SPDX V 2.3 provides guidance with regard to vulnerability reporting for SBOMs.

A NIST Vulnerability Disclosure Report (VDR) is a single file that serves as an attestation showing the vulnerability status of each component listed in an SBOM. The SBOM contains a link to the "living" VDR, which can change over time.

https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k19-linking-to-an-sbom-vulnerability-report-for-a-software-product-per-nist-executive-order-14028

Here is a real world example:

https://raw.githubusercontent.com/rjb4standards/REA-Products/master/SBOMVDR_JSON/VDR_118.json

SPDX also supports the listing of individual vulnerabilities which may affect a product, which is a set of entries pointing to Security Advisories:

https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k12-linking-to-a-csaf

Here is a real world example:

https://search.abb.com/library/Download.aspx?DocumentID=8DBD000150-CSAF&LanguageCode=en&DocumentPartId=&Action=Launch

I recommend referring to the SPDX V2.3 spec Appendix K as a method to communicate the relationship between SBOMs and vulnerability reporting.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

-----Original Message-----
From: OPSAWG <[email protected]> On Behalf Of Eliot Lear
Sent: Friday, April 28, 2023 6:44 AM
To: [email protected]
Subject: [OPSAWG] draft-ietf-opsawg-sbom-access

During the IESG evaluation, I received a query from the AD about using leaf-lists instead of leafs for SBOM and vulnerability data. Before we publish this document, I think it's probably worth reviewing those nodes.

Right now, everything is a leaf. For SBOMs at least, to me this makes sense, since the SBOM should be a description of the system to which the schema refers. Having multiple descriptions introduces the need for potential conflict resolution between those descriptions, and complicates processing in a way that could cause interoperability problems.

For vulnerability information, I feel differently. It may be desirable to update the description by vulnerability, rather than to have one large file of vulnerabilities. It may also be undesirable, in that it means you have to get description updates when vulnerabilities are updated, rather than just updating one file. But I see no harm in allowing both methods.

Therefore, my suggestion is that we change vuln-url to be a leaf-list.

Are there any objections?

Eliot

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
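The two messages above describe two places a consumer can find vulnerability pointers for a product: SPDX 2.3 Appendix K external references on a package (SECURITY/url for a VDR, K.19; SECURITY/advisory for a CSAF document, K.12) and the vuln-url node of the MUD SBOM-access extension, which Eliot proposes to turn into a leaf-list. The Python below is an added example written for this page, not code from SPDX, the IETF draft or either author. It parses a constructed SPDX JSON fragment, normalizes vuln-url whether it is delivered as a single leaf or as a leaf-list (so a consumer copes with both encodings), rejects pointers that are not absolute https URLs (a "living" VDR is fetched at check time, so an unauthenticated transport would let its contents be swapped), and merges everything into one de-duplicated table. The JSON layout of the MUD transparency fragment and all URLs are assumptions constructed for the example.

```python
"""Gather vulnerability-report pointers for one product from an SPDX 2.3 SBOM
and from a MUD transparency fragment (added example; layouts are assumed)."""
import json
from urllib.parse import urlparse

# Constructed SPDX 2.3 JSON fragment, not a real product SBOM. The externalRefs
# follow Appendix K: SECURITY/url -> VDR (K.19), SECURITY/advisory -> CSAF (K.12).
SPDX_DOC = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "packages": [
    {
      "name": "widget-firmware",
      "SPDXID": "SPDXRef-widget",
      "externalRefs": [
        {"referenceCategory": "SECURITY", "referenceType": "url",
         "referenceLocator": "https://vendor.example/vdr/widget.json"},
        {"referenceCategory": "SECURITY", "referenceType": "advisory",
         "referenceLocator": "https://vendor.example/csaf/2023-0001.json"},
        {"referenceCategory": "SECURITY", "referenceType": "advisory",
         "referenceLocator": "http://vendor.example/csaf/legacy.json"},
        {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
         "referenceLocator": "cpe:2.3:a:vendor:widget:1.0:*:*:*:*:*:*:*"},
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:generic/widget-firmware@1.0"}
      ]
    }
  ]
}
""")

# Constructed MUD transparency fragments. The key layout is an assumption made
# for this example, not the normative schema of the draft.
MUD_LEAF = {"transparency": {"vuln-url": "https://vendor.example/vdr/widget.json"}}
MUD_LEAF_LIST = {"transparency": {"vuln-url": [
    "https://vendor.example/csaf/2023-0002.json",
    "https://vendor.example/csaf/2023-0003.json",
    "https://vendor.example/csaf/2023-0003.json",   # duplicate, on purpose
]}}


def spdx_security_refs(doc):
    """Return (package, referenceType, locator) for every SECURITY externalRef."""
    refs = []
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceCategory") == "SECURITY":
                refs.append((pkg["name"], ref["referenceType"], ref["referenceLocator"]))
    return refs


def vuln_urls(mud):
    """Normalize vuln-url to an ordered, de-duplicated list, accepting either a
    leaf (one string) or a leaf-list (list of strings); anything else is rejected."""
    value = mud.get("transparency", {}).get("vuln-url")
    if value is None:
        return []
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise ValueError("vuln-url must be a URI string or a list of URI strings")
    seen, ordered = set(), []
    for v in value:
        if v not in seen:
            seen.add(v)
            ordered.append(v)
    return ordered


def acceptable_pointer(url):
    """Only absolute https URLs are followed; the report is fetched later and its
    contents are trusted, so the transport must authenticate the origin."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def vulnerability_sources(spdx_doc, mud):
    """Merge both sources into {"sources": {locator: kind}, "rejected": [locator]}.
    kind is "vdr" (SPDX SECURITY/url), "advisory" (SPDX SECURITY/advisory) or
    "mud-vuln-url"; the first kind seen for a locator wins."""
    kinds = {"url": "vdr", "advisory": "advisory"}
    result = {"sources": {}, "rejected": []}

    def add(locator, kind):
        if not acceptable_pointer(locator):
            result["rejected"].append(locator)
        else:
            result["sources"].setdefault(locator, kind)

    for _pkg, rtype, locator in spdx_security_refs(spdx_doc):
        if rtype in kinds:                       # cpe/swid identifiers are not reports
            add(locator, kinds[rtype])
    for locator in vuln_urls(mud):
        add(locator, "mud-vuln-url")
    return result


if __name__ == "__main__":
    print(json.dumps(vulnerability_sources(SPDX_DOC, MUD_LEAF_LIST), indent=2))
```

Accepting both a string and a list in vuln_urls is what lets a consumer survive the change Eliot proposes (leaf to leaf-list) without a flag day, while the explicit type check keeps the relaxed parsing from silently accepting other shapes.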
