Sources

Components have different sources indicating how they were detected:

Source     Description
SCA        Identified via the CAST SCA database
LOCAL      Locally cataloged or manually created
CATALOG    Referenced from the central catalog
PREVIOUS   Carried over from the previous SBOM version
IMPORT     Imported from an external SBOM (CycloneDX)

Catalog Management

The Catalog is a central repository for sharing components across multiple SBOMs.

Adding Components to Catalog

To add components to the central catalog:

Single Component:

  1. Click Add to Catalog from actions menu
  2. Component is copied to catalog
  3. Original SBOM maintains a reference

Multiple Components:

  1. Select multiple components (checkboxes)
  2. Click Actions > Add to Catalog
  3. All selected components are added

Benefits:

  • Reuse component definitions across SBOMs
  • Centralize component metadata
  • Propagate updates to multiple SBOMs

Removing from Catalog

To remove a component from the catalog:

  1. Open the catalog view (not a regular SBOM)
  2. Select Remove from Catalog from actions
  3. Confirm removal

Linked SBOMs

Removing a catalog component doesn't delete it from SBOMs that use it. Those SBOMs convert the component to LOCAL source.

Propagating Changes

When you edit a catalog component, you can propagate changes:

Update Linked Components:

  • Enable Update Linked checkbox when editing
  • Changes apply to all SBOMs using this component
  • Maintains consistency across projects

Keep SBOMs Independent:

  • Disable Update Linked checkbox
  • Linked SBOMs convert to LOCAL source
  • Each SBOM manages its own copy

See Propagating Component Changes for details.

Advanced Component Operations

Splitting Components

Split a component into multiple components based on criteria:

When to Split:

  • Component files have different licenses
  • Files use different extensions
  • Files are in different paths

How to Split:

  1. Select component(s) to split
  2. Click Split Components
  3. Choose split criterion:
    • By Extension - Group by file extension
    • By License - Group by license
    • By Path - Group by directory path
    • By Version - Group by version
  4. Click Split

Result:

  • New components created for each group
  • Files distributed to appropriate components
  • Original component removed

Requires Multiple Files

You can only split components with 2+ associated files.

Merging Components

Combine multiple components into one:

When to Merge:

  • Duplicate component entries
  • Related components that should be one
  • Consolidating split components

How to Merge:

  1. Select 2 or more components (checkboxes)
  2. Click Actions > Merge Components
  3. Optionally select which component to keep as base
  4. Optionally move merged component to SANDBOX
  5. Click Merge

Result:

  • Single component contains all files
  • Licenses and vulnerabilities combined
  • Source components removed

Deleting Components

Remove components from an SBOM:

Requirements:

  • Component must have no associated files
  • Use for cleanup of empty components

How to Delete:

  1. Select Delete Component from actions
  2. Confirm deletion

Cannot Delete with Files

Components with associated files cannot be deleted. First remove or reassign the files.

Finding Component Usage

To see which SBOMs use a component (catalog only):

  1. Click Find Usages from actions menu
  2. Modal displays all SBOMs containing this component
  3. Click any SBOM to open it

Use Cases:

  • Impact analysis before updating
  • Understanding component adoption
  • Tracking component usage

Propagating Changes Across SBOMs

When catalog components are edited, changes can cascade to linked SBOMs.

How Propagation Works

Step 1: Edit Catalog Component

  • Open component in catalog
  • Make changes (licenses, description, etc.)

Step 2: Choose Propagation

Option A: Update Linked (Recommended)

  • Enable Update Linked checkbox
  • All SBOMs using this component receive updates
  • Maintains centralized control

Option B: Don't Update Linked

  • Disable Update Linked checkbox
  • For major changes: Linked SBOMs convert component to LOCAL and become independent
  • For minor changes: No unlinking occurs

Step 3: Save

  • Click OK
  • Changes apply based on selection

What Gets Propagated

When updating linked components:

  • Name and description
  • Repository and references
  • Licenses
  • Vulnerabilities
  • Copyright
  • Topics and languages
  • Comments

Propagating License Changes to Files

Additional option: Update File Licenses

When enabled:

  • All files associated with the component have their licenses updated to match the component's licenses
  • Useful for bulk license corrections

Configuration

Default Behavior: Set your preferred default in Preferences:

  1. Navigate to Configuration > SBOM/Catalog
  2. Catalog Preferences section
  3. Enable/disable Apply changes to linked BOM components by default

Component Metadata

Below are examples of how component metadata fields are typically used:

SCA ID

Unique identifier from CAST SCA database. Links component to external vulnerability and license databases.

Obsolescence

Indicates how current the component version is:

Level       Description
Up to Date  Running the latest version
Low         1-2 minor versions behind
Medium      Several versions behind
High        Significantly outdated
Outdated    Very old, many versions behind
Unknown     Version status cannot be determined

Repository

Source code repository URL such as GitHub, GitLab, or Bitbucket.

References

Links to external resources such as project homepage, documentation, release notes, or issue tracker.

Topics

Keywords describing the component's purpose or domain, such as "web-framework", "database", "authentication", or "visualization".

Languages

Programming languages used in the component, such as JavaScript, Python, Java, or C++.