I find this material misleading and incomplete. The title infers the ability to discover and retrieve vulnerability information. However, the text of this draft makes clear that retrieval is not supported, ref Page 2:

"This memo does not specify how vulnerability information may be retrieved directly from the endpoint. That's because vulnerability information changes occur at different rates to software updates. However, some SBOM formats may also contain vulnerability information."

The draft makes no mention of the NIST Vulnerability Disclosure Report (VDR) that is used to inform consumers of the vulnerability status of a software product at the SBOM component level, ref: NIST SP 800-161 RA-5. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf

"Enterprises, where applicable and appropriate, may consider providing customers with a Vulnerability Disclosure Report (VDR) to demonstrate proper and complete vulnerability assessments for components listed in SBOMs. The VDR should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component or product. The VDR should also contain information on plans to address the CVE. Enterprises should consider publishing the VDR within a secure portal available to customers and signing the VDR with a trusted, verifiable, private key that includes a timestamp indicating the date and time of the VDR signature and associated VDR. Enterprises should also consider establishing a separate notification channel for customers in cases where vulnerabilities arise that are not disclosed in the VDR. Enterprises should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors. Departments and agencies should refer to Appendix F to implement this guidance in accordance with Executive Order 14028, Improving the Nation's Cybersecurity."

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
Never trust software, always verify and report!
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

-----Original Message-----
From: OPSAWG <[email protected]> On Behalf Of [email protected]
Sent: Wednesday, September 28, 2022 3:03 AM
To: [email protected]
Cc: [email protected]
Subject: [OPSAWG] I-D Action: draft-ietf-opsawg-sbom-access-10.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Operations and Management Area Working Group WG of the IETF.

Title : Discovering and Retrieving Software Transparency and Vulnerability Information
Authors : Eliot Lear
          Scott Rose
Filename : draft-ietf-opsawg-sbom-access-10.txt
Pages : 21
Date : 2022-09-28

Abstract:
To improve cybersecurity posture, automation is necessary to locate what software is running on a device, whether that software has known vulnerabilities, and what, if any, recommendations suppliers may have. This memo specifies a model to provide access to this information. It may optionally be discovered through manufacturer usage descriptions.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsawg-sbom-access/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-sbom-access-10

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-opsawg-sbom-access-10

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
