Remko and Ralph,
I’m currently providing materials to NIST on updates to the draft C-SCRM
standard SP 800-161 R2 Appendix F
<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf>
to meet Cybersecurity Executive Order 14028
<https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity>.
The final version of SP 800-161 is expected to be published in early
February 2022 with implementations starting in late Summer 2022. One of the
requirements of EO 14028 is to provide the US Govt with NTIA compliant SBOMs
and vulnerability reports.
During discussions within the NTIA SBOM initiative the topic of
vulnerability reporting was discussed, but was considered out of scope for the
SBOM charter. The Vulnerability Exchange (VEX) initiative was discussed as a
possible vulnerability reporting solution and a VEX profile was added to the
OASIS CSAF initiative. The problem with VEX is that it reports vulnerabilities
at the product level, i.e. Log4j-core, but there is no direct correlation to
SBOMs that contain this component.
That’s when I began to work on an open-source SBOM Vulnerability Disclosure
Report (VDR) XML schema that lists CVEs at the component level of a product
SBOM. This will enable government entities to automate the processing of
Vulnerability Disclosure Reports based on SBOM component level vulnerabilities
in order to meet EO 14028 requirements.
The open source SBOM VDR XML schema and an example VDR report are available
online:
https://www.einpresswire.com/article/559309448/updated-open-source-sbom-vulnerability-disclosure-report-format-for-rapid-risk-assessment-and-response?ref=email&code=Kg7BjRgTJ3VzyWI6&utm_source=NewsletterPR&utm_medium=email&utm_campaign=All+Featured+Press+Releases&utm_content=article
NOTE: There is a possibility that NIST will choose another vulnerability
reporting format in the final release of SP 800-161 in 2/2022; however, the
SBOM VDR is currently the only open source option available that reports CVEs
at the SBOM component level, to my knowledge.
Thanks,
Dick Brooks
Never trust software, always verify and report! ™
<https://reliableenergyanalytics.com/products>
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788
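As an added illustration of the component-level correlation described above (this is not code from the SBOM VDR project; the XML element names, the sample CVE ids and the SBOM component list are constructed placeholders), the following joins an SBOM's component list to a VDR-style report so that each component's FixStatus can be checked automatically, and flags components the report does not cover at all:

```python
import xml.etree.ElementTree as ET

# Constructed VDR-style report. Element names (Component, Vulnerability,
# FixStatus, AnalysisFindings) and the CVE ids are illustrative placeholders.
VDR_XML = """<VulnerabilityDisclosureReport product="log4j-core" version="2.17.0">
  <Component name="log4j-core" version="2.17.0">
    <Vulnerability id="CVE-0000-0001">
      <FixStatus>Fixed</FixStatus>
      <AnalysisFindings>Resolved in this release (constructed sample).</AnalysisFindings>
    </Vulnerability>
    <Vulnerability id="CVE-0000-0002">
      <FixStatus>Under Investigation</FixStatus>
      <AnalysisFindings>Analysis pending (constructed sample).</AnalysisFindings>
    </Vulnerability>
  </Component>
  <Component name="log4j-api" version="2.17.0"/>
</VulnerabilityDisclosureReport>"""

# Constructed stand-in for the component list of an SPDX SBOM.
SBOM_COMPONENTS = [
    {"name": "log4j-core", "version": "2.17.0"},
    {"name": "log4j-api", "version": "2.17.0"},
    {"name": "other-lib", "version": "1.0.0"},
]

def parse_vdr(xml_text):
    """Map (name, version) -> list of {id, fix_status, findings} from a VDR document."""
    report = {}
    for comp in ET.fromstring(xml_text).findall("Component"):
        report[(comp.get("name"), comp.get("version"))] = [
            {"id": v.get("id"),
             "fix_status": (v.findtext("FixStatus") or "").strip(),
             "findings": (v.findtext("AnalysisFindings") or "").strip()}
            for v in comp.findall("Vulnerability")
        ]
    return report

def correlate(sbom_components, vdr):
    """Join each SBOM component to its VDR entry: OPEN if any CVE is not Fixed,
    CLEAR if all are Fixed, NOT_IN_VDR if the report never covers the component."""
    results = []
    for c in sbom_components:
        key = (c["name"], c["version"])
        if key not in vdr:  # absence is a gap in the report, not a clean bill
            results.append({"component": key, "status": "NOT_IN_VDR", "open": []})
            continue
        open_cves = [v["id"] for v in vdr[key] if v["fix_status"].lower() != "fixed"]
        status = "OPEN" if open_cves else "CLEAR"
        results.append({"component": key, "status": status, "open": open_cves})
    return results
```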
From: Remko Popma <[email protected]>
Sent: Thursday, December 30, 2021 5:46 PM
To: Apache Logging Developers List <[email protected]>; Dick Brooks
<[email protected]>
Subject: Re: Forwarding email per Matt Sicker suggestion
On Tue, Dec 21, 2021 at 2:41 AM Ralph Goers <[email protected]> wrote:
Thanks Dick,
I am totally unfamiliar with this. Is there somewhere to read about what this
is all about?
Ralph
Resending, including Dick in the recipients.
> On Dec 20, 2021, at 7:18 AM, Dick Brooks <[email protected]> wrote:
>
> Hello,
>
> This sort of suggestion would be better sent to our development mailing list
> ([email protected]). I’ll note that we use Apache Maven for our build
> system, and a quick search shows that
> <https://github.com/CycloneDX/cyclonedx-maven-plugin> might be a useful
> plugin to propose for generating the SBOM as part of our standard release
> process. I do think it’s a good idea, but this topic should be discussed in
> our public list and not on the private list.
> --
> Matt Sicker
>
>
> On Dec 19, 2021, at 12:48, Dick Brooks <[email protected]> wrote:
>
> I’ve created an SPDX SBOM for Log4j V 2.17.0-core along with a companion
> baseline vulnerability disclosure report (VDR), based on NIST NVD search
> results:
> https://github.com/rjb4standards/REA-Products/tree/master/Log4jUseCase
>
> Please read the README.md first to understand the limitations of this info.
>
> I encourage the Log4j team to consider updating the FixStatus and
> AnalysisFindings elements for each reported CVE. I’m happy to assist in this
> effort.
>
> Thanks,
>
> Dick Brooks
> Never trust software, always verify and report! ™
> <https://reliableenergyanalytics.com/products>
> http://www.reliableenergyanalytics.com
> Email: [email protected]
> Tel: +1 978-696-1788