Adolfo,

According to the VEX minimum elements spec:

A VEX statement MUST identify at least one product (or component) and exactly 
one vulnerability.

I’m not seeing the vulnerability description in this example.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788

 

From: [email protected] <[email protected]> On Behalf Of Adolfo
Sent: Wednesday, April 26, 2023 12:47 PM
To: SPDX Technical Mailing List <[email protected]>
Subject: [spdx-tech] Subcomponents for VEX

Hello, following up on the conversation from the last Tech meeting, one of the 
open questions for the VEX implementation is how to address subcomponents in 
VEX. A little bit of context first.

In VEX a VEX statement talks about a "product" which is the piece of software 
about which the statement expresses impact. As shown in the meeting, the 
current design proposal links the vulnerability and the product with a VEX 
relationship (affected, notAffected, etc).

But a VEX statement also defines a subcomponent to express exactly which 
component of the product contains the vulnerability. So the question we had is, 
should we add a list of subcomponents to the VEX relationship? Can we specify 
the subcomponents by listing their IDs like this?


{
   "@type": "VulnerabilityVexRelationship",
   "@id": "urn:spdx.dev:vex-2",
   "relationshipType": "notAffected",
   "to": "urn:spdx.dev:cve-1",
   "from": ["urn:carol-compression-engine-3.1"],
   "subcomponents": [
      "urn:carol-compression-engine-subcomponent1",
      "urn:carol-compression-engine-subcomponent2"
   ],
   "impact": "We are not using this vulnerable part of this library.",
   "justification": "componentNotPresent",
   "source": "https://vex-system...",
   "vexPublished": "2021-03-10T16:10:50Z"
}


Thanks!

Adolfo
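The following is an added example and not part of either message above (nor
SPDX project code). It takes the relationship exactly as Adolfo proposed it and
checks it the way a consumer would: against the minimum-elements rule Dick
quotes (at least one product, exactly one vulnerability), against whether the
IDs on the "to", "from" and "subcomponents" sides are actually described in the
enclosing document (the reply's point that an ID alone is not a vulnerability
description), and against the status/justification rules for notAffected. The
camelCase status and justification spellings, and the two element sets standing
in for the rest of an SPDX document, are assumptions made for this example.

```python
# Added example: validate a proposed SPDX VulnerabilityVexRelationship.
# Status and justification spellings are assumed camelCase forms of the
# standard VEX values; the element sets are constructed for this example.

# The thread names "affected, notAffected, etc"; the remaining two are the
# other VEX status values (spelling assumed).
VEX_STATUSES = {"affected", "notAffected", "fixed", "underInvestigation"}

# Machine-readable justifications a notAffected statement must carry
# (assumed camelCase spelling of the standard VEX justification values).
NOT_AFFECTED_JUSTIFICATIONS = {
    "componentNotPresent",
    "vulnerableCodeNotPresent",
    "vulnerableCodeNotInExecutePath",
    "vulnerableCodeCannotBeControlledByAdversary",
    "inlineMitigationsAlreadyExist",
}

# The relationship as proposed in the thread.
THREAD_EXAMPLE = {
    "@type": "VulnerabilityVexRelationship",
    "@id": "urn:spdx.dev:vex-2",
    "relationshipType": "notAffected",
    "to": "urn:spdx.dev:cve-1",
    "from": ["urn:carol-compression-engine-3.1"],
    "subcomponents": [
        "urn:carol-compression-engine-subcomponent1",
        "urn:carol-compression-engine-subcomponent2",
    ],
    "impact": "We are not using this vulnerable part of this library.",
    "justification": "componentNotPresent",
    "source": "https://vex-system...",
    "vexPublished": "2021-03-10T16:10:50Z",
}

# Constructed stand-ins for the element IDs described elsewhere in an SPDX
# document: both describe the product and its subcomponents, only the second
# also describes the vulnerability element that "to" points at.
ELEMENTS_WITHOUT_CVE = {
    "urn:carol-compression-engine-3.1",
    "urn:carol-compression-engine-subcomponent1",
    "urn:carol-compression-engine-subcomponent2",
}
ELEMENTS_WITH_CVE = ELEMENTS_WITHOUT_CVE | {"urn:spdx.dev:cve-1"}


def validate_vex_relationship(rel, known_elements):
    """Return a list of problems; an empty list means the statement passes.

    known_elements is the set of element IDs described in the enclosing
    document, so an ID that is referenced but never described is reported.
    """
    problems = []
    if rel.get("@type") != "VulnerabilityVexRelationship":
        problems.append("@type: must be VulnerabilityVexRelationship")

    # Exactly one vulnerability: "to" is a single ID, never a list.
    to = rel.get("to")
    if not isinstance(to, str) or not to:
        problems.append("to: exactly one vulnerability ID is required")
    elif to not in known_elements:
        problems.append(f"to: {to} is not described in this document")

    # At least one product: "from" is a non-empty list of IDs.
    products = rel.get("from") or []
    if isinstance(products, str):
        products = [products]
    if not products:
        problems.append("from: at least one product ID is required")
    for pid in products:
        if pid not in known_elements:
            problems.append(f"from: {pid} is not described in this document")

    status = rel.get("relationshipType")
    if status not in VEX_STATUSES:
        problems.append(f"relationshipType: unknown status {status!r}")
    # notAffected needs a machine-readable justification; the free-text
    # "impact" field alone cannot be acted on by an automated consumer.
    if status == "notAffected":
        just = rel.get("justification")
        if just not in NOT_AFFECTED_JUSTIFICATIONS:
            problems.append(f"justification: {just!r} is not valid for notAffected")

    # Subcomponents (the open question): each must be described, and a
    # subcomponent that is the product itself is a modelling error.
    for sid in rel.get("subcomponents") or []:
        if sid not in known_elements:
            problems.append(f"subcomponents: {sid} is not described in this document")
        if sid in products:
            problems.append(f"subcomponents: {sid} is the product itself")

    if not rel.get("vexPublished"):
        problems.append("vexPublished: timestamp is required")
    return problems


if __name__ == "__main__":
    for name, elems in (("without CVE element", ELEMENTS_WITHOUT_CVE),
                        ("with CVE element", ELEMENTS_WITH_CVE)):
        print(name, validate_vex_relationship(THREAD_EXAMPLE, elems) or "OK")
```

Run as-is, the first pass reports only that urn:spdx.dev:cve-1 is not described
anywhere, and the second passes; a "to" given as a list, or a free-text
justification, is rejected on the minimum-elements grounds rather than on the
free-text "impact" wording.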

View/Reply Online (#5118): https://lists.spdx.org/g/Spdx-tech/message/5118