Hello, following up on the conversation from the last Tech meeting, one of
the open questions for the VEX implementation is how to address
subcomponents in VEX. A little bit of context first.

In VEX a VEX statement talks about a "product" which is the piece of
software about which the statement expresses impact. As shown in the
meeting, the current design proposal links the vulnerability and the
product with a VEX relationship (affected, notAffected, etc).

But a VEX statement also defines a *subcomponent* to express exactly which
component of the *product* contains the vulnerability. So the question we
had is, should we add a list of subcomponents to the VEX relationship? Can
we specify the subcomponents by listing their IDs like this?

{
   "@type": "VulnerabilityVexRelationship",
   "@id": "urn:spdx.dev:vex-2",
   "relationshipType": "notAffected",
   "to": "urn:spdx.dev:cve-1",
   "from": ["urn:carol-compression-engine-3.1"],
   "subcomponents": [
      "urn:carol-compression-engine-subcomponent1",
      "urn:carol-compression-engine-subcomponent2"
   ],
   "impact": "We are not using this vulnerable part of this library.",
   "justification": "componentNotPresent",
   "source": "https://vex-system...",
   "vexPublished": "2021-03-10T16:10:50Z"
}


Thanks!

Adolfo
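The reason the subcomponent list matters to a consumer is shown below in an added example that is not part of the message or of any SPDX code: a small validator plus lookup over relationships shaped like the proposal above. The wrapper format (a JSON array of relationships), the `load_relationships`/`validate_relationship`/`status_for` helper names, the rule that a `notAffected` statement must carry a justification or impact statement (modelled on OpenVEX), and the scoping rule that a statement listing subcomponents applies only to those subcomponents are all assumptions of this example, not decisions recorded on the list.

```python
import json

# Constructed sample, modelled on the relationship proposed in the message.
# Field names follow the message; this is not a finalised SPDX 3 schema.
SAMPLE_VEX = json.dumps([{
    "@type": "VulnerabilityVexRelationship",
    "@id": "urn:spdx.dev:vex-2",
    "relationshipType": "notAffected",
    "to": "urn:spdx.dev:cve-1",
    "from": ["urn:carol-compression-engine-3.1"],
    "subcomponents": [
        "urn:carol-compression-engine-subcomponent1",
        "urn:carol-compression-engine-subcomponent2",
    ],
    "impact": "We are not using this vulnerable part of this library.",
    "justification": "componentNotPresent",
    "source": "https://vex-system...",
    "vexPublished": "2021-03-10T16:10:50Z",
}])

# The four VEX status values (CISA VEX / OpenVEX), in the message's camelCase.
VEX_STATUSES = {"affected", "notAffected", "fixed", "underInvestigation"}
REQUIRED = ("@type", "@id", "relationshipType", "to", "from")


def load_relationships(text):
    """Parse a JSON array (or single object) of VEX relationships."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def validate_relationship(rel):
    """Return a list of problems; an empty list means the statement is usable.

    The notAffected rule (justification or impact statement required) is an
    assumption modelled on OpenVEX; the message itself does not state it.
    """
    problems = []
    for key in REQUIRED:
        if key not in rel:
            problems.append(f"missing field {key}")
    status = rel.get("relationshipType")
    if status not in VEX_STATUSES:
        problems.append(f"unknown relationshipType {status!r}")
    if not isinstance(rel.get("from"), list) or not rel.get("from"):
        problems.append("'from' must be a non-empty list of product ids")
    subs = rel.get("subcomponents", [])
    if not isinstance(subs, list) or any(not isinstance(s, str) or not s for s in subs):
        problems.append("'subcomponents' must be a list of non-empty ids")
    elif len(set(subs)) != len(subs):
        problems.append("duplicate subcomponent ids")
    if status == "notAffected" and not (rel.get("justification") or rel.get("impact")):
        problems.append("notAffected needs a justification or impact statement")
    return problems


def status_for(rels, vuln_id, product_id, subcomponent_id=None):
    """Return the VEX status that applies to (vuln, product[, subcomponent]).

    A statement without 'subcomponents' covers the whole product. A statement
    with 'subcomponents' covers only the ids it lists: asking about an unlisted
    subcomponent, or about the product as a whole, yields None so a consumer
    never widens a 'notAffected' to code the author did not examine.
    """
    for rel in rels:
        if validate_relationship(rel):
            continue  # do not act on malformed statements
        if rel["to"] != vuln_id or product_id not in rel["from"]:
            continue
        subs = rel.get("subcomponents", [])
        if not subs:
            return rel["relationshipType"]
        if subcomponent_id is not None and subcomponent_id in subs:
            return rel["relationshipType"]
    return None


if __name__ == "__main__":
    rels = load_relationships(SAMPLE_VEX)
    print(validate_relationship(rels[0]))
    print(status_for(rels, "urn:spdx.dev:cve-1", "urn:carol-compression-engine-3.1",
                     "urn:carol-compression-engine-subcomponent1"))
```

The conservative choice in `status_for` is deliberate: with subcomponents expressed as a list on the relationship, a consumer can tell the difference between "this whole product is not affected" and "only these two pieces were assessed", and the second case should not be read as the first.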

View/Reply Online (#5117): https://lists.spdx.org/g/Spdx-tech/message/5117