Impact Analysis

Start the sandbox

Go to demo.sbom.observer and click Open Live Demo. This launches a fresh namespace with representative SBOMs, policies, and sample findings.

Open Vulnerabilities

In the left sidebar, select Vulnerabilities. This view lists every CVE found in the imported SBOMs, with severity, affected ecosystems, and policy violations.

Use the keyboard shortcut in the top-right ⌘K / Ctrl+K to jump via the search.

Find CVE-2022-1471

Use the Quick search on the page (or press /) and type CVE-2022-1471. Press Enter to find the vulnerability.

The table shows:

• Package: org.yaml:snakeyaml version 1.33
• Severity: Critical 9.8 with exploit insights
• Link to analyze impact and view affected components.

Run impact analysis

Click Analyze in the search result table and SBOM Observer expands an Impact table listing every directly affected component.

Review the columns:

• Component shows affected artifacts (for SnakeYAML you'll see dependencytrack/bundled and quay.io/keycloak/keycloak).
• Version, Type, and Ecosystem indicate how the component is distributed.
• Internal flags whether the component is owned or external.
• Vulnerabilities and Policy Violations summarize issues to help prioritize remediation.

Visualize relationships

Open the Graph tab to see how everything connects. Projects like SaaS frontend and CI/CD appear on the left, flowing into their container images, which depend on SnakeYAML.

Use this view to check who's affected and confirm that a fix (like upgrading Keycloak) removes downstream risk. It also shows VEX status, whether you added it manually or imported a VEX document attestation, so you can include affected/not affected statements in your decisions.