Hi Eliot, I agree, both approaches are in order to support current practice in this area linking SBOMs and vulnerabilities.
I wrote an article describing NIST's VDR: https://energycentral.com/c/pip/what-nist-sbom-vulnerability-disclosure-report-vdr

Here is an excerpt from the summary:

In summary, a NIST Vulnerability Disclosure Report (VDR) is an attestation by a software vendor showing that the vendor has checked each component of a software product SBOM for vulnerabilities and reports on the details of any vulnerabilities reported by a NIST NVD search. The VDR is a living document which the software vendor updates as needed when new vulnerabilities have been discovered and reported. A VDR is published whenever a software vendor issues a new or updated SBOM, including initial product release, making it available online, all the time, to all customers of the product described in the VDR. This gives software consumers the ability to answer the question "What is the vulnerability status of my software product from Vendor V, as of NOW?".

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

-----Original Message-----
From: Eliot Lear <[email protected]>
Sent: Friday, April 28, 2023 9:32 AM
To: [email protected]; [email protected]
Subject: Re: [OPSAWG] draft-ietf-opsawg-sbom-access

Hi Dick,

Thanks for your comments. Please see below.

On 28.04.23 15:13, Dick Brooks wrote:
> SPDX V 2.3 provides guidance with regard to vulnerability reporting for
> SBOMs.
>
> A NIST Vulnerability Disclosure Report (VDR) is a single file that serves as
> an attestation showing the vulnerability status of each component listed in
> an SBOM.

Sure. And that was the sort of model I had in mind, but I don't think it's the only one.

>
> SPDX also supports the listing of individual vulnerabilities which may affect
> a product, which is a set of entries pointing to Security Advisories:
> https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k12-linking-to-a-csaf
> Here is a real world example:
> https://search.abb.com/library/Download.aspx?DocumentID=8DBD000150-CSAF&LanguageCode=en&DocumentPartId=&Action=Launch

Ok, that does indeed argue for a leaf-list.

Eliot

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
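The two models the thread contrasts, a per-package list of advisory links (the SPDX 2.3 `ExternalRef: SECURITY advisory <url>` form that the K.12 "Linking to a CSAF" section describes) versus a single VDR that states the checked status of every component, can be read off the same SBOM. The following is an added example, not code from the thread or from any SPDX or NIST tooling: it parses a constructed SPDX 2.3 tag-value excerpt (package names, versions, CPEs and advisory URLs are placeholders) and produces both views. The status vocabulary (`affected`, `no-known-vulnerabilities`, `unchecked-no-identifier`) is an assumption of this example, since the thread does not fix a VDR schema; the third value exists because a component without any SECURITY identifier cannot be matched against an NVD search automatically and should not be silently counted as clean.

```python
"""Added example: derive an advisory leaf-list and a VDR-style status
table from a constructed SPDX 2.3 tag-value SBOM (not the thread's code)."""
import re

# Constructed SPDX 2.3 tag-value excerpt. Names, versions, CPEs and advisory
# URLs are placeholders and do not describe real products or vulnerabilities.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-product-sbom
Created: 2023-04-28T00:00:00Z

PackageName: libparse
SPDXID: SPDXRef-Package-libparse
PackageVersion: 1.4.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:example:libparse:1.4.2:*:*:*:*:*:*:*
ExternalRef: SECURITY advisory https://vendor.example/csaf/EXAMPLE-ADV-0001.json
ExternalRef: SECURITY advisory https://vendor.example/csaf/EXAMPLE-ADV-0002.json

PackageName: netcore
SPDXID: SPDXRef-Package-netcore
PackageVersion: 3.0.0
ExternalRef: SECURITY cpe23Type cpe:2.3:a:example:netcore:3.0.0:*:*:*:*:*:*:*

PackageName: uiwidgets
SPDXID: SPDXRef-Package-uiwidgets
PackageVersion: 0.9.1
"""

# SPDX 2.3 tag-value form: ExternalRef: <category> <type> <locator>
EXTERNAL_REF = re.compile(r"^ExternalRef:\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_packages(text):
    """Return one dict per package: name, version, spdxid, cpes, advisories."""
    packages = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("PackageName:"):
            current = {"name": line.split(":", 1)[1].strip(), "version": None,
                       "spdxid": None, "cpes": [], "advisories": []}
            packages.append(current)
        elif current is None:
            continue  # document-level fields before the first package
        elif line.startswith("PackageVersion:"):
            current["version"] = line.split(":", 1)[1].strip()
        elif line.startswith("SPDXID:"):
            current["spdxid"] = line.split(":", 1)[1].strip()
        else:
            m = EXTERNAL_REF.match(line)
            if m and m.group(1) == "SECURITY":
                ref_type, locator = m.group(2), m.group(3)
                if ref_type == "advisory":
                    current["advisories"].append(locator)
                elif ref_type in ("cpe22Type", "cpe23Type"):
                    current["cpes"].append(locator)
    return packages


def advisory_leaf_list(packages):
    """SPDX-style view: every advisory locator in document order, de-duplicated."""
    seen, out = set(), []
    for p in packages:
        for url in p["advisories"]:
            if url not in seen:
                seen.add(url)
                out.append(url)
    return out


def vdr_status(packages):
    """VDR-style view: one status entry per SBOM component (vocabulary assumed)."""
    report = []
    for p in packages:
        if p["advisories"]:
            status = "affected"
        elif p["cpes"]:
            status = "no-known-vulnerabilities"
        else:
            # No SECURITY identifier: an automated NVD/CPE lookup has nothing
            # to key on, so the component is reported as unchecked, not clean.
            status = "unchecked-no-identifier"
        report.append({"component": p["name"], "version": p["version"],
                       "status": status, "advisories": list(p["advisories"])})
    return report


if __name__ == "__main__":
    pkgs = parse_packages(SAMPLE_SBOM)
    print("Advisory leaf-list (SPDX external refs):")
    for url in advisory_leaf_list(pkgs):
        print("  ", url)
    print("VDR-style component status:")
    for e in vdr_status(pkgs):
        print(f"  {e['component']} {e['version']}: {e['status']}"
              f" ({len(e['advisories'])} advisories)")
```

The leaf-list answers "which advisories apply to this product" and is what the SPDX external references give directly; the VDR view answers the consumer's "as of now, what is the status of every component", which is why a package with neither an advisory nor a lookup identifier is surfaced explicitly rather than disappearing from the list.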
