xBOM (Bill of Materials)
The xBOM dashboard provides a unified inventory of all components, cryptographic assets, and AI models discovered across your repositories. Track vulnerabilities, manage VEX statements, export compliance-ready bills of materials, and monitor component changes.
xBOM is available on Scale plan and above. It requires enabling plexicus-sbom, plexicus-cbom, or plexicus-aibom scanner bundles.
Source: /Users/jpalanco/Projects/platform/fastapi/routes/xbom.py:6, 34
Three Types of BOMs
SBOM — Software Bill of Materials
Generated by: Syft
Contains: All software dependencies across your codebase — libraries, packages, frameworks, and their versions.
What it tracks:
- Component name and version
- Software licenses (permissive, copyleft, proprietary, unknown)
- Known vulnerabilities (CVE mapping)
- File paths where component is used
- Package manager (npm, pip, Maven, Go, Cargo, etc.)
Export formats: CycloneDX JSON, SPDX JSON, CSV, PDF attestation
Use cases:
- Build compliance proofs for customers (e.g., "we use only permissively licensed software")
- Identify license conflicts in merges
- Track dependency drift between builds
- Generate SBOMs for supply chain transparency (NTIA minimum elements)
Source: i18n xbom.yml:21, 73-88
CBOM — Cryptographic Bill of Materials
Generated by: CycloneDX CBom + OpenGrep Crypto
Contains: All cryptographic algorithms, key sizes, and implementations in your codebase.
What it tracks:
- Algorithm type (AES, RSA, ECDSA, MD5, SHA-1, etc.)
- Key size / strength (256-bit, 4096-bit, etc.)
- Primitive category (encryption, hashing, signing, etc.)
- Quantum-readiness classification (NIST deadline assessment)
- Usage context (database encryption, TLS, signing, etc.)
Risk assessment:
- 🟢 Quantum-safe algorithms (post-quantum cryptography, modern RSA/ECC)
- 🟡 Deprecated weak algorithms (MD5, SHA-1, RC4, DES)
- 🔴 Known broken algorithms with deadline risk
Export formats: CycloneDX JSON, SPDX JSON, CSV, PDF attestation
Use cases:
- Demonstrate quantum-readiness for compliance frameworks (NIST SP 800-131B)
- Plan cryptographic migration (e.g., SHA-1 → SHA-256)
- Track deprecated crypto usage across monorepos
- Supply chain transparency for cryptographic supply chain risk (e.g., EU CRA BSI TR-03183-2)
Source: i18n xbom.yml:28-31, 42-46, shared/tool_bundle_params.py:23
AIBOM — AI Model Bill of Materials
Generated by: CycloneDX MLBom
Contains: All machine learning models, training datasets, and AI components in your codebase or infrastructure.
What it tracks:
- Model name and version
- Model type (LLM, classifier, regression, etc.)
- Training dataset provenance and lineage
- Model card status (documentation completeness)
- External dependencies (Hugging Face, OpenAI, Anthropic, etc.)
- Security and safety assessment
Risk flags:
- 🟡 Missing model card (undocumented training data or performance)
- 🟡 No dataset provenance (unknown training source)
- 🟡 External API dependency (supply chain risk)
- 🔴 Unsafe serialization (model injection attacks)
Export formats: CycloneDX JSON, SPDX JSON, CSV, PDF attestation
Use cases:
- Build AI supply chain transparency (EU AI Act compliance)
- Identify models with insufficient documentation
- Track AI model version dependencies (model drift)
- Supply chain risk on third-party models (e.g., fine-tuned LLMs)
Source: i18n xbom.yml:33-35, shared/tool_bundle_params.py:22
Dashboard Overview
The xBOM main view shows three tabs, each with an executive summary:
Overview KPIs:
- Total components (SBOM count)
- Repositories covered (which repos contribute to BOM)
- Coverage detail (how many SBOM, CBOM, AIBOM records exist)
- Quantum readiness (percentage of safe cryptography)
- License risk (count of copyleft, proprietary, unknown licenses)
- AI models (count of AI/ML components, risk breakdown)
Charts:
- License categories (pie: permissive, copyleft, proprietary, unknown)
- Quantum classification (pie: quantum-safe, quantum-vulnerable, weak/deprecated, unknown)
- Top vulnerable components (bar: packages with most CVEs)
- AI providers (bar: count of models per provider — OpenAI, Anthropic, Hugging Face, etc.)
Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/xbom.yml:1-19
Software Components (SBOM) Tab
Browsing Components
-
Navigate to xBOM → Software (SBOM) tab
-
Filter by:
- Repository — Narrow to specific repos
- License category — Permissive, copyleft, proprietary, unknown
- Language — Python, JavaScript, Java, etc.
- Has vulnerabilities — Show only components with known CVEs
- Risk flags — Restricted license, external API, unpinned version, etc.
-
Search by component name or Package URL (PURL)
Component Details
Click a component to see:
- PURL (Package URL) — Standardized component identifier
- Hashes — SHA-256, SHA-1 for integrity verification
- File paths — Where in repositories this component appears
- Supplier — Package maintainer or organization
- Source tool — Which scanner discovered it (Syft, Grype, etc.)
VEX (Vulnerability Exploitability Exchange)
Mark how your organization handles specific vulnerabilities in specific components. This proves to auditors that you've assessed and decided on remediation.
VEX Statement Statuses:
- Affected — You use the vulnerable component and are working on a fix
- Fixed — You've patched to a non-vulnerable version
- Not Affected — Component doesn't use the vulnerable code path
- Under Investigation — You're still assessing impact
Example: CVE-2024-12345 in log4j → Status: "Not Affected" + Justification: "We only use specific appenders that aren't vulnerable"
To set a VEX statement:
- Filter to the component and CVE
- Click Set VEX
- Select status and enter justification (required for "Not Affected")
- Save — statement is recorded in your xBOM and compliance tracking
Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/xbom.yml:101-118, fastapi/routes/xbom.py:46-54
Watchlists
Monitor components of interest. Get notified when matching components appear in future scans.
Create a watchlist:
- Go to xBOM → Watchlists (or click Watch component from component detail)
- Enter pattern (component name or PURL, e.g., "log4j" or "pkg:npm/lodash")
- Choose type: Name (substring match) or PURL (exact Package URL match)
- Check Notify to receive alerts when component is discovered in new scans
- Save
Use cases:
- Monitor deprecated libraries (e.g., "node-uuid" → renamed to "uuid")
- Track supply chain risks (e.g., "xz-utils" — watch for compromised versions)
- Maintain inventory of first-party components (e.g., "acme-internal-*")
Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/xbom.yml:119-135
Cryptographic Assets (CBOM) Tab
Browsing Algorithms
-
Navigate to xBOM → Cryptographic Assets (CBOM) tab
-
Filter by:
- Primitive type — Encryption, hashing, signing, key agreement, etc.
- Algorithm name — AES, RSA, ECDSA, MD5, SHA-1, etc.
- Key size — Search by strength (256-bit, 4096-bit, etc.)
- Quantum classification — Safe, vulnerable, unknown
- Repository — Narrow by repo
-
See "Classification Reasons" explaining why algorithm is rated quantum-safe or vulnerable
Risk Assessment
Quantum-Safe (🟢):
- Post-quantum cryptography (Kyber, Dilithium, Sphincs+)
- Modern RSA with sufficient key size (≥2048-bit)
- ECC P-256, P-384, P-521
- SHA-256, SHA-384, SHA-512
Quantum-Vulnerable (🔴) — NIST Deadline:
- RSA < 2048-bit
- ECC curves < P-256
- Any reliance on discrete log assumptions
Weak/Deprecated (🟡):
- MD5 (broken since ~2005; do not use for security)
- SHA-1 (deprecated for signatures; sunset 2025+)
- RC4, DES, 3DES
- Unsupported TLS versions (< 1.2)
Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/xbom.yml:42-46
AI Models (AIBOM) Tab
Browsing AI Models
- Navigate to xBOM → AI Models (AIBOM) tab
- Filter by:
- Provider — OpenAI, Anthropic, Hugging Face, local models, etc.
