FAQ

General

Updated: 2024-11-21 SBOM Central
Updated: 2024-11-16 SBOM Central

No, SBOM Central does not require a specific development process.

Updated: 2024-11-21 SBOM Central

An Index page is a page listing of all occurrences of an artifact/object/type etc. relative to the selected scope.

Example: an External artifacts index page contains a list of all occurrenses of external artifacts in e.g. an SBOM, the system etc. , see External artifact tab in the SBOM documentation.

Updated: 2024-11-21 SBOM Central

A Show page is a detailed page about an artifact/object etc.

Example: an External artifacts show page contains information and references related to one specific artifact, see External artifact show page documentation.

External artifacts

Updated: 2024-11-21 SBOM Central
Updated: 2024-11-21 SBOM Central

An artifact refers to physical files that make up a specific version of a software component. When such an artifact is registered in SBOM Central, it is assigned to a component with the same 'name,' i.e. normally a combination of type, vendor, and product name.

Example: in SBOM Central the artifact pkg gem/ruby/matrix@0.4.2 will get a corresponding component name gem:ruby/matrix. If the component already exists, the artifact will be assigned to it. If not, a new component is created prior to assigning.

When opening the component show page, a table will presents all artifacts and versions registered in the system.

Updated: 2024-11-16 SBOM Central

An SBOM refers to a software library, application, firmware etc. When such an artifact is registered, it is assigned a Product identity, which would be the combination of group (vendor) and name.

Example: An SBOM representing the application com.t2data/epss_cloud@1.3.4 gets the product identity com.t2data/epss_cloud. If the product exists, the artifact will be assigned to it. If not, a new product is created.

When opening the product show page, a table presents all artifacts and versions registered by the system.

For SBOMs, the history is also controlled by the collection of Tags.

To have a reference to a previous version of any software, both identity and tag collection must correspond.

Updated:2024-10-29 MAIA & SBOM Central

Read here about how Vcs, Homepage and Alt.Link is used

Alt. link is an alternate and manually inserted link address to a component source, superseding Vcs and Homepage. When adding the Alt. link, all versions registered in MAIA/SBOMC, current, previous and future, will have the Alt. link activated.

Example:

  • Pages referenced in this example:

    • openssl 1.1.1o (component/version) show page.
    • openssl component index page.
    • openssl component edit dialog.
  • The component is openssl 1.1.1o.

  • Weblink is set to openssl.org with no usable API for MAIA.

  • No update information available.

  • Action 1: open the component index page by clicking the openssl/openssl link in the top the information section.

  • Action 2: find the openssl component on a repository service integrated with MAIA/SBOMC.
  • Open SSL is a software that is monitored by the Release Monitoring web.
  • The Release Monitoring API is integrated with MAIA/SBOMC.
  • Action 3: Search for openssl on the releasemonitoring page.
  • There are 39 different projects for openssl. Here the first project (openssl.org) is matching our component.
  • Action 4: select and open the openssl link to open the project page.

  • Check that the openssl project page seems to match the information known for your component.
  • Action 5: copy the release-monitoring project web address, https://release-monitoring.org/project/2566/

  • Action 6: click the Edit button to change component information.

  • Action 7: paste the weblink into the Alt weblink section.
  • Action 8: save and close

  • The component index page is updated.
  • The Alt. link in the information section is updated.
  • All weblinks, for each version, in the table are updated.

  • Data in the openssl 1.1.1o show page is updated.
  • Later, when the externa artifact update job is executed, the MAIA/SBOMC services will update the version status for openssl 1.1.1o.

Updated:2024-11-16 SBOM Central

Read here about how Vcs, Homepage and Alt.Link is used

Alt. link is an alternate and manually inserted link address to a component source, superseding Vcs and Homepage. When adding the Alt. link, all versions registered in MAIA, current, previous and future, will have the Alt. link activated.

Example:

  • Pages referenced in this example:

    • actioncable 6.5.1 (component/version) show page.
    • actioncable component index page.
    • actioncable component edit dialog.
  • The component is actioncable 6.1.5.

  • Weblink is set to rubyonrails.org with no usable API for MAIA/SBOMC.

  • No update information available.

  • Action 1: open the component index page by clicking the actioncable link in the top the information section.

  • Action 2: find the actioncable component on a repository service integrated with MAIA/SBOMC.
  • actioncable is a Gem so it can be found on the RubyGems web.
  • RubyGems API is integrated with MAIA.
  • Action 3: copy the actioncable web address, https://rubygems.org/gems/actioncable

  • The actioncable component index page is opened.
  • Action 4: click the Edit button to change component information.

  • Action 5: paste the weblink into the Alt weblink section.
  • Action 6: save and close

  • The component index page is updated.
  • The Alt. link in the information section is updated.
  • All weblinks, for each version, in the table are updated.

