Skip to main content

Cyber Asset Management

SBOM & data exports

Not everything you need to share is a formatted report. This page covers the two kinds of raw output ThreatWeaver produces: a software bill of materials (SBOM) for an application, and data exports — findings and asset inventory downloaded as spreadsheets or machine-readable files.

What it's for

  • See what's inside an app — the components discovered during an application assessment, and which ones have known advisories.
  • Hand the SBOM to a standard tool — export it as JSON, CSV, or CycloneDX.
  • Pull the raw data — export assets, vulnerabilities, and inventory datasets for your own spreadsheets and pipelines.

Software bill of materials

A software bill of materials is the component inventory found inside an application. It lives on an individual assessment in AppSec: open an assessment and go to its Software Bill of Materials tab.

A Generated at {timestamp} line above the table shows when the SBOM was last built.

The SBOM tab — summary cards above a table of discovered components

Summary cards

Four cards summarize the inventory:

CardWhat it counts
Total ComponentsEvery component discovered in the assessment.
VulnerableComponents whose detected version has known advisories.
CleanComponents whose detected version had no advisories.
UnknownComponents with a missing version or where the advisory check couldn't run.

Advisory status comes from a public vulnerability advisory database (OSV), matched against each component's detected version.

The component inventory

The table lists each component with its version and where it was found. Use the status buttons above the table — All, Vulnerable, No advisories, and Version unknown — to narrow the list.

ColumnWhat it shows
ComponentThe component name and detected version, its ecosystem, a confidence percentage for the detection, its package URL (purl) when known, and which detection source(s) found it.
StatusWhether the detected version is vulnerable, clean, or unknown.
SeverityThe highest advisory severity affecting the component.
AdvisoriesEach known advisory affecting the component — its CVE ID, severity, a short summary, and, when known, a Fixed in line naming the version(s) that resolve it.
Found AtThe file paths and source URLs the component was detected in, plus a Linked findings count when the component ties back to specific findings.

Exporting the SBOM

Three export buttons sit at the top of the tab. Each downloads the full component inventory:

ButtonWhat it produces
Export JSONA machine-readable JSON file.
Export CSVA spreadsheet-friendly CSV file.
Export CycloneDXA standards-based CycloneDX SBOM file for use in other tools.

Data exports

Data exports give you the underlying rows — assets, vulnerabilities, and other datasets — as files rather than formatted reports.

Exports from findings and asset pages

You can start an export from the Vulnerabilities and Cyber Asset Management pages. Each export runs in the background and, when ready, appears in the Reports → Results list under the Exports type, where you can download it. See Generating reports for how Results works.

Cyber Asset Management dataset exports

Cyber Asset Management has its own Reports hub with a set of ready-made Excel dataset exports over your unified asset inventory.

The Cyber Asset Management Reports hub — dataset exports listed as rows

The available datasets include:

DatasetWhat it contains
Asset inventoryEvery asset with identity, operating system, ownership, and per-source columns.
Coverage gapsExpected endpoints missing one or more required agents.
Source diffAssets seen by one source but not another, for any two connected sources.
Policy complianceThe latest coverage-policy result for every asset in scope.
ReconciliationPending reviews, identity conflicts, and applied merges.
Source healthConnected sources with their sync schedule, last run status, and errors.
Coverage trendCoverage numbers over time, one row per captured snapshot.
Coverage point-in-timeThe exact assets in a past coverage snapshot.

Each dataset row offers:

ControlWhat it does
FormatChooses the output format — XLSX, CSV, or JSON.
GenerateStarts the export now; it appears on the hub's Results tab when ready.
ScheduleSets the export up to run and deliver on a repeating cadence.
Open builder…(Point-in-time and other datasets that need a choice.) Opens a builder to pick a snapshot or options before exporting.

Source diff shows two source pickers — Source A and Source B — inline on its row; pick two different sources before generating. Picking the same source for both shows the validation message Pick two different sources to compare.

Use the toolbar's Search, category chips (All / Excel / PDF / Evidence), and Refresh to find a dataset, and the Results tab to download finished files.

Common workflows

Workflow: export a CycloneDX SBOM for an app

  1. Open the application's assessment in AppSec and go to its Software Bill of Materials tab.

    Step 1 — the SBOM tab for an assessment
  2. Review the summary cards and, if you like, filter the table to Vulnerable components.

    Step 2 — the component inventory filtered to vulnerable components
  3. Click Export CycloneDX. The SBOM downloads to your device.

Workflow: export the asset inventory as a spreadsheet

  1. Open Reports in Cyber Asset Management and stay on the Templates tab.
  2. Find the Asset inventory dataset, set its Format to XLSX, and click Generate.
  3. Switch to the Results tab and download the file once it finishes.