Hi Rose,
Thanks for your offer to assist. I have chosen not to pursue these proposed enhancements, and the record will stand as is on this matter. I’m certain the Office of Management and Budget (OMB) will soon offer clear guidance to U.S. entities to follow NIST’s vulnerability disclosure reporting (VDR) guidance for Executive Order 14028: https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1

Thank you for your support, guidance and leadership throughout this journey.

Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report!™ <https://reliableenergyanalytics.com/products>
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: Rose Judge <[email protected]>
Sent: Wednesday, May 25, 2022 11:48 AM
To: [email protected]; 'Gary O'Neall' <[email protected]>; [email protected]
Subject: Re: [spdx-tech] SPDX Version 2.3 Spec Schema Updates

Hi Dick,

The PR cannot be reopened once it is merged. On the call, we discussed opening a new PR with any edits to Appendix G. As far as the specific comments you made, are you able to join the defects call today? That seems like the best forum to discuss. I can help with the PR side of it once we come to a conclusion about how to proceed with your suggestions.

Thanks,
Rose

From: [email protected] on behalf of Dick Brooks via lists.spdx.org <[email protected]>
Date: Tuesday, May 24, 2022 at 12:57 PM
To: 'Gary O'Neall' <[email protected]>, [email protected]
Subject: Re: [spdx-tech] SPDX Version 2.3 Spec Schema Updates

Kate, Gary, et al,

There were two pending items in PR 670 that did not get resolved when the merge occurred. I request that PR 670 be reopened and the two pending items have action taken (accept or reject) and then merge the pull request based on the consensus outcome of these two items. Here are the two pending items I'm referring to:

Add new Annex G with howto information #670 (Merged: kestewart merged 1 commit into development/v2.3 from annex-howto)

1. rjb4standards (Pending) G.1.3.1 Linking to a CycloneDX Vulnerability Disclosure Report (VDR) for a Software Product (see NIST SP 800-161r1 RA-5 and IEC 29147:2018 for VDR information)

    "externalRefs" : [ {
        "referenceCategory" : "SECURITY",
        "referenceLocator" : "https://raw.githubusercontent.com/rjb4standards/REA-Products/master/CDXVEX/CDX14.xml",
        "referenceType" : "advisory"
    } ]

2. rjb4standards (Pending) G.1.9 Linking to a Vulnerability Disclosure Report (VDR) for a Software Product (see NIST SP 800-161r1 RA-5 and IEC 29147:2018 for VDR information). Use this method to reference an "impact statement" per the SECURITY advisory type, following the NIST VDR description.

    "externalRefs" : [ {
        "referenceCategory" : "SECURITY",
        "referenceLocator" : "https://github.com/rjb4standards/REA-Products/blob/master/SBOM_and_VDRbaseline/sag-pm-118_VDR.json",
        "referenceType" : "advisory"
    } ]

Thanks,
Dick Brooks

From: [email protected] On Behalf Of Gary O'Neall
Sent: Tuesday, May 24, 2022 3:05 PM
To: [email protected]
Subject: [spdx-tech] SPDX Version 2.3 Spec Schema Updates

Important for 2.3 schedule!

I just created a meta-issue to track the activities needed to update the schemas for SPDX release 2.3: https://github.com/spdx/spdx-spec/issues/691

I’m assuming that there is only ONE potential update to the spec which impacts the schemas (https://github.com/spdx/spdx-spec/pull/671). The schema is impacted by any change in classes, properties, fields and tags described in the spec. This includes descriptions as well as cardinality and additions.

If you know of or are even contemplating a change to the 2.3 spec which will impact the schema, please add a comment to the above issue within the next day or two. It takes time and effort to update the schema and we don’t want to do it more times than needed.

Thanks,
Gary
-------------------------------------------------
Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586
Email: [email protected]

View/Reply Online (#4532): https://lists.spdx.org/g/Spdx-tech/message/4532
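Added example, not code from this thread, from the SPDX project or from Reliable Energy Analytics: a small Python consumer that walks an SPDX 2.3 JSON document, pulls out the SECURITY/advisory externalRefs of the shape Dick's May 24 items G.1.3.1 and G.1.9 propose for linking a VDR, and applies the checks a downstream consumer would want before fetching a VDR by locator. The SPDX document is constructed inline for the example (the package names and one http locator are invented); the locator checks are this example's own, not requirements of SPDX 2.3 or of Annex G.

```python
import json
from urllib.parse import urlparse

# Constructed sample SPDX 2.3 JSON document. Not a real SBOM: it exists only to
# exercise the externalRefs shapes from the thread (G.1.3.1 and G.1.9), plus a
# non-security ref and a deliberately weak (http) security ref for contrast.
SAMPLE_SPDX_JSON = r'''
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-sbom",
  "documentNamespace": "https://example.invalid/spdxdocs/example-sbom-1",
  "packages": [
    {
      "name": "sag-pm",
      "SPDXID": "SPDXRef-Package-sag-pm",
      "versionInfo": "1.18",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        {"referenceCategory": "SECURITY", "referenceType": "advisory",
         "referenceLocator": "https://raw.githubusercontent.com/rjb4standards/REA-Products/master/CDXVEX/CDX14.xml"},
        {"referenceCategory": "SECURITY", "referenceType": "advisory",
         "referenceLocator": "https://github.com/rjb4standards/REA-Products/blob/master/SBOM_and_VDRbaseline/sag-pm-118_VDR.json"},
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:generic/sag-pm@1.18"}
      ]
    },
    {
      "name": "other-lib",
      "SPDXID": "SPDXRef-Package-other-lib",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        {"referenceCategory": "SECURITY", "referenceType": "advisory",
         "referenceLocator": "http://advisories.example.invalid/other-lib.json"}
      ]
    }
  ]
}
'''


def advisory_refs(doc):
    """Return one record per SECURITY/advisory externalRef across all packages.

    SPDX 2.3 attaches externalRefs to packages; each entry carries
    referenceCategory, referenceType and referenceLocator. A VDR link, as the
    thread proposes it, is category SECURITY, type advisory, locator a URL.
    """
    found = []
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if (ref.get("referenceCategory") == "SECURITY"
                    and ref.get("referenceType") == "advisory"):
                found.append({"spdxid": pkg.get("SPDXID"),
                              "package": pkg.get("name"),
                              "locator": ref.get("referenceLocator", "")})
    return found


def locator_problems(locator):
    """Sanity checks before fetching a VDR by locator (this example's own checks,
    not SPDX requirements). The SBOM only points at the VDR; the consumer still
    fetches it and decides whether to trust what came back."""
    problems = []
    u = urlparse(locator)
    if u.scheme != "https":
        problems.append("not https: the VDR can be altered in transit")
    if not u.netloc:
        problems.append("no host: not a fetchable URL")
    # A github.com/<org>/<repo>/blob/... URL returns GitHub's HTML file viewer,
    # not the file; the raw.githubusercontent.com form returns the document.
    if u.netloc == "github.com" and "/blob/" in u.path:
        problems.append("github.com blob URL serves an HTML page, not the raw VDR")
    return problems


def report(spdx_json):
    """Parse an SPDX JSON string; return (package, locator, problems) for each
    advisory reference, in document order."""
    doc = json.loads(spdx_json)
    return [(r["package"], r["locator"], locator_problems(r["locator"]))
            for r in advisory_refs(doc)]


if __name__ == "__main__":
    for package, locator, problems in report(SAMPLE_SPDX_JSON):
        print(f"{package}: {locator} -> {'ok' if not problems else '; '.join(problems)}")
```

Run as-is to see the three advisory locators from the constructed document and which checks each fails; point `report()` at a real SPDX 2.3 JSON file to inventory a supplier's VDR links. Nothing here fetches the VDR: that step, and verifying what comes back against the package it claims to describe, is where the trust decision actually lives.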
