Hi Dick, Thanks for your comments. Please see below.
On 28.04.23 15:13, Dick Brooks wrote:
> SPDX V 2.3 provides guidance with regard to vulnerability reporting for SBOMs. A NIST Vulnerability Disclosure Report (VDR) is a single file that serves as an attestation showing the vulnerability status of each component listed in an SBOM.
Sure. And that was the sort of model I had in mind, but I don't think it's the only one.
> SPDX also supports the listing of individual vulnerabilities which may affect a product, which is a set of entries pointing to Security Advisories: https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k12-linking-to-a-csaf
> Here is a real-world example: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000150-CSAF&LanguageCode=en&DocumentPartId=&Action=Launch
Ok, that does indeed argue for a leaf-list.

Eliot

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
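As an added illustration (not part of the thread, and not code from the SPDX project or the OPSAWG draft): the "set of entries pointing to Security Advisories" that Dick describes is, in SPDX 2.3 tag-value form, a list of `ExternalRef: SECURITY advisory <locator>` lines attached to a package, alongside the `cpe23Type` and `fix` reference types the same SECURITY category allows. The script below parses a constructed SPDX 2.3 fragment (hypothetical package names and `example.invalid` URLs) and collects those advisory pointers per package. It also reports packages that carry no advisory reference at all, because that absence only means "nothing linked", not "no known vulnerabilities"; that gap is exactly what the per-component status attestation in the VDR model is meant to close.

```python
import re

# Constructed SPDX 2.3 tag-value fragment. Package names, SPDXIDs and URLs
# are hypothetical; the ExternalRef syntax follows the SPDX 2.3 spec.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-firmware
DocumentNamespace: https://example.invalid/spdx/example-firmware

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 1.2.3
PackageDownloadLocation: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:example:libfoo:1.2.3:*:*:*:*:*:*:*
ExternalRef: SECURITY advisory https://example.invalid/csaf/2023/libfoo-001.json
ExternalRef: SECURITY advisory https://example.invalid/csaf/2023/libfoo-002.json
ExternalRef: SECURITY fix https://example.invalid/patches/libfoo-1.2.4.patch

PackageName: libbar
SPDXID: SPDXRef-Package-libbar
PackageVersion: 0.9
PackageDownloadLocation: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:generic/libbar@0.9
"""

# ExternalRef: <category> <type> <locator>; locators never contain whitespace.
EXTERNAL_REF = re.compile(r"^ExternalRef:\s*(\S+)\s+(\S+)\s+(\S+)\s*$")


def security_refs(text, ref_type="advisory"):
    """Map each package SPDXID to its SECURITY ExternalRef locators of ref_type.

    Packages with no matching reference map to an empty list, so the caller
    can tell "no advisory linked" apart from "package not present".
    """
    refs = {}
    current = None          # SPDXID of the package whose section we are in
    pending_package = False  # saw PackageName, waiting for its SPDXID
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("PackageName:"):
            pending_package = True
            current = None
        elif line.startswith("SPDXID:") and pending_package:
            # The first SPDXID after PackageName identifies that package;
            # the document-level SPDXID (before any package) is skipped.
            current = line.split(":", 1)[1].strip()
            pending_package = False
            refs.setdefault(current, [])
        else:
            m = EXTERNAL_REF.match(line)
            if m and current is not None:
                category, rtype, locator = m.groups()
                if category == "SECURITY" and rtype == ref_type:
                    refs[current].append(locator)
    return refs


def packages_without_advisories(text):
    """SPDXIDs of packages that link no advisory: unknown status, not clean."""
    return [pkg for pkg, urls in security_refs(text).items() if not urls]


if __name__ == "__main__":
    for pkg, urls in security_refs(SAMPLE_SPDX).items():
        print(pkg, "->", urls or "(no advisory linked)")
    print("fixes:", security_refs(SAMPLE_SPDX, "fix"))
```

The parser is deliberately line-oriented: SPDX tag-value is one `Tag: value` pair per line, and a package section runs from `PackageName:` to the next `PackageName:`, so no full SPDX library is needed to pull out this one leaf-list. Consumers should treat an empty list as "status unknown" and go to the linked CSAF documents (or a VDR, if one is supplied) for the actual affected/not-affected verdict.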