  • Data in the actioncable 6.5.1 show page is updated.
  • Later, when the externa artifact update job is executed, the MAIA/SBOMC services will update the version status for actioncable 6.5.1.

Updated: 2024-11-22 SBOM Central

SBOM Central can continuously examine the status of included software artifacts. If a new release is detected at the artifact source, the "Update available" tag will be set.

The information about the release status is provided by the Information Services.

Updated: 2024-11-16 SBOM Central

Homepage is a link address to the project that produces the artifact's home page.

Vcs is a link address to the repository containing the artifact.

If one of the link addresses is:

  1. to a repository hosting service, and...
  2. the hosting service has an API, and...
  3. SBOM Central is integrated with the hosting service, ...

...then SBOM Central will be able to check the version status of the external artifact.

Homepage and Vcs are automatically set by the system (if possible). The Homepage link may be manually modified, but when upgrading the artifact, the Homepage for that version will be altered, disabling the previous modifications.

Alt. link is an alternate and manually inserted link address to the source, superseding Vcs and Hompage links. When adding the Alt. link, all versions registered in SBOM Central, current, previous and future, will have the Alt. link activated. A common and helpful situation for the use of Alt. link is when the artifact source links doesn't meet the requirements 1-3 above, but has a code mirroring site that does.

SBOM Central is prioritizing the links as follows:

  1. Alt. link
  2. Vcs
  3. Homepage

References:

Updated: 2024-11-21 SBOM Central

A Component is a unit of software identified by its name. An Artifact is a single occurrence of the component i.e. the physical files that make up a specific version of an application

Updated: 2024-11-21 SBOM Central

An artifact refers to physical files that make up a specific version of a software component, application, etc..

An "External artifact" refers to an artifact normally not part of the internal source code development with version control, i.e. an external dependency that is downloaded and included into an application, library, etc.

There are no requirements regarding the origin of an external artifact in SBOM Central, it's more of a designation.

Updated:2024-11-21 SBOM Central

Currently is the SemVer system the norm, with some extensions. The Semantic Versioning (SemVer) (external link) system is a numbering system with numbers separated by dots, e.g. 1.0.2

The focus is on final releases. Pre-releases, betas, etc. will normally not be considered when examining the version status.

Examples:

  • Omitting all characters preceding the numbering series e.g. rev_1.2.3 or v1.2.3 will be considered as 1.2.3
  • Approves characters directly following the numbering series e.g. 1.2.3k or 1.2.3ac
  • Rejects all versions with characters following the numbering series, if starting with a hyphen, underscore, point, etc. E.g. 1.2.3-pre1 or 1.2.3.rc1
  • Approves underscore inside the numbering series e.g. 1_2_3 will be considered as 1.2.3

Other variants may be applicable.

Updated: 2024-11-21 SBOM Central

There could be several reasons why the new release of an external artifact doesn't get an "Update available"-tag.

For example:

  1. The artifact source address (Homepage/Vcs/Alt.link) doesn't represent a repository hosting service with an API that SBOM Central is integrated with.
  2. The Information Services has not updated the information yet (the cache is not renewed).
  3. The version number and date are ambiguous.
  4. The version number and date cannot be interpreted by SBOM Central.
Updated: 2024-11-21 SBOM Central

There are a number of reasons why the version status cannot resolved for an external artifact, setting it to Unresolved.

First: To be able to be Unresolved, SBOM Central must be integrated with an external service providing the data, else the status will be No data.

Integration examples:

  • The artifact source address is stored in SBOM Central as Homepage, Vcs, or Alt link. The links may reference a repository hosting service with an API integrated with SBOM Central.
  • Artifact information is found in a external monitoring service having an API integrated with SBOM Central.

Then, if:

  1. the artifact version you are using doesn't exist at the repository hosting service, or...
  2. you have versioning standards ambiguities, for the artifact version a) you are using or/and b) at the repository hosting service, or...
  3. there is version date ambiguities at the repository hosting service.

the verdict will be Unresolved for the version status.

Information services

Updated: 2024-11-20 SBOM Central
Updated: 2024-11-21 SBOM Central

SBOM Central is integrated with external services to provide users with updates on software security and health information.

The list of integrated services is continuously growing:

Security services:

  • NVD (National Vulnerability Database).
  • OSV (Open Source Vulnerabilities).
  • CISA Known Exploited Vulnerabilities Catalog.
  • EPSS (Exploit Prediction Scoring System).
  • AlienVault Open Source Threat Intelligence.
  • Debian (Security service).
  • Alpine (Security service).

Dictionary services:

  • NVD (National Vulnerability Database).

