Signed-off-by: tracyragan <[email protected]>
TracyRagan committed May 10, 2024
1 parent 4cb785d commit a7fd12f
Showing 35 changed files with 269 additions and 102 deletions.
7 changes: 7 additions & 0 deletions content/en/guides/_index.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
title: "Ortelius User Guides"
linkTitle: "Ortelius User Guides"
weight: 1
description: >
Guides for both Contributing and Adopting Ortleius
---
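Review bot: "Ortleius" in the description line of the new front matter is a typo for "Ortelius"; suggest `Guides for both Contributing and Adopting Ortelius`.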
6 changes: 4 additions & 2 deletions content/en/guides/contributorguide/Getting Started/welcome.md
Expand Up @@ -9,15 +9,17 @@ description: >

## Welcome to the Ortelius Project

Have you ever wanted to contribute to the coolest cloud technology? Well here is your chance. The Ortelius Open Source Project's mission is to simplify the adoption of modern architecture through a world-class microservice management platform driven by a supportive and diverse global open source community. Watch this video on how to get started.
Have you ever wanted to contribute to the coolest cloud technology? Well here is your chance. The Ortelius Open Source Project's mission is fortify the software supply chain through a world class Continuous Security Intelligence solution, driven by a supportive and diverse global open source community. Watch this video on how to get started.

<div style="width:30%">
{{< youtube Y4kR6ipipxA >}}
</div>

### What is Ortelius?

Ortelius is a microservice catalog that centralizes everything you need to know about a microservice including: ownership, vulnerabilities, versions, dependency relationships, consuming applications and versions. Ortelius visualizes ‘logical’ application versions in a microservice architecture providing a clear view of the microservice supply chain and their consumers.
The Ortelius Continuous Security Intelligence solution is an open-source project focused on surveilling the DevOps pipeline collecting clues and forensics about the software you deliver to end users from Software Bills of Materials (SBOM) to deployment metadata.

The mission of the Ortelius community is to expose weak links in the software supply chain by continuously gathering and analyzing software supply chain intelligence introduced across the DevOps pipeline. Generating security insights like SBOMs is not enough to harden your software supply chain. Consumption and analysis of the data is needed to rapidly respond to supply chain threats.

Ortelius is managed by the [Continuous Delivery Foundation](https://cd.foundation) a specialty foundation under the Linux Foundation.

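Review bot: the rewritten mission sentence drops the infinitive: "mission is fortify the software supply chain" should read "mission is to fortify the software supply chain", and "world class" was hyphenated ("world-class") in the line it replaces; suggest keeping the hyphen. In the new "What is Ortelius?" paragraph, "from Software Bills of Materials (SBOM)" pairs a plural noun with a singular abbreviation; "(SBOMs)" would match.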
2 changes: 1 addition & 1 deletion content/en/guides/contributorguide/_index.md
@@ -1,7 +1,7 @@
---
title: "Ortelius Contributor Guide"
linkTitle: "Ortelius Contributor Guide"
weight: 2
weight: 1
description: >
Guide for how to contribute to the Ortelius open source project
---
12 changes: 6 additions & 6 deletions content/en/guides/userguide/First Steps/2 Defining Domains.md
@@ -1,7 +1,7 @@
---
title: "Building Your Domain Catalog"
linkTitle: "Building your Domain Catalog"
weight: 3
weight: 6
description: >
How to Create and Manage _Domains_
---
Expand All @@ -14,9 +14,9 @@ For this reason, it may be helpful to review how you might want to organize your

### Domains and your Domain Driven Design

A Domain-Driven Design (DDD) is often used when moving from a traditional development model to a cloud-native, decoupled model. With microservices, it is often recommended that a structured method for organizing microservices into "solution" spaces be completed to facilitate reuse across siloed teams. Ortelius _Domains_ provides this organization.
A Domain-Driven Design (DDD) is often used when moving from a traditional development model to a cloud-native, decoupled model. With decoupled architecture, it is recommended that a structured method for organizing shared services into "solution" spaces be completed to facilitate reuse across teams. Ortelius _Domains_ provides this organization.

_Domains_ publish microservices and other reusable objects (web components, DB updates, etc.) making it easier to share _Components_ across siloed teams. Domains can be structured to closely resemble the patterns of your organization. They can represent functional areas such as 'security services' or departments, teams, geographical locations and software projects.
_Domains_ publish _Components_ (microservices, artifacts, web components, DB updates, etc.) making it easier to share _Components_ across teams. Domains can be structured to closely resemble the patterns of your organization. They can represent functional areas such as 'security services' or departments, teams, geographical locations and software projects.

### Top Down Structure

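Review bot: in the rewritten DDD paragraph, "it is recommended that a structured method for organizing shared services into "solution" spaces be completed" is hard to parse; suggest "it is recommended that shared services be organized into "solution" spaces to facilitate reuse across teams". Also, "Ortelius _Domains_ provides this organization" keeps the singular verb from the old line with a plural subject; "provide" would agree.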
Expand All @@ -29,9 +29,9 @@ There are four common ways to implement _Domains_:
| **Purpose** | Description |
|---| --- |
| **Site _Domain_** | This is the highest-level and default _Domain_. Your default Site _Domain_ name is 'Global.' You can rename your Site _Domain_ if needed. Anything defined to this level can be shared across all lower level _Subdomains_. For example, _Environments_ and _Tasks_ defined to the Site _Domain_ are shared by all child _Subdomains_.|
|**Catalog _Subdomains_**| These _Domains_ are used to organize reusable _Components_, such as microservices. At this level, you create as many _Subdomains_ as needed to represent your _Component_ organization based on the "solution space" they serve. For example, you could build your Catalog as follows: <li> Security Services</li><li>Purchase Processing</li><li>Data Access<li>Ad Services</li> A Catalog _Domain_ does not contain Life Cycle _Domains_.
|**Catalog _Subdomains_**| These _Domains_ are used to organize reusable _Components_. At this level, you create as many _Subdomains_ as needed to represent your _Component_ organization based on the "solution space" they serve. For example, you could build your Catalog as follows: <li> Security Services</li><li>Purchase Processing</li><li>Data Access<li>Ad Services</li> A Catalog _Domain_ does not contain Life Cycle _Domains_.
|**Project _Subdomains_**| Use a _Subdomain_ to represent your software _Application_ and its Life Cycle. A _Subdomain_ defined for an _Application_ may need a continuous delivery life cycle. This is defined by selecting "All _Subdomains_ are Life Cycles." This means that any _Subdomains_ cannot include any additional _Subdomains_ and will be used to represent stages of the _Pipeline_ with specific _Environments_ assigned. |
|**Life Cycle _Subdomains_**| This is the lowest level of _Subdomain_. It is available when the parent _Domain_ has "All _Subdomains_ are Life Cycles" selected. These _Subdomains_ map to each stage in your continuous delivery pipeline. They often have specific _Environments_ and _Tasks_ assigned for interaction with your continuous delivery orchestration engine. Ortelius can be called by your continuous delivery Engine (Jenkins, Jenkins X, CircleCI, Google CloudBuild, GitLab or GitHub Actions, etc.) to perform the continuous configuration management of your microservices and _Applications_ across all lifecyle states. In addition, you can assign Move, Approve and Request Tasks to your Life Cycle _Subdomain_ to define a continuous delivery pipeline process within Ortelius that can interact with your pipeline process. |
|**Life Cycle _Subdomains_**| This is the lowest level of _Subdomain_. It is available when the parent _Domain_ has "All _Subdomains_ are Life Cycles" selected. These _Subdomains_ map to each stage in your continuous delivery pipeline. They often have specific _Environments_ and _Tasks_ assigned for interaction with your continuous delivery orchestration engine. Ortelius can be called by your continuous delivery Engine (Jenkins, Jenkins X, CircleCI, Google CloudBuild, GitLab or GitHub Actions, etc.) to perform the continuous configuration management of your _Components_ and _Applications_ across all lifecycle states. In addition, you can assign Move, Approve and Request Tasks to your Life Cycle _Subdomain_ to define a continuous delivery pipeline process within Ortelius that can interact with your pipeline process. |

Below is an example of how an Online Store Company organized their _Domains_.

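Review bot: the Catalog _Subdomains_ row still carries unbalanced HTML: `<li> Security Services</li><li>Purchase Processing</li><li>Data Access<li>Ad Services</li>` leaves the "Data Access" item unclosed and none of the items sit inside a `<ul>`, and this row is the only one in the table without a closing `|`. Since the line is being touched anyway, suggest closing the item (`<li>Data Access</li>`), wrapping the items in `<ul>...</ul>` or switching to a comma-separated list, and adding the trailing pipe. The "lifecyle" to "lifecycle" fix in the Life Cycle row is good.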
Expand Down Expand Up @@ -60,7 +60,7 @@ When scrolling up or down the _Domain_ hierarchy using the Sunburst map, the det

#### Access Control

_Users_ within the designated _Groups_ of "User" or "Admin" can update the _Domain_ in various ways. To add a _Group_ to one of the access lists, drag and drop the _Group_ from the Available _Groups_ list onto the desired access list. All _Users_ who belong to a _Group_ in one of the Access lists will be granted access to the _Domain_. Access control for _Domains_ include:
There are two User Groups, _Users_ and "Admins" You can define high-level security to these _Domains_ for these two Groups.:

| Access | Description |
| --- | --- |
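Review bot: the replacement sentence under Access Control loses the procedure the removed line documented (dragging a _Group_ from Available _Groups_ onto an access list grants every member of that _Group_ access to the _Domain_), and the new line is malformed: there is no period after "Admins", it ends with ".:", and the two group names are styled differently (_Users_ vs "Admins", while the removed line says "User" and "Admin"). Suggest keeping the drag-and-drop instruction and ending with a single colon, e.g. `There are two User _Groups_, "User" and "Admin". ... Access control for _Domains_ includes:`.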
6 changes: 3 additions & 3 deletions content/en/guides/userguide/First Steps/2 Intro to Set Up.md
@@ -1,7 +1,7 @@
---
title: "Get Started by Adding Ortelius to Your Pipeline"
linkTitle: "Get Started by Adding Ortelius to Your Pipeline"
weight: 1
title: "Adding Ortelius to Your Pipeline"
linkTitle: "Adding Ortelius to Your Pipeline"
weight: 10
description: >
Get Started by Adding Ortelius to Your Pipeline
---
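Review bot: the title and linkTitle are shortened to "Adding Ortelius to Your Pipeline" but the description on the following line still reads "Get Started by Adding Ortelius to Your Pipeline"; suggest aligning it with the new title, or confirming the longer description is intended.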
2 changes: 1 addition & 1 deletion content/en/guides/userguide/First Steps/Basic Concepts.md
@@ -1,7 +1,7 @@
---
title: "Overview of Ortelius Objects and Concepts"
linkTitle: "Overview of Ortelius Objects and Concepts"
weight: 2
weight: 1
description: >
Understanding Core Objects and Concepts.
---
@@ -0,0 +1,218 @@
---
title: "Free SaaS Signup and Tutorial"
linkTitle: "Free SaaS Signup and Tutorial"
weight: 2
description: >
Signup and Learn How to Gather Continuous Security Intelligence
---
This tutorial uses the Ortelius project to walk you through the basic concepts of Continuous Security Intelligence. DeployHub Team is based on the [Ortelius](https://ortelius.io) Open-Source project, incubating at the [Continuous Delivery Foundation](https://cd.foundation). This free SaaS version of Ortelius is hosted by DeployHub, and is also referred to as DeployHub Team.

## Signing Up and Getting Started

When you [signup for DeployHub Team](https://www.deployhub.com/deployhub-team/), you are asked for basic information, your UserID/Password, Company and Project names. Your UserID/Password and Company name are unique. Your Project will be a _Subdomain_ under your Company _Domain_.

DeployHub Team is accessible through the following url:

[https://console.deployhub.com/dmadminweb/Home](https://console.deployhub.com/dmadminweb/Home)

Login using the UserID and Password you used when you signed up for DeployHub. Check your email for your login information.

Upon logging into DeployHub, you will be given an option to select your Company Name Domain, or the Open Source Domain. The Open Source Domain is prepopulated with data so you can take a tour. Select the Open Source Domain to start exploring.

![Sign into a Domain](/guides/userguide/images/domainsignin.jpg)

## Explore Domains

_Domains_ serve as the basic structure of organizing Continuous Security Intelligence. Developers use _Domains_ to catalog their _Components_ based on 'solution spaces.' Organizing your software supply chain in this way allows for _Components_ to be easily shared.

_Domains_ are not folders. They serve as a method for creating fully qualified names of Objects within DeployHub to keep things organized. _Domains_ also manage security and Tasks. When you assign security options and Tasks at the _Domain_ level, any child _Subdomain_ inherits the value. A child _Subdomain_ can override a parent _Domain_ value.

You can explore the _GLOBAL.open source_ Domain to learn how Continuous Security Intelligence is organized. In DeployHub terminology, the _GLOBAL.open source_ Domain has multiple _Subdomains_.

### Take a Tour of _Domains_:

1) From the left hand side menu, select _Domains_ to see the child _Subdomains_. You will see Linux Foundation, NPM, Golang, Maven as a few of the options. Click on Linux Foundation to expand the chart to view further _Subdomains_.

2) You will see the Linux Foundation includes the CDF and OpenSSF as _Subdomains_. Under the CDF, you will see the child _Subdomain_ Ortelius. Select Ortelius to see the _Subdomains_ associated to the Ortelius project. These _Subdomains_ represent different releases of Ortelius.

For More information on Domains see - [Building _Domains_](/userguide/first-steps/2-defining-domains/)

## Explore Components

_Components_ are artifacts, binaries, database SQL, files or any deployable artifact. _Components_ are assigned to _Applications_. This assignment allows for the aggregation of data from the _Components_ to the _Applications_ that consume them, providing unified Software Bill of Materials reports and Application Security Posture reports.

### Take a Tour of _Components_

<strong>1) View Components</strong>

From the left hand side menu, select "_Components_". Using the filter option, choose _GLOBAL.Open Source.Linux Foundation.CDF.Ortelius_ to view all of the _Components_ consumed by the Ortelius open source project.

![Ortelius Domain](/guides/userguide/images/OrteliusDomainSelection.jpg)

<p><br></p>

<strong>2) Component Lists </strong>

Notice that the first item in the list is _ms-compitem-crud;main_. "Main" indicates the base version of this _Component_. The subsequent items in the list shows the changes from the "Main" branch.

![Components](/guides/userguide/images/OrteliusComponentMain.jpg)

<p><br></p>

<strong> 3) Historical Comparisons</strong>

Generate a Comparison Report between two _Component_ versions. Checkmark any two versions and select the _Compare_ option from the list menu to see their differences.

![Compare Components](/guides/userguide/images/componentlist.jpg)

<p><br></p>

<strong> 4) Software Bill of Materials</strong>

View a _Component_ Software Bill of Materials (SBOM) Report. When your _Component_ build executes, Ortelius will generate an Software Bill of Material using the tool of your choice. DeployHub then cross references the known vulnerabilities to the packages. The report shows a timestamp to record the point in time the vulnerabilities were found. This is a static view of the known vulnerabilities at build time.

![Component SBOM](/guides/userguide/images/SBOM-component.jpg)

<p><br></p>

<strong> 5) Sorting Components</strong>

Sort Components by "Completed." "Completed" indicates the _Component_ has been deployed to end users. From the _Component_ list view, click on "Completed" to sort. Select a _Component_ in the completed list to view its Security Posture and current vulnerabilities. DeployHub provides updates to vulnerabilities every 30 minutes.

![CompletedComponents](/guides/userguide/images/completed.jpg)

<p><br></p>

<strong>6) Component Details</strong>

View the _Components_ details including the OpenSSF Scorecard Results, current known vulnerabilities, and Overall _Component_ Security Posture.

![Components Scorecard](/guides/userguide/images/componentOpenSSFSC.jpg)

<p><br></p>

![Components Swagger](/guides/userguide/images/readme-swagger.jpg)

<p><br></p>

![Components Vulnerabilities](/guides/userguide/images/newvulnerabilities.jpg)

<p><br></p>

<strong>7) Blast Radius </strong>

View the Blast Radius of a _Component_. The Blast Radius shows you what 'logical' applications are impacted by a vulnerability, anomaly, or update. From the _Component_ detail screen, scroll to the bottom to see the Dependency Map. You will see this map shows the versions of the Ortelius "logical" _Application_ that are using this version of the _Component_.


![Component Map](/guides/userguide/images/component-map.jpg)

<br>

For More information on Components see - [Publishing _Components_](/guides/userguide/publishing-components/)

## Explore Applications

An _Application_ is a collection of _Components_ that make up a complete software solution. DeployHub manages the Logical _Application_ aggregating _Component_ data up to the application-level.

### Take a Tour of _Applications_

<strong>1) Application Lists </strong>

From the left hand side menu, select "_Applications"_. If you have completed the above steps, you will still be in the _GLOBAL.Open Source.Linux Foundation.CDF.Ortelius_ Domain. Notice that the first item in the list is _ortelius_ without a assigned Version number. This indicates the main branch of the Ortelius _Application_. Select "Completed" from the list menu options to sort by all versions of Ortelius that have been released.

![Application List](/guides/userguide/images/app-list.jpg)

<p><br></p>

<strong> 2) Compare Versions </strong>

Generate a Comparison Report between two _Application_ versions. Checkmark any two versions and select the _Compare_ option from the list menu to see their differences.

![Compare Applications](/guides/userguide/images/app-compare-select.jpg)

<p><br></p>

Results:

![Compare Application Results](/guides/userguide/images/app-compare.jpg)

<p><br></p>

<strong>4) Aggregated Software Bill of Materials</strong>

View an aggregated _Application_ Software Bill of Material report. An _Application_ SBOM is a report that shows all of the _Application's_ _Component_ SBOM data, with duplicates removed. When a _Component_ is updated, DeployHub automatically creates a new version of all _Applications_ consuming the _Component_, with a new aggregated SBOM. DeployHub then cross references all of the _Application's_ _Components_ packages with the known vulnerabilities. The report shows a timestamp to record the point in time the vulnerabilities were found. This is a static view of the known vulnerabilities at build time for the _Application_ with SBOM details. If you are required to produce an SBOM for governance purposes, you can provide your consumers with access to the DeployHub platform allowing them to 'self serve' and track your _Application's_ security posture.

<p><br></p>

![Export SBOM](/guides/userguide/images/exportSBOM.jpg)

<p><br></p>

<strong>5) Application Details</strong>

View the _Application_ details including:
- List of _Components_ the _Application Consumes
- List of OS packages from the SBOM report
- List of current vulnerabilities

![Application details](/guides/userguide/images/application-detials.jpg)

<p><br></p>

<strong>6) Application Security Posture</strong>

View the _Applications_ overall security posture. This report shows the security activities that are associated with the DevSecOps pipeline.

![Compliance Run](/guides/userguide/images/run-compliance.jpg)

<p><br></p>

Results:

![Compliance Results](/guides/userguide/images/compliance-results.jpg)

<p><br></p>

Learn More at [Packaging _Applications_](/guides/userguide/packaging-applications/)


## Explore Open-Source Inventory

DeployHub allows you to search your entire inventory of _Components_ for open-source packages. Rapidly responding to vulnerabilities requires you know precisely where your exposure to the vulnerability is running, and what _Components_ need to remediated.

### Take a Tour of Open-Source Inventory

<strong> 1) Open Source Package Search</strong>

Search for Package using the "Package Search" menu option from the _Application_ list view.

![Package Search Menu](/guides/userguide/images/packagesearchmenu.jpg)

<p><br></p>

<strong> 2) Enter the Package Name</strong>

Enter the package you wish to search for such as "Spring."

![Package Search Menu](/guides/userguide/images/spring-search.jpg)

<p><br></p>

Results:

![Package Search Menu](/guides/userguide/images/spring-results.jpg)



## Conclusion

There are many other features of DeployHub that we did not get to cover on this short test drive. However, you should have the basic understanding of the major Objects and concepts needed to get you started. What we did not cover that you may want to view are:

[Environments and Endpoints](/userguide/first-steps/2-define-your-credentials/) - Environments and Endpoints can be used to:
- execute deployments using DeployHub's internal agentless deployment engine
- associate an artifact repo to your _Application_
- connect your external deployment tools, called from your CI/CD deployment step, to DeployHub.

Another important topic is integrating with your CD pipeline. See [Using DeployHub with CI/CD](/userguide/integrations/ci-cd_integrations/) on how you can include gathering all DevSecOps data.

We will leave you with how to setup DeployHub for your installation. See [First Steps](/userguide/first-steps/), for getting your setup completed. Once you have your setup complete you can start continuously gathering your software supply chains security intelligence.
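Review bot: several internal links in this new page omit the `/guides` prefix that the file's own location under `content/en/guides/userguide/` and its other links imply: `[Building _Domains_](/userguide/first-steps/2-defining-domains/)` and `[Environments and Endpoints](/userguide/first-steps/2-define-your-credentials/)`, plus the CI/CD and First Steps links in the Conclusion, whereas the Components and Applications links use `/guides/userguide/...`; please verify these resolve after the site builds. Other points to clean up before merge: the Applications tour numbers its steps 1, 2, 4, 5, 6 with no step 3; `"_Applications"_` puts the closing underscore outside the quotes; `_Application Consumes` in the details list never closes its underscore; three different screenshots in the Open-Source Inventory section share the alt text "Package Search Menu"; and the image path `application-detials.jpg` looks like a misspelling, so please check the file name. Grammar: "Login using" and "how to setup DeployHub" use noun forms where the verbs "Log in" and "set up" are meant, "an Software Bill of Material" should be "a Software Bill of Materials", "a assigned Version number" should be "an assigned", "The subsequent items in the list shows" should be "show", "the _Applications_ overall security posture" should be "_Application's_", and "what _Components_ need to remediated" is missing "be".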