Creating New Components

You can manually create new components in any SBOM. This is useful for adding proprietary components, internal libraries, or other dependencies not automatically detected by scanners.

When to Use This Feature

Most components are detected automatically by scanners. Use manual creation for internal proprietary libraries, custom-built components, or other dependencies that cannot be automatically detected.

How to Create a Component

Step 1: Navigate to Components

  1. Open your SBOM or Catalog
  2. Navigate to the Components tab
  3. Ensure you have write permissions

Step 2: Click New Component

Click the New Component button in the top-right corner of the Components view.

Step 3: Fill in Component Details

The Create Component dialog opens with the following fields:

Required Fields

Name (required)

  • The component name or identifier
  • Must be unique within the SBOM
  • Examples:
    • my-company-core-library
    • internal-authentication-module
    • custom-data-processor

Optional Fields

Version

  • Component version following semantic versioning
  • Examples: 1.0.0, 2.3.1-beta, 0.5.0-rc1
  • Leave blank if version is unknown or not applicable

Description

  • Brief description of the component's purpose
  • Helpful for understanding the component's role
  • Example: "Internal library for data encryption and key management"

Category

  • Select the appropriate category from the dropdown
  • Default: Sandbox (for new components under review)
  • Options:
    • Proprietary - For internal organization components
    • Sandbox - For components under review or pending approval
    • Excluded - For test/build dependencies not distributed
  • See Component Categories for details

Repository

  • Source repository type where the component is published
  • Default: None
  • Options:
    • None - No specific repository
    • Maven - Java/JVM components
    • npm - JavaScript/Node.js packages
    • PyPI - Python packages
    • NuGet - .NET packages
    • RubyGems - Ruby gems
    • Packagist - PHP packages
    • Crates.io - Rust crates
    • GitHub - GitHub-hosted projects

SCA ID Generation

When you select a repository type, the system automatically generates an appropriate SCA ID suffix:

  • npm → .npm
  • PyPI → .py
  • NuGet → .NET
  • RubyGems → .rb
  • Packagist → .php
  • Crates.io → .rs

Licenses

  • Select one or more licenses from the dropdown
  • Choose from SPDX standard licenses
  • Multiple licenses can be selected for dual-licensed components
  • Example: Select both MIT and Apache-2.0

Step 4: Create

Click Create to save the component.

After Creation

Once the component is created:

Automatic Actions

  • Component appears in the selected category
  • Component is assigned LOCAL as its source type
  • A snippet is automatically created to represent the component identity
  • The SBOM status is updated to reflect the change
  • SBOM KPIs are recalculated in the background

What You Can Do Next

  1. Edit Additional Details - Click the component name to add:

    • Copyright information
    • References and documentation links
    • Topics and keywords
    • Programming languages
    • Comments and notes
  2. Add Versions - Navigate to the Versions tab to:

    • Define version history
    • Set the latest version
    • Track release dates
  3. Assign Files - If the component has associated files:

  4. Add to Catalog - For reusable proprietary components:

    • Click Actions → Add to Catalog
    • Share the component across multiple SBOMs
    • See Catalog Management for details

Example: Creating a Proprietary Component

Let's walk through creating an internal authentication library:

Scenario: Your company has an internal authentication library that should be tracked in your SBOMs.

Step-by-Step

  1. Open your SBOM and go to the Components tab

  2. Click New Component

  3. Fill in the form:

    • Name: acme-auth-core
    • Version: 2.1.0
    • Description: ACME Corporation internal authentication and authorization library
    • Category: Proprietary
    • Repository: None (internal component)
    • Licenses: Select Proprietary (if available) or leave blank
  4. Click Create

  5. After creation, click the component name to add more details:

    • Copyright: Copyright © 2025 ACME Corporation
    • References: Add internal GitLab URL
    • Topics: authentication, security, internal
    • Languages: Java, Kotlin
    • Comments: Maintained by Security Team - contact security@acme.com
  6. Click Actions → Add to Catalog to make it reusable

Validation and Errors

Duplicate Component Names

Error: "A component with this name already exists in the current BOM version"

Cause: Component names must be unique within an SBOM.

Solution:

  • Use a different name, or
  • Use version numbers to differentiate: my-lib-v1, my-lib-v2
  • Consider if you should edit the existing component instead

Missing Required Fields

Error: "Component name is required"

Cause: The Name field cannot be empty.

Solution: Provide a component name before creating.

No Valid SBOM

Warning: "Cannot create a component: no valid BOM version available"

Cause: You must have a valid SBOM selected.

Solution: Create or select a valid SBOM first.

Permissions

To create components, you need:

  • BOM Write permission
  • Access to the specific SBOM

If the New Component button is disabled, check with your administrator about permissions.