Eliot,

With help from Keith at Anchore during some recent testing I was able to 
explain the difficulties REA has experienced with identifying enforceable 
license information during a binary analysis. 

Fortunately, licensing information is optional under SPDX v2.3; licensing 
information is not a "minimal element" under the NTIA SBOM minimum elements 
recommendations for EO 14028. 

https://spdx.github.io/spdx-spec/v2.3/package-information/#713-concluded-license-field

https://spdx.github.io/spdx-spec/v2.3/other-licensing-information-detected/

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector, 
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
https://reliableenergyanalytics.com/products

http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788


From: [email protected] <[email protected]> On Behalf Of Eliot 
Lear
Sent: Monday, August 21, 2023 9:18 AM
To: [email protected]; [email protected]
Cc: SPDX Technical Mailing List <[email protected]>; Emrick Donadei 
<[email protected]>; Tyler Pirtle <[email protected]>
Subject: Re: [spdx-tech] NOASSERTION on PackageVersion field

I could understand why Syft would want to do NOASSERTION, and even a 
manufacturer might need to do something like this if we are receiving binaries 
from suppliers. Licensing probably doesn't care about versioning so long as a 
license is declared. But cybersecurity cares. Is it a show stopper? Not for 
a manufacturer because we can issue VEX statements. But for Syft, it may be 
more problematic because Syft may not be in a position to create a VEX (I don't 
know).

Eliot

On 18.08.23 18:34, Keith Zantow via lists.spdx.org wrote:

We just had a talk about this yesterday due to a Syft issue that came in: 
https://github.com/anchore/syft/issues/2038 (from Emrick). Currently, we're 
thinking about excluding packages without name and version information, but the 
NOASSERTION idea is also something that seems to solve the problem fairly well. 

I suppose I'm giving a plus-one on adding this as a specific value for the 
version when we cannot determine it, but also welcome thoughts on how best to 
handle this situation.

Cheers,

-Keith


On Fri, Aug 18, 2023 at 12:15 PM Brandon Lum via lists.spdx.org 
<[email protected]> wrote:

Hi, 

In generating some of our SPDX documents, we've (Tyler/Emrick CC'ed) run into 
situations where the version information of a package is unknown. What comes to 
mind is to set the version to NOASSERTION. However, this is not currently spelt 
out in the spec 
(https://spdx.github.io/spdx-spec/v2.3/package-information/#73-package-version-field).

Although semantically, in terms of usage of information, it should be similar, 
it still lacks the ability to say that "This information is incomplete", with 
the exception of having NOASSERTION be set on the DEPENDS_ON relationship more 
broadly - which may perhaps be a different discussion altogether. 

Wanted to get thoughts on this.

Cheers

Brandon
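As an added example that is not part of this thread, of Syft, or of the SPDX project, the following Python script shows the consumer side of the question raised above: a minimal parser for the package section of an SPDX 2.3 tag-value document that flags packages whose PackageVersion is absent or set to NOASSERTION (the cases a vulnerability scanner cannot match against advisory data, which is Eliot's "cybersecurity cares" point) and, separately, packages with no usable license information (the optional fields Dick refers to). The sample SBOM, the package names and the document namespace are constructed for the example; the parser handles only single-line `Tag: value` fields and ignores multi-line `<text>` blocks, and it treats a missing PackageVersion the same as NOASSERTION, which is this example's assumption rather than anything the spec states.

```python
"""Audit an SPDX 2.3 tag-value document for packages with unknown versions.

Added illustration for the NOASSERTION-on-PackageVersion discussion; the
parser covers only the single-line Tag: value subset of the format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

NOASSERTION = "NOASSERTION"

# Constructed sample document (not a real SBOM): one package with a usable
# version, one that explicitly asserts nothing, and one with no version line.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-sbom
DocumentNamespace: https://example.invalid/spdxdocs/example-sbom
Creator: Tool: hypothetical-generator

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 1.4.2
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT

PackageName: vendor-blob
SPDXID: SPDXRef-Package-vendor-blob
PackageVersion: NOASSERTION
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION

PackageName: mystery
SPDXID: SPDXRef-Package-mystery
PackageDownloadLocation: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-libfoo
"""


@dataclass
class Package:
    name: str
    spdx_id: Optional[str] = None
    version: Optional[str] = None            # None means the field was absent
    license_concluded: Optional[str] = None
    license_declared: Optional[str] = None


def parse_packages(text: str) -> List[Package]:
    """Collect Package records; a PackageName line opens a new package."""
    packages: List[Package] = []
    current: Optional[Package] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "PackageName":
            current = Package(name=value)
            packages.append(current)
        elif current is None:
            continue                          # document-level header fields
        elif key == "SPDXID":
            current.spdx_id = value
        elif key == "PackageVersion":
            current.version = value
        elif key == "PackageLicenseConcluded":
            current.license_concluded = value
        elif key == "PackageLicenseDeclared":
            current.license_declared = value
    return packages


def version_status(pkg: Package) -> str:
    """'known', 'noassertion' or 'missing' (absent field, treated like NOASSERTION)."""
    if pkg.version is None:
        return "missing"
    if pkg.version == NOASSERTION:
        return "noassertion"
    return "known"


def unmatchable_packages(packages: List[Package]) -> List[str]:
    """Packages a vulnerability scanner cannot reliably match: no usable version."""
    return [p.name for p in packages if version_status(p) != "known"]


def license_gaps(packages: List[Package]) -> List[str]:
    """Packages where neither concluded nor declared license carries information."""
    unknown = (None, NOASSERTION)
    return [p.name for p in packages
            if p.license_concluded in unknown and p.license_declared in unknown]


def report(text: str) -> Dict[str, object]:
    pkgs = parse_packages(text)
    return {
        "total": len(pkgs),
        "unmatchable": unmatchable_packages(pkgs),
        "license_gaps": license_gaps(pkgs),
    }


if __name__ == "__main__":
    print(report(SAMPLE_SPDX))
```

The two lists are kept separate on purpose: a package with NOASSERTION licensing is still a complete record for the NTIA minimum elements, while a package with NOASSERTION or no version should be surfaced to whoever handles vulnerability matching, since it will otherwise silently produce no findings.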

View/Reply Online (#5310): https://lists.spdx.org/g/Spdx-tech/message/5310