This section introduces you to the Components tab in Kiuwan Insights.
Components Inventory
Kiuwan Insight analyzes your application software, discovers all external dependencies, and builds a components inventory that lets you track any external piece of code that could be part of your application.
Go to Insights > Components to access the components inventory.
The Components Inventory section shows the following information:
- Overall Information on Components – aggregated information on the number and type of components
- List of Components – detailed listing of components
- Component detail – detailed information on the selected component
Overall Information on Components
- Number of components by language
- Number of components by Security Risk level (High, Medium, Low, and None)
- Alerts :
- Components with High-Security Risk
- Components being used with different versions that might cause conflicts
- Etc.
List of Components
Kiuwan Insights provides a full list of all the components your application uses.
For every 3rd party component, you will have access to detailed component information such as:
| Name | Description |
| Component name | Name of the component |
| Version | The version(s) in use |
| Filename | The physical container (.jar, .dll, .js, etc) |
| Language | The programming language it is written in. |
| Obsolescence risk |
A component’s Obsolescence Risk is a measure of the risk level relative to:
Both values are combined in the Obsolescence Risk to provide a value of the risk associated with using outdated or “dead” components. Please visit Obsolescence Risk for further information. |
| License risk |
A component’s License Risk is a measure of the risk level relative to the legal implications of used components’ licenses. Please visit Insights Licenses for further information. |
| Security risk |
A component’s Security Risk is based on CVSS v2 Base Scores (Severities) of its vulnerabilities:
|
Component details
By clicking on a component, you will have access to the following information:
- The description of the component
- The license of the component
- Found vulnerabilities of the selected component:
- CVE identifier, and link to NIST National Vulnerability Database desc page
- CWE type, and link to MITRE Common Weakness Enumeration desc page
- Vulnerability description
- Severity (more on this at Security Risk )
Duplicated components
With Kiuwan Insights you can identify different versions of the same component your application uses.
The example below shows that the analyzed application incorporates two different versions of ZKoss common library: 8.0.1 and 6.0.0
Most probably, this component duplication is not intended, and it’s something that would produce maintainability headaches when upgrading to a newer version of the library.
Software Bill of Materials (SBOM)
A Software Bill of Materials (SBOM) report is an inventory of package dependencies within your application. SBOMs provide detailed information about your application’s dependencies, including licensing, version numbers, and transitive dependencies, allowing teams to maintain compliance with licensing and regulatory requirements, respond to vulnerability reports and incidents, and improve transparency and trust with partners and customers.
Kiuwan also supports exporting your components as a Software Bill of Materials (SBOM) report. To export the report, open the menu next to Components and select SBOM - JSON or SBOM - XML
This export will follow the CycloneDX specification and include all required fields. These exports are also available via the Kiuwan API.
Below is an example of the output you will receive:
{
"bomFormat" : "CycloneDX",
"specVersion" : "1.6",
"serialNumber" : "urn:uuid:94bcce8b-8c09-45b8-9d27-000f02394af6",
"version" : 1,
"metadata" : {
"timestamp" : "2025-08-08T14:36:17.470Z",
"component" : {
"name" : "App-1",
"type" : "application"
}
},
"components" : [ {
"name" : "jackson-annotations",
"type" : "library",
"version" : "2.14.2",
"description" : "Core annotations used for value types, used by Jackson data binding package.\n ",
"group" : "com.fasterxml.jackson.core",
"licenses" : [ {
"license" : {
"id" : "Apache-2.0",
"url" : "https://spdx.org/licenses/Apache-2.0.html"
}
} ],
"purl" : "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.2"
}, …
],
"dependencies" : [ {
"ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.2"
}, …
]
}