SBOMs

Updated:2023-07-10

Content:

  1. SBOMs index page
  2. SBOMs show page
  3. Comparison tab
  4. Deliveries tab
  5. Vulnerabilities tab
  6. External artifacts tab
  7. Licenses tab
  8. History tab


Summary:

  • A Software Bill of Materials (SBOM) is a document that lists all the software components that are used in a particular software product or application, including both proprietary and open-source components, as well as their version numbers, dependencies, and origins.
  • SBOMs may be uploaded to the WebApp manually or through the REST API, and are then presented in the user interface.

The SBOM pages are structured as follows:

SBOMs index page

Updated:2023-07-11

The index page is a listing of all SBOMs, sorted with the newest on top.

The SBOMs table displays all SBOMs the current team has permission to see. If the user performs a search (filter), the table displays the results from the search.

Button

+Upload button: to manually upload an SBOM (Software Bill-of-Materials) in the CycloneDX format.

Table description

  • Name: The name (label) of the build, and a link to the SBOMs show page.
  • Version: The version of the component that was built.
  • Build time: The time the SBOM was added.
  • Delivered: Whether the SBOM has a delivery report.
  • Tags: The tags on the build.
  • Compare: Select button for a comparison.

Filters

  • Search: Search the name of an artifact.
  • Component: Select a component to narrow the search.
  • State: Select the state of the build to narrow the search.
  • Deliveries: Select whether the artifact has delivery reports to narrow the search.
  • Tags: Select one or more tags to narrow the search.
  • Start date: Select a start date to narrow the search.
  • End date: Select an end date to narrow the search.

Compare

Compare two SBOMs (of the same type) by pushing the compare select buttons in the SBOMs table.

A new window opens on top of the table, listing the SBOMs selected for comparison. When two SBOMs are selected, push the Compare button to open a new SBOM Diff page showing the differences.


SBOMs show page

Updated:2023-07-07

The SBOM show page contains information and references related to one specific build. If the build is of the Collection component type, information from the related components is also aggregated into this page.

The page has the following main areas:

  1. Identity and version of the artifact.
  2. Top boxes with highlighted data.
  3. Tabs row and unique content for each tab.
    1. Comparison tab.
    2. Deliveries tab.
    3. Vulnerabilities tab.
    4. External artifacts tab.
    5. Licenses tab.
    6. History tab.
  4. Button row
  5. Information box.

Top boxes

Color coded status boxes:

  • Build status: SBOM upload Success or Failed.
  • Since last delivery: Time since the delivery report was created.
  • Licenses not decided on: Number of licenses still to evaluate and decide an action on / total number of licenses.
  • Vulnerabilities not decided on: Number of vulnerabilities still to evaluate and decide an action on / total number of vulnerabilities.

Colors:

  • Light blue : Status OK
  • Red : Fail/error
  • Lilac : Warning
  • Grey : No data

Tabs

  • Comparison: Compares the data in this build with the data in an earlier build and presents the differences.
  • Deliveries: Create a delivery report for this build, list existing reports, and list deliverable artifacts.
  • Vulnerabilities: A list of vulnerabilities detected in this SBOM.
  • External artifacts: A list of artifacts included in/related to this SBOM.
  • Licenses: A list of licenses included in/related to this SBOM.
  • History: A list of manual changes of data in the WebApp related to this SBOM.

Button row

  • Sync external artifacts button: Synchronize all external artifacts with respect to vulnerabilities, health, patches, etc.
  • Delete button: Delete the artifact.

Information box

  • Version: Version of the component.
  • Environment: Id/Link to the environment description for which this component has been built.
  • Tags: Tags associated with this build.
  • Build time: Time when SBOM was added.
  • Uuid: Universally unique identifier for this build.

  • Previous: Id/Link to the previous version of this component.
  • Created: Time of creation.

  • Previous delivered: Id/Link to the previous version of this component that has a Delivery report.
  • Created: Time of creation.



SBOMs comparison tab

Updated:2023-07-11

Comparing data in this Build with data in an earlier Build and presentation of the differences.

Sections in the page:

  • Comparison: Select buttons that choose which earlier build to compare with (Previous by default).
  • Changes in included artifacts: Changes in included artifacts in comparison to the selected SBOM.
  • Changes in compile time artifacts: Changes in compile time artifacts in comparison to the selected SBOM.

Comparison selection

Previous buttons to select which earlier build of this component to compare with:

  • Previous (default): Select to show differences to the previous build of this component.
  • Previously delivered: Select to show differences to the previous build of this component that has a Delivery report.

Dependency buttons to select how many dependencies to visualize:

  • Show all dependencies (default for a collection component): Show changes for all components included in the build.
  • Show closest dependencies (default for a single component): Show changes related to this component.

Advanced diff button: opens the SBOM Diff page, where this build can be compared with any other build.

Changes in included artifacts

  • Component: Icon and identity of the component, and a link to the component pages in MAIA. External components are described in the package url format; see the package url specification (external link).
  • From: Version before this build. Link to 1) a component build report with this version, or 2) an external component show page.
  • To: Version after this build, with the same kind of links.
  • Changes: Tags describing the changes. Version (blue): the component changed version. Component removed (orange): the component is no longer included. Component added (orange): a new component is included.

Changes in compile time artifacts

Same as the previous section, for components that are used at compile time.



SBOMs deliveries tab

Updated:2023-07-17

Necessary permissions to create a delivery report: Create/Update delivery reports and Update issues.

When a software build has a delivery report generated by the WebApp, it is regarded as Delivered by SBOM Central.

