FAQ

General

Updated: 2024-11-16 MAIA

No, MAIA Software does not require a specific development process, but...

there are two activities that are fundamental to cross-tool traceability and to the "one source of truth" that gives everyone a common view of the development pipeline:

  1. Use an Issue Tracking tool (ITS) for planning and follow-up of work items such as Stories, Sub-tasks, Bugs, etc.
  2. Commit code with a traceable reference in the commit message to a work item in the ITS.

Activities

Updated: 2024-11-20 MAIA

An activity pipeline is a series of activities performed in a predetermined order to deliver a final result.

Create a pipeline by chaining the activities with links between the activities.

Example: to dynamically link a checkout activity to a build activity.

In the MAIA Agent client software:

  1. Generate a UUID (universally unique identifier) from the environment.
  2. Check out a component (here OpenSSL), passing the UUID to initiate an activity in the WebApp.
  3. Save that UUID as parent-uuid and generate a new UUID.
  4. Start building the component, providing both the new UUID and the parent-uuid. This initiates a second activity linked to the first one, which creates a basic pipeline.

# 1. fresh uuid from the kernel
uuid=$(cat /proc/sys/kernel/random/uuid)
# 2. checkout activity, identified by that uuid
bundle exec maia checkout --component openssl --track main --activity-uuid "$uuid"
# 3. remember it as the parent and mint a new one
parent_uuid=$uuid; uuid=$(cat /proc/sys/kernel/random/uuid)
# 4. build activity linked to the checkout activity
bundle exec maia build --component openssl --parent-activity-uuid "$parent_uuid" --activity-uuid "$uuid"

External artifacts

Updated: 2024-11-21 MAIA
Updated: 2024-11-16 MAIA

An 'external artifact' refers to any software component or module that is not developed in-house but is used in the system. When such an artifact is registered, it is assigned to a component with the same 'name', which may be a combination of type, vendor and product name.

Example: the artifact pkg gem/ruby/matrix@0.4.2 gets the component name gem:ruby/matrix. If the component exists, the artifact is assigned to it. If not, a new component is created.

When opening the component show page, a table presents all artifacts and versions registered by the system.

Updated: 2024-11-16 MAIA

An SBOM describes a version of a software library, application, firmware, etc. When such an artifact is registered, it is assigned a Product identity, i.e. the combination of group (vendor) and name.

Example: An SBOM representing the application com.t2data/epss_cloud@1.3.4 gets the product identity com.t2data/epss_cloud. If the product exists, the artifact will be assigned to it. If not, a new product is created.

When opening the product show page, a table presents all artifacts and versions registered by the system.

For SBOMs, the history is also controlled by the collection of Tags.

To have a reference to a previous version of any software, both identity and tag collection must correspond.

Updated: 2024-10-29 MAIA & SBOM Central

See the entry below on how Vcs, Homepage and Alt. link are used.

Alt. link is an alternate, manually inserted link address to a component source, superseding Vcs and Homepage. When an Alt. link is added, all versions registered in MAIA/SBOMC (current, previous and future) will use it.

Example:

  • Pages referenced in this example:

    • openssl 1.1.1o (component/version) show page.
    • openssl component index page.
    • openssl component edit dialog.
  • The component is openssl 1.1.1o.

  • Weblink is set to openssl.org, which has no API usable by MAIA.

  • No update information available.

  • Action 1: open the component index page by clicking the openssl/openssl link at the top of the information section.

  • Action 2: find the openssl component on a repository service integrated with MAIA/SBOMC.
  • OpenSSL is monitored by the Release Monitoring web service (release-monitoring.org).
  • The Release Monitoring API is integrated with MAIA/SBOMC.
  • Action 3: search for openssl on the release-monitoring page.
  • The search returns 39 different projects for openssl. Here the first project (openssl.org) matches our component.
  • Action 4: select the openssl link to open the project page.

  • Check that the openssl project page matches what is known about your component (name, homepage, the versions you use). The Alt. link decides which upstream feed MAIA/SBOMC trusts for version status, so pointing it at the wrong project gives wrong update information for every version of the component.
  • Action 5: copy the release-monitoring project web address, https://release-monitoring.org/project/2566/

  • Action 6: click the Edit button to change the component information.

  • Action 7: paste the web address into the Alt. link field.
  • Action 8: save and close.

  • The component index page is updated.
  • The Alt. link in the information section is updated.
  • All weblinks, for each version, in the table are updated.

  • Data in the openssl 1.1.1o show page is updated.
  • Later, when the external artifact update job is executed, the MAIA/SBOMC services will update the version status for openssl 1.1.1o.

Updated: 2024-11-16 MAIA

See the entry below on how Vcs, Homepage and Alt. link are used.

Alt. link is an alternate, manually inserted link address to a component source, superseding Vcs and Homepage. When an Alt. link is added, all versions registered in MAIA (current, previous and future) will use it.

Example:

  • Pages referenced in this example:

    • actioncable 6.1.5 (component/version) show page.
    • actioncable component index page.
    • actioncable component edit dialog.
  • The component is actioncable 6.1.5.

  • Weblink is set to rubyonrails.org, which has no API usable by MAIA/SBOMC.

  • No update information available.

  • Action 1: open the component index page by clicking the actioncable link at the top of the information section.

  • Action 2: find the actioncable component on a repository service integrated with MAIA/SBOMC.
  • actioncable is a gem, so it is published on RubyGems.
  • The RubyGems API is integrated with MAIA.
  • Action 3: copy the actioncable web address, https://rubygems.org/gems/actioncable

  • Back on the actioncable component index page:
  • Action 4: click the Edit button to change the component information.

  • Action 5: paste the web address into the Alt. link field.
  • Action 6: save and close.

  • The component index page is updated.
  • The Alt. link in the information section is updated.
  • All weblinks, for each version, in the table are updated.

  • Data in the actioncable 6.1.5 show page is updated.
  • Later, when the external artifact update job is executed, the MAIA/SBOMC services will update the version status for actioncable 6.1.5.

Updated: 2024-11-21 MAIA

MAIA can continuously examine the status of included software artifacts. If a new release is detected, the "Update available" tag will be set.

The information about the release status is provided by the Information Services.

Updated: 2024-11-16 MAIA

Homepage is the link address of the home page of the project that produces the artifact.

Vcs is a link address to the repository containing the artifact.

If one of the link addresses is:

  1. to a repository hosting service, and...
  2. the hosting service has an API, and...
  3. MAIA is integrated with the hosting service, ...

...then MAIA will be able to check the version status of the external artifact.

Homepage and Vcs are set automatically by the system (where possible). The Homepage link may be modified manually, but when the artifact is upgraded the Homepage for the new version is set again by the system, so the manual modification does not carry over.

Alt. link is an alternate, manually inserted link address to the source, superseding the Vcs and Homepage links. When an Alt. link is added, all versions registered in MAIA (current, previous and future) will use it. A common and helpful situation for the use of Alt. link is when the artifact's own source links don't meet requirements 1-3 above, but a code mirroring site does.

MAIA is prioritizing the links as follows:

  1. Alt. link
  2. Vcs
  3. Homepage

Updated: 2024-11-16 MAIA

A Component is a unit of software identified by its name. An Artifact is a single occurrence of the component i.e. a version of a component.

Updated: 2024-11-21 MAIA

Currently the SemVer system is the norm, with some extensions. Semantic Versioning (SemVer) is a numbering scheme with numbers separated by dots, e.g. 1.0.2.

The focus is on final releases. Pre-releases, betas, etc. will normally not be considered when examining the version status.

Examples:

  • Characters preceding the number series are omitted: rev_1.2.3 or v1.2.3 are treated as 1.2.3.
  • Characters directly following the number series are accepted: 1.2.3k or 1.2.3ac.
  • Versions with a suffix introduced by a hyphen, underscore, dot, etc. are rejected as pre-releases: 1.2.3-pre1 or 1.2.3.rc1.
  • Underscores inside the number series are accepted: 1_2_3 is treated as 1.2.3.

Other variants may be applicable.

Updated: 2024-11-21 MAIA

An artifact refers to the physical files that make up a specific version of a software component, application, etc.

An "External artifact" refers to an artifact that is normally not part of the internal, version-controlled source code development, i.e. an external dependency that is downloaded and included in an application, library, etc.

There are no requirements regarding the origin of an external artifact in MAIA; it is a designation rather than a constraint.

Updated: 2024-11-21 MAIA

There could be several reasons why the new release of an external artifact doesn't get an "Update available"-tag.

For example:

  1. The artifact source address (Homepage/Vcs/Alt. link) doesn't represent a repository hosting service with an API that MAIA is integrated with.
  2. The Information Services have not updated the information yet (the cache is not renewed).
  3. The version number and date are ambiguous.
  4. The version number and date cannot be interpreted by MAIA.

Updated: 2024-10-29 MAIA

There are a number of reasons why the version status cannot be resolved for an external artifact, setting it to Unresolved.

First: for a status to be Unresolved at all, MAIA must be integrated with an external service providing the data; otherwise the status is No data.

Integration examples:

  • The artifact source address is stored in MAIA as Homepage, Vcs or Alt. link, and the link references a repository hosting service with an API integrated with MAIA.
  • Artifact information is found in an external monitoring service with an API integrated with MAIA.

Then, if:

  1. the artifact version you are using doesn't exist at the repository hosting service, or...
  2. there are version-format ambiguities, for the artifact version a) you are using and/or b) at the repository hosting service, or...
  3. there are version date ambiguities at the repository hosting service,

the verdict for the version status will be Unresolved.
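As an added example (not MAIA's own code), the Ruby below puts the version normalisation rules from the versioning entry above together with the No data / Unresolved / Update available decision described in the last two entries. It implements only the four listed rules (the "other variants" are not covered); the integrated-service flag, the upstream release list and its dates are constructed for the example, and treating a missing or conflicting release date, or two upstream entries collapsing into one version, as an ambiguity is my reading of the entry, not a documented MAIA rule.

```ruby
# Canonical form: digits separated by dots, optionally followed by letters
# (OpenSSL-style 1.1.1o). Anything else is not a final release.
NORMAL_VERSION = /\A(\d+(?:[._]\d+)*)([A-Za-z]*)\z/

# Rule 1: drop everything before the number series (rev_, v, openssl-, ...).
# Rule 2: letters directly after the series are kept (1.2.3k, 1.2.3ac).
# Rule 3: a suffix introduced by '-', '_', '.' etc. (1.2.3-pre1, 1.2.3.rc1)
#         marks a pre-release; the function returns nil for it.
# Rule 4: underscores inside the series are read as dots (1_2_3 -> 1.2.3).
def normalize_version(raw)
  s = raw.to_s.strip.sub(/\A\D*/, '')
  m = NORMAL_VERSION.match(s)
  return nil unless m
  "#{m[1].tr('_', '.')}#{m[2]}"
end

# Sort key: numeric parts as integers, then the letter suffix as a string,
# so 1.1.1n < 1.1.1o < 1.1.2 and 1.0.2 < 1.0.2a.
def version_key(normalized)
  m = NORMAL_VERSION.match(normalized)
  [m[1].split('.').map(&:to_i), m[2]]
end

def newer?(candidate, current)
  (version_key(candidate) <=> version_key(current)) == 1
end

# Version status for one external artifact.
#   source:    hash for the link MAIA resolved (Alt. link > Vcs > Homepage);
#              nil or integrated: false means no usable information service.
#   current:   version string registered in MAIA
#   published: [[version_string, release_date], ...] from the service
# Returns :no_data, :unresolved, :update_available or :up_to_date.
def version_status(source, current, published)
  return :no_data unless source && source[:integrated]
  cur = normalize_version(current)
  return :unresolved if cur.nil?                      # our own version is ambiguous
  releases = published.map { |v, date| [normalize_version(v), date] }
                      .reject { |v, _| v.nil? }       # pre-releases are ignored
  return :unresolved unless releases.any? { |v, _| v == cur } # not found upstream
  # Two upstream entries collapsing to one version, or a missing date, is
  # treated as an ambiguity (assumption, see lead-in).
  ambiguous = releases.group_by(&:first).any? do |_, rs|
    rs.size > 1 || rs.first.last.nil?
  end
  return :unresolved if ambiguous
  releases.any? { |v, _| newer?(v, cur) } ? :update_available : :up_to_date
end

# Constructed data: an Alt. link resolving to an integrated monitoring service
# and a release list in that service's naming style (dates are illustrative).
RELEASE_MONITORING = { integrated: true }.freeze
OPENSSL_RELEASES = [
  ['openssl-1.1.1n', '2022-03-15'],
  ['openssl-1.1.1o', '2022-05-03'],
  ['openssl-1.1.1p', '2022-06-21'],
  ['openssl-3.0.0-beta1', '2021-06-17']
].freeze

if __FILE__ == $PROGRAM_NAME
  puts version_status(RELEASE_MONITORING, '1.1.1o', OPENSSL_RELEASES) # update_available
  puts version_status(nil, '1.1.1o', OPENSSL_RELEASES)                # no_data
end
```

The order of checks mirrors the entries: no integrated source gives No data before anything else is looked at; only then can an unparseable or unknown version, or an ambiguous upstream list, produce Unresolved; and only a clean match against upstream can yield "Update available", which the 3.0.0 beta never triggers.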

Information services

Updated: 2024-11-20 MAIA
Updated: 2024-06-25

MAIA and SBOMC are integrated with external services to provide users with updates on software security and health information.

The list of integrated services is continuously growing:

Security services:

  • NVD (National Vulnerability Database).
  • OSV (Open Source Vulnerabilities).
  • CISA Known Exploited Vulnerabilities Catalog.
  • EPSS (Exploit Prediction Scoring System).
  • AlienVault Open Source Threat Intelligence.
  • Debian (Security service).
  • Alpine (Security service).

Dictionary services:

  • NVD (National Vulnerability Database).

Health information services:

  • GitHub.
  • RubyGems.
  • PyPI.
  • npm.
  • NuGet.
  • GitLab.
  • Bitbucket.
  • release-monitoring.
  • Debian.
  • Alpine.

Products

Updated: 2024-11-16 MAIA & SBOM Central

An SBOM is a comprehensive inventory of all components and dependencies that make up a version of a software application, library, firmware etc. When such an artifact is registered in MAIA/SBOMC, it is assigned a Product identity, i.e. the combination of group (vendor) and name.

Example: An SBOM representing the application com.t2data/epss_cloud@1.3.4 gets the product identity com.t2data/epss_cloud. If the product exists, the artifact will be assigned to it. If not, a new product is created.

In the CycloneDX standard the application is registered in metadata :: component :: group (often a shortened, single name of the company or project that produced the component, or the source package or domain name) and metadata :: component :: name (the name of the component).

When opening the product show page, a table presents all artifacts and versions registered by the system.

For SBOMs, the history is also controlled by the collection of Tags.

To have a reference to a previous version of any software, both identity and tag collection must correspond.
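As an added example (not MAIA's or SBOM Central's code), the Ruby below shows the two identity derivations this FAQ describes: the Product identity taken from metadata :: component :: group and name of a CycloneDX SBOM (this entry), and the component name derived from an external artifact's package identifier, following the gem/ruby/matrix example in the External artifacts section. The SBOM document is constructed for the example; the purl syntax (pkg:type/namespace/name@version) and the mapping to type:namespace/name are assumed from that example, and the accepted spec versions come from the SBOMs entry below.

```ruby
require 'json'

# Spec versions the FAQ says are accepted (CycloneDX 1.3-1.6, JSON).
SUPPORTED_SPEC = %w[1.3 1.4 1.5 1.6].freeze

# Constructed CycloneDX document, not a real SBOM, reduced to the fields that
# decide identity. Field names are CycloneDX's own.
SAMPLE_SBOM = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
      "component": {
        "type": "application", "group": "com.t2data",
        "name": "epss_cloud", "version": "1.3.4"
      }
    },
    "components": [
      { "type": "library", "name": "matrix", "version": "0.4.2",
        "purl": "pkg:gem/ruby/matrix@0.4.2" },
      { "type": "library", "name": "openssl", "version": "1.1.1o",
        "purl": "pkg:generic/openssl/openssl@1.1.1o" },
      { "type": "library", "name": "vendored-thing", "version": "0.1" }
    ]
  }
JSON

# Product identity = metadata.component.group "/" name (just the name when
# the SBOM carries no group). Returns [identity, version].
def product_identity(sbom)
  meta  = sbom.fetch('metadata').fetch('component')
  name  = meta.fetch('name')
  group = meta['group'].to_s
  [group.empty? ? name : "#{group}/#{name}", meta['version']]
end

# Component name from a purl, following the FAQ's example
# pkg:gem/ruby/matrix@0.4.2 -> gem:ruby/matrix (type ":" namespace "/" name).
# "@version", "?qualifiers" and "#subpath" are not part of the name.
def component_name_from_purl(purl)
  body = purl.sub(/\Apkg:/, '').split('#', 2).first.split('?', 2).first
  body = body.sub(%r{@[^@/]*\z}, '')
  type, rest = body.split('/', 2)
  raise ArgumentError, "no component name in #{purl.inspect}" if rest.to_s.empty?
  "#{type}:#{rest}"
end

def add_version(table, key, version)
  list = (table[key] ||= [])
  list << version unless list.include?(version)
end

# Register one SBOM: the product receives the SBOM's own version and every
# component with a purl receives its artifact version. A matching identity
# reuses the existing product/component; otherwise a new entry is created.
def register_sbom(sbom_json, products = {}, components = {})
  sbom = JSON.parse(sbom_json)
  spec = sbom['specVersion'].to_s
  unless sbom['bomFormat'] == 'CycloneDX' && SUPPORTED_SPEC.include?(spec)
    raise ArgumentError, "unsupported document: #{sbom['bomFormat']} #{spec}"
  end
  identity, version = product_identity(sbom)
  add_version(products, identity, version)
  sbom.fetch('components', []).each do |c|
    next unless c['purl'] # without a purl there is nothing to map to a component
    add_version(components, component_name_from_purl(c['purl']), c['version'])
  end
  [products, components]
end

if __FILE__ == $PROGRAM_NAME
  products, components = register_sbom(SAMPLE_SBOM)
  p products   # {"com.t2data/epss_cloud"=>["1.3.4"]}
  p components # {"gem:ruby/matrix"=>["0.4.2"], "generic:openssl/openssl"=>["1.1.1o"]}
end
```

Registering the same document twice leaves one product with one version, which is the "if the product exists, the artifact is assigned to it" behaviour; a component without a purl is skipped, since nothing in the document identifies which external component it belongs to.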

SBOMs

Updated: 2024-11-22 MAIA

Currently CycloneDX 1.3 to 1.6 (JSON) is supported.

Security

Updated: 2024-11-20 MAIA
Updated: 2024-06-25

Are detected vulnerabilities continuously monitored regarding status changes?

The answer is yes!

Example: the notification page shows both added and removed vulnerabilities.

  1. MAIA/SBOMC detects a new vulnerability affecting a component that is included in several deliveries.
  2. All deliveries that have monitoring activated generate a notification message and an email.
  3. When opening the NVD page, an "undergoing reanalysis" message is presented.
  4. We decide to wait for the result of the reanalysis before making any evaluation of the vulnerability.
  5. We tick off the notification.
  6. A new notification message appears, this time a removed-vulnerability message. What does that mean?
  7. A previously detected vulnerability has been rejected, and all affected deliveries monitored in MAIA/SBOMC have been updated.

Updated: 2024-11-20

MAIA assigns an internal Priority parameter to all vulnerabilities. The table that contains vulnerabilities for the Built artifact is sorting them by Priority, starting with Critical at the top, and within each group, the vulnerabilities are sorted by identity.

By default, the Priority is set to Priority=CVSS, i.e., Low, Medium, High, or Critical. The priority may automatically be set to None by an external information service collecting Patch data.

The Priority may in a later stage be changed in the Analysis process.

Updated: 2024-11-21 MAIA

The CVSS (Common Vulnerability Scoring System) assigns a score to a vulnerability, rating its severity from 0 to 10. The overall CVSS score is composed of three groups of metrics (Base, Temporal, Environmental), each with several sub-metrics.

The value of the overall CVSS score may depend on the context, i.e. whether the score is of the general type or related to a specific software.

  1. General type -- the CVSS score may be composed of:
    • Base metrics and Temporal metrics.
    • If a vulnerability Analysis with modified Environmental metrics is saved without a Tag, the decision affects all "un-tagged" variants of the vulnerable software and environments. In that case the Environmental metrics are part of the overall CVSS score.
  2. Build type -- related to a specific software (Build/SBOM): the CVSS score may be composed of:
    • If a vulnerability Analysis with modified Environmental metrics is saved with a collection of Tags, all Builds/SBOMs labeled with one of those Tags will have the related Environmental metrics as part of their overall CVSS score.

Summary: a vulnerability may have multiple CVSS scores depending on the current context. One value may be valid for one set of software and another value for another set, depending on separate analyses.

Updated: 2024-11-21 MAIA

The Priority:

  1. is initially set to the same value as the overall CVSS score.
  2. is automatically modified by an Analysis modifying the CVSS environmental score, and the resulting overall CVSS score.
  3. may manually be set to any value in the Analysis, overriding the "standard" CVSS priority.
  4. may have multiple values, each associated with a separate analysis containing a unique set of tags.
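As an added example (not MAIA's code), the Ruby below models how one vulnerability ends up with different Priority values in different contexts, as described in the entries on CVSS score and Priority above, and how the Built artifact's vulnerability table is ordered (Critical first, then by identity). The CVSS v3 severity bands are the standard ones. Two points are my assumptions rather than documented behaviour: a build not covered by any tagged Analysis falls back to the untagged Analysis (my reading of "un-tagged variants"), and each Analysis is assumed to store the overall score that resulted from its modified Environmental metrics instead of recomputing the CVSS formula here. The vulnerability identifiers are placeholders.

```ruby
# CVSS v3.x qualitative severity rating; this is MAIA's default Priority.
def cvss_rating(score)
  case score.to_f
  when 0.0        then 'None'
  when 0.0...4.0  then 'Low'
  when 4.0...7.0  then 'Medium'
  when 7.0...9.0  then 'High'
  when 9.0..10.0  then 'Critical'
  else raise ArgumentError, "CVSS score out of range: #{score}"
  end
end

PRIORITY_ORDER = %w[Critical High Medium Low None].freeze

# An Analysis as saved in MAIA (constructed for this example):
#   tags     - the Tag collection it was saved with ([] = untagged analysis)
#   score    - overall CVSS score after the modified Environmental metrics,
#              or nil when the analysis did not touch them
#   priority - manual Priority override, or nil
Analysis = Struct.new(:tags, :score, :priority, keyword_init: true)
Vuln     = Struct.new(:id, :base_score, :analyses, keyword_init: true)

# A tagged analysis applies to a Build/SBOM carrying at least one of its
# tags. A build matched by no tagged analysis falls back to the untagged
# analysis, if there is one (assumption, see lead-in).
def applicable_analysis(vuln, build_tags)
  vuln.analyses.find { |a| !a.tags.empty? && !(a.tags & build_tags).empty? } ||
    vuln.analyses.find { |a| a.tags.empty? }
end

# Overall CVSS score and Priority of one vulnerability for one build.
def resolve(vuln, build_tags)
  a = applicable_analysis(vuln, build_tags)
  score = a&.score || vuln.base_score
  priority = a&.priority || cvss_rating(score) # manual override beats CVSS
  { score: score, priority: priority }
end

# The Built artifact's vulnerability table: Priority groups with Critical
# first, identities sorted within each group.
def vulnerability_table(vulns, build_tags)
  vulns.map { |v| [v.id, resolve(v, build_tags)[:priority]] }
       .sort_by { |id, prio| [PRIORITY_ORDER.index(prio) || PRIORITY_ORDER.size, id] }
end

# Constructed vulnerabilities and analyses (identifiers are placeholders).
VULNS = [
  Vuln.new(id: 'CVE-0000-0002', base_score: 9.8, analyses: [
    Analysis.new(tags: %w[prod-eu], score: 5.5, priority: nil), # mitigated in prod-eu
    Analysis.new(tags: [], score: nil, priority: 'High')        # general decision
  ]),
  Vuln.new(id: 'CVE-0000-0001', base_score: 7.5, analyses: []),
  Vuln.new(id: 'CVE-0000-0003', base_score: 7.5, analyses: [
    Analysis.new(tags: %w[prod-eu], score: nil, priority: 'None') # not reachable there
  ])
].freeze

if __FILE__ == $PROGRAM_NAME
  p vulnerability_table(VULNS, %w[prod-eu]) # [["CVE-0000-0001", "High"], ["CVE-0000-0002", "Medium"], ["CVE-0000-0003", "None"]]
  p vulnerability_table(VULNS, %w[dev])     # [["CVE-0000-0001", "High"], ["CVE-0000-0002", "High"], ["CVE-0000-0003", "High"]]
end
```

The same three vulnerabilities sort differently for a prod-eu build and for a dev build, which is the "multiple values, each associated with a separate analysis" behaviour of the Priority entry: the tagged analysis lowers CVE-0000-0002 to Medium via its environmental score and sets CVE-0000-0003 to None by manual override, while a build outside those tags sees only the general decision or the plain CVSS rating.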

Users & Teams

Updated: 2024-11-22 MAIA

An Active user is a user that is member of at least one Team.

A user must be Active to be able to log in and interact with SBOM Central.

As soon as an Active user is removed from all Teams the user will be deactivated, but not removed from the system. The user may later on be re-activated when added to a Team.

The licensing model sets a limit to the number of Active users.

TODO...

IMPORTED THROUGH THE VERSION CONTROL

Updated: 2024-11-22 MAIA

Old users, currently not part of the daily MAIA workflow, are probably still an important part of the history.

An old user, when deactivated, does not affect any licensing costs but is still an important placeholder for historic activities in MAIA.

Results