# SBOM Explorer

Purpose
- Browse SBOM catalogs and component inventories.
- Apply overlays for vulnerabilities, reachability, and runtime usage.
- Export deterministic SBOM bundles with evidence.

Routes and scopes
- /console/sbom and /console/sbom/:digest
- sbom.read required; sbom.export for large exports; findings:read for explain.

Key views
- Catalog: searchable list of SBOMs with badges (attested, delta, snapshot).
- Inventory: components with severity, supplier, license, and tags.
- Usage: runtime usage overlays and entrypoint mapping.
- Components: provenance timeline and evidence links.
- Overlays: vulnerability, runtime, and vendor overlays with precedence metadata.
- Explain: policy explanation and VEX references.
- Exports: CycloneDX, SPDX, delta bundles, evidence bundles.

Graph overlays
- Dependency graph and optional runtime call graph overlays.
- Depth controls and node limits for performance.
- Exports to GraphML or JSON Lines when graph.export is granted.

Offline posture
- Reads from Offline Kit snapshots with staleness banners.
- Exports queue locally and produce signed bundles.

Related references
- ui/sbom-graph-explorer.md
- ui/reachability-overlays.md