Configuring SBOM and VEX Reports

This page explains how to configure two SBOM (Software Bill of Materials) and VEX (Vulnerability Exploitability eXchange) report settings in Black Duck SCA: the default license assigned to unmatched components, and whether Black Duck Security Advisory (BDSA) IDs are included in VEX reports. Both are controlled from System Settings.

Configuring the default license for unmatched components

The license assigned to unmatched components that are auto-created when you upload a report file on the Scans page is configured on the SBOM page in System Settings.

Important: The default license applies only to components whose license value in the uploaded SBOM is NOASSERTION. Components whose license field has no value at all are not assigned the default license; they keep no license until you set one.

To set the default license:

  1. Log in to Black Duck as a System Administrator.

  2. Click the Admin button and select System Settings.

  3. Select SBOM from the left-hand menu.

  4. Select the desired license from the License Name drop-down list. The default selection is Unknown License.
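Because the default license is applied only to NOASSERTION entries, it is worth checking an SBOM before upload to see which components will actually receive it and which have an empty or missing license field and will be left without one. The following script is an added example, not Black Duck code: it reads an SPDX-style JSON SBOM, sorts packages into the three cases described above, and optionally rewrites empty or missing values to NOASSERTION so that the default license rule covers them. The sample SBOM is constructed for the example, and the choice of licenseConcluded as the field that is inspected is an assumption.

```python
import json

# Constructed SPDX-style JSON SBOM for this example; not a real Black Duck export.
SAMPLE_SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "libfoo", "versionInfo": "1.2.3", "licenseConcluded": "NOASSERTION"},
        {"name": "libbar", "versionInfo": "4.5.6", "licenseConcluded": ""},
        {"name": "libbaz", "versionInfo": "7.8.9"},  # license field absent entirely
        {"name": "libqux", "versionInfo": "0.1.0", "licenseConcluded": "MIT"},
    ],
})

# Assumption: the SPDX field whose value is compared against NOASSERTION.
LICENSE_FIELD = "licenseConcluded"


def _has_no_value(value):
    """True for an absent field, a null, or an empty/whitespace-only string."""
    return value is None or (isinstance(value, str) and not value.strip())


def classify_licenses(sbom_json, field=LICENSE_FIELD):
    """Sort packages by how the default-license rule on this page treats them.

    defaulted: value is NOASSERTION, so the configured default license is applied.
    no_value:  field is missing or empty, so the default license is NOT applied.
    declared:  a real license expression is present and is used as-is.
    """
    sbom = json.loads(sbom_json)
    result = {"defaulted": [], "no_value": [], "declared": []}
    for pkg in sbom.get("packages", []):
        label = f"{pkg.get('name')}@{pkg.get('versionInfo', '?')}"
        value = pkg.get(field)
        if value == "NOASSERTION":
            result["defaulted"].append(label)
        elif _has_no_value(value):
            result["no_value"].append(label)
        else:
            result["declared"].append(label)
    return result


def normalize_missing_licenses(sbom_json, field=LICENSE_FIELD):
    """Rewrite empty/missing license fields to NOASSERTION before upload.

    Per the rule on this page, only NOASSERTION entries receive the default
    license, so this makes those components eligible for it. Returns the
    rewritten JSON text and the number of packages changed.
    """
    sbom = json.loads(sbom_json)
    changed = 0
    for pkg in sbom.get("packages", []):
        if _has_no_value(pkg.get(field)):
            pkg[field] = "NOASSERTION"
            changed += 1
    return json.dumps(sbom, indent=2), changed


if __name__ == "__main__":
    before = classify_licenses(SAMPLE_SBOM_JSON)
    for bucket, names in before.items():
        print(f"{bucket:>9}: {', '.join(names) or '-'}")
    fixed_json, n = normalize_missing_licenses(SAMPLE_SBOM_JSON)
    print(f"rewrote {n} package(s) to NOASSERTION; after fix:",
          classify_licenses(fixed_json))
```

Run it against a real SBOM by replacing SAMPLE_SBOM_JSON with the file contents. Anything listed under no_value will not pick up the default license when uploaded; either run normalize_missing_licenses first or assign a license to those components by hand afterwards.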

Toggling the exclusion of BDSA IDs in VEX reports

You can choose whether BDSA IDs are included in VEX (Vulnerability Exploitability eXchange) reports. When the setting is On, BDSA identifiers are omitted from VEX exports; this is useful when downstream tooling expects only CVE identifiers.

To configure the toggle:

  1. Log in to Black Duck as a System Administrator.

  2. Click the Admin button and select System Settings.

  3. Select SBOM from the left-hand menu.

  4. Locate the setting labeled Exclude BDSA IDs in VEX reports.

  5. Set the toggle to On to exclude BDSA IDs from VEX reports, or Off to include them. The default is Off, so BDSA IDs are included unless you change it.
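After changing the toggle, verify a fresh VEX export rather than assuming the setting took effect, and before turning it On, know which entries in your current export are identified only by a BDSA ID, since this page does not state how such entries are represented once BDSA IDs are excluded. The following script is an added example, not Black Duck code: it walks a CycloneDX-style VEX JSON document, lists every BDSA identifier it finds anywhere in the document, lists vulnerability entries that carry a BDSA ID but no CVE ID, and reports whether the export is consistent with the toggle. The sample VEX document and its placeholder identifiers are constructed, and the BDSA-YYYY-NNNN identifier shape is an assumption.

```python
import json
import re

# Assumed identifier shapes. The zero-filled IDs below are placeholders, not real advisories.
BDSA_ID = re.compile(r"\bBDSA-\d{4}-\d+\b")
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed CycloneDX-style VEX document for this example; not a real export.
SAMPLE_VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "vulnerabilities": [
        {
            "id": "CVE-0000-00001",
            "references": [{"id": "BDSA-0000-0001", "source": {"name": "BDSA"}}],
            "analysis": {"state": "not_affected"},
        },
        {
            "id": "BDSA-0000-0002",   # identified only by a BDSA ID
            "analysis": {"state": "exploitable"},
        },
    ],
})


def _strings(node):
    """Yield every string value in a parsed JSON tree, wherever it sits."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)
    elif isinstance(node, str):
        yield node


def find_bdsa_ids(vex_json):
    """All BDSA identifiers in the document, deduplicated and sorted."""
    found = set()
    for text in _strings(json.loads(vex_json)):
        found.update(BDSA_ID.findall(text))
    return sorted(found)


def bdsa_only_entries(vex_json):
    """IDs of vulnerability entries that carry a BDSA ID but no CVE ID.

    These are the entries to review before enabling the exclusion toggle.
    """
    doc = json.loads(vex_json)
    only = []
    for entry in doc.get("vulnerabilities", []):
        texts = list(_strings(entry))
        has_cve = any(CVE_ID.search(t) for t in texts)
        has_bdsa = any(BDSA_ID.search(t) for t in texts)
        if has_bdsa and not has_cve:
            only.append(entry.get("id", "<no id>"))
    return only


def check_vex_export(vex_json, exclude_bdsa):
    """Compare an export against the toggle: with exclusion On, no BDSA ID may remain."""
    ids = find_bdsa_ids(vex_json)
    consistent = (not ids) if exclude_bdsa else True
    return {"bdsa_ids": ids, "bdsa_only_entries": bdsa_only_entries(vex_json),
            "consistent": consistent}


if __name__ == "__main__":
    for setting in (False, True):
        report = check_vex_export(SAMPLE_VEX_JSON, exclude_bdsa=setting)
        print(f"Exclude BDSA IDs = {'On' if setting else 'Off'}: {report}")
```

Point the script at an export taken after the toggle change; a consistent value of False with the toggle On means the export predates the change or still carries BDSA IDs somewhere (for example in reference lists) and should be regenerated and rechecked.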