Sections in the tab:

  • Create report button
  • Delivery reports table

Create report

Pushing the Create report button opens a pop-up window with a form for editing the report:

  • Label: A free-text field labelling the delivery report.
  • Project: Create a new project name for the delivery, or select an existing project.
  • Notify on vulnerabilities: Select whether changes in vulnerability status for artifacts included in the delivery should generate a notification.
  • Reason for delivery: Delivery notes.
  • Contact info: Name/email/phone of the contact.
  • Included changes: If an existing project is selected above, a dropdown appears listing all delivery reports previously created in this project. Select one to include all changes from that report up to the current build.

Delivery reports

The table lists all reports created for this build. Headings:

  • Title: The label of the report including a link to the report.
  • Published: Date and time.
  • SBOM: The label of the SBOM.
  • Project: Delivery project.
  • Notify on Vulnerability: If set, the number is the minimum priority for which a notification is sent on status changes.

Open the report page by clicking the label. The page has three sections:

  • Reason for delivery.
  • Revisions.
  • Information box, with an edit button.

Revisions

Table containing all versions of the delivery report. Headings:

  • Revision: Version number, including a link to the report.
  • Published: Date and time.
  • Change: Change comment.
  • User: The user who created or updated the revision.

Edit and update the report by pushing the edit button.

A modified report form opens, with the following sections:

  • Cancelled: cancel the report.
  • Notify on Vulnerabilities: activate notifications on vulnerability status changes, and set the minimum priority level.
  • Change comment: comment on the reason for the update.

The resulting full delivery report:



SBOMs vulnerabilities tab

Updated:2023-07-24

The Vulnerabilities tab contains an index page listing all vulnerabilities detected for this build. The information is continuously updated through the MAIA Information Services (MIS).

Sections in the page:

  • Filter row
  • Filter buttons
  • Summary
  • Vulnerabilities table

Filter row

  • Search: Search the name of an artifact or a CVE-id.
  • Backend: Filter by backend data provider: NVD or OSV.
  • Decided: Filter on whether a decision has been made or not.
  • Action: Filter on the decided action: Must be fixed / Has been fixed / Will not be fixed.
  • Due date: Filter on due date: 1 month / 2 months / 3 months.

Filter buttons

  • Only vulnerable (default): Show all vulnerabilities that have a priority. When an analysis and decision results in "Not vulnerable", "Fixed", etc., the priority should be set to "None", which hides the vulnerability from this view.
  • All: Show all vulnerabilities regardless of priority.

Summary

Shows the number of Vulnerabilities for each Priority.

  • Grey = None
  • Light blue = Low
  • Green = Medium
  • Orange = High
  • Red = Critical

Vulnerabilities table

A listing of all vulnerabilities identified in this build.

  • Identifier: Vulnerability identity, CVE-id or other, and a link to the local vulnerability show page containing detailed information and analysis tools.
  • Priority: Priority set by a manual decision or by an automated rule.
  • Added date: Date when the vulnerability was added to the WebApp.
  • Decision: The result of a decision.
  • Due date: The due date (if any).
  • Artifact: Name of the artifact, in package url format, and a link to the detailed artifact info. See the package url specification (external link).
  • Artifact status: Health status of the artifact.



SBOMs external artifacts tab

Updated:2023-07-11

Lists all external artifacts included in this build.

Filter

  • Search: Search artifact name(s).
  • Type: Filter by type of artifact, e.g. generic, gem, npm, etc.
  • License approval: Filter on license approval status: approved, disapproved, etc.
  • License: Filter on whether the artifact has a license or not.
  • Vulnerabilities: Show only vulnerable artifacts within the selected priority categories.
  • Usage: Filter on usage: Deliverable / Compile time / Real time / Test.
  • Status tags: Filter on a set of status tags.

Buttons

  • Deep (dependencies): Show all dependency artifacts related to the build.
  • Shallow (dependencies): Show only the direct dependencies of the current component.

Table description

  • Name: Name and version of the artifact, in package url format, and a link to the detailed artifact info. See the package url specification (external link).
  • Status: Artifact status described with a set of tags (see below).
  • Vulnerabilities: Colored text indicating the highest priority among the vulnerabilities detected for the artifact. Link to open an inline table listing the vulnerabilities.
  • Licenses: Licenses identified for the artifact. Light blue icon = approved, grey = to be analyzed, red = not approved.
  • Used in: Deliverable / Compile time / Real time / Test.
  • By artifact: The artifact that uses this artifact.

Vulnerability inline table

  • Identifier: Vulnerability identity, CVE-id or other, and a link to the local vulnerability show page containing detailed information and analysis tools.
  • Priority: Priority set by a manual decision or by an automated rule.
  • Added date: Date when the vulnerability was added to the WebApp.
  • Decision: The result of a decision.
  • Due date: The due date (if any).




SBOMs licenses tab

Updated:2023-07-11

The Licenses tab contains a list of all artifacts, grouped by license type.

Filter button groups

  • Type of Artifact buttons: filter on Deliverable / Compile time type of artifacts.
  • License type buttons: one filter button for each license type present in the build.
  • Usage button: filter on usage
  • Approval status button: filter on approved/disapproved/undecided status.

License table

One table for each license type.

  • Artifact: Name of the artifact, in package url format, and a link to the detailed artifact info. See the package url specification (external link).
  • Approval: Approval status: Approved / Disapproved / Undecided, with icons.
  • Source: Where the license information comes from: SBOM (taken from the SBOM), Link (downloaded through a link) or Manual (manually created).
  • Present in: Deliverable / Compile time.



SBOMs history tab

Updated:2023-07-11

The History tab is a list of changes performed in the WebApp UI.