Kate, Gary, et al
There were two pending items in PR 670 that did not get resolved when the merge
occurred. I request that PR 670 be reopened and the two pending items have
action taken (accept or reject) and then merge the pull request based on the
consensus outcome of these two items. Here are the two pending items I'm
referring to:
Add new Annex G with howto information #670 (Merged)
kestewart merged 1 commit into development/v2.3 from annex-howto, 1 hour ago
(+180 −0, 1 file changed)
1. rjb4standards (Pending) on G.1.3.1 Linking to a CycloneDX Vulnerability
Disclosure Report (VDR) for a Software Product (see NIST SP 800-161r1 RA-5 and
IEC 29147:2018 for VDR information):

    "externalRefs" : [ {
      "referenceCategory" : "SECURITY",
      "referenceLocator" : "https://raw.githubusercontent.com/rjb4standards/REA-Products/master/CDXVEX/CDX14.xml",
      "referenceType" : "advisory"
    } ]
2. rjb4standards (Pending) on G.1.9 Linking to a Vulnerability Disclosure Report
(VDR) for a Software Product (see NIST SP 800-161r1 RA-5 and IEC 29147:2018 for
VDR information):

Use this method to reference an "impact statement" per the SECURITY advisory
type, following the NIST VDR description.

    "externalRefs" : [ {
      "referenceCategory" : "SECURITY",
      "referenceLocator" : "https://github.com/rjb4standards/REA-Products/blob/master/SBOM_and_VDRbaseline/sag-pm-118_VDR.json",
      "referenceType" : "advisory"
    } ]
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report!
https://reliableenergyanalytics.com/products ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788
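The two pending items above both hang off the same SPDX 2.3 mechanism: a package-level externalRef with referenceCategory SECURITY and referenceType advisory whose referenceLocator points at the VDR. The script below is an added example, not code from the SPDX project or from either message in this thread. It builds a constructed, minimal SPDX 2.3 JSON document (package name sag-pm, a documentNamespace under example.invalid, and a third, deliberately malformed externalRef are all assumptions; the two advisory locators are the ones quoted in the pending items), then pulls out every SECURITY reference, checks the referenceType against the six SECURITY types SPDX 2.3 allows (cpe22Type, cpe23Type, advisory, fix, url, swid), and insists that URL-style locators use https before anyone acts on the advisory they point to.

```python
"""Added example: list and sanity-check SECURITY externalRefs (VDR links) in an
SPDX 2.3 JSON document. Not SPDX project code; see the lead-in for assumptions."""
import json
from urllib.parse import urlparse

# referenceType values SPDX 2.3 permits under referenceCategory SECURITY.
SECURITY_REFERENCE_TYPES = {"cpe22Type", "cpe23Type", "advisory", "fix", "url", "swid"}
# Types whose locator is a URL and therefore gets the https check below.
URL_REFERENCE_TYPES = {"advisory", "fix", "url"}

# Constructed sample document (assumed names/namespace). The first two refs use the
# locators quoted in the PR 670 review items; the third has an invalid referenceType.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "sag-pm-example",
    "documentNamespace": "https://example.invalid/spdxdocs/sag-pm-example",
    "creationInfo": {"created": "2022-05-24T19:05:00Z", "creators": ["Tool: example-0.1"]},
    "packages": [{
        "name": "sag-pm",
        "SPDXID": "SPDXRef-Package-sag-pm",
        "downloadLocation": "NOASSERTION",
        "externalRefs": [
            {"referenceCategory": "SECURITY", "referenceType": "advisory",
             "referenceLocator": "https://raw.githubusercontent.com/rjb4standards/REA-Products/master/CDXVEX/CDX14.xml"},
            {"referenceCategory": "SECURITY", "referenceType": "advisory",
             "referenceLocator": "https://github.com/rjb4standards/REA-Products/blob/master/SBOM_and_VDRbaseline/sag-pm-118_VDR.json"},
            {"referenceCategory": "SECURITY", "referenceType": "vdr",
             "referenceLocator": "http://example.invalid/not-a-valid-type"},
        ],
    }],
})


def check_security_ref(ref):
    """Return the list of problems with one SECURITY externalRef (empty = acceptable)."""
    problems = []
    ref_type = ref.get("referenceType")
    if ref_type not in SECURITY_REFERENCE_TYPES:
        problems.append(f"unknown SECURITY referenceType {ref_type!r}")
    locator = ref.get("referenceLocator", "")
    if ref_type in URL_REFERENCE_TYPES:
        parsed = urlparse(locator)
        # An advisory or VDR fetched over plain http can be altered in transit,
        # so a locator that is not an https URL is flagged rather than trusted.
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"locator is not an https URL: {locator!r}")
    return problems


def security_refs(sbom_json):
    """Yield (package name, externalRef, problems) for every SECURITY ref in the document."""
    doc = json.loads(sbom_json)
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            # The JSON schema accepts both SECURITY and the underscore spellings of
            # other categories; normalise before comparing.
            category = ref.get("referenceCategory", "").replace("_", "-")
            if category != "SECURITY":
                continue
            yield pkg["name"], ref, check_security_ref(ref)


def advisory_locators(sbom_json):
    """Locators of well-formed SECURITY/advisory refs (the VDR links), keyed by package."""
    out = {}
    for name, ref, problems in security_refs(sbom_json):
        if ref.get("referenceType") == "advisory" and not problems:
            out.setdefault(name, []).append(ref["referenceLocator"])
    return out


def problem_report(sbom_json):
    """Every problem found, as (package name, locator, problem) tuples."""
    return [(name, ref.get("referenceLocator"), p)
            for name, ref, problems in security_refs(sbom_json) for p in problems]


if __name__ == "__main__":
    for name, locs in advisory_locators(SAMPLE_SBOM).items():
        for loc in locs:
            print(f"{name}: advisory/VDR at {loc}")
    for name, loc, problem in problem_report(SAMPLE_SBOM):
        print(f"{name}: {loc}: {problem}")
```

Run against the constructed document it reports the two advisory locators from the review items for sag-pm and flags the third ref for its unknown referenceType; point `security_refs` at a real SBOM file to get the same listing for a product's VDR links.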
From: [email protected] <[email protected]> On Behalf Of Gary O'Neall
Sent: Tuesday, May 24, 2022 3:05 PM
To: [email protected]
Subject: [spdx-tech] SPDX Version 2.3 Spec Schema Updates
Important for 2.3 schedule!
I just created a meta-issue to track the activities needed to update the
schemas for SPDX release 2.3: https://github.com/spdx/spdx-spec/issues/691
I’m assuming that there is only ONE potential update to the spec which impacts
the schemas (https://github.com/spdx/spdx-spec/pull/671).
The schema is impacted by any change in classes, properties, fields and tags
described in the spec. This includes descriptions as well as cardinality and
additions.
If you know of or are even contemplating a change to the 2.3 spec which will
impact the schema, please add a comment to the above issue within the next day
or two. It takes time and effort to update the schema and we don’t want to do
it more times than needed.
Thanks,
Gary
-------------------------------------------------
Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586
Email: [email protected]
CONFIDENTIALITY NOTE: The information transmitted, including attachments, is
intended only for the person(s) or entity to which it is addressed and may
contain confidential and/or privileged material. Any review, re-transmission,
dissemination or other use of, or taking of any action in reliance upon this
information by persons or entities other than the intended recipient is
prohibited. If you received this in error, please contact the sender and
destroy any copies of this information.
View/Reply Online (#4528): https://lists.spdx.org/g/Spdx-tech/message/4528