Here it goes!

On Wed, Apr 26, 2023 at 11:35 AM Dick Brooks <[email protected]> wrote:

> Thanks Adolfo.
>
> Can you provide a complete example to help put this together? This might
> be useful for today's defects call.
>
> Thanks,
>
> Dick Brooks
>
> Active Member of the CISA Critical Manufacturing Sector,
> Sector Coordinating Council – A Public-Private Partnership
>
> Never trust software, always verify and report! ™
> <https://reliableenergyanalytics.com/products>
> http://www.reliableenergyanalytics.com
> Email: [email protected]
> Tel: +1 978-696-1788
>
> From: Adolfo Veytia <[email protected]>
> Sent: Wednesday, April 26, 2023 1:32 PM
> To: [email protected]
> Cc: SPDX Technical Mailing List <[email protected]>
> Subject: Re: [spdx-tech] Subcomponents for VEX
>
> Yeah, I only sent the relationship for brevity. The vulnerability itself
> would be the one referenced in the to: end:
>
> {
>   "@type": "VulnerabilityVexRelationship",
>   "@id": "urn:spdx.dev:vex-2",
>   "relationshipType": "notAffected",
>   *"to": "urn:spdx.dev:cve-1",*
>   "from": ["urn:carol-compression-engine-3.1"],
>   "subcomponents": [
>     "urn:carol-compression-engine-subcomponent1",
>     "urn:carol-compression-engine-subcomponent2"
>   ],
>   "impact": "We are not using this vulnerable part of this library.",
>   "justification": "componentNotPresent",
>   "source": "https://vex-system...",
>   "vexPublished": "2021-03-10T16:10:50Z"
> }
>
> On Wed, Apr 26, 2023 at 11:03 AM Dick Brooks <[email protected]> wrote:
>
> Adolfo,
>
> According to the VEX minimum elements spec:
>
> A VEX statement MUST identify at least one product (or component) and
> exactly one vulnerability.
>
> I’m not seeing the vulnerability description in this example.
>
> Thanks,
>
> Dick Brooks
>
> Active Member of the CISA Critical Manufacturing Sector,
> Sector Coordinating Council – A Public-Private Partnership
>
> Never trust software, always verify and report! ™
> <https://reliableenergyanalytics.com/products>
> http://www.reliableenergyanalytics.com
> Email: [email protected]
> Tel: +1 978-696-1788
>
> From: [email protected] <[email protected]> On Behalf Of Adolfo
> Sent: Wednesday, April 26, 2023 12:47 PM
> To: SPDX Technical Mailing List <[email protected]>
> Subject: [spdx-tech] Subcomponents for VEX
>
> Hello, following up on the conversation from the last Tech meeting, one of
> the open questions for the VEX implementation is how to address
> subcomponents in VEX. A little bit of context first.
>
> In VEX a VEX statement talks about a "product" which is the piece of
> software about which the statement expresses impact. As shown in the
> meeting, the current design proposal links the vulnerability and the
> product with a VEX relationship (affected, notAffected, etc.).
>
> But a VEX statement also defines a *subcomponent* to express exactly
> which component of the *product* contains the vulnerability. So the
> question we had is, should we add a list of subcomponents to the VEX
> relationship? Can we specify the subcomponents by listing their IDs like
> this?
>
> {
>   "@type": "VulnerabilityVexRelationship",
>   "@id": "urn:spdx.dev:vex-2",
>   "relationshipType": "notAffected",
>   "to": "urn:spdx.dev:cve-1",
>   "from": ["urn:carol-compression-engine-3.1"],
>   *"subcomponents": [*
>     *"urn:carol-compression-engine-subcomponent1",*
>     *"urn:carol-compression-engine-subcomponent2"*
>   *],*
>   "impact": "We are not using this vulnerable part of this library.",
>   "justification": "componentNotPresent",
>   "source": "https://vex-system...",
>   "vexPublished": "2021-03-10T16:10:50Z"
> }
>
> Thanks!
>
> Adolfo

-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#5121): https://lists.spdx.org/g/Spdx-tech/message/5121
-=-=-=-=-=-=-=-=-=-=-=-
vex-subcomponents.spdx.json
Description: application/json
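A small checker for the minimum-elements rule quoted in the thread (at least one product, exactly one vulnerability) applied to the proposed relationship shape, added here as an example; it is not the attached vex-subcomponents.spdx.json and not SPDX project code. The element ids, the source URL, and the status/justification values beyond notAffected and componentNotPresent are assumptions.

```python
import json

# Status/justification vocabularies: "notAffected"/"componentNotPresent" come from
# the thread; the other camelCase spellings are my assumption.
VEX_STATUSES = {"affected", "notAffected", "fixed", "underInvestigation"}
NOT_AFFECTED_JUSTIFICATIONS = {
    "componentNotPresent", "vulnerableCodeNotPresent",
    "vulnerableCodeNotInExecutePath",
    "vulnerableCodeCannotBeControlledByAdversary", "inlineMitigationsAlreadyExist"}

# Constructed element ids standing in for the SBOM the statement points into.
KNOWN_IDS = {"urn:spdx.dev:cve-1", "urn:carol-compression-engine-3.1",
             "urn:carol-compression-engine-subcomponent1",
             "urn:carol-compression-engine-subcomponent2"}

# Constructed statement in the shape proposed in the thread (not the attachment).
VEX_STATEMENT = json.loads("""{
  "@type": "VulnerabilityVexRelationship", "@id": "urn:spdx.dev:vex-2",
  "relationshipType": "notAffected", "to": "urn:spdx.dev:cve-1",
  "from": ["urn:carol-compression-engine-3.1"],
  "subcomponents": ["urn:carol-compression-engine-subcomponent1",
                    "urn:carol-compression-engine-subcomponent2"],
  "impact": "We are not using this vulnerable part of this library.",
  "justification": "componentNotPresent",
  "source": "https://vex-system.example/", "vexPublished": "2021-03-10T16:10:50Z"
}""")


def check_vex_statement(stmt, known_ids):
    """Return the list of minimum-element violations; [] means it passes."""
    problems = []
    vuln = stmt.get("to")  # exactly one vulnerability: a single id, not a list
    if not isinstance(vuln, str) or vuln not in known_ids:
        problems.append("'to' must name exactly one known vulnerability")
    products = stmt.get("from", [])
    products = [products] if isinstance(products, str) else list(products)
    if not products or any(p not in known_ids for p in products):
        problems.append("'from' must list at least one known product")
    status = stmt.get("relationshipType")
    if status not in VEX_STATUSES:
        problems.append(f"unknown status {status!r}")
    elif status == "notAffected" and stmt.get("justification") not in NOT_AFFECTED_JUSTIFICATIONS:
        problems.append("notAffected needs a recognised justification")
    for sub in stmt.get("subcomponents", []):
        # Subcomponents refine the product side; they are never the vulnerability
        if sub not in known_ids or sub == vuln or sub in products:
            problems.append(f"subcomponent {sub!r} is not a distinct known component")
    return problems
```

Feeding the statement above returns an empty list; a "to" holding two CVE ids, an unrecognised justification, or a subcomponent that is really the vulnerability each produce one finding.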
