>
> >
> > > My proposal is to add into the draft an optional URL that indicates the
> > > CSAF object for This device, à la:
> >
> > >> container sbom { … leaf csaf-location { type inet:uri; } }
> >
> > So, would this be an alternative to an actual SBOM?
>
> Patrick can say more here, but one could easily imagine an extension of
> CycloneDX that would contain CSAF info, and if that is the case, you
> wouldn't include this separate element in the MUD extension.
>
We have support for external references to security advisory information in
the core spec. We aren't prescriptive about the format used, although we
recommend CSAF.
On Fri, May 28, 2021 at 7:36 AM Eliot Lear <[email protected]> wrote:
>
> On 27.05.21 05:33, Michael Richardson wrote:
> > Eliot Lear <[email protected]> wrote:
> > > For those of you who don’t know, Common Security Advisory Format (CSAF)
> > > is an evolution on Common Vulnerability Reporting Framework. Such an
> > > object could easily be delivered with an SBOM. It has a slightly
> > > different characteristic in terms of update frequency. CSAF changes
> >
> > It's not an SBOM, but it would be associated with a specific instance of an
> > SBOM, right?
>
> I think the relationship varies on format. They CAN be independent or
> related.
>
> >
> > > My proposal is to add into the draft an optional URL that indicates the
> > > CSAF object for This device, à la:
> >
> > >> container sbom { … leaf csaf-location { type inet:uri; } }
> >
> > So, would this be an alternative to an actual SBOM?
>
> Patrick can say more here, but one could easily imagine an extension of
> CycloneDX that would contain CSAF info, and if that is the case, you
> wouldn't include this separate element in the MUD extension.
>
> > Would the CSAF instead point to the SBOM indirectly?
> Yes.
> > Or would this be in addition to an SBOM?
> And yes. Depending on how the SBOM is constructed, and whether it's
> there at all.
>
>
> Clear as mud?
>
>
> _______________________________________________
> OPSAWG mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/opsawg
>
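As an added example, not code from this thread or from the CycloneDX project: a small Python check that walks a constructed CycloneDX JSON BOM, collects the "advisories" external references (the core-spec mechanism mentioned above for pointing at CSAF or other advisory data), and flags any that are not served over https. The BOM content, component names and URLs are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample CycloneDX 1.3 JSON BOM (not from the thread or from the
# CycloneDX project). An externalReference of type "advisories" is how the
# core spec points at security advisory data such as a CSAF document.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "version": 1,
    "metadata": {
        "component": {
            "type": "device",
            "name": "example-sensor",
            "version": "2.1.0",
            "externalReferences": [
                {"type": "advisories",
                 "url": "https://psirt.example.com/csaf/example-sensor.json"},
                {"type": "website", "url": "https://example.com/sensor"},
            ],
        }
    },
    "components": [
        {
            "type": "library",
            "name": "libfoo",
            "version": "1.4.2",
            "externalReferences": [
                {"type": "advisories",
                 "url": "http://advisories.example.org/libfoo/"},
            ],
        }
    ],
})


def advisory_references(bom_json):
    """Return (component name, url, https_ok) for each 'advisories' reference.

    Covers metadata.component and the top-level components list. https_ok is
    False when the advisory location is not https, since advisory data fetched
    over a channel that can be tampered with is not a trustworthy input to
    vulnerability management."""
    bom = json.loads(bom_json)
    components = []
    top = bom.get("metadata", {}).get("component")
    if top:
        components.append(top)
    components.extend(bom.get("components", []))
    results = []
    for comp in components:
        for ref in comp.get("externalReferences", []):
            if ref.get("type") != "advisories":
                continue
            url = ref.get("url", "")
            results.append((comp.get("name"), url, urlparse(url).scheme == "https"))
    return results
```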