Hi Niclas: Thank you for your review.
On 20.12.21 02:16, Niclas Comstedt via Datatracker wrote:
- I realize the point about vulnerabilities info having a different change rate than software, but why not include support to retrieve vulnerabilities from the endpoint? Part of this question is driven by the fact that I find the document inconsistent and slightly confusing in the retrieval distinction.
The issue here is the nature of the information and who publishes it. The SBOM itself is intimately bound to what is on the device, and the SBOM cannot change unless the underlying software changes. So it may make sense in some circumstances for the device to offer the SBOM.
On the other hand, vulnerability information can be sourced by anyone, and may change without the software on the device changing. That is, “I, Joe Shmo, found a vulnerability in the ACME automated widget peeler”, or ACME could say that without the software on the device having changed. Also, I really don't know anyone who is going to implement vulnerability information on the device. If you do, I could be convinced to make a change.
- What is the reason for not having a well known endpoint for the vulnerability info? I can see that it sometimes is not as clear and useful as the SBOM, especially with the endpoint retrieval not supported, but wondering if there is more to it than that?
See above, but also some mechanisms are already defining .well-known ports. I think CSAF is one such, although I think they need more work. That effort is happening over in OASIS.
- In the security section, are firmware and software used somewhat interchangeably? Trying to understand if something specific is meant with the current wording that I'm not seeing. Also I'm not sure the skewing example makes sense. I would think it would be very common that a mfr updates the SBOM on its server, and hence you would often get this mismatch unless you query the device in question before applying anything to it.
Yes, this was confusing. I've removed the word firmware. It's not that this stuff COULDN'T be firmware. Firmware is just burnt software.
Thanks again for your review.

Eliot
_______________________________________________ OPSAWG mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsawg
