I'm sorry to blast this to everyone, but I don't have Nisha's email address. My apologies.
Nisha,
I've attached a JSON version of the virtual "CARFAX" report,
a/k/a SBOM VDR, that we issue with the SAG-PM™ product (V 1.1.8), along with
its SBOM at release. This serves as an attestation that we have examined
each component in the SAG-PM SBOM for vulnerabilities. Any vulnerabilities
that do appear MUST be addressed; note that all of the SAG-PM components with
CVEs have an Exploitable flag = "N" and an explanation in the
AnalysisFindings element in the attachment.
This is a very different concept from CSAF VEX and CDX VEX, which are issued
when a new vulnerability is reported. The SBOM VDR is issued on day one and is
updated by the software vendor over time as new vulnerabilities are reported
and is downloadable from a known location by a customer, frequently on a
daily basis as part of risk management vulnerability monitoring.
Thanks,
Dick Brooks
Never trust software, always verify and report!™
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788
View/Reply Online (#4359): https://lists.spdx.org/g/Spdx-tech/message/4359
Attachment: SAG-PM_VulnDisclosure_V1_1_8.json (application/json)
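The attached VDR itself is not reproduced on this page, so the following is an added example (not Dick's file or the SAG-PM schema) of the kind of check a customer could run over a daily-downloaded VDR: it assumes a JSON layout with `components`, each carrying `vulnerabilities` with `Exploitable` and `AnalysisFindings` fields, and flags any CVE that is not both marked `"N"` and justified.

```python
import json

# Constructed sample in the spirit of the SBOM VDR described in the message.
# Field names (components, vulnerabilities, Exploitable, AnalysisFindings) and
# the CVE ids are assumptions/placeholders, not taken from the real attachment.
SAMPLE_VDR = json.dumps({
    "product": "EXAMPLE-PRODUCT", "version": "1.1.8",
    "components": [
        {"name": "libfoo", "version": "2.3.1", "vulnerabilities": []},
        {"name": "libbar", "version": "1.0.0", "vulnerabilities": [
            {"id": "CVE-0000-0001", "Exploitable": "N",
             "AnalysisFindings": "Vulnerable function not reachable; module not loaded."}]},
        {"name": "libbaz", "version": "0.9", "vulnerabilities": [
            {"id": "CVE-0000-0002", "Exploitable": "N", "AnalysisFindings": ""},
            {"id": "CVE-0000-0003", "Exploitable": "Y",
             "AnalysisFindings": "Fix scheduled for next release."}]},
    ],
})


def review_vdr(vdr_text: str) -> dict:
    """Split the VDR's CVEs into 'attested' (Exploitable == "N" with a
    non-empty AnalysisFindings) and 'open' (anything else)."""
    vdr = json.loads(vdr_text)
    attested, open_items = [], []
    for comp in vdr.get("components", []):
        label = f"{comp['name']}@{comp.get('version', '?')}"
        for vuln in comp.get("vulnerabilities", []):
            cve = vuln.get("id", "<no id>")
            flag = str(vuln.get("Exploitable", "")).upper()
            findings = (vuln.get("AnalysisFindings") or "").strip()
            if flag == "N" and findings:
                attested.append(f"{label} {cve}")
            elif flag == "N":  # vendor says not exploitable but gave no reason
                open_items.append(f"{label} {cve}: no AnalysisFindings")
            else:  # exploitable, or flag missing/unknown: needs action
                open_items.append(f"{label} {cve}: Exploitable={flag or 'missing'}")
    return {"attested": attested, "open": open_items}


def vdr_is_clean(vdr_text: str) -> bool:
    """True only when every listed CVE carries a justified Exploitable="N"."""
    return not review_vdr(vdr_text)["open"]
```

Running `review_vdr(SAMPLE_VDR)` reports one attested CVE and two open items, so `vdr_is_clean` returns False for the sample.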
