Hi Dick,

On 28.09.22 13:49, Dick Brooks wrote:
> I find this material misleading and incomplete.
>
> The title infers the ability to discover and retrieve vulnerability
> information. However, the text of this draft makes clear that retrieval is
> not supported, ref Page 2:
>
>    "This memo does not specify how vulnerability information may be
>     retrieved directly from the endpoint.  That's because vulnerability
>     information changes occur at different rates to software updates.
>     However, some SBOM formats may also contain vulnerability
>     information."

The information can be retrieved, but not from the endpoint. That's not misleading.
> The draft makes no mention of the NIST Vulnerability Disclosure Report (VDR)
> that is used to inform consumers of the vulnerability status of a software
> product at the SBOM component level, ref: NIST SP 800-161 RA-5.
> https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf

A specification would be incomplete if the reference is necessary for implementation.  How is this reference necessary for implementation?

Eliot

_______________________________________________
OPSAWG mailing list
https://www.ietf.org/mailman/listinfo/opsawg