The view command displays CycloneDX SBOMs in a unified, hierarchical tree format that consolidates information from various SBOM sections (components, dependencies, vulnerabilities, compositions, annotations) into an intuitive view.
- Quick Start
- Command Syntax
- Display Modes
- Output Formats
- Filtering Options
- Vulnerability Filtering
- Common Use Cases
- Configuration Flags Reference
## Quick Start

```bash
# Basic view with default settings
sbomasm view sbom.cdx.json

# Detailed view with all information
sbomasm view sbom.cdx.json --verbose

# Focus on high-severity vulnerabilities
sbomasm view sbom.cdx.json --min-severity high --only-unresolved

# License-only view
sbomasm view sbom.cdx.json --only-licenses

# Save output to file
sbomasm view sbom.cdx.json -o report.txt
```

## Command Syntax

```bash
sbomasm view <sbom-file> [flags]
```

Arguments:

- `<sbom-file>` - Path to a CycloneDX SBOM file (JSON format)
## Display Modes

Shows component hierarchy with dependencies and vulnerabilities enabled:

```bash
sbomasm view samples/cdx/sbom-with-assemblies.json
```

Output:

```
SBOM: CycloneDX 1.6
Generated: 2025-11-11 16:17:24 (7 days ago)
Serial: urn:uuid:75e19ea1-cb02-40f0-bc3a-390ab80a2b89
Tools: Dependency-Track 4.13.5, Dependency-Track 4.13.5

┌─ Final product@1.2.3 [PRIMARY] (application)
│ Type: application
│ Vulnerabilities (56):
│ - CVE-2025-26519 [HIGH] (false_positive) Score: 8.1 Source: NVD
│ - CVE-2017-7507 [HIGH] (false_positive) Score: 7.5 Source: NVD
│ - CVE-2025-59375 [HIGH] Score: 7.5 Source: NVD
│ - ALPINE-CVE-2025-26519 [HIGH] (false_positive) Source: OSV
│ - ALPINE-CVE-2017-7507 [HIGH] (false_positive) Source: OSV
│ ... and 51 more
│
│ ├─ foo@1.0.0 (container)
│ │ Type: container
│ │
│ │ Assemblies (6):
│ │ ├─ gnutls@3.8.8-r0 (library)
│ │ │ Type: library
│ │ │ Dependencies (1):
│ │ │ - musl@1.2.5-r10 (library)
│ │ │
│ │ ├─ libcrypto3@3.5.1-r0 (library)
│ │ │ Type: library
│ │ │ Dependencies (1):
│ │ │ - musl@1.2.5-r10 (library)
...

Statistics:
  Total Components: 22
  Total Dependencies: 25
  Vulnerabilities: 56 (4C, 27H, 21M, 3L, 1U)
  Components by type:
    library: 19
    application: 1
    container: 2
```
Shows all available fields including PURLs, licenses, hashes, properties, and compositions:

```bash
sbomasm view samples/cdx/sbom-with-assemblies.json --verbose
```

Output:

```
SBOM: CycloneDX 1.6
Generated: 2025-11-11 16:17:24 (7 days ago)
Serial: urn:uuid:75e19ea1-cb02-40f0-bc3a-390ab80a2b89
Tools: OWASP/Dependency-Track 4.13.5, OWASP/Dependency-Track 4.13.5

┌─ Final product@1.2.3 [PRIMARY] (application)
│ Type: application
│ Vulnerabilities (56):
│ - CVE-2025-26519 (false_positive) (HIGH) (NVD) (8.1)
│ - CVE-2017-7507 (false_positive) (HIGH) (NVD) (7.5)
│ - CVE-2025-59375 (HIGH) (NVD) (7.5)
│ - ALPINE-CVE-2025-26519 (false_positive) (HIGH) (OSV)
│ - ALPINE-CVE-2017-7507 (false_positive) (HIGH) (OSV)
│ - ALPINE-CVE-2025-9230 (HIGH) (OSV)
│ - CVE-2025-9230 (HIGH) (NVD) (7.5)
│ ... and 49 more
│
│ ├─ foo@1.0.0 (container)
│ │ Type: container
│ │ Description: Docker image for foo
│ │
│ │ Assemblies (6):
│ │ ├─ gnutls@3.8.8-r0 (library)
│ │ │ Type: library
│ │ │ PURL: pkg:apk/alpine/gnutls@3.8.8-r0?arch=x86_64&distro=3.22.1
│ │ │ Licenses (1):
│ │ │ - LGPL-2.1-or-later
│ │ │ Hashes (1):
│ │ │ - SHA-1: 730ae0e4abacd127c131d9b5aeccaeaa8178512a
│ │ │ Dependencies (1):
│ │ │ - musl@1.2.5-r10 (library) (pkg:apk/alpine/musl@1.2.5-r10?...) (MIT)
│ │ │ Properties (5):
│ │ │ - aquasecurity:trivy:LayerDiffID: sha256:c2d2b55d55c7e06865715b4e1e79699cc7b95a30...
│ │ │ - aquasecurity:trivy:PkgID: gnutls@3.8.8-r0
│ │ │ - aquasecurity:trivy:PkgType: alpine
│ │ │ - aquasecurity:trivy:SrcName: gnutls
│ │ │ - aquasecurity:trivy:SrcVersion: 3.8.8-r0
...
```
Shows only license information with minimal component details:

```bash
sbomasm view samples/cdx/sbom-with-assemblies.json --only-licenses
```

Output:

```
SBOM: CycloneDX 1.6
Generated: 2025-11-11 16:17:24 (7 days ago)
Serial: urn:uuid:75e19ea1-cb02-40f0-bc3a-390ab80a2b89
Tools: Dependency-Track 4.13.5, Dependency-Track 4.13.5

┌─ Final product@1.2.3 [PRIMARY] (application)
│ No license information

Statistics:
  Total Components: 22
  Total Dependencies: 25
  Vulnerabilities: 56 (4C, 27H, 21M, 3L, 1U)
  Components by type:
    library: 19
    application: 1
    container: 2
```
## Output Formats

Displays components in a hierarchical tree structure showing parent-child relationships and assemblies:

```bash
sbomasm view sbom.cdx.json --format tree
```

This is the default format and shows:

- Component hierarchies with visual tree structure
- Assembly relationships
- Dependencies for each component
- Vulnerabilities aggregated by component
- Nested structures with proper indentation
Displays all components as a flat list without hierarchy:

```bash
sbomasm view samples/cdx/sbom-with-assemblies.json --format flat
```

Output:

```
SBOM: CycloneDX 1.6
Generated: 2025-11-11 16:17:24 (7 days ago)
Serial: urn:uuid:75e19ea1-cb02-40f0-bc3a-390ab80a2b89
Tools: Dependency-Track 4.13.5, Dependency-Track 4.13.5

─── Component 1/22:
  Name: libexpat
  Version: 2.7.1-r0
  Type: library
  Parent: foo@1.0.0
  PURL: pkg:apk/alpine/libexpat@2.7.1-r0?arch=x86_64&distro=3.22.1
  Dependencies: 1

─── Component 2/22:
  Name: libssl3
  Version: 3.5.1-r0
  Type: library
  Parent: activemq-artemis@2.42.0-stable-0014-b05effa
  PURL: pkg:apk/alpine/libssl3@3.5.1-r0?arch=x86_64&distro=3.22.1
  Dependencies: 2

─── Component 3/22:
  Name: libxml2
  Version: 2.13.8-r0
  Type: library
  Parent: activemq-artemis@2.42.0-stable-0014-b05effa
  PURL: pkg:apk/alpine/libxml2@2.13.8-r0?arch=x86_64&distro=3.22.1
  Dependencies: 1
...
```
Outputs the component graph as structured JSON for programmatic processing:

```bash
sbomasm view sbom.cdx.json --format json -o analysis.json
```

This format is useful for:

- Integration with other tools and pipelines
- Custom processing and analysis
- Storing enriched SBOM data
- API integrations
## Filtering Options

Control how deep the tree structure is displayed:

```bash
# Limit to 2 levels deep
sbomasm view samples/cdx/sbom-with-assemblies.json --max-depth 2
```

Output:

```
SBOM: CycloneDX 1.6
Generated: 2025-11-11 16:17:24 (7 days ago)
Serial: urn:uuid:75e19ea1-cb02-40f0-bc3a-390ab80a2b89
Tools: Dependency-Track 4.13.5, Dependency-Track 4.13.5

┌─ Final product@1.2.3 [PRIMARY] (application)
│ Type: application
│ Vulnerabilities (56):
│ - CVE-2025-26519 [HIGH] (false_positive) Score: 8.1 Source: NVD
│ - CVE-2017-7507 [HIGH] (false_positive) Score: 7.5 Source: NVD
│ ... and 54 more
│
│ ├─ foo@1.0.0 (container)
│ │ Type: container
│ │
│ │ └─ (... 6 nested components - use --max-depth to expand)
│ └─ activemq-artemis@2.42.0-stable-0014-b05effa (container)
│   Type: container
│   Dependencies (6):
│   - javax.json@1.0.4 (library)
│   - netty-codec@4.1.121.Final (library)
│   ... and 4 more
│
│   └─ (... 13 nested components - use --max-depth to expand)
```
Filter components by type (library, container, operating-system, application, etc.):

```bash
# Show only library components
sbomasm view sbom.cdx.json --filter-type library

# Show multiple types
sbomasm view sbom.cdx.json --filter-type "library,container"

# Show containers and operating systems
sbomasm view sbom.cdx.json --filter-type "container,operating-system"
```

Valid component types:

- `application`
- `library`
- `framework`
- `container`
- `operating-system`
- `device`
- `firmware`
- `file`
Control how disconnected component graphs (islands) are displayed:

```bash
# Hide disconnected components (islands)
sbomasm view sbom.cdx.json --hide-islands

# Show only the primary component tree
sbomasm view sbom.cdx.json --only-primary
```

What are islands? Islands are groups of components that are not connected to the primary component tree through dependency relationships. They often represent:

- Metadata-only components
- Disconnected dependency graphs
- Components referenced in compositions but not in dependencies
## Vulnerability Filtering

Filter vulnerabilities by minimum severity level:

```bash
# Show only high and critical severity vulnerabilities
sbomasm view sbom.cdx.json --min-severity high

# Show critical vulnerabilities only
sbomasm view sbom.cdx.json --min-severity critical

# Show medium and above
sbomasm view sbom.cdx.json --min-severity medium
```

Output:

```
┌─ Final product@1.2.3 [PRIMARY] (application)
│ Type: application
│ Dependencies (2):
│ - foo@1.0.0 (container)
│ - activemq-artemis@2.42.0-stable-0014-b05effa (container)
│ Vulnerabilities (22):
│ - CVE-2025-59375 [HIGH] Score: 7.5 Source: NVD
│ - ALPINE-CVE-2025-9230 [HIGH] Source: OSV
│ - CVE-2025-9230 [HIGH] Score: 7.5 Source: NVD
│ - CVE-2025-58056 [HIGH] Score: 7.5 Source: NVD
│ - CVE-2025-58057 [HIGH] Score: 7.5 Source: NVD
│ ... and 17 more
```

Severity levels (from highest to lowest):

- `critical` - Critical vulnerabilities (CVSS 9.0-10.0)
- `high` - High severity (CVSS 7.0-8.9)
- `medium` - Medium severity (CVSS 4.0-6.9)
- `low` - Low severity (CVSS 0.1-3.9)
Show only vulnerabilities that require action (excludes false positives, not affected, and resolved):

```bash
sbomasm view sbom.cdx.json --only-unresolved

# Combine with severity filtering
sbomasm view sbom.cdx.json --min-severity high --only-unresolved
```

This filters out vulnerabilities with these analysis states:

- `false_positive` - Confirmed false positive
- `not_affected` - Component not affected
- `resolved` - Vulnerability resolved
- `resolved_with_patchable_fix` - Resolved with patch

And shows vulnerabilities in these states:

- `exploitable` - Confirmed exploitable
- `in_triage` - Under investigation
- `requires_response` - Requires action
- (empty/unknown states are considered unresolved)
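The severity floor and the resolved/unresolved split described above, applied directly to a CycloneDX document so a pipeline can fail on what `--min-severity high --only-unresolved` would still show. This is an added Python example, not sbomasm's own code: the state list and severity ranks are taken from this page, the SBOM fragment is constructed inline, and `EXAMPLE-0001` is a placeholder id.

```python
import json

# Severity ranking and the analysis states the docs list as "resolved";
# anything else, including an empty or unknown state, counts as unresolved.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
RESOLVED_STATES = {"false_positive", "not_affected", "resolved",
                   "resolved_with_patchable_fix"}

# Constructed CycloneDX 1.6 fragment (not a real SBOM). The first three
# findings mirror entries shown in the docs; "EXAMPLE-0001" is a placeholder.
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "vulnerabilities": [
    {"id": "CVE-2025-26519", "analysis": {"state": "false_positive"},
     "ratings": [{"severity": "high", "score": 8.1, "source": {"name": "NVD"}}]},
    {"id": "CVE-2025-59375",
     "ratings": [{"severity": "high", "score": 7.5, "source": {"name": "NVD"}}]},
    {"id": "ALPINE-CVE-2025-9230", "analysis": {"state": "in_triage"},
     "ratings": [{"severity": "high", "source": {"name": "OSV"}}]},
    {"id": "EXAMPLE-0001", "analysis": {"state": "exploitable"},
     "ratings": [{"severity": "medium", "score": 5.0, "source": {"name": "NVD"}}]}
  ]
}""")

def highest_severity(vuln):
    """A finding may carry several ratings; rank it by the most severe one."""
    sevs = (r.get("severity", "").lower() for r in vuln.get("ratings", []))
    return max(sevs, key=lambda s: SEVERITY_RANK.get(s, 0), default="unknown")

def is_unresolved(vuln):
    return vuln.get("analysis", {}).get("state", "") not in RESOLVED_STATES

def filter_vulns(bom, min_severity=None, only_unresolved=False):
    """Return the ids that --min-severity / --only-unresolved would keep."""
    floor = SEVERITY_RANK.get((min_severity or "").lower(), 0)
    kept = []
    for v in bom.get("vulnerabilities", []):
        if SEVERITY_RANK.get(highest_severity(v), 0) < floor:
            continue
        if only_unresolved and not is_unresolved(v):
            continue
        kept.append(v["id"])
    return kept

def ci_gate(bom, min_severity="high"):
    """Fail the pipeline when any unresolved finding at or above the floor remains."""
    hits = filter_vulns(bom, min_severity, only_unresolved=True)
    return len(hits) == 0, hits

if __name__ == "__main__":
    print(ci_gate(SAMPLE_BOM))  # (False, ['CVE-2025-59375', 'ALPINE-CVE-2025-9230'])
```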
## Common Use Cases

Identify all critical and high severity unresolved vulnerabilities:

```bash
sbomasm view sbom.cdx.json \
  --min-severity high \
  --only-unresolved \
  --verbose \
  -o security-audit.txt
```

Extract all license information for compliance review:

```bash
sbomasm view sbom.cdx.json \
  --only-licenses \
  -o license-report.txt
```

Understand component dependencies without vulnerability noise:

```bash
sbomasm view sbom.cdx.json \
  --dependencies \
  --vulnerabilities=false \
  --annotations=false \
  --max-depth 3
```

Get a high-level overview of the SBOM:

```bash
sbomasm view sbom.cdx.json \
  --max-depth 2 \
  --hide-islands \
  --dependencies=false
```

Focus on container and OS components:

```bash
sbomasm view sbom.cdx.json \
  --filter-type "container,operating-system" \
  --verbose \
  --licenses
```

Generate a comprehensive report with all available information:

```bash
sbomasm view sbom.cdx.json \
  --verbose \
  -o full-report.txt
```

Export SBOM analysis as JSON for automated processing:

```bash
sbomasm view sbom.cdx.json \
  --format json \
  -o sbom-analysis.json

# Suppress warnings for cleaner CI/CD output
sbomasm view sbom.cdx.json \
  --format json \
  --quiet \
  -o sbom-analysis.json
```

View large SBOMs efficiently:

```bash
sbomasm view large-sbom.cdx.json \
  --max-depth 3 \
  --hide-islands \
  --only-unresolved \
  --min-severity medium
```

## Configuration Flags Reference

| Flag | Short | Default | Description |
|---|---|---|---|
| `--verbose` | `-V` | false | Show all available fields (overrides individual flags) |
| `--dependencies` | | true | Show dependencies section |
| `--vulnerabilities` | `-v` | true | Show vulnerabilities section |
| `--annotations` | `-a` | true | Show annotations section |
| `--compositions` | `-c` | false | Show compositions section |
| `--properties` | `-p` | false | Show custom properties |
| `--hashes` | | false | Show component hashes (SHA-1, SHA-256, etc.) |
| `--licenses` | `-l` | false | Show license information |
| `--only-licenses` | | false | Show only licenses (minimal component details) |

| Flag | Default | Description |
|---|---|---|
| `--max-depth <int>` | 0 | Maximum tree depth to display (0 = unlimited) |
| `--filter-type <types>` | "" | Filter by component type (comma-separated) |
| `--hide-islands` | false | Don't show disconnected components |
| `--only-primary` | false | Only show primary component tree |

| Flag | Default | Description |
|---|---|---|
| `--min-severity <level>` | "" | Minimum vulnerability severity (low\|medium\|high\|critical) |
| `--only-unresolved` | false | Only show unresolved vulnerabilities |

| Flag | Short | Default | Description |
|---|---|---|---|
| `--format <format>` | | tree | Output format: tree, flat, json |
| `--output <file>` | `-o` | stdout | Write output to file instead of stdout |
| `--no-color` | | false | Disable colored output |
| `--quiet` | `-q` | false | Suppress all warnings |
When multiple flags are used, the following precedence applies:

1. `--only-licenses` - Overrides all other detail flags
2. `--verbose` - Enables all detail flags (except only-licenses)
3. Individual flags - Applied when neither only-licenses nor verbose is set

Examples:

```bash
# verbose is ignored, only-licenses takes precedence
sbomasm view sbom.cdx.json --verbose --only-licenses

# verbose enables all flags, individual flag values are ignored
sbomasm view sbom.cdx.json --verbose --dependencies=false
# (dependencies will still be shown because verbose overrides)

# Individual flags work when neither verbose nor only-licenses is set
sbomasm view sbom.cdx.json --licenses --hashes --properties
```

The view command automatically detects terminal color support and adjusts output accordingly.

```bash
# Explicitly disable colors (useful for file output or non-color terminals)
sbomasm view sbom.cdx.json --no-color

# Colors are auto-disabled when outputting to file
sbomasm view sbom.cdx.json -o report.txt
```

Color coding in terminal output:

- Green - Component names and versions
- Yellow - Warnings and important metadata
- Red - Critical and high severity vulnerabilities
- Blue - Links, PURLs, and references
- Cyan - Section headers
For large SBOMs, consider these options to improve performance and readability:

```bash
# Use max-depth to limit tree traversal
sbomasm view large-sbom.cdx.json --max-depth 3

# Hide islands to reduce clutter
sbomasm view large-sbom.cdx.json --hide-islands

# Filter to specific component types
sbomasm view large-sbom.cdx.json --filter-type library

# Disable verbose output for faster rendering
sbomasm view large-sbom.cdx.json --verbose=false

# Use flat format for simpler processing
sbomasm view large-sbom.cdx.json --format flat
```

The viewer may show warnings about graph structure issues:

```
Warning: Graph validation found issues:
  - dangling dependency reference: Final product@1.2.3 -> foo@1.0.0:672de6c2...
```
These warnings indicate:
- Dangling dependency references: Dependencies that reference components not in the SBOM
- Missing components: Components referenced but not defined
- Circular dependencies: Components that form dependency cycles
These are informational and don't prevent viewing, but may indicate SBOM quality issues.
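The islands defined under Filtering Options and the dangling-reference warning above, checked directly on a CycloneDX document so an SBOM can be validated before it is consumed. This is an added Python example, not sbomasm's implementation: the SBOM fragment is constructed inline with placeholder bom-refs, only top-level components and `dependencies` edges are considered (nested assemblies and cycle detection are left out), and the hypothetical `missing-ref` and `ghost` entries stand in for a dangling reference and an island.

```python
import json
from collections import deque

# Constructed CycloneDX 1.6 fragment (not a real SBOM). Names follow the docs'
# sample; "ghost" is an island and "missing-ref" is a dangling reference.
# Nested assemblies (components inside components) are not modelled here.
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "metadata": {"component": {"bom-ref": "final", "name": "Final product", "version": "1.2.3"}},
  "components": [
    {"bom-ref": "foo", "name": "foo", "version": "1.0.0", "type": "container"},
    {"bom-ref": "gnutls", "name": "gnutls", "version": "3.8.8-r0", "type": "library"},
    {"bom-ref": "musl", "name": "musl", "version": "1.2.5-r10", "type": "library"},
    {"bom-ref": "ghost", "name": "ghost-lib", "version": "0.1", "type": "library"}
  ],
  "dependencies": [
    {"ref": "final", "dependsOn": ["foo", "missing-ref"]},
    {"ref": "foo", "dependsOn": ["gnutls"]},
    {"ref": "gnutls", "dependsOn": ["musl"]}
  ]
}""")

def graph_of(bom):
    """Adjacency list from the dependencies section, plus the primary bom-ref."""
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    primary = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    return edges, primary

def dangling_references(bom):
    """dependsOn targets that neither a component nor the primary declares as bom-ref."""
    edges, primary = graph_of(bom)
    known = {c.get("bom-ref") for c in bom.get("components", [])} | {primary}
    return sorted(f"{src} -> {dst}" for src, dsts in edges.items()
                  for dst in dsts if dst not in known)

def islands(bom):
    """Components with no dependency path from the primary component (BFS)."""
    edges, primary = graph_of(bom)
    seen, queue = set(), deque([primary] if primary else [])
    while queue:
        node = queue.popleft()
        if node not in seen:
            seen.add(node)
            queue.extend(edges.get(node, []))
    return sorted(c["bom-ref"] for c in bom.get("components", [])
                  if c.get("bom-ref") not in seen)

if __name__ == "__main__":
    print(dangling_references(SAMPLE_BOM), islands(SAMPLE_BOM))
```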
To suppress these warnings, use the `--quiet` or `-q` flag:

```bash
sbomasm view sbom.cdx.json --quiet
```

If the view shows no components after filtering:

```bash
# Check what component types exist
sbomasm view sbom.cdx.json --format json | jq '.components[].type' | sort -u

# Remove filters to see all components
sbomasm view sbom.cdx.json --filter-type ""

# Check if only-primary is hiding islands
sbomasm view sbom.cdx.json --only-primary=false
```

- assemble - Merge multiple SBOMs
- edit - Modify SBOM metadata
- enrich - Enrich SBOMs with missing information
- Package Documentation - For developers using the view package as a library
More examples are available in the samples/ directory:

```bash
# View various sample SBOMs
sbomasm view samples/cdx/sbom-with-assemblies.json
sbomasm view samples/cdx/product.json
```