Eliot,

 

I’ve made my points, will leave it up to those with authority to decide where 
this goes. 

 

FYI: SPDX V 2.3 is out and it supports linking to NIST VDR info; I’m sure Jeff 
can tell you all about how difficult it was to get this work completed in SPDX 
V 2.3:

https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k19-linking-to-an-sbom-vulnerability-report-for-a-software-product-per-nist-executive-order-14028
 

 

I was surprised by Cisco’s objections to including the NIST VDR reference in 
SPDX V 2.3 and that same bias is on display in this draft document. 

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report! ™
<https://reliableenergyanalytics.com/products>

http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788

 

From: Eliot Lear <[email protected]> 
Sent: Wednesday, September 28, 2022 8:58 AM
To: [email protected]; [email protected]
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-sbom-access-10.txt

 

 

On 28.09.22 14:14, Dick Brooks wrote:

See response inline DB>
 
Thanks,
 
Dick Brooks
  
Active Member of the CISA Critical Manufacturing Sector, 
Sector Coordinating Council – A Public-Private Partnership
 
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788
 
-----Original Message-----
From: Eliot Lear <[email protected]>
Sent: Wednesday, September 28, 2022 8:03 AM
To: [email protected]; [email protected]; [email protected]
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-sbom-access-10.txt
 
Hi Dick,
 
On 28.09.22 13:49, Dick Brooks wrote:

I find this material misleading and incomplete.
 
The title infers the ability to discover and retrieve vulnerability 
information. However the text of this draft makes clear that retrieval 
is not supported, ref Page 2:
 
   "This memo does not specify how vulnerability information may be
    retrieved directly from the endpoint.  That's because vulnerability
    information changes occur at different rates to software updates.
    However, some SBOM formats may also contain vulnerability
    information."

 
The information can be retrieved, but not from the endpoint. That's not 
misleading.
 
DB> I agree vulnerability information can be retrieved and some SBOM formats, 
i.e. SPDX Version 2.3, provide retrieval information for vulnerabilities 
associated with SBOMs:
https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k19-linking-to-an-sbom-vulnerability-report-for-a-software-product-per-nist-executive-order-14028
 
 
The draft could be more accurate and complete by indicating that access to 
vulnerability information at the SBOM component level may be indicated in an 
SBOM.

It says precisely that:

   System vulnerabilities may similarly be described using several data
   formats, including the aforementioned CycloneDX, Common Vulnerability
   Reporting Framework [CVRF], the Common Security Advisory Format
   [CSAF].  This information is typically used to report to
   administrators the state of a system.

If SPDX 3.0 were out, I'd add that too.

 

 
 

 
The draft makes no mention of the NIST Vulnerability Disclosure Report (VDR)
that is used to inform consumers of the vulnerability status of a software
product at the SBOM component level, ref: NIST SP 800-161 RA-5.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf

 
A specification would be incomplete if the reference is necessary for 
implementation.  How is this reference necessary for implementation?
 
DB> The NIST VDR is no different from other items you reference i.e. CDX VEX 
and CSAF. Also, parties in the US subject to Executive Order 14028 and OMB memo 
M 22-18 may need to implement NIST recommendations for SBOM and vulnerability 
reporting. If this draft guidance is not intended for use by the US Government 
with regard to these mandates, then you may have a point. 

Those formats are mentioned because they are directly relevant to 
implementation.

Eliot

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
