How-to

Updated 2025-02-03 SBOM Central

This chapter outlines common activities and workflows in the WebApp.

Artifacts and components

Updated 2024-12-04 SBOM Central

Create a license type

The permission "Create/update/destroy license types" is needed to edit license type pages.

  • Open page: Main menu/License types.
  • Push the Create button at the top of the page to open a pop-up edit window.
  • Edit the texts and selections.

Attribute        Description
Name             The name of the license type.
SPDX             The SPDX license identifier.
Name patterns    License names that will automatically be assigned to this license type. The selection box is editable.
Recommendation   Recommendation for use of software with this license type: Approve / For internal use only / Deny.
Permissiveness   Public domain / Permissive / Weak copyleft / Copyleft / Proprietary.
Use template     Activate the template. Opens a text field for adding template text.
Template         Template license text.
Add a license to an external artifact

Updated 2024-12-04 SBOM Central

External artifacts have a Licenses tab on their show page. Licenses are usually retrieved from uploaded SBOMs or from external data sources (websites), but you can also add licenses manually.

Push the Create button to open an edit pop-up window, then edit the texts and selections.

Field         Description
Type          Select the license type for the license.
Name          Enter a name for the license.
Custom text   Activate the text area.
Text          Enter (or paste) the license text.
Approved      Approve the license directly.
Ignore        Ignore the license.


Modify the license

A manually created license may be modified by pushing the Edit button.
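As an added example (not SBOM Central's own code), the following Python models the license-type table described above (SPDX id, name patterns, recommendation) and applies it to the licenses declared in a constructed CycloneDX 1.5 SBOM, honouring the manual Approved and Ignore flags from the artifact's Licenses tab. The license types, patterns, component names and the "Review" outcome for licenses no type matches are assumptions made for the example.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Decision ranking: the worst recommendation among a component's licenses wins.
# "Review" is not a page setting; it is used here for licenses no type matches.
RANK = {"Approve": 0, "For internal use only": 1, "Review": 2, "Deny": 3}


@dataclass
class LicenseType:
    """One row of the License types page: SPDX id, name patterns, recommendation."""
    name: str
    spdx: Optional[str]
    recommendation: str                 # Approve / For internal use only / Deny
    permissiveness: str                 # Public domain / Permissive / Weak copyleft / ...
    name_patterns: list = field(default_factory=list)   # regexes, matched case-insensitively

    def matches(self, license_name: str) -> bool:
        text = license_name.strip()
        if self.spdx and text.lower() == self.spdx.lower():
            return True
        return any(re.search(p, text, re.IGNORECASE) for p in self.name_patterns)


# Constructed license-type table; the patterns are illustrative, not a recommended policy.
LICENSE_TYPES = [
    LicenseType("MIT", "MIT", "Approve", "Permissive", [r"^mit( license)?$", r"^expat$"]),
    LicenseType("Apache 2.0", "Apache-2.0", "Approve", "Permissive", [r"^apache.*2(\.0)?$"]),
    LicenseType("LGPL 3.0", "LGPL-3.0-only", "For internal use only", "Weak copyleft", [r"^lgpl.*3"]),
    LicenseType("GPL 3.0", "GPL-3.0-only", "Deny", "Copyleft",
                [r"^gpl.*3", r"^gnu general public license v3"]),
]


def classify(license_name: str, license_types) -> Optional[LicenseType]:
    """First license type whose SPDX id or name patterns match; None if unclassified."""
    return next((lt for lt in license_types if lt.matches(license_name)), None)


def component_licenses(component: dict):
    """Yield the license ids/names declared on a CycloneDX component."""
    for entry in component.get("licenses", []):
        if "license" in entry:
            lic = entry["license"]
            yield lic.get("id") or lic.get("name", "")
        elif "expression" in entry:
            # Split a simple SPDX expression into identifiers. OR-choice and WITH-exception
            # semantics are left to the human reviewer; every identifier is evaluated.
            for token in re.split(r"\s+(?:AND|OR|WITH)\s+", entry["expression"]):
                yield token.strip("() ")


def evaluate(sbom: dict, license_types, approved=frozenset(), ignored=frozenset()):
    """Decide Approve / For internal use only / Deny / Review per component.

    approved and ignored hold (component, license) pairs, mirroring the Approved and
    Ignore flags a user can set manually on an artifact's Licenses tab.
    """
    results = []
    for comp in sbom.get("components", []):
        comp_name = f"{comp.get('name')}@{comp.get('version', '')}"
        findings, worst = [], "Approve"
        for lic in component_licenses(comp):
            if (comp_name, lic) in ignored:
                continue                          # Ignore: leave the license out entirely
            lt = classify(lic, license_types)
            if (comp_name, lic) in approved:
                rec = "Approve"                   # Approved: manual approval overrides the type
            elif lt is None:
                rec = "Review"                    # no license type matched -> assign one manually
            else:
                rec = lt.recommendation
            findings.append({"license": lic, "type": lt.name if lt else None, "recommendation": rec})
            if RANK[rec] > RANK[worst]:
                worst = rec
        if not findings:
            worst = "Review"                      # nothing (left) to evaluate is not an approval
        results.append({"component": comp_name, "decision": worst, "licenses": findings})
    return results


# Constructed CycloneDX 1.5 SBOM fragment; component names are placeholders.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "libalpha", "version": "1.3.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "libbeta", "version": "8.2",
     "licenses": [{"license": {"name": "GNU General Public License v3"}}]},
    {"type": "library", "name": "libgamma", "version": "2.0",
     "licenses": [{"expression": "Apache-2.0 OR LGPL-3.0-only"}]},
    {"type": "library", "name": "libdelta", "version": "0.1",
     "licenses": [{"license": {"name": "Custom Vendor EULA"}}]}
  ]
}""")

if __name__ == "__main__":
    for r in evaluate(SAMPLE_SBOM, LICENSE_TYPES):
        print(f"{r['component']:<16} {r['decision']:<22} {r['licenses']}")
```

Note that an ignored license is dropped from the evaluation, so a component whose only license is ignored falls back to Review rather than Approve; a manual Approved flag, by contrast, overrides the type's recommendation for that one license only.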

Reports

Updated 2025-01-17 SBOM Central

A modern CI/CD workflow can generate SBOMs continuously; only a select few of them matter for purposes such as releases, deliveries, traceability and historical records.

In SBOM Central, these significant SBOMs are marked by creating a Delivery Report.

  1. Open the show page of the SBOM in question and select the Deliveries tab.
  2. Push the Create report button to open the create dialog and add suitable information.
  3. Click Save. A delivery report is created.

Generate a VEX report for a vulnerability

Updated 2025-01-20 SBOM Central

A Vulnerability Exploitability eXchange (VEX) is a type of security advisory, similar to those commonly issued by mature product security teams. The key distinction of the VEX model is that its reports are machine-readable, enabling integration with security management tools and vulnerability tracking platforms. VEX data enhances the effective use of Software Bill of Materials (SBOM) data.

In SBOM Central, you can generate VEX reports for specific vulnerabilities and associated SBOMs from the list of deliveries that have Delivery Reports. For details, see Why is VEX generation tied to Delivery Reports.

SBOMs are continuously monitored for newly discovered vulnerabilities, with automatic notifications triggered upon detection. Each identified vulnerability requires careful analysis and appropriate actions.

  1. Open the vulnerability show page and push the Generate VEX button.
  2. Select one of the analyses (or the none alternative), then pick one or more deliveries from the list. The list content depends on the analysis selected.
  3. Push Save. The report is now found in the Report section of SBOM Central.

Generate a VEX report from a delivery report

Updated 2025-01-20 SBOM Central

The SBOM is actively monitored for newly discovered vulnerabilities, with notifications automatically triggered upon detection. Any detected vulnerability must be analyzed carefully and the appropriate actions decided. This analysis and decision is tied directly to the SBOM/Delivery Report and forms the foundation for generating a VEX report (see What are the use cases for duplicating an SBOM).

  1. Open the SBOM show page and select the Deliveries tab. Push Generate VEX for the delivery report in question.
  2. Select the vulnerabilities that you want included in the VEX report and push Save. The report is now found in the Report section of SBOM Central.

Create an advisory report

Updated 2025-01-20 SBOM Central

An Advisory report is a human-readable version of a VEX report. When creating the advisory, content from the corresponding VEX is imported automatically.

Go to the Reports/VEX tab. Select a VEX report and push the Create advisory button.

The advisory creation dialog opens, containing a number of optional edit fields to add information to the report.

  • Title of the report
  • Description
  • Vendor
  • Equipment
  • Risk evaluation
  • Mitigations

Push Save. The Advisory Report is now visible in the Advisories tab.
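The two VEX workflows above (per vulnerability, and per delivery report with a selection of vulnerabilities) and the advisory derived from a VEX can be made concrete with an added example, written for this page and not taken from SBOM Central. It builds a CycloneDX 1.5 VEX document for one delivery: each analysis decision becomes `analysis.state` / `justification` / `response`, and `affects` references the delivered SBOM's components through CycloneDX BOM-Links built from the SBOM's serialNumber and version. The delivery, findings, EXAMPLE-* identifiers and the mapping of the "none" analysis choice to `in_triage` are constructed assumptions; the state and justification vocabularies are those of the CycloneDX vulnerability schema.

```python
import json
import uuid
from datetime import datetime, timezone

# Analysis vocabularies from the CycloneDX vulnerability schema.
STATES = {"in_triage", "exploitable", "not_affected", "false_positive",
          "resolved", "resolved_with_pedigree"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}
RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback", "workaround_available"}

# Assumption: choosing "none" in the analysis selector means no decision yet, i.e. in_triage.
NO_ANALYSIS = {"state": "in_triage"}


def bom_link(serial_number: str, version: int, bom_ref: str) -> str:
    """CycloneDX BOM-Link (urn:cdx:<uuid>/<version>#<bom-ref>) into the delivered SBOM."""
    prefix = "urn:uuid:"
    if serial_number.startswith(prefix):
        serial_number = serial_number[len(prefix):]
    return f"urn:cdx:{serial_number}/{version}#{bom_ref}"


def validate_analysis(vuln_id: str, analysis: dict) -> None:
    # Reject decisions a consumer could not act on: unknown states, or a
    # not_affected claim with no justification behind it.
    state = analysis.get("state")
    if state not in STATES:
        raise ValueError(f"{vuln_id}: unknown analysis state {state!r}")
    justification = analysis.get("justification")
    if state == "not_affected" and justification is None:
        raise ValueError(f"{vuln_id}: not_affected requires a justification")
    if justification is not None and justification not in JUSTIFICATIONS:
        raise ValueError(f"{vuln_id}: unknown justification {justification!r}")
    for response in analysis.get("response", []):
        if response not in RESPONSES:
            raise ValueError(f"{vuln_id}: unknown response {response!r}")


def build_vex(delivery: dict, findings: list, selected=None, timestamp=None) -> dict:
    """CycloneDX 1.5 VEX for one delivery report.
    delivery: serialNumber/version of the delivered SBOM plus product name/version.
    findings: vulnerabilities against that SBOM with their analysis (or None) and bom-refs.
    selected: vulnerability ids to include; None includes them all."""
    vulnerabilities = []
    for finding in findings:
        if selected is not None and finding["id"] not in selected:
            continue
        analysis = finding.get("analysis") or NO_ANALYSIS
        validate_analysis(finding["id"], analysis)
        if not finding.get("affects"):
            raise ValueError(f"{finding['id']}: must reference at least one delivered component")
        vulnerabilities.append({
            "id": finding["id"],
            "source": {"name": finding.get("source", "unknown")},
            "analysis": {k: v for k, v in analysis.items()
                         if k in ("state", "justification", "response", "detail")},
            "affects": [{"ref": bom_link(delivery["serial_number"], delivery["version"], ref)}
                        for ref in finding["affects"]],
        })
    now = timestamp or datetime.now(timezone.utc)
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}", "version": 1,
        "metadata": {"timestamp": now.isoformat(timespec="seconds"),
                     "component": {"type": "application", "name": delivery["name"],
                                   "version": delivery["product_version"]}},
        "vulnerabilities": vulnerabilities,
    }


def render_advisory(vex: dict, title: str, vendor: str, equipment: str,
                    risk_evaluation: str = "", mitigations: str = "") -> str:
    """Human-readable advisory with the VEX content imported, as the Advisory dialog does."""
    lines = [f"Title: {title}", f"Vendor: {vendor}", f"Equipment: {equipment}", ""]
    for v in vex["vulnerabilities"]:
        a = v["analysis"]
        status = a["state"] + (f" ({a['justification']})" if a.get("justification") else "")
        lines.append(f"{v['id']}: {status}")
        if a.get("detail"):
            lines.append(f"  {a['detail']}")
        lines.append("  affects: " + ", ".join(x["ref"] for x in v["affects"]))
    for label, text in (("Risk evaluation", risk_evaluation), ("Mitigations", mitigations)):
        if text:
            lines += ["", f"{label}: {text}"]
    return "\n".join(lines)


# Constructed delivery and findings; the EXAMPLE-* ids are placeholders, not real CVEs.
DELIVERY = {"name": "acme-gateway", "product_version": "4.2.0", "version": 1,
            "serial_number": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"}
FINDINGS = [
    {"id": "EXAMPLE-0001", "source": "NVD", "affects": ["pkg:generic/libfoo@1.2"],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "detail": "The vulnerable parser is never invoked in this build."}},
    {"id": "EXAMPLE-0002", "source": "NVD", "affects": ["pkg:generic/libbar@3.1"],
     "analysis": {"state": "exploitable", "response": ["update"],
                  "detail": "Fixed in acme-gateway 4.2.1."}},
    {"id": "EXAMPLE-0003", "source": "NVD", "affects": ["pkg:generic/libbaz@0.9"],
     "analysis": None},
]

if __name__ == "__main__":
    vex = build_vex(DELIVERY, FINDINGS)
    print(json.dumps(vex, indent=2))
    print(render_advisory(vex, "acme-gateway 4.2.0 advisory", "Acme", "acme-gateway 4.2.0"))
```

The validation step is the part worth keeping: a VEX statement of not_affected without a justification is not actionable for the consumer, and a statement that does not name the affected delivered component cannot be matched against the consumer's copy of the SBOM.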

Users and teams

Configure a team

Updated 2025-01-16 SBOM Central

You need the appropriate permissions to do this.

  1. Open Main menu/Teams.
  2. Select the team.

Add/Remove members

Add members to or remove members from the team.

  1. In the Members tab, open the Edit members pop-up window.
  2. Add members to the team from the drop-down menu.
  3. Remove members by clicking the member's trash-can.
  4. Save.

Configure team permissions
  1. In the Team permissions tab, open Edit permissions pop-up window.
  2. Select the permissions that will apply to all members of the team.
Configure user permissions
  1. In the Members tab, edit the individual permissions of any member of the team by clicking Edit permissions for that member.
Configure components

The Components tab is for manual component management, i.e. adding, creating and deleting components to select the ones visible to the Team.

Use this page to manage components in the sense of Products. In SBOM Central, "component" is a generic designation covering several types of components; the External collection component is the SBOM Central technical term for a Product.

Products are automatically created and assigned to a Team when SBOMs are uploaded:

  • If the SBOM is uploaded manually, the Product is created for the Team the User is currently logged in to.
  • If it is uploaded through the REST API, the Product is created for the Team that the Token belongs to. Before uploading with a token, check which Team it belongs to.

By switching teams, a user can access different subsets of information. A user's editing capabilities depend on the permissions of their team and the permissions they are given within the team.

  1. In the Components tab, either
     a) open the Create component and add to team pop-up window, or
     b) open the Edit components pop-up window.
  2. Add components from the drop-down menu.
  3. Remove components by clicking the trash-cans.

Edit team
  1. Edit the Team name and description.
Delete team
  1. Click the Delete button.
Create a team

Updated 2025-01-16 SBOM Central

You need the appropriate permissions to do this.

  1. In the Main menu, select Teams.
  2. On the Teams page, click the Create button to open the pop-up window.
  3. Edit the team's data: the team name and the description.
  4. Save.
  5. The team is now ready for configuring:
     1. Members
     2. Team permissions
     3. Tracker projects
     4. Components

Create a user

You need the "Create/update users" permission to do this.

  1. Open Main menu/Users.
  2. Click the "+Create" button to open the editable pop-up window.

A user becomes Active when added to a team, and stays Active as long as the user belongs to at least one team.

Fill in the fields:

  1. Upload avatar: select a local image file to upload as the user avatar (optional).

  2. Name: type a username. It is case sensitive.

    The username is matched to users in code commits.

  3. Email: type the email address.

    The LDAP settings decide whether the username or the email is used at MAIA login (also for local authentication when LDAP is present).

  4. Inactivity timeout: type the number of seconds of inactivity before the session times out (optional).

  5. Local environment: select the local (private) host of the user (optional).

  6. Default component tab: select the tab that opens first when the user navigates to a component page (optional).

  7. Local auth: select to enable local authentication (optional).

    With local auth and no LDAP present, the default login identifier is the email address.

  8. Password (local auth only): type the password.

  9. Password confirmation: type the same password again.

  10. Click Save.