Thanks, Gary.
REA has also been working on methods to correlate VEX artifacts to specific product SBOM's, with help from Thomas Schmidt in the CSAF universe. I see a path to correlating a VEX to a Product SBOM using the NTIA "unique identifier" SupplierName+ProductName+ProductVersion as both VEX and SBOM formats contain these elements, at the package/product level. Ideally a VEX would enumerate each SupplierName+ProductName+ProductVersion making it very easy to correlate with an SBOM Primary Component (the product level). At present, I do not see a means to correlate a specific component level object expressed in a File SPDX object with a VEX object, due to the lack of version information within the SPDX File data structure. I'm uncertain if this will become an issue going forward, but I think it would be prudent to add a FileVersion element to the File data structure to address this potential issue. I continue to believe that a software consumer would greatly benefit by having a software vendor provide an SBOM based Vulnerability Disclosure Report (VDR) showing vulnerability information for each listed component within an SBOM, that can be updated independent of the SBOM as a separate downloadable object. This allows newly discovered vulnerabilities to be reported for a product SBOM, without any change to an SBOM itself. Thanks, Dick Brooks Never trust software, always verify and report! <https://reliableenergyanalytics.com/products> T http://www.reliableenergyanalytics.com <http://www.reliableenergyanalytics.com/> Email: [email protected] <mailto:[email protected]> Tel: +1 978-696-1788 From: [email protected] <[email protected]> On Behalf Of Gary O'Neall Sent: Sunday, December 26, 2021 5:11 PM To: 'SPDX-list' <[email protected]> Subject: [spdx-tech] Proof of Concept: SPDX to Open Source Vulnerability Utility Greetings SPDX Community, I just finished a proof of concept utility which translates an SPDX document in any of the supported formats (JSON, YAML, RDF/XML, tag/value) into a JSON report produced by the Open Source Vulnerabilities service <https://osv.dev/> . The project home page is on Github at goneall/spdx-to-osv <https://github.com/goneall/spdx-to-osv> . The runtime can be downloaded from the release page <https://github.com/goneall/spdx-to-osv/releases> . If you are looking for an example file with some known vulnerabilities, you can use one of the test SPDX files <https://github.com/goneall/spdx-to-osv/blob/main/test-resources/spdx-test-e xternalref.json> from the repo. My primary motivation for writing the utility was to understand any deficiencies in the SPDX spec when it came to correlating vulnerabilities. Based on this experience, I came to two conclusions relative to the SPDX 2.2 spec: * It is pretty straightforward to translate External Refs/References (not to be confused with External Document References) into a format consumable by vulnerability databases. The biggest challenge was parsing CPE's (one of the External Ref formats). Fortunately, Steve Springett wrote an excellent Java based CPE parser and open sourced it under the Apache-2.0 license which is used by this utility. * Package URL's (PURLs) seem to be an increasingly standardize package identification format - something we plan on promoting to a first class package property in SPDX 3.0. Many of the external refs are converted to PURL in the utility. It turns out that most external refs can be translated to purls in a lossless fashion. A few interesting features: * There is an external ref parser the converts SPDX external refs into a format which can be consumed by OSV. This parser may also be useful in other use cases. * There is a Java API which interfaces to the OSV rest API. * There is a download location parser which looks for patterns that gives hints for package name and versions. Feel free to file any issues you find in the repo issues page <https://github.com/goneall/spdx-to-osv/issues> . If you think this might be useful for the SPDX community, I can transfer it to the SPDX repo. Regards, Gary ------------------------------------------------- Gary O'Neall Principal Consultant Source Auditor Inc. Mobile: 408.805.0586 Email: <mailto:[email protected]> [email protected] CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#4302): https://lists.spdx.org/g/Spdx-tech/message/4302 Mute This Topic: https://lists.spdx.org/mt/87969246/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
