During the IESG evaluation, I received a query from the AD about using
leaf-lists instead of leafs for SBOM and vulnerability data. Before we
publish this document, I think it's probably worth reviewing those nodes.
Right now, everything is a leaf. For SBOMs at least, to me this makes
sense, since the SBOM should be a description of the system to which the
schema refers. Having multiple descriptions introduces the need for
potential conflict resolution between those descriptions, and
complicates processing in a way that could cause interoperability problems.

For vulnerability information, I feel differently. It may be desirable
to update the description by vulnerability, rather than to have one
large file of vulnerabilities. It may also be undesirable, in that it
means you have to get description updates when vulnerabilities are
updated, rather than just updating one file. But I see no harm in
allowing both methods.

Therefore, my suggestion is that we change vuln-url to be a leaf-list.
Are there any objections?
Eliot
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
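The leaf versus leaf-list question above shows up concretely in how a MUD file consumer reads the JSON encoding of the YANG data: a leaf arrives as a single JSON scalar and a leaf-list as a JSON array (RFC 7951). The following Python is an added illustration, not code from the thread or from the draft's YANG module. It keeps sbom-url as a single leaf (rejecting a file that carries several SBOM descriptions, the conflict-resolution concern raised above) while accepting vuln-url in either shape, so a consumer keeps working across the proposed change. Only the node name vuln-url and the idea of an sbom-url pointer come from the discussion; the container name, the sample URLs and the https-only policy are assumptions constructed for the example.

```python
"""Added example (not from the OPSAWG thread or the draft's YANG module).

Shows how the JSON encoding of YANG instance data (RFC 7951) differs
between a ``leaf`` (one JSON scalar) and a ``leaf-list`` (a JSON array),
and how a MUD transparency consumer can read vuln-url in either shape
while keeping sbom-url strictly single-valued.  The container name and the
URLs are assumptions chosen for illustration; only the node name
``vuln-url`` comes from the discussion.
"""
import json
from typing import List, Optional
from urllib.parse import urlsplit

CONTAINER = "example-mud-sbom:transparency"  # assumed container name

# Constructed sample: vuln-url modelled as a YANG leaf -> one JSON string.
LEAF_INSTANCE = json.dumps({
    CONTAINER: {
        "sbom-url": "https://vendor.example/sbom/device.spdx.json",
        "vuln-url": "https://vendor.example/csaf/device.json",
    }
})

# Constructed sample: vuln-url modelled as a YANG leaf-list -> JSON array,
# one entry per vulnerability document, as the message proposes.
LEAF_LIST_INSTANCE = json.dumps({
    CONTAINER: {
        "sbom-url": "https://vendor.example/sbom/device.spdx.json",
        "vuln-url": [
            "https://vendor.example/csaf/device.json",
            "https://vendor.example/csaf/device.json",   # duplicate entry
            "https://psirt.example/vex/device-2023.json",
            "http://vendor.example/csaf/old.json",       # not https
        ],
    }
})


def _acceptable(url: str) -> bool:
    """Consumer-side policy (an assumption of this example, not something
    the data model enforces): absolute https URL with a host part."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def vuln_urls(instance_json: str) -> List[str]:
    """Return the vulnerability-document URLs from a transparency instance.

    A leaf is encoded as a scalar and a leaf-list as an array, so a
    consumer written while the model moves from one to the other has to
    accept both.  Exact duplicates are dropped (repeating a URL adds no
    information) and values failing the policy check are skipped.
    """
    doc = json.loads(instance_json)
    node = doc.get(CONTAINER, {}).get("vuln-url")
    if node is None:
        return []
    values = node if isinstance(node, list) else [node]
    seen, out = set(), []
    for value in values:
        if not isinstance(value, str) or not _acceptable(value):
            continue
        if value not in seen:
            seen.add(value)
            out.append(value)
    return out


def sbom_url(instance_json: str) -> Optional[str]:
    """The SBOM pointer stays a single leaf.  An array here would mean
    several descriptions of the same system, which the consumer would then
    have to reconcile, so it is rejected rather than silently merged."""
    doc = json.loads(instance_json)
    node = doc.get(CONTAINER, {}).get("sbom-url")
    if isinstance(node, list):
        raise ValueError("sbom-url must be a single leaf, not a leaf-list")
    if isinstance(node, str) and _acceptable(node):
        return node
    return None


if __name__ == "__main__":
    print("leaf form:     ", vuln_urls(LEAF_INSTANCE))
    print("leaf-list form:", vuln_urls(LEAF_LIST_INSTANCE))
    print("sbom-url:      ", sbom_url(LEAF_LIST_INSTANCE))
```

The asymmetry between the two accessors is the point of the example: for the SBOM pointer a second value is treated as an error because two descriptions of one system need conflict resolution, whereas for vulnerability pointers multiple values are simply the per-vulnerability update style the message argues should be allowed alongside a single consolidated file.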