I agree with separating out the ACME case and making this into two blog posts.

Robert (Bob) Martin
Sr. Software and Supply Chain Assurance Principal Eng.
Cross Cutting Solutions and Innovation Dept
Cyber Solutions Innovation Center
MITRE Labs
MITRE Corporation
781-271-3001o
781-424-4095c
On 10/12/23 8:01 AM, Phil Odence via lists.spdx.org wrote:

It’s really good and goes right at the need to position SPDX for security and convince the world we know what we are doing in this domain.


I made a couple of comments. Take or leave.


It’s quite a long blog. I suggest breaking the ACME case study/example into a separate blog to post a week or so after the initial…keeping the ball rolling.


Take or leave that one too.


Phil


From: [email protected] <[email protected]> on behalf of Kate Stewart <[email protected]>
Date: Wednesday, October 11, 2023 at 6:18 PM
To: Gary O'Neall <[email protected]>
Cc: [email protected] <[email protected]>, Jeff Schutt (jefschut) <[email protected]>, Rose Judge <[email protected]>
Subject: Re: Next blog post for review - Capturing Vulnerability Data in SPDX 3.0


Blog looks very good and useful. +1 from me on publishing.


Sooner we get this sort of information out there, the better.


On Wed, Oct 11, 2023 at 3:27 PM Gary O'Neall <[email protected]> wrote:

Greetings Outreach Team,


The security profile team has written a blog post explaining some of the security features of 3.0. It is primarily targeted at the CISA community, who have a concern that SBOMs should not include vulnerability data since the data is updated at a different pace (e.g. SBOMs are fairly static while vulnerability information can change quickly).


Here’s the link: https://docs.google.com/document/d/1cLFTF1yLWy9kkRzNUC648-WshA6XslCE-cVc9o6Y-3Q/edit?usp=sharing


If everyone is OK with it, I can post the blog on the website after Monday.


Thanks,

Gary
