Kate, Gary, et al

 

There were two pending items in PR 670 that did not get resolved when the merge 
occurred. I request that PR 670 be reopened, that the two pending items be 
acted on (accepted or rejected), and that the pull request then be merged based 
on the consensus outcome of those two items. Here are the two pending items I'm 
referring to:

Add new Annex G with howto information #670 
Merged: kestewart merged 1 commit into development/v2.3 from annex-howto 
(1 hour ago), +180 −0, 1 file changed

 

 

1. rjb4standards (Pending) on G.1.3.1 Linking to a CycloneDX Vulnerability 
Disclosure Report (VDR) for a Software Product (see NIST SP 800-161r1 RA-5 and 
IEC 29147:2018 for VDR information)

"externalRefs" : [ {
  "referenceCategory" : "SECURITY",
  "referenceLocator" : "https://raw.githubusercontent.com/rjb4standards/REA-Products/master/CDXVEX/CDX14.xml",
  "referenceType" : "advisory"
} ]

2. rjb4standards (Pending) on G.1.9 Linking to a Vulnerability Disclosure Report 
(VDR) for a Software Product (see NIST SP 800-161r1 RA-5 and IEC 29147:2018 
for VDR information)

Use this method to reference an "impact statement" per the SECURITY advisory 
type, following the NIST VDR description.

"externalRefs" : [ {
  "referenceCategory" : "SECURITY",
  "referenceLocator" : "https://github.com/rjb4standards/REA-Products/blob/master/SBOM_and_VDRbaseline/sag-pm-118_VDR.json",
  "referenceType" : "advisory"
} ]

 

 

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector, 
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!™ 
https://reliableenergyanalytics.com/products

http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788
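The two pending items above both hang a VDR off an SPDX package as an externalRef with referenceCategory SECURITY and referenceType advisory. The following is an added example, not code from this thread or from the SPDX project, showing how an SBOM consumer can pull those references back out of an SPDX 2.3 JSON document and apply a minimal acceptance policy: the referenceType must be one of the SECURITY types defined in SPDX 2.3 Annex F, and an advisory locator must be an https URL before anyone goes and fetches it. The sample document, its package name and the example.invalid URLs are constructed for this example; the https requirement is this example's own policy choice, not an SPDX rule.

```python
import json
from urllib.parse import urlparse

# Constructed sample SPDX 2.3 JSON document (not from the thread or from SPDX).
# It carries the externalRefs shape used in the two pending items, plus two
# deliberately problematic entries so the checks below have something to report.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-sag-pm",
            "name": "sag-pm",
            "versionInfo": "1.1.8",
            "externalRefs": [
                {   # well-formed VDR reference, as in the pending items
                    "referenceCategory": "SECURITY",
                    "referenceType": "advisory",
                    "referenceLocator": "https://example.invalid/vdr/sag-pm_VDR.json",
                },
                {   # advisory served over plain http: flagged by policy
                    "referenceCategory": "SECURITY",
                    "referenceType": "advisory",
                    "referenceLocator": "http://example.invalid/vdr/plain-http.json",
                },
                {   # "vdr" is not an SPDX 2.3 SECURITY type; "advisory" is the right one
                    "referenceCategory": "SECURITY",
                    "referenceType": "vdr",
                    "referenceLocator": "https://example.invalid/vdr/sag-pm_VDR.json",
                },
                {   # non-SECURITY reference, ignored by these checks
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:generic/sag-pm@1.1.8",
                },
            ],
        }
    ],
})

# SECURITY reference types defined in SPDX 2.3 Annex F.
SECURITY_TYPES = {"cpe22Type", "cpe23Type", "advisory", "fix", "url", "swid"}


def security_refs(spdx_json: str):
    """Return (package SPDXID, referenceType, referenceLocator) for every
    externalRef in the document whose referenceCategory is SECURITY."""
    doc = json.loads(spdx_json)
    found = []
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceCategory") == "SECURITY":
                found.append((pkg["SPDXID"], ref.get("referenceType"),
                              ref.get("referenceLocator")))
    return found


def check_advisory_refs(spdx_json: str):
    """Consumer-side policy over SECURITY references. Returns a list of
    human-readable findings; an empty list means every reference passed."""
    findings = []
    for spdxid, rtype, locator in security_refs(spdx_json):
        if rtype not in SECURITY_TYPES:
            findings.append(f"{spdxid}: unknown SECURITY referenceType {rtype!r}")
            continue
        if rtype != "advisory":
            continue
        # Only accept an advisory (VDR) locator the consumer can fetch over TLS.
        parsed = urlparse(locator or "")
        if parsed.scheme != "https" or not parsed.netloc:
            findings.append(
                f"{spdxid}: advisory locator must be an https URL, got {locator!r}")
    return findings


if __name__ == "__main__":
    for line in check_advisory_refs(SAMPLE_SPDX):
        print(line)
```

Run against the constructed document it reports the plain-http advisory and the unknown "vdr" type, and passes the well-formed reference that mirrors the pending items. A real consumer would go on to fetch the VDR and check its content, but refusing unknown types and non-https locators up front keeps the SBOM from steering the tooling at an unauthenticated source.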

 

From: [email protected] <[email protected]> On Behalf Of Gary O'Neall
Sent: Tuesday, May 24, 2022 3:05 PM
To: [email protected]
Subject: [spdx-tech] SPDX Version 2.3 Spec Schema Updates

 

Important for 2.3 schedule!

 

I just created a meta-issue to track the activities needed to update the 
schemas for SPDX release 2.3: https://github.com/spdx/spdx-spec/issues/691

 

I’m assuming that there is only ONE potential update to the spec which impacts 
the schemas (https://github.com/spdx/spdx-spec/pull/671).

 

The schema is impacted by any change in classes, properties, fields and tags 
described in the spec.  This includes descriptions as well as cardinality and 
additions.

 

If you know of or are even contemplating a change to the 2.3 spec which will 
impact the schema, please add a comment to the above issue within the next day 
or two.  It takes time and effort to update the schema and we don’t want to do 
it more times than needed.

 

Thanks,

Gary

 

-------------------------------------------------
Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586
Email: [email protected]


 





View/Reply Online (#4528): https://lists.spdx.org/g/Spdx-tech/message/4528