- Model type — LLM, classifier, embedder, etc.
- Risk flags — Missing model card, no dataset provenance, external API, unsafe serialization
Model Details
Click a model to see:
- Model name & version — Full identifier
- Provider — Vendor or organization
- Training datasets — Lineage and provenance
- Model card — Documentation status
- Dependencies — External APIs or model dependencies
- Compliance risk — Security/safety assessment
Export Bill of Materials
Generate shareable BOMs for audits, customer requests, or supply chain transparency.
Export Formats
-
Go to xBOM → Export
-
Choose format:
- CycloneDX JSON — Industry standard (NTIA minimum elements, recommended)
- SPDX JSON — Linux Foundation standard (ISO/IEC 5230 certified)
- CSV — Spreadsheet-friendly inventory
- PDF Attestation — Human-readable compliance report with signature
-
For PDF attestations, select Compliance Profile:
- EU CRA (BSI TR-03183-2) — EU Cyber Resilience Act proof of cryptography review
- CISA 2025 — US government supply chain requirements
- PCI DSS 6.3.2 — Payment card security
- EU AI Act — AI governance and risk
-
Click Download
Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/xbom.yml:73-89
CycloneDX vs SPDX
| Aspect | CycloneDX | SPDX |
|---|---|---|
| Focus | Supply chain security & vulnerability tracking | License and dependency disclosure |
| Metadata | Rich (VEX, crypto, vulnerabilities, ML models) | Comprehensive (licenses, file hashes) |
| Adoption | NTIA minimum element standard; recommended by CISA | Linux Foundation standard; preferred by open-source projects |
| Compliance | EU CRA, PCI DSS, FedRAMP | SBOM Act (US), ISO/IEC 5230 |
| Best for | Vendors proving security posture to enterprises | Open-source projects licensing transparency |
Import Supplier SBOM
Ingest BOMs from third-party vendors or dependencies to build a comprehensive supply chain map.
- Go to xBOM → Import
- Upload a CycloneDX or SPDX JSON file
- Enter supplier name (e.g., "Acme Corp", "AWS SDK")
- Click Import
Results appear in the SBOM tab with supplier attribution. Enables:
- Transitive dependency tracking (dependencies of your dependencies)
- Supplier vulnerability correlation
- End-to-end supply chain visibility
Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/xbom.yml:90-101
Scan History & Diff
View how components changed between scans:
- Go to xBOM main view
- Look for Changes vs previous scan section
- See:
- Added — New components discovered
- Removed — Components no longer present
- Changed — Version bumps, license updates, etc.
This helps you:
- Spot unexpected dependencies added by merges
- Confirm dependency cleanup worked
- Track cryptographic upgrade progress
Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/xbom.yml:137-142
Compliance Integration
xBOM data flows into the Compliance Dashboard:
- License risk maps to compliance controls (GPL disclosure, proprietary terms)
- Quantum readiness maps to cryptographic compliance (NIST, EU CRA)
- VEX statements reduce audit risk by proving assessment of vulnerabilities
- SBOM exports satisfy customer security questionnaires and audits
Troubleshooting
"No components yet"
Enable at least one BOM scanner (plexicus-sbom, plexicus-cbom, or plexicus-aibom) on your application and run a scan.
"Missing model card" warning on AIBOM
Your AI models lack documentation. Provide Hugging Face model cards, OpenAI model IDs, or internal model descriptions.
"Unpinned version" on dependencies
Some dependencies don't have locked versions. Use lock files (package-lock.json, poetry.lock, Gemfile.lock) to pin versions and improve reproducibility.
"External API" risk flag
Your code uses external APIs (e.g., OpenAI API, third-party LLM services). Ensure you've assessed vendor security and data handling practices.
See Also
- Security Scanners — Configure plexicus-sbom, plexicus-cbom, plexicus-aibom
- Compliance Dashboard — Map BOM data to compliance frameworks
- Findings — Remediate vulnerabilities discovered in SBOM