Hi,

For those of you who don’t know, Common Security Advisory Format (CSAF) is an evolution on Common Vulnerability Reporting Framework. Such an object could easily be delivered with an SBOM. It has a slightly different characteristic in terms of update frequency. CSAF changes may happen independently of software updates, and generally would *not* be hosted on individual devices (at least, I don’t see the use case).
CSAF files indicate what products and versions are vulnerable (and what are not), and what if any remediations are available, not unlike a classic PSIRT advisory.
My proposal is to add into the draft an optional URL that indicates the CSAF object for this device, à la:
container sbom {
  …
  // Optional pointer to the CSAF advisory covering this device
  leaf csaf-location {
    type inet:uri;
    description "Location of CSAF file";
  }
}
I would add some descriptive text similar to the above as well. Does this raise any concerns?

Eliot
_______________________________________________ OPSAWG mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsawg
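As an added example (not part of this message or of the draft it discusses), the script below shows what a consumer on the network side might do with the proposed leaf: read sbom/csaf-location from a device's MUD-style JSON, then use the CSAF object that URL points to in order to decide whether the device's firmware version is affected, fixed, or not affected, and which remediations apply. The advisory and SBOM entry are constructed sample data embedded inline so the script runs offline; the URL and CVE id are placeholders; and the product tree is simplified to a flat full_product_names list (real CSAF advisories also use nested branches, which this example does not walk).

```python
"""Consume a CSAF advisory referenced from a device's sbom/csaf-location leaf.

Added example, not code from the original message or from the draft.
Assumes a MUD-style JSON object whose "sbom" container carries the proposed
"csaf-location" leaf, and a simplified CSAF 2.0-style advisory using a flat
product_tree.full_product_names list (constructed sample data below).
"""
import json
from typing import Dict, List, Optional

# Constructed sample of a device's SBOM entry carrying the proposed leaf.
# The URL is a placeholder; a real consumer would fetch the advisory from it.
DEVICE_SBOM = {
    "sbom": {
        "csaf-location": "https://vendor.example/csaf/example-device.json"
    }
}

# Constructed, trimmed CSAF 2.0-style advisory (placeholder CVE id, not a real one).
CSAF_ADVISORY = json.loads("""
{
  "document": {"category": "csaf_security_advisory", "title": "Example device advisory"},
  "product_tree": {
    "full_product_names": [
      {"product_id": "CSAFPID-0001", "name": "Example Device firmware 1.0"},
      {"product_id": "CSAFPID-0002", "name": "Example Device firmware 1.1"}
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-YYYY-NNNNN",
      "product_status": {
        "known_affected": ["CSAFPID-0001"],
        "fixed": ["CSAFPID-0002"]
      },
      "remediations": [
        {"category": "vendor_fix",
         "details": "Upgrade to firmware 1.1",
         "product_ids": ["CSAFPID-0001"]}
      ]
    }
  ]
}
""")

# product_status keys consulted, in priority order (a subset of those CSAF defines).
STATUS_KEYS = ("known_affected", "fixed", "known_not_affected", "under_investigation")


def csaf_location(device_sbom: dict) -> Optional[str]:
    """Return the advisory URL from the proposed sbom/csaf-location leaf, if present."""
    return device_sbom.get("sbom", {}).get("csaf-location")


def product_id_for(advisory: dict, product_name: str) -> Optional[str]:
    """Map a product name to its CSAF product_id (flat full_product_names only)."""
    for entry in advisory.get("product_tree", {}).get("full_product_names", []):
        if entry.get("name") == product_name:
            return entry.get("product_id")
    return None


def assess(advisory: dict, product_name: str) -> List[Dict[str, object]]:
    """For each vulnerability in the advisory, report this product's status
    and the remediations that name its product_id."""
    pid = product_id_for(advisory, product_name)
    if pid is None:
        raise ValueError(f"product not listed in advisory: {product_name}")
    findings = []
    for vuln in advisory.get("vulnerabilities", []):
        statuses = vuln.get("product_status", {})
        status = next((k for k in STATUS_KEYS if pid in statuses.get(k, [])), "not_listed")
        remedies = [
            r.get("details", "")
            for r in vuln.get("remediations", [])
            if pid in r.get("product_ids", [])
        ]
        findings.append({"cve": vuln.get("cve"), "status": status, "remediations": remedies})
    return findings


if __name__ == "__main__":
    print("advisory for this device would be fetched from:", csaf_location(DEVICE_SBOM))
    for name in ("Example Device firmware 1.0", "Example Device firmware 1.1"):
        for finding in assess(CSAF_ADVISORY, name):
            print(name, finding["cve"], finding["status"], finding["remediations"])
```

Because the leaf is just a URI, the consumer re-fetches the advisory on its own schedule rather than waiting for a device update, which is the point made above about CSAF changing independently of the software it describes; an unknown product name raises rather than silently reporting "not affected", since a status that cannot be looked up should not be read as a clean bill of health.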
