Merge pull request #102 from ortelius/dev

Added OSV.dev integrations

Author: TracyRagan

content/en/guides/userguide/integrations/CI-CD_Integrations.md

@@ -1,7 +1,7 @@
 ---
-title: "Using Ortelius with CI/CD"
-linkTitle: "Using Ortelius with CI/CD"
-weight: 49
+title: "CI/CD Support"
+linkTitle: "CI/CD Support "
+weight: 300
 description: >
   Integrating Ortelius into your CI/CD process.
 ---

content/en/guides/userguide/integrations/CircleCI.md

@@ -1,7 +1,7 @@
 ---
 title: "CircleCI Deployment Orb"
 linkTitle: "CircleCI Deployment Orb"
-weight: 58
+weight: 301
 description: >
   Using the CircleCI Orb with Ortelius.
 ---
@@ -20,7 +20,7 @@ The Ortelius CircleCI Orb calls Ortelius to perform:
 | **microservice_version_update_job** |  Automatically increments the version number of a microservice and the application prior to deployment.  Tracks dependency relationships between microservices and applications to create dependency maps.|
 | **deploy_job**| Deploys an application version to a specified environment. CircleCI will pass the application version name and environment to Ortelius.|
 | **envscript_job**| Generates a script that captures additional information from CircleCI, Git and Environment TOML file.  This script is used in subsequent steps for adding additional information to Ortelius. |
-| **approve_job** | Supported for DeployHub Pro users. Allows CircleCI to call Ortelius' approval process to approve an application version to be moved to the next stage of the pipeline.  The approval occurs as the UserID is passed from CircleCI to Ortelius. Depending on your Ortelius configuration, you may need to call the ApproveJob. This would happen if an approval gate is defined in Ortelius.  CircleCI will pass the application version and the 'Move' task to Ortelius.|
+
 
 You do not need to use the 'approve_job 'or 'move_job' functions. The use of these jobs is determined by how you define your CircleCI pipeline.  If you are using Approvals in CircleC, the approve_job records the approval information as part of the microservice deployment meta.  A 'Move' process tracks where the microservice and application versions are in the pipeline.  You would generally perform a 'Move' and then a 'Deploy.'  Using the microservice_version_update_job is recommended before the deploy_job.  This allows Ortelius to perform your versioning, configuration management, dependency mapping and comparisons.  The deploy_job calls on Ortelius' back in release engine to move the objects to endpoints (clusters for example.)
 

content/en/guides/userguide/integrations/Intro to Deployment Integrations.md

@@ -1,7 +1,7 @@
 ---
-title: "Ortelius Deployment Integrations"
-linkTitle: "Ortelius Deployment Integrations"
-weight: 49
+title: "Deployment Integrations"
+linkTitle: "Deployment Integrations"
+weight: 305
 description: >
   Integrating Ortelius with your Deployment Solution.
 ---

content/en/guides/userguide/integrations/OSVDev.md

@@ -0,0 +1,23 @@
+---
+title: "OSV.Dev CVE Integration"
+linkTitle: "OSV.Dev CVE Integration"
+weight: 315 
+description: >
+  Cross Referencing Packages with CVE Database
+---
+
+## OSV
+
+Ortelius uses [OSV.dev](https://osv.dev/) to cross reference packages for gathering CVE data. Every 30 minutes Ortelius performs an OSV.dev look up for every package listed in every SBOM to determine if any vulnerabilities exist. The look-up is performed using the OSV public facing APIs. SBOM generation is required to perform this scan.
+
+The CVE results are displayed at two levels, the _Component Version_ and the _Application Version_. If you have included SBOM scanning as part of your DevOps pipeline, you will pass the name of the SBOM to Ortelius using the [Ortelius CLI](/guides/userguide/integrations/ci-cd_integrations/). Ortelius supports SPDX and CycloneDX SBOM formats. If you have not added SBOM's as part of your DevOps Pipeline, you can include it through the Ortelius CLI process. The Ortelius CLI uses [Syft](/guides/userguide/integrations/spdx-cyclonedx-syft/) to generate the SBOM.
+
+> Note: Ortelius must have access to OSV.Dev in order to continuously gather the CVE data. 
+
+### Viewing Component CVE Data
+
+CVE data is associated to a particular _Component Version_ and can be seen by going to the Component Detail View. Ortelius gathers the CVE information every 30 minutes for all Components. For this reason it is possible for new CVEs to appear. If a new CVE is found by OSV.dev, Ortelius automatically updates your Component's CVEs. 
+
+### Viewing Application Level CVE Data
+
+Ortelius aggregates lower-level _Component_ data up to all consuming applications. When you view the CVEs at the _Application Version_ level, you are seeing a combination of all CVEs aggregated from the _Components_ which your _Application_ depends. Your _Applications_ CVE data can change over time based on the changes at the _Component Version_ level. 

