Excellent! Thanks Adolfo.

Will be joining the defects call after I’m finished with my current meeting.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

 

From: Adolfo Veytia <[email protected]> 
Sent: Wednesday, April 26, 2023 2:04 PM
To: [email protected]
Cc: SPDX Technical Mailing List <[email protected]>; 
[email protected]
Subject: Re: [spdx-tech] Subcomponents for VEX

 

Here it goes!

On Wed, Apr 26, 2023 at 11:35 AM Dick Brooks <[email protected]> wrote:

Thanks Adolfo.

Can you provide a complete example to help put this together? This might be
useful for today’s defects call.

Thanks,

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

 

 <https://reliableenergyanalytics.com/products> Never trust software, always 
verify and report! ™

 <http://www.reliableenergyanalytics.com/> 
http://www.reliableenergyanalytics.com

Email:  <mailto:[email protected]> 
[email protected]

Tel: +1 978-696-1788

 

From: Adolfo Veytia <[email protected]>
Sent: Wednesday, April 26, 2023 1:32 PM
To: [email protected]
Cc: SPDX Technical Mailing List <[email protected]>
Subject: Re: [spdx-tech] Subcomponents for VEX

 

Yeah, I only sent the relationship for brevity. The vulnerability itself would 
be the one referenced in the to: end:

 

{
   "@type": "VulnerabilityVexRelationship",
   "@id": "urn:spdx.dev:vex-2",
   "relationshipType": "notAffected",
   "to": "urn:spdx.dev:cve-1",
   "from": ["urn:carol-compression-engine-3.1"],
   "subcomponents": [
      "urn:carol-compression-engine-subcomponent1",
      "urn:carol-compression-engine-subcomponent2"
   ],
   "impact": "We are not using this vulnerable part of this library.",
   "justification": "componentNotPresent",
   "source": "https://vex-system...",
   "vexPublished": "2021-03-10T16:10:50Z"
}

 

On Wed, Apr 26, 2023 at 11:03 AM Dick Brooks <[email protected]> wrote:

Adolfo,

 

According to the VEX minimum elements spec :

 

A VEX statement MUST identify at least one product (or component) and exactly 
one vulnerability.

 

I’m not seeing the vulnerability description in this example. 

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

 

 <https://reliableenergyanalytics.com/products> Never trust software, always 
verify and report! ™

 <http://www.reliableenergyanalytics.com/> 
http://www.reliableenergyanalytics.com

Email:  <mailto:[email protected]> 
[email protected]

Tel: +1 978-696-1788

 

From: [email protected] <[email protected]> On Behalf Of Adolfo
Sent: Wednesday, April 26, 2023 12:47 PM
To: SPDX Technical Mailing List <[email protected]>
Subject: [spdx-tech] Subcomponents for VEX

 

Hello, following up on the conversation from the last Tech meeting, one of the 
open questions for the VEX implementation is how to address subcomponents in 
VEX. A little bit of context first.

 

In VEX a VEX statement talks about a "product" which is the piece of software 
about which the statement expresses impact. As shown in the meeting, the 
current design proposal links the vulnerability and the product with a VEX 
relationship (affected, notAffected, etc).

 

But a VEX statement also defines a subcomponent to express exactly which 
component of the product contains the vulnerability. So the question we had is, 
should we add a list of subcomponents to the VEX relationship? Can we specify 
the subcomponents by listing their IDs like this?

 

{
   "@type": "VulnerabilityVexRelationship",
   "@id": "urn:spdx.dev:vex-2",
   "relationshipType": "notAffected",
   "to": "urn:spdx.dev:cve-1",
   "from": ["urn:carol-compression-engine-3.1"],
   "subcomponents": [
      "urn:carol-compression-engine-subcomponent1",
      "urn:carol-compression-engine-subcomponent2"
   ],
   "impact": "We are not using this vulnerable part of this library.",
   "justification": "componentNotPresent",
   "source": "https://vex-system...",
   "vexPublished": "2021-03-10T16:10:50Z"
}

 


Thanks!

 

Adolfo
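As an added example (not part of this thread and not SPDX project code), here is a small Python checker for a VulnerabilityVexRelationship of the shape proposed above. It applies the minimum-elements rule quoted later in the thread (at least one product, exactly one vulnerability) and treats the subcomponents list as the place where a notAffected/componentNotPresent statement names the part that is absent. The sample input is the relationship from the proposal with a constructed placeholder in place of the truncated "source" URL; the set of status names, the rule that notAffected needs a justification or impact statement, and the check that componentNotPresent should list subcomponents are this example's assumptions, not text from the SPDX specification.

```python
import json
import re

# Constructed sample: the relationship from the proposal above. The "source"
# value in the thread is truncated, so a placeholder URL is used here.
SAMPLE_VEX = json.loads("""
{
   "@type": "VulnerabilityVexRelationship",
   "@id": "urn:spdx.dev:vex-2",
   "relationshipType": "notAffected",
   "to": "urn:spdx.dev:cve-1",
   "from": ["urn:carol-compression-engine-3.1"],
   "subcomponents": [
      "urn:carol-compression-engine-subcomponent1",
      "urn:carol-compression-engine-subcomponent2"
   ],
   "impact": "We are not using this vulnerable part of this library.",
   "justification": "componentNotPresent",
   "source": "https://vex-system.example/placeholder",
   "vexPublished": "2021-03-10T16:10:50Z"
}
""")

# Assumed status vocabulary, spelled the way the proposal spells notAffected.
VEX_STATUSES = {"affected", "notAffected", "fixed", "underInvestigation"}

# RFC 3339 date-time, e.g. 2021-03-10T16:10:50Z or with a numeric offset.
RFC3339 = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$"
)


def check_vex_relationship(rel: dict) -> list[str]:
    """Return a list of problems found; an empty list means the statement passes."""
    problems = []
    if rel.get("@type") != "VulnerabilityVexRelationship":
        problems.append("@type must be VulnerabilityVexRelationship")
    status = rel.get("relationshipType")
    if status not in VEX_STATUSES:
        problems.append(f"unknown relationshipType {status!r}")

    # Minimum elements: exactly one vulnerability, carried in "to" as one string.
    to = rel.get("to")
    if not isinstance(to, str) or not to:
        problems.append("'to' must name exactly one vulnerability (a single string)")

    # Minimum elements: at least one product, carried in "from".
    products = rel.get("from")
    if (not isinstance(products, list) or not products
            or not all(isinstance(p, str) and p for p in products)):
        problems.append("'from' must list at least one product identifier")

    # Subcomponents are identifiers of parts of the product; they must not
    # repeat a product id, and must not repeat each other.
    subs = rel.get("subcomponents", [])
    if not isinstance(subs, list) or not all(isinstance(s, str) and s for s in subs):
        problems.append("'subcomponents' must be a list of identifiers")
    else:
        if isinstance(products, list):
            overlap = set(subs) & set(products)
            if overlap:
                problems.append(f"subcomponents overlap products: {sorted(overlap)}")
        if len(set(subs)) != len(subs):
            problems.append("duplicate subcomponent identifiers")

    # Assumption: a notAffected claim needs a justification or impact statement
    # so a consumer can judge it, and componentNotPresent should say which
    # subcomponent is absent.
    if status == "notAffected":
        if not rel.get("justification") and not rel.get("impact"):
            problems.append("notAffected requires a justification or impact statement")
        if rel.get("justification") == "componentNotPresent" and not subs:
            problems.append("componentNotPresent should name the absent subcomponent(s)")

    ts = rel.get("vexPublished")
    if not isinstance(ts, str) or not RFC3339.match(ts):
        problems.append("'vexPublished' must be an RFC 3339 timestamp")
    return problems


if __name__ == "__main__":
    issues = check_vex_relationship(SAMPLE_VEX)
    print("OK" if not issues else "\n".join(issues))
```

Feeding the sample through returns no problems; a "to" given as a list of two vulnerability ids, or an empty "from", is reported, which is the minimum-elements rule the thread is discussing expressed as a check a consumer of these relationships can run.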

 

 





-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5122): https://lists.spdx.org/g/Spdx-tech/message/5122
Mute This Topic: https://lists.spdx.org/mt/98519101/21656
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-