Hi Dick
That makes a lot of sense. One might layer on top of the binary scan
some sort of declaration... I don't know if people do that.
Eliot
On 21.08.23 15:28, Dick Brooks wrote:
Eliot,
With help from Keith at Anchore during some recent testing I was able
to explain the difficulties REA has experienced with identifying
enforceable License information during a binary analysis.
Fortunately, licensing information is optional under SPDX v2.3;
licensing information is not a “minimal element” under the NTIA SBOM
minimum elements recommendations for EO 14028.
https://spdx.github.io/spdx-spec/v2.3/package-information/#713-concluded-license-field
https://spdx.github.io/spdx-spec/v2.3/other-licensing-information-detected/
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report!™
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788
From: [email protected] On Behalf Of Eliot Lear
Sent: Monday, August 21, 2023 9:18 AM
To: [email protected]; [email protected]
Cc: SPDX Technical Mailing List <[email protected]>; Emrick Donadei <[email protected]>; Tyler Pirtle <[email protected]>
Subject: Re: [spdx-tech] NOASSERTION on PackageVersion field
I could understand why Syft would want to do NOASSERTION, and even a
manufacturer might need to do something like this if we are receiving
binaries from suppliers. Licensing probably doesn't care about
versioning so long as a license is declared. But cybersecurity
cares. Is it a show stopper? Not for a manufacturer because we can
issue VEX statements. But for Syft, it may be more problematic because
Syft may not be in a position to create a VEX (I don't know).
Eliot
On 18.08.23 18:34, Keith Zantow via lists.spdx.org wrote:
We just had a talk about this yesterday due to a Syft issue that
came in: https://github.com/anchore/syft/issues/2038 (from
Emrick). Currently, we're thinking about excluding packages
without name and version information, but the NOASSERTION idea is
also something that seems to solve the problem fairly well.
I suppose I'm giving a plus-one on adding this as a specific value
for the version when we cannot determine it, but also welcome
thoughts on how best to handle this situation.
Cheers,
-Keith
On Fri, Aug 18, 2023 at 12:15 PM Brandon Lum via lists.spdx.org <[email protected]> wrote:
Hi,
In generating some of our SPDX documents, we've (Tyler/Emrick
CC'ed) run into situations where the version information of a
package is unknown. What comes to mind is to set the version
to NOASSERTION. However, this is not currently spelt out in
the spec
(https://spdx.github.io/spdx-spec/v2.3/package-information/#73-package-version-field).
Although semantically, in terms of usage of information, it
should be similar, it still lacks the ability to say that
"This information is incomplete", with exception of having
NOASSERTION be set on the DEPENDS_ON relationship more broadly
- which may perhaps be a different discussion altogether.
Wanted to get thoughts on this.
Cheers
Brandon
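As an added example (not code from the thread, from Syft, or from the SPDX project), here is how an SBOM consumer might treat the situation the thread describes: a package whose `versionInfo` is `NOASSERTION` or absent cannot be matched against vulnerability data, so it is reported separately for follow-up (a VEX statement, or exclusion), while a missing or `NOASSERTION` `licenseConcluded` is simply recorded as unknown since the field is optional in SPDX 2.3. The sample SPDX JSON document is constructed for the example.

```python
import json

NOASSERTION = "NOASSERTION"

# Constructed sample SPDX 2.3 JSON document (not from the thread): one package
# with a concrete version, one with versionInfo set to NOASSERTION, and one
# where the producer omitted versionInfo entirely.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-pkg-a", "name": "libfoo", "versionInfo": "1.2.3",
         "licenseConcluded": "MIT", "downloadLocation": NOASSERTION},
        {"SPDXID": "SPDXRef-pkg-b", "name": "libbar", "versionInfo": NOASSERTION,
         "licenseConcluded": NOASSERTION, "downloadLocation": NOASSERTION},
        {"SPDXID": "SPDXRef-pkg-c", "name": "libbaz",
         "downloadLocation": NOASSERTION},
    ],
})


def classify_packages(sbom_json: str) -> dict:
    """Sort packages by how usable they are for vulnerability matching.

    'matchable'       : has a concrete version, can be checked against advisories
    'unversioned'     : versionInfo is NOASSERTION or missing; needs VEX or exclusion
    'license_unknown' : licenseConcluded is NOASSERTION or missing (optional field)
    """
    doc = json.loads(sbom_json)
    result = {"matchable": [], "unversioned": [], "license_unknown": []}
    for pkg in doc.get("packages", []):
        pkg_id = pkg.get("SPDXID", "<no SPDXID>")
        version = pkg.get("versionInfo")
        if version is None or version == NOASSERTION:
            # Producer could not determine the version (NOASSERTION) or left the
            # optional field out; either way there is nothing to match a CVE against.
            result["unversioned"].append(pkg_id)
        else:
            result["matchable"].append(pkg_id)
        if pkg.get("licenseConcluded", NOASSERTION) == NOASSERTION:
            result["license_unknown"].append(pkg_id)
    return result


if __name__ == "__main__":
    print(json.dumps(classify_packages(SAMPLE_SBOM), indent=2))
```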
View/Reply Online (#5311): https://lists.spdx.org/g/Spdx-tech/message/5311