content/en/guides/userguide/integrations/OpenMake Meister.md

@@ -1,7 +1,7 @@
 ---
 title: "OpenMake Meister Binary Repository"
 linkTitle: "OpenMake Meister"
-weight: 71
+weight: 320
 description: >
   Referencing binaries from the OpenMake Meister Build System.
 ---

content/en/guides/userguide/integrations/SBOM Support.md

@@ -1,7 +1,7 @@
 ---
-title: "Passing Your SBOMs to Ortelius"
-linkTitle: "Passing Your SBOMs to Ortelius"
-weight: 71
+title: "SBOMs and Ortelius"
+linkTitle: "SBOMs and Ortelius"
+weight: 307
 description: >
   Passing Your SBOMs to Ortelius
 ---

content/en/guides/userguide/integrations/SPDX-CycloneDX-Syft.md

@@ -0,0 +1,49 @@
+---
+title: "SPDX, CycloneDX and Syft"
+linkTitle: "SPDX, CycloneDX and Syft"
+weight: 310
+description: >
+  Collecting SBOM data with SPDX, CycloneDX and Syft.
+---
+
+Ortelius can consume any SPDX and CycloneDX formatted SBOM. If you are already generating SBOMs, you will pass the name of the SBOM results to Ortelius as shown below. If you are not generating SBOMs as part of your pipeline process, you will need to add SBOM generation to collect the lower dependency data. Following is how to add Syft to your workflow to include the collection of SBOM data. 
+
+## Adding Syft to your Pipeline Automation
+
+[Syft SBOM tool](https://github.com/anchore/syft) will generate Software Bill of Material Reports for popular coding languages and package managers, including Docker images. 
+
+The following code example scans a Docker Image to generate the SBOM.  See [Syft Options](https://github.com/anchore/syft#supported-sources) to scan other objects and coding languages.
+
+```bash
+# install Syft
+curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b $PWD
+
+# create the SBOM
+./syft packages $DOCKERREPO:$IMAGE_TAG --scope all-layers -o cyclonedx-json > cyclonedx.json
+
+# display the SBOM
+cat cyclonedx.json
+```
+
+## Passing the Name of the SBOM Results
+
+>Note: To complete the process you will need to install the Ortelius CLI where your CI/CD server is running. Refer to the [Ortelius GitHub CLI Documentation](https://github.com/Ortelius/cli/blob/main/doc/dh.md) for installation instructions. 
+
+Execute the following calls to the Ortelius CLI as part of your workflow. It should be called after the build and SBOM generation:
+
+With CycloneDX SBOM
+
+```bash
+dh updatecomp --rsp component.toml --deppkg "cyclonedx@name of your SBOM file"
+
+Example:
+dh updatecomp --rsp component.toml --deppkg "cyclonedx@cyclonedx.json"
+```
+With SPDX SBOM
+
+```bash
+dh updatecomp --rsp component.toml --deppkg "spdx@name of your SBOM file. "
+
+Example:
+dh updatecomp --rsp component.toml --deppkg "spdx@spdx.json"
+```