Hi Dick,
Would this be considered a documentation issue or an issue that would change the schema and tools?

Thanks,
Gary

From: Dick Brooks <[email protected]>
Sent: Sunday, June 12, 2022 1:41 PM
To: 'Gary O'Neall' <[email protected]>; 'SPDX Technical Mailing List' <[email protected]>
Subject: RE: [spdx-tech] SPDX release 2.3 - Starting to update the schema

Gary,

FYI, this version of the SPDX 2.3 spec does not contain explicit support for NIST Executive Order 14028 vulnerability disclosure reporting recommendations at the SBOM component level in appendix G; refer to the NIST 5/5/2022 guidance regarding this requirement:

https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1

"Maintain vendor vulnerability disclosure reports at the SBOM component level."

Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
Never trust software, always verify and report!
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Gary O'Neall
Sent: Sunday, June 12, 2022 3:13 PM
To: 'SPDX Technical Mailing List' <[email protected]>
Subject: [spdx-tech] SPDX release 2.3 - Starting to update the schema

Greetings SPDX tech team,

I believe I just merged in the last PR that will impact the schemas and tools for the 2.3 release of the SPDX Spec.

Please review the open PRs <https://github.com/spdx/spdx-spec/pulls?q=is%3Aopen+is%3Apr+milestone%3A2.3> and open issues <https://github.com/spdx/spdx-spec/issues?q=is%3Aopen+is%3Aissue+milestone%3A2.3> and let me know if you believe there are any issues or PRs that will impact the schema. Please let me know as soon as possible, as I plan on starting to work on the schema updates tomorrow (Monday).

Thanks,
Gary
-------------------------------------------------
Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586
Email: [email protected]