Health information services:

  • Github.
  • RubyGems.
  • PyPi.
  • npm.
  • nuget.
  • GitLab.
  • Bitbucket.
  • release-monitoring.
  • Debian.
  • Alpine.

Products

Updated: 2024-11-16 SBOM Central
Updated: 2024-11-21 SBOM Central

An SBOM is a comprehensive inventory of all components and dependencies that make up a version of a software application, library, firmware etc. When such an artifact is registered in SBOM Central, it is assigned a Product identity, i.e. the combination of group (vendor) and name.

Example: An SBOM representing the application com.t2data/epss_cloud@1.3.4 gets the product identity com.t2data/epss_cloud. If the product exists, the artifact will be assigned to it. If not, a new product is created.

In the CycloneDX standard the application is registered in the sections: metadata :: component :: group where the group often is a shortened, single name of the company or project that produced the component, or the source package or domain name & metadata :: component :: name the name of the component.

When opening the product show page, a table presents all artifacts and versions registered by the system.

For SBOMs, the history is also controlled by the collection of Tags.

To have a reference to a previous version of any software, both identity and tag collection must correspond.

Reports

Updated: 2024-11-20 SBOM Central

SBOMs

Updated: 2024-11-22 SBOM Central
Updated: 2024-11-22 SBOM Central

Currently CycloneDX 1.3-1.6 (json) is supported.

Users & Teams

Updated: 2024-11-22 SBOM Central
Updated: 2024-11-22 SBOM Central

An Active user is a user that is member of at least one Team.

A user must be Active to be able to log in and interact with SBOM Central.

As soon as an Active user is removed from all Teams the user will be deactivated, but not removed from the system. The user may later on be re-activated when added to a Team.

The licensing model sets a limit to the number of Active users.

Updated: 2024-11-22 SBOM Central

Old users, currently not part of the daily SBOM Central workflow, are probably still an important part of the history.

An old user, when deactivated, does not affect any licensing costs but is still an important placeholder for historic activities in SBOM Central.

Vulnerabilities

Updated: 2024-11-21 SBOM Central
Updated:2024-06-25 SBOM Central

Are detected vulnerabilities continuously monitored regarding status changes?

The answer is yes!

Example: The notification page shows both added, removed and modified vulnerabilities .

  1. SBOM Central detects a new vulnerability affecting a component that is included in several deliveries.
  2. All deliveries that have monitoring activated generate a notification message and email.
  3. When opening the NVD page, a undergoing reanalysis message is presented.

  1. We decide to wait for the result of the reanalysis before making any evaluations on the vulnerability.
  2. Ticking off the notification.
  3. A new notification message appears. Removed vulnerability messages this time. What does that mean?

  1. A previously detected vulnerability has been rejected, and all affected deliveries monitored in SBOM Central have been updated.
Updated:2024-11-21 SBOM Central

SBOM Central assigns a Priority to all vulnerabilities: The Index page table is listing all vulnerabilities by Priority, starting with Critical at the top, and within each priority group, they are sorted by identity.

By default, the Priority is set to Priority=CVSS, i.e., Low, Medium, High, or Critical. The priority may automatically be set to None by an external information service collecting Patch data.

The Priority may in a later stage be changed in the Analysis process.

Updated: 2024-11-21 SBOM Central

The CVSS (Common Vulnerability Scoring System) sets a score to a vulnerability, rating the severity (0-10). The overall CVSS score is composed of three sub groups of metrics (Base, Temporal, Environmental), of which each group has several subcomponents.

The value of the overall CVSS Score may depends on the context, i.e. if the score is of general type or if it is related to a specific software.

  1. General type -- the CVSS score may be composed of:
    • Base metrics and Temporal metrics.
    • If a vulnerability Analysis, with modified Environmental metrics, is saved without a Tag, then the decision affects all "un-tagged" variants of the vulnerable software and environments. Here is Environmental metrics a part of the overall CVSS score.
  2. SBOM type -- i.e. related to a specific software (or SBOM): the CVSS score may be composed of:
    • If a vulnerability Analysis, with modified Environmental metrics, is saved with a collection of Tags: All SBOMs labeled with one of the Tags will have the related Environmental metrics as part of the overall CVSS score.

Summary: A vulnerability may have multiple CVSS scores depending on current context. One value may be valid for a set of software, and another value for another set, depending on separate analyses.

Updated: 2024-11-21 SBOM Central

The Priority:

  1. is initially set to the same value as the overall CVSS score.
  2. is automatically modified by an Analysis modifying the CVSS environmental score, and the resulting overall CVSS score.
  3. may manually be set to any value in the Analysis, overriding the "standard" CVSS priority.
  4. may have multiple values, each associated with a separate analysis containing a unique set of tags.
Results