Adolfo,

You make some good points. The SBOMs we produce today are less than perfect
and leave room for improvement.

The real question is: are they good enough to provide value to software
consumers today in monitoring for risks in new vulnerabilities?

I believe the answer is yes.

Regarding the issues you cited in the supplied SPDX:

* This SBOM uses the default relationship approach that is supported today
in SPDX: when no relationship is explicit, assume a “CONTAINS” relationship
as the default.

* The version issue is actually a typo entered during the risk assessment
process when the SBOM was being produced.
Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
https://reliableenergyanalytics.com/products

http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788

 

From: [email protected] <[email protected]> On Behalf Of Adolfo
Sent: Thursday, December 8, 2022 3:55 PM
To: [email protected]
Subject: Re: [spdx-tech] [SCITT] Another party claiming that SBOM is bad

Dick, I applaud you for raising awareness about this. But we also need to
recognize that while SBOM tooling is getting better, we still need to improve a
lot. Take the SBOM you sent as an example: it seems to have a number of
problems. It doesn't have any relationships, versions don't seem to match
(PackageName: apache-log4j-2.15.0-bin.zip vs PackageVersion: 2.19.0), the URL
is wrong, etc.

We haven't yet gotten generation 100% right, and we have a ton of work to do on 
the consumption side. We need to fight the sentiment of the letter, but we need 
to do so by taking criticism and responding to the problems with faster, better 
improvements.

Adolfo García Veytia

Chainguard
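The two messages above disagree about whether an SPDX document with no explicit relationships and a version that does not match its package name is still usable on the consumption side. The following is an added example, not code from either author, from SPDX or from Chainguard: a small consumer-side lint for an SPDX 2.x tag-value document that applies the "no relationship means CONTAINS" convention Dick describes (assumption: the implied parent is SPDXRef-DOCUMENT) and flags the two defects Adolfo lists, a version embedded in PackageName that disagrees with PackageVersion, and a PackageDownloadLocation that is not a usable URL. The embedded SBOM is constructed for the example and only mirrors the name/version pair quoted in the thread; it is not the SBOM that was exchanged on the list.

```python
"""Consumer-side lint for an SPDX 2.x tag-value SBOM (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the mismatch quoted in the thread. It is not
# the SBOM that was actually sent; the download URL is a deliberately bad one.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-sbom

PackageName: apache-log4j-2.15.0-bin.zip
SPDXID: SPDXRef-Package-log4j
PackageVersion: 2.19.0
PackageDownloadLocation: htp://example.invalid/log4j

PackageName: example-app
SPDXID: SPDXRef-Package-app
PackageVersion: 1.0.0
PackageDownloadLocation: NOASSERTION
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-app
"""

# Dotted version string such as 2.15.0 embedded in a package name.
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")
# Schemes SPDX allows in PackageDownloadLocation, besides NOASSERTION/NONE.
URL_SCHEMES = ("http", "https", "git", "hg", "svn", "bzr", "ftp")


def parse_packages(text):
    """Return (packages, relationships) from tag-value text.

    Each package is a dict of the tags that follow its PackageName line;
    relationships are (subject, type, object) triples."""
    packages, relationships, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = {"PackageName": value}
            packages.append(current)
        elif tag == "Relationship":
            relationships.append(tuple(value.split()))
        elif current is not None:  # document-level tags before any package are skipped
            current[tag] = value
    return packages, relationships


def apply_default_relationships(packages, relationships, root="SPDXRef-DOCUMENT"):
    """Add an implied (root, CONTAINS, pkg) edge for every package that no explicit
    relationship mentions, following the default convention stated in the thread.
    Explicit relationships are kept untouched."""
    mentioned = set()
    for rel in relationships:
        if len(rel) == 3:
            mentioned.update((rel[0], rel[2]))
    implied = [(root, "CONTAINS", p["SPDXID"])
               for p in packages if p.get("SPDXID") and p["SPDXID"] not in mentioned]
    return list(relationships) + implied


def version_mismatch(pkg):
    """Return (version_in_name, PackageVersion) when the name embeds a different version."""
    match = VERSION_RE.search(pkg.get("PackageName", ""))
    declared = pkg.get("PackageVersion")
    if match and declared and match.group(1) != declared:
        return match.group(1), declared
    return None


def download_location_problem(pkg):
    """Return the PackageDownloadLocation value if it is neither NOASSERTION/NONE
    nor a URL with an allowed scheme and a host; otherwise None."""
    loc = pkg.get("PackageDownloadLocation", "")
    if loc in ("NOASSERTION", "NONE"):
        return None
    parsed = urlparse(loc)
    if parsed.scheme not in URL_SCHEMES or not parsed.netloc:
        return loc
    return None


def lint(text):
    """Return human-readable findings for the three checks above."""
    packages, relationships = parse_packages(text)
    findings = []
    for pkg in packages:
        name = pkg["PackageName"]
        mismatch = version_mismatch(pkg)
        if mismatch:
            findings.append(f"{name}: name embeds version {mismatch[0]} "
                            f"but PackageVersion is {mismatch[1]}")
        bad_url = download_location_problem(pkg)
        if bad_url is not None:
            findings.append(f"{name}: PackageDownloadLocation '{bad_url}' is not a usable URL")
    for subj, rel_type, obj in apply_default_relationships(packages, relationships):
        if (subj, rel_type, obj) not in relationships:
            findings.append(f"{obj}: no explicit relationship; treating as {subj} {rel_type} {obj}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_SPDX):
        print(finding)
```

Run against the constructed sample, the lint reports the version mismatch, the malformed download URL, and the one package that had to be given an implied CONTAINS edge. The first two are real data-quality defects a consumer should send back to the producer; the third is only a warning, because the default convention still lets a vulnerability monitor attach every package to the document.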





-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#4886): https://lists.spdx.org/g/Spdx-tech/message/4886
Mute This Topic: https://lists.spdx.org/mt/95469298/21656
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-