Rose,

 

You are correct. I am planning to work with Sebastian on this matter.

 

The proposed addition to Appendix G, G.1.9, is shown below:

 

G.1.9 Linking to a Vulnerability Disclosure Report (VDR) for a Software Product 
(per NIST Executive Order 14028):

https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1

Use the SECURITY advisory type to identify a Vulnerability Disclosure Report 
(VDR) attestation that a software vendor has checked each SBOM component for 
vulnerabilities and reports the vulnerability search results for each SBOM 
component, following the NIST VDR requirement below:

“Maintain vendor vulnerability disclosure reports at the SBOM component level.”

"externalRefs" : [ {

  "referenceCategory" : "SECURITY",

  "referenceLocator" : 
"https://github.com/rjb4standards/REA-Products/blob/master/SBOM_and_VDRbaseline/sag-pm-118_VDR.json";,

  "referenceType" : "advisory"

} ]

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report! 
<https://reliableenergyanalytics.com/products>  ™

http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788
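
As an added example (not part of the proposal above and not SPDX project tooling), here is how an SBOM consumer could pull G.1.9-style VDR links out of an SPDX 2.3 JSON document: walk each package's externalRefs, keep the ones with referenceCategory SECURITY and referenceType advisory, and flag packages that carry no retrievable VDR link. The sample SBOM below is constructed for illustration (package names, versions and the purl are made up); the only real value is the VDR URL quoted in the proposal.

```python
"""Locate Vulnerability Disclosure Report (VDR) links in an SPDX 2.x JSON SBOM.

Per the proposed G.1.9 text, a VDR is referenced from a package's
externalRefs with referenceCategory "SECURITY" and referenceType "advisory".
This example is illustrative code, not SPDX project code.
"""
import json
import sys
from urllib.parse import urlparse

# Constructed sample SBOM for this example. Package names, versions and the
# purl are invented; the VDR URL is the one quoted in the G.1.9 proposal.
# "libbar" deliberately carries a bare file name as its advisory locator to
# show how a non-retrievable reference is handled.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "packages": [
        {
            "name": "sag-pm",
            "SPDXID": "SPDXRef-Package-sag-pm",
            "versionInfo": "1.1.8",
            "externalRefs": [
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "advisory",
                    "referenceLocator": "https://github.com/rjb4standards/REA-Products/blob/master/SBOM_and_VDRbaseline/sag-pm-118_VDR.json",
                },
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:generic/sag-pm@1.1.8",
                },
            ],
        },
        {
            "name": "libfoo",
            "SPDXID": "SPDXRef-Package-libfoo",
            "versionInfo": "2.0.0",
            "externalRefs": [
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:example:libfoo:2.0.0:*:*:*:*:*:*:*",
                }
            ],
        },
        {
            "name": "libbar",
            "SPDXID": "SPDXRef-Package-libbar",
            "versionInfo": "0.9",
            "externalRefs": [
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "advisory",
                    "referenceLocator": "libbar-09_VDR.json",
                }
            ],
        },
    ],
})


def is_vdr_ref(ref):
    """True for an externalRef that follows the G.1.9 convention."""
    return (ref.get("referenceCategory") == "SECURITY"
            and ref.get("referenceType") == "advisory")


def vdr_links(sbom_json):
    """Return {SPDXID: [locator, ...]} for every package in the SBOM.

    A package with no SECURITY/advisory reference maps to an empty list, so a
    consumer can see which components lack a VDR attestation. Locators that
    are not http(s) URLs are reported and skipped: the VDR must be fetchable
    for anyone to check the vendor's per-component vulnerability results.
    """
    doc = json.loads(sbom_json)
    result = {}
    for pkg in doc.get("packages", []):
        links = []
        for ref in pkg.get("externalRefs", []):
            if not is_vdr_ref(ref):
                continue
            loc = ref.get("referenceLocator", "")
            if urlparse(loc).scheme not in ("http", "https"):
                print(f"warning: {pkg['SPDXID']}: advisory locator is not a URL: {loc!r}",
                      file=sys.stderr)
                continue
            links.append(loc)
        result[pkg["SPDXID"]] = links
    return result


def packages_missing_vdr(sbom_json):
    """Sorted SPDXIDs of packages that carry no usable VDR link."""
    return sorted(k for k, v in vdr_links(sbom_json).items() if not v)


if __name__ == "__main__":
    for spdxid, links in vdr_links(SAMPLE_SBOM).items():
        print(spdxid, "->", links or "(no VDR link)")
    print("missing VDR:", packages_missing_vdr(SAMPLE_SBOM))
```

The check is deliberately on the externalRefs pair rather than on the locator's file name: a SECURITY reference of type cpe23Type (as on libfoo) identifies the component for CVE lookup but is not a vendor attestation, so it does not count as a VDR link.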

 

From: Rose Judge <[email protected]> 
Sent: Friday, June 17, 2022 3:44 PM
To: [email protected]; [email protected]; 'SPDX Technical 
Mailing List' <[email protected]>
Subject: Re: [spdx-tech] Update on 2.3 release and schema review

 

I think Dick is talking about comments that he made about wanting a VDR example 
in appendix G not my PR adding SBOM minimum element mapping. My understanding 
from the tech call is that he was going to work with Sebastian to open that PR.

 

From: [email protected] on behalf of Gary O'Neall via lists.spdx.org <[email protected]>
Date: Friday, June 17, 2022 at 12:38 PM
To: [email protected]; 'SPDX Technical Mailing List' <[email protected]>
Subject: Re: [spdx-tech] Update on 2.3 release and schema review


Hi Dick,

 

 

From: [email protected] On Behalf Of Dick Brooks
Sent: Friday, June 17, 2022 11:50 AM
To: 'Gary O'Neall' <[email protected]>; 'SPDX Technical Mailing List' <[email protected]>
Subject: Re: [spdx-tech] Update on 2.3 release and schema review

 

Gary,

 

Will this pull request also include the addition of G.1.9 in appendix G?

[G.O.] This is a separate PR: https://github.com/spdx/spdx-spec/pull/722

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report! 
<https://reliableenergyanalytics.com/products>  ™

http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788

 

From: [email protected] On Behalf Of Gary O'Neall
Sent: Friday, June 17, 2022 2:48 PM
To: 'SPDX Technical Mailing List' <[email protected]>
Subject: [spdx-tech] Update on 2.3 release and schema review

 

Greetings SPDX tech team,

 

I just pushed an updated schema to the existing PR: 
https://github.com/spdx/spdx-spec/pull/716

 

Thanks to all who reviewed the changes!

 

There is one outstanding issue identified in the review which impacts the spec 
itself as well as tooling.  We will need to decide how to resolve this before 
we can move forward with the release.

 

The issue is about the cardinality of the Package Purpose.  The issue is 
described here: https://github.com/spdx/spdx-spec/issues/720 
and there is a pull request implementing a proposed solution here: 
https://github.com/spdx/spdx-spec/pull/721

 

Please review the above.  If no one objects to the proposed solution via a 
comment in the PR, I’ll merge it in early next week (Monday or Tuesday).

 

Thanks,

 

Gary

 

-------------------------------------------------

Gary O'Neall

Principal Consultant

Source Auditor Inc.

Mobile: 408.805.0586

Email: [email protected]

CONFIDENTIALITY NOTE: The information transmitted, including attachments, is 
intended only for the person(s) or entity to which it is addressed and may 
contain confidential and/or privileged material. Any review, re-transmission, 
dissemination or other use of, or taking of any action in reliance upon this 
information by persons or entities other than the intended recipient is 
prohibited. If you received this in error, please contact the sender and 
destroy any copies of this information.

 



 




-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#4595): https://lists.spdx.org/g/Spdx-tech/message/4595
Mute This Topic: https://lists.spdx.org/mt/91828119/21656
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
