Updated: 2024-11-16 SBOM Central
No, SBOM Central does not require a specific development process.
No, SBOM Central does not require a specific development process.
An Index page is a page listing of all occurrences of an artifact/object/type etc. relative to the selected scope.
Example: an External artifacts index page contains a list of all occurrenses of external artifacts in e.g. an SBOM, the system etc. , see External artifact tab in the SBOM documentation.
A Show page is a detailed page about an artifact/object etc.
Example: an External artifacts show page contains information and references related to one specific artifact, see External artifact show page documentation.
An artifact refers to physical files that make up a specific version of a software component. When such an artifact is registered in SBOM Central, it is assigned to a component with the same 'name,' i.e. normally a combination of type, vendor, and product name.
Example: in SBOM Central the artifact pkg gem/ruby/matrix@0.4.2 will get a corresponding component name gem:ruby/matrix. If the component already exists, the artifact will be assigned to it. If not, a new component is created prior to assigning.
When opening the component show page, a table will presents all artifacts and versions registered in the system.
An SBOM refers to a software library, application, firmware etc. When such an artifact is registered, it is assigned a Product identity, which would be the combination of group (vendor) and name.
Example: An SBOM representing the application com.t2data/epss_cloud@1.3.4 gets the product identity com.t2data/epss_cloud. If the product exists, the artifact will be assigned to it. If not, a new product is created.
When opening the product show page, a table presents all artifacts and versions registered by the system.
For SBOMs, the history is also controlled by the collection of Tags.
To have a reference to a previous version of any software, both identity and tag collection must correspond.
Read here about how Vcs, Homepage and Alt.Link is used
Alt. link is an alternate and manually inserted link address to a component source, superseding Vcs and Homepage. When adding the Alt. link, all versions registered in MAIA/SBOMC, current, previous and future, will have the Alt. link activated.
Pages referenced in this example:
The component is openssl 1.1.1o.
Weblink is set to openssl.org with no usable API for MAIA.
No update information available.
Action 1: open the component index page by clicking the openssl/openssl link in the top the information section.
Read here about how Vcs, Homepage and Alt.Link is used
Alt. link is an alternate and manually inserted link address to a component source, superseding Vcs and Homepage. When adding the Alt. link, all versions registered in MAIA, current, previous and future, will have the Alt. link activated.
Pages referenced in this example:
The component is actioncable 6.1.5.
Weblink is set to rubyonrails.org with no usable API for MAIA/SBOMC.
No update information available.
Action 1: open the component index page by clicking the actioncable link in the top the information section.
SBOM Central can continuously examine the status of included software artifacts. If a new release is detected at the artifact source, the "Update available" tag will be set.
The information about the release status is provided by the Information Services.
Homepage is a link address to the project that produces the artifact's home page.
Vcs is a link address to the repository containing the artifact.
If one of the link addresses is:
...then SBOM Central will be able to check the version status of the external artifact.
Homepage and Vcs are automatically set by the system (if possible). The Homepage link may be manually modified, but when upgrading the artifact, the Homepage for that version will be altered, disabling the previous modifications.
Alt. link is an alternate and manually inserted link address to the source, superseding Vcs and Hompage links. When adding the Alt. link, all versions registered in SBOM Central, current, previous and future, will have the Alt. link activated. A common and helpful situation for the use of Alt. link is when the artifact source links doesn't meet the requirements 1-3 above, but has a code mirroring site that does.
SBOM Central is prioritizing the links as follows:
A Component is a unit of software identified by its name. An Artifact is a single occurrence of the component i.e. the physical files that make up a specific version of an application
An artifact refers to physical files that make up a specific version of a software component, application, etc..
An "External artifact" refers to an artifact normally not part of the internal source code development with version control, i.e. an external dependency that is downloaded and included into an application, library, etc.
There are no requirements regarding the origin of an external artifact in SBOM Central, it's more of a designation.
Currently is the SemVer system the norm, with some extensions. The Semantic Versioning (SemVer) (external link) system is a numbering system with numbers separated by dots, e.g. 1.0.2
The focus is on final releases. Pre-releases, betas, etc. will normally not be considered when examining the version status.
Examples:
Other variants may be applicable.
There could be several reasons why the new release of an external artifact doesn't get an "Update available"-tag.
For example:
There are a number of reasons why the version status cannot resolved for an external artifact, setting it to Unresolved.
First: To be able to be Unresolved, SBOM Central must be integrated with an external service providing the data, else the status will be No data.
Integration examples:
Then, if:
the verdict will be Unresolved for the version status.
SBOM Central is integrated with external services to provide users with updates on software security and health information.
The list of integrated services is continuously growing:
An SBOM is a comprehensive inventory of all components and dependencies that make up a version of a software application, library, firmware etc. When such an artifact is registered in SBOM Central, it is assigned a Product identity, i.e. the combination of group (vendor) and name.
Example: An SBOM representing the application com.t2data/epss_cloud@1.3.4 gets the product identity com.t2data/epss_cloud. If the product exists, the artifact will be assigned to it. If not, a new product is created.
In the CycloneDX standard the application is registered in the sections: metadata :: component :: group where the group often is a shortened, single name of the company or project that produced the component, or the source package or domain name & metadata :: component :: name the name of the component.
When opening the product show page, a table presents all artifacts and versions registered by the system.
For SBOMs, the history is also controlled by the collection of Tags.
To have a reference to a previous version of any software, both identity and tag collection must correspond.
Currently CycloneDX 1.3-1.6 (json) is supported.
An Active user is a user that is member of at least one Team.
A user must be Active to be able to log in and interact with SBOM Central.
As soon as an Active user is removed from all Teams the user will be deactivated, but not removed from the system. The user may later on be re-activated when added to a Team.
The licensing model sets a limit to the number of Active users.
Old users, currently not part of the daily SBOM Central workflow, are probably still an important part of the history.
An old user, when deactivated, does not affect any licensing costs but is still an important placeholder for historic activities in SBOM Central.
Are detected vulnerabilities continuously monitored regarding status changes?
The answer is yes!
Example: The notification page shows both added, removed and modified vulnerabilities .
SBOM Central assigns a Priority to all vulnerabilities: The Index page table is listing all vulnerabilities by Priority, starting with Critical at the top, and within each priority group, they are sorted by identity.
By default, the Priority is set to Priority=CVSS, i.e., Low, Medium, High, or Critical. The priority may automatically be set to None by an external information service collecting Patch data.
The Priority may in a later stage be changed in the Analysis process.
The CVSS (Common Vulnerability Scoring System) sets a score to a vulnerability, rating the severity (0-10). The overall CVSS score is composed of three sub groups of metrics (Base, Temporal, Environmental), of which each group has several subcomponents.
The value of the overall CVSS Score may depends on the context, i.e. if the score is of general type or if it is related to a specific software.
Summary: A vulnerability may have multiple CVSS scores depending on current context. One value may be valid for a set of software, and another value for another set, depending on separate analyses.
The Priority: