Sunshine - SBOM visualization tool

Select a CycloneDX JSON file from your file system. All submitted data is processed locally within your browser, without being transmitted anywhere else.

• If you do not have a CycloneDX JSON file available, but just want to see what output is produced by the tool see a sample HTML output here with data enriched with EPSS and CISA KEV or here without enriched data.
• If your SBOM file is not in the CycloneDX JSON format, such as SPDX or CycloneDX XML, you can convert it using CycloneDX Web Tool.
• If you prefer using a standalone CLI version download it here.

Settings:

Enrich data with EPSS and CISA KEV

Show only vulnerabilities in CISA KEV Note: this setting can be used ony when data enrichment is enabled

Show only vulnerabilities with severity: Any Critical High or above Medium or above Low or above

Show only vulnerabilities with CVSS equal to or greater than: Selected CVSS: 0.0

Show only vulnerabilities with EPSS equal to or greater than: Selected EPSS: 0.00 Note: this setting can be used ony when data enrichment is enabled

Apply settings

Summary table will appear here...

This chart visualizes components and their dependencies, with each segment representing a single component. The chart provides a hierarchical view of the dependency structure, with relationships radiating outward from the core components.

• Innermost circle: represents components that are independent and not dependencies for any other components.
• Outer circles: each segment represents a dependency of the corresponding segment in the circle immediately inside it. The farther a segment is from the center, the deeper the dependency level.

Note: If there is only one circle, it means that no dependency relationships are defined in the input file.

The colors of the segments indicate the vulnerability status of the components:

• Dark red: affected by at least one critical severity vulnerability.
• Red: affected by at least one high severity vulnerability.
• Orange: affected by at least one medium severity vulnerability.
• Yellow: affected by at least one low severity vulnerability.
• Green: affected by at least one informational severity vulnerability.
• Light blue: not directly affected by vulnerabilities but has at least one vulnerable dependency.
• Grey: neither the component nor its dependencies are affected by any vulnerabilities.

The chart is interactive:

• Hovering: displays details about a component, including its name, version, and list of vulnerabilities.
• Clicking: refocuses the chart. The clicked segment becomes the center (second innermost circle), showing only that component and its dependencies. In this view, the innermost circle is always blue. Clicking the blue circle navigates back up one level in the dependency hierarchy.

---

---

Chart will appear here...

This table visualizes components, their dependencies, vulnerabilities and licenses.
The colors of the elements in columns "Component", "Depends on" and "Dependency of" indicate the vulnerability status of the components:

• Dark red: affected by at least one critical severity vulnerability.
• Red: affected by at least one high severity vulnerability.
• Orange: affected by at least one medium severity vulnerability.
• Yellow: affected by at least one low severity vulnerability.
• Green: affected by at least one informational severity vulnerability.
• Light blue: not directly affected by vulnerabilities but has at least one vulnerable dependency.
• Grey: neither the component nor its dependencies are affected by any vulnerabilities.

The colors of the elements in columns "Direct vulnerabilities" and "Transitive vulnerabilities" indicate the severity of the vulnerabilities:

• Dark red: critical.
• Red: high.
• Orange: medium.
• Yellow:low.
• Green:informational.

The "Depth" column indicates a component's position in the dependency graph:

• A "root" value means it is a root component, meaning it resides in the innermost circle of the chart.
• An integer value represents the component's depth level within the dependency chain.

Note: since a single component may be a dependency for multiple components in different places in the dependency graph, it may be associated with multiple depths.

---

Components table will appear here...

This table focuses on vulnerabilities and shows the components that are affected either directly or transitively.
The colors of the elements in column "Vulnerability" indicate the severity of the vulnerabilities:

• Dark red: critical.
• Red: high.
• Orange: medium.
• Yellow:low.
• Green:informational.

The colors of the elements in columns "Directly vulnerable components" and "Transitively vulnerable components" indicate the vulnerability status of the components:

• Dark red: affected by at least one critical severity vulnerability.
• Red: affected by at least one high severity vulnerability.
• Orange: affected by at least one medium severity vulnerability.
• Yellow: affected by at least one low severity vulnerability.
• Green: affected by at least one informational severity vulnerability.
• Light blue: not directly affected by vulnerabilities but has at least one vulnerable dependency.

---

Vulnerabilities table will appear here...

Log will appear here...

Sunshine - SBOM visualization tool | Made by Luca Capacci | Contributor Mattia Fierro | GitHub repository | License

Initializing...