ASPM v1.5.1
I. Highlights
FPT Smart Cloud introduces SBOM Inventory in AppSec v1.5.1 as part of the FPT Security Platform (FSP).
SBOM Inventory (Software Bill of Materials) provides visibility into all software components (dependencies) discovered in the source code and container images of integrated assets. AppSec and DevSecOps Lead teams can quickly identify supply chain risks, CVE vulnerabilities, and determine each component's impact scope across the organization. SBOM data is automatically aggregated from the most recent scan, combining source code and container image scans.
II. Released Features
1. SBOM Inventory
a. Description
SBOM Inventory provides a comprehensive view of software components (dependencies) in use across the system, including supply chain risks, vulnerabilities, and asset impact coverage. Access it from SBOM → SBOM Inventory and drill down into each component across three tabs: Supply Chain Attacks, Vulnerabilities, and Affected Assets.
b. Features
SBOM Inventory — Component List:
- Software components discovered through SCA scans (source code and container image)
- Supply chain attacks, CVEs by severity (Critical / High / Medium / Low), license, and affected asset count per component
- Filter by Ecosystem and License; search by component name
- Sort by Supply Chain Attacks, Vulnerabilities, and Affected Assets
- Filter by team scope (Org Admin sees all; User sees assigned teams)
- Pagination support
Component Detail — Supply Chain Attacks tab:
- Supply chain attack campaigns related to the component
- Campaign details: name, recommended fix, registry, malicious dependency, publication date
- Filter by Registry; search by campaign name or malicious dependency
- Click Campaign Name to view references (external link)
Component Detail — Vulnerabilities tab:
- CVEs related to the component with severity (CVSS score), CVE ID, description, fix version, Exploited In The Wild status, and Public PoC
- Filter by Severity, Exploited status, and Public PoC; search by CVE ID or description
- Click CVE ID to view details (external link)
Component Detail — Affected Assets tab:
- Assets (repositories and container images) using the component
- Asset name, integration type (GitHub / GitLab / GitLab Server / Harbor / FPT Container Registry), and most recent scan time
- Filter by Integration Type; search by asset name
c. Capacity
- Components from multiple assets and scan types (source code + container image)
- Team scope management: Org Admin sees all; User sees assigned teams
- Multiple ecosystems: Debian, npm, PyPI, Maven, and others
- Components identified uniquely by Name + Version + Ecosystem
d. Performance
- Fast component list load with default pagination of 10 items per page
- Filters and search applied instantly (AND logic)
- Data automatically aggregated from the most recent scan — no manual action required
- Large CVE counts (1–999,999) displayed with abbreviated formatting