I just want you to know that your work on defects for V 2.3 is indeed important and useful. Here is what Chris had to say about vulnerability reporting in a recent email exchange:

SBOMs are mostly static for a given build (yeah, I know there are edge conditions here, but let's just go with this idea). VEXs are highly dynamic. QED: SBOMs and VEXs cannot occupy the same artifact, as they have two different time domains! WRONG! We were so wrapped up in the "device delivers the SBOM" model that we never thought far enough to realize that, no, there are going to be online databases that can distribute SBOMs with VEXs that can change every minute. So while I was a huge proponent of CSAF, I have come to believe that the real answer is bundling them together, such as CycloneDX v1.4 has done.

Thanks,
Dick Brooks
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788
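The "two time domains in one artifact" point above is easy to see in code. The following is an added illustration, not code from the message's author or from the CycloneDX project: it builds a CycloneDX 1.4-shaped JSON document whose `components` inventory is fixed per build and whose `vulnerabilities` entries (the VEX-style `analysis` block) can be revised independently, while a fingerprint over the static part confirms the SBOM half never changes. Component names, the `CVE-YYYY-NNNNN` identifier and the analysis text are constructed placeholders; the enumerated `analysis.state` and `analysis.justification` values are the CycloneDX 1.4 vocabulary.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

# CycloneDX 1.4 vocabulary for the VEX-style "analysis" block of a vulnerability entry.
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                   "in_triage", "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}


def build_sbom():
    """Static, per-build inventory. Components are constructed sample values."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application", "bom-ref": "app:example-app@1.0.0",
                                   "name": "example-app", "version": "1.0.0"}},
        "components": [
            {"type": "library", "bom-ref": "pkg:generic/example-parser@2.1.0",
             "name": "example-parser", "version": "2.1.0",
             "purl": "pkg:generic/example-parser@2.1.0"},
            {"type": "library", "bom-ref": "pkg:generic/example-tls@1.8.3",
             "name": "example-tls", "version": "1.8.3",
             "purl": "pkg:generic/example-tls@1.8.3"},
        ],
    }


# Constructed VEX statement: placeholder CVE id, initially still under triage.
SAMPLE_VEX = [{
    "id": "CVE-YYYY-NNNNN",  # placeholder, not a real identifier
    "source": {"name": "example-advisory-db"},
    "analysis": {"state": "in_triage"},
    "affects": [{"ref": "pkg:generic/example-parser@2.1.0"}],
}]


def sbom_fingerprint(doc):
    """Hash only the static inventory, so VEX churn can be shown to leave it untouched."""
    static = {"root": doc["metadata"]["component"], "components": doc["components"]}
    return hashlib.sha256(json.dumps(static, sort_keys=True).encode()).hexdigest()


def attach_vex(bom, vulnerabilities):
    """Bundle VEX entries into the SBOM document, checking refs and enumerations first."""
    known_refs = {c["bom-ref"] for c in bom["components"]}
    known_refs.add(bom["metadata"]["component"]["bom-ref"])
    for vuln in vulnerabilities:
        for target in vuln.get("affects", []):
            if target["ref"] not in known_refs:
                raise ValueError(f"{vuln['id']} affects unknown bom-ref {target['ref']}")
        analysis = vuln.get("analysis", {})
        if analysis.get("state") not in ANALYSIS_STATES:
            raise ValueError(f"{vuln['id']} has invalid analysis.state {analysis.get('state')!r}")
        just = analysis.get("justification")
        if just is not None and just not in JUSTIFICATIONS:
            raise ValueError(f"{vuln['id']} has invalid justification {just!r}")
    doc = copy.deepcopy(bom)
    doc["vulnerabilities"] = copy.deepcopy(vulnerabilities)
    return doc


def update_analysis(doc, vuln_id, state, justification=None, detail=None):
    """Revise one VEX entry; returns a new document revision, leaving the input untouched."""
    if state not in ANALYSIS_STATES:
        raise ValueError(f"invalid analysis.state {state!r}")
    if justification is not None and justification not in JUSTIFICATIONS:
        raise ValueError(f"invalid justification {justification!r}")
    revised = copy.deepcopy(doc)
    for vuln in revised.get("vulnerabilities", []):
        if vuln["id"] == vuln_id:
            vuln["analysis"] = {"state": state}
            if justification:
                vuln["analysis"]["justification"] = justification
            if detail:
                vuln["analysis"]["detail"] = detail
            # Only the document revision and timestamp move; the inventory does not.
            revised["version"] = doc["version"] + 1
            revised["metadata"]["timestamp"] = datetime.now(timezone.utc).isoformat()
            return revised
    raise KeyError(f"no vulnerability entry with id {vuln_id}")


if __name__ == "__main__":
    bundled = attach_vex(build_sbom(), SAMPLE_VEX)
    later = update_analysis(bundled, "CVE-YYYY-NNNNN", "not_affected",
                            "code_not_reachable", "constructed analyst note")
    print("inventory unchanged:", sbom_fingerprint(bundled) == sbom_fingerprint(later))
    print(json.dumps(later["vulnerabilities"], indent=2))
```

A consumer that caches the fingerprint of the static half can tell a fresh VEX revision from a new build without re-diffing the whole inventory, which is the practical upside of keeping both halves in one document while tracking their revisions separately.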
