I also forgot to mention, regarding third-party databases to distribute SBOMs
and Vulnerability Reports per Chris G's observation:

REA has completed integration testing with Jitsuin/rkvst for CycloneDX SBOMs
and is waiting for rkvst to add support for SPDX SBOMs so that we can finish
testing the NTIA SBOM capabilities in rkvst.

Rkvst is also planning to host/distribute SBOM VDRs and CycloneDX VEX objects.

We are currently coding in support for CycloneDX VEX into SAG-PM and will
support whatever the SPDX team decides to adopt for vulnerability reporting.

Thanks,

Dick Brooks
Never trust software, always verify and report!™ (https://reliableenergyanalytics.com/products)

http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of 
Dick Brooks
Sent: Saturday, February 12, 2022 7:32 AM
To: [email protected]; [email protected]; 'Kate Stewart' 
<[email protected]>; 'Gary O'Neall' <[email protected]>
Subject: [spdx-defects] FYI: Insights from an NTIA colleague, Chris Gates, re: 
vulnerability reporting

 

I just want you to know that your work on defects for V 2.3 is indeed important 
and useful. Here is what Chris had to say about vulnerability reporting in a 
recent email exchange:

 

SBOMs are mostly static for a given build (yeah, I know there are edge
conditions here, but let's just go with this idea).

VEXs are highly dynamic.

QED: SBOMs and VEXs cannot occupy the same artifact as they have two different
time domains! WRONG!

We were so wrapped up in the 'device delivers the SBOM' model that we never
thought far enough to realize that, 'NO', there are going to be online databases
that can distribute SBOMs with VEXs that can change every minute.

So while I was a huge proponent of CSAF, I have come to believe that the real
answer is bundling them together, such as CycloneDX v1.4 has done.

 

Thanks,

Dick Brooks

Never trust software, always verify and report!™

http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788
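Chris's point above, that a CycloneDX 1.4 document can carry the static component list and the dynamic VEX data in one artifact, as an added example in Python (not code from this thread, from REA, or from rkvst). The document is constructed; the component purls and the EX-* vulnerability ids are placeholders, while the field names (`bom-ref`, `vulnerabilities[].analysis.state`, `affects[].ref`) are the ones CycloneDX 1.4 defines. The checks show what a consumer of such a bundled artifact would want: which VEX entries point at components that are not in the SBOM, and which findings the VEX data has not closed out.

```python
import json

# Constructed CycloneDX 1.4 document (not from the thread): `components` is the static
# SBOM half; `vulnerabilities` is the VEX half, tied to components via affects[].ref == bom-ref.
BOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 3,
  "components": [
    {"type": "library", "name": "parser", "bom-ref": "pkg:maven/org.example/parser@2.1.0"},
    {"type": "library", "name": "example-http", "bom-ref": "pkg:pypi/example-http@0.9.1"}
  ],
  "vulnerabilities": [
    {"id": "EX-2022-0001", "source": {"name": "constructed"},
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "pkg:maven/org.example/parser@2.1.0"}]},
    {"id": "EX-2022-0002", "source": {"name": "constructed"},
     "analysis": {"state": "exploitable", "response": ["update"]},
     "affects": [{"ref": "pkg:pypi/example-http@0.9.1"}]},
    {"id": "EX-2022-0003", "source": {"name": "constructed"},
     "affects": [{"ref": "pkg:pypi/example-tls@1.0.0"}]}
  ]
}"""

# analysis.state values from the CycloneDX 1.4 schema; CLOSED are the ones that end a finding
VEX_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
              "in_triage", "false_positive", "not_affected"}
CLOSED = {"resolved", "resolved_with_pedigree", "false_positive", "not_affected"}
def load_bom(text):
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX" or doc.get("specVersion") != "1.4":
        raise ValueError("expected a CycloneDX 1.4 document")
    return doc
def component_refs(doc):
    """Static half: the bom-refs a VEX entry may legitimately point at."""
    return {c["bom-ref"] for c in doc.get("components", []) if "bom-ref" in c}
def vex_by_component(doc):
    """Dynamic half: bom-ref -> [(id, state)]; an entry with no analysis is in_triage."""
    out = {}
    for v in doc.get("vulnerabilities", []):
        state = v.get("analysis", {}).get("state", "in_triage")
        if state not in VEX_STATES:
            raise ValueError(f"{v['id']}: unknown VEX state {state!r}")
        for a in v.get("affects", []):
            out.setdefault(a["ref"], []).append((v["id"], state))
    return out
def dangling_refs(doc):
    """VEX entries whose affected ref is not a component of this SBOM."""
    return sorted(set(vex_by_component(doc)) - component_refs(doc))
def open_vulns(doc):
    """Ids the VEX data has not closed out: still exploitable or awaiting triage."""
    return sorted({i for es in vex_by_component(doc).values() for i, s in es if s not in CLOSED})
```

Re-running `open_vulns` after the distributor updates only the `vulnerabilities` array is the "changes every minute" half of the artifact; `component_refs` stays fixed for the build.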

 

 

View/Reply Online (#4375): https://lists.spdx.org/g/Spdx-tech/message/4375