Hi Dick-san,

I don't have such information. I have just confirmed the current specification.

Best regards,
Nobuyuki Tanaka
Sony Group Corporation

________________________________
From: Dick Brooks <[email protected]>
Sent: April 26, 2024 20:07
To: Tanaka, Nobuyuki (SGC) <[email protected]>; [email protected] <[email protected]>
Subject: RE: [spdx-tech] Is "VexAssessmentRelationship" typo in how-to-implement-VEX-in-SPDX.md?

Nobuyuki Tanaka,

Is Sony planning to issue an updated SBOM when a VEX status changes for any of the VEX statements contained in an SBOM?

How will Sony indicate that an SBOM has no identified vulnerabilities?

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of [email protected]
Sent: Thursday, April 25, 2024 9:12 PM
To: [email protected]
Subject: Re: [spdx-tech] Is "VexAssessmentRelationship" typo in how-to-implement-VEX-in-SPDX.md?

Hi all,

Thanks, I could get a reply directly.
@type should be "VulnAssessmentRelationship", and "amends" should be "amendedBy".

Best regards,
Nobuyuki Tanaka
Sony Group Corporation

________________________________
From: [email protected] <[email protected]> on behalf of [email protected] <[email protected]>
Sent: April 25, 2024 15:36
To: [email protected] <[email protected]>
Subject: [spdx-tech] Is "VexAssessmentRelationship" typo in how-to-implement-VEX-in-SPDX.md?

Hi all,

I'd like to confirm one thing in how-to-implement-VEX-in-SPDX.md. This document is very helpful to understand creating VEX.
https://github.com/spdx/spdx-spec/blob/cb47a183637a952b644a8b4b3677f5794b2cc0bf/docs/annexes/how-to-implement-VEX-in-SPDX.md

Is the following @type "VulnAssessmentRelationship" or "VexVulnAssessmentRelationship"?

    "@type": "VexAssessmentRelationship",
    "@id": "urn:spdx.dev:vex-update",
    "relationshipType": "amends",
    "from": "urn:spdx.dev:vex-underInvestigation-1",
    "to": ["urn:spdx.dev:vex-affected-1"],

Sorry, I need time to create a GitHub account, so I sent this mail to this ML.

Best regards,
Nobuyuki Tanaka
Sony Group Corporation

-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#5617): https://lists.spdx.org/g/Spdx-tech/message/5617
-=-=-=-=-=-=-=-=-=-=-=-
