
depsee

Go, JavaScript, D3.js, HTML, CSS, CycloneDX, NVD API, SBOM, Application Security
April 2026
[Figure: depsee dependency graph overview]

SBOMs are easy to generate and painful to read as JSON. I wrote depsee to map a CycloneDX file into a graph: who depends on whom, where CVEs land, and which nodes matter most by blast radius and dependents. It is not a platform, just a sharp local utility.

It is a single Go binary with an embedded frontend: parse the SBOM, build the directed graph, enrich from SBOM CVE data and optionally the NVD API (with PURL to CPE matching, caching, and sane rate limits). The UI is plain JS/CSS plus D3.js: zoom, search, a detail panel, and file upload with async progress on the server.
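A sketch of the parse-and-build-graph step described above, as an added example that is not depsee's own code. It assumes "blast radius" means the number of components that transitively depend on a node; `ReverseEdges`, `BlastRadius` and the sample SBOM are hypothetical names and constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: the "dependencies" section of a CycloneDX JSON SBOM.
const sampleSBOM = `{"bomFormat": "CycloneDX", "dependencies": [
  {"ref": "app", "dependsOn": ["web", "cli"]}, {"ref": "web", "dependsOn": ["yaml", "log"]},
  {"ref": "cli", "dependsOn": ["yaml"]}, {"ref": "yaml"}, {"ref": "log"}]}`

// ReverseEdges parses the SBOM and maps each component to its direct dependents.
func ReverseEdges(raw []byte) (map[string][]string, error) {
	var bom struct {
		Dependencies []struct {
			Ref       string   `json:"ref"`
			DependsOn []string `json:"dependsOn"`
		} `json:"dependencies"`
	}
	if err := json.Unmarshal(raw, &bom); err != nil {
		return nil, fmt.Errorf("parse sbom: %w", err)
	}
	rev := make(map[string][]string)
	for _, d := range bom.Dependencies {
		for _, dep := range d.DependsOn {
			rev[dep] = append(rev[dep], d.Ref)
		}
	}
	return rev, nil
}

// BlastRadius (assumed definition): how many components reach ref transitively.
func BlastRadius(rev map[string][]string, ref string) int {
	seen, queue := map[string]bool{ref: true}, []string{ref}
	for i := 0; i < len(queue); i++ {
		for _, parent := range rev[queue[i]] {
			if !seen[parent] { // seen set handles cycles and diamond paths
				seen[parent] = true
				queue = append(queue, parent)
			}
		}
	}
	return len(seen) - 1
}

func main() {
	rev, err := ReverseEdges([]byte(sampleSBOM))
	fmt.Println("yaml dependents:", len(rev["yaml"]), "blast radius:", BlastRadius(rev, "yaml"), "err:", err)
}
```

Ranking a vulnerable component by this count rather than by its direct dependents surfaces shared leaf libraries such as `yaml` here, which has two direct dependents but affects three components.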

The hard parts were trustworthy package matching for NVD, not drowning the user in raw CVE lists, and keeping the graph legible when the tree gets dense. It was good practice in gluing backend parsing to a UI people can actually use.