Re: [OPSAWG] I-D Action: draft-ietf-opsawg-sbom-access-10.txt

Wed, 28 Sep 2022 05:58:32 -0700 


On 28.09.22 14:14, Dick Brooks wrote:

See response inline DB>

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, 
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email:[email protected]
Tel: +1 978-696-1788

-----Original Message-----
From: Eliot Lear<[email protected]> Sent: Wednesday, September 28, 2022 8:03 AM 
To:[email protected];[email protected];[email protected]
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-sbom-access-10.txt

Hi Dick,

On 28.09.22 13:49, Dick Brooks wrote:

I find this material misleading and incomplete.

The title infers the ability to discover and retrieve vulnerability
information. However the text of this draft makes clear that retrieval
is not supported, ref Page 2:

    "This memo does not specify how vulnerability information may be
     retrieved directly from the endpoint.  That's because vulnerability
     information changes occur at different rates to software updates.
     However, some SBOM formats may also contain vulnerability
     information."

The information can be retrieved, but not from the endpoint. That's not 
misleading.

DB> I agree vulnerability information can be retrieved and some SBOM formats, 
i.e. SPDX Version 2.3 provide retrieval information for vulnerabilities associated 
with SBOM's:
https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k19-linking-to-an-sbom-vulnerability-report-for-a-software-product-per-nist-executive-order-14028 
The draft could be more accurate and complete by indicating that access to 
vulnerability information at the SBOM component level may be indicated in an 
SBOM.


It says precisely that:


    System vulnerabilities may similarly be described using several data
    formats, including the aforementioned CycloneDX, Common Vulnerability
    Reporting Framework [CVRF], the Common Security Advisory Format
    [CSAF].  This information is typically used to report to
    administrators the state of a system.


If SPDX 3.0 were out, I'd add that too.





The draft makes no mention of the NIST Vulnerability Disclosure Report (VDR)
that is used to inform consumers of the vulnerability status of a software
product at the SBOM component level, ref: NIST SP 800-161 RA-5.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf

A specification would be incomplete if the reference is necessary for
implementation.  How is this reference necessary for implementation?

DB> The NIST VDR is no different from other items you reference i.e. CDX VEX 
and CSAF. Also, parties in the US subject to Executive Order 14028 and OMB memo M 
22-18 may need to implement NIST recommendations for SBOM and vulnerability 
reporting. If this draft guidance is not intended for use by the US Government 
with regard to these mandates, then you may have a point.
Those formats are mentioned because they are directly relevant to implementation. 

Eliot

Attachment: OpenPGP_0x87B66B46D9D27A33.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg

Reply via email to