Re: [spdx] End Of Life Tag in spdx #spdx

[Dick Brooks]

Steve,

 

Regarding: “I have no opinion on end-of-life either way, but wouldn’t the same 
argument apply to security vulnerabilities?”

 

Yes, if a software vendor chooses to list each known vulnerability with a 
separate V 2.3 “SECURITY advisory object “affecting a software product on day 
one, when the SBOM is finalized. 

 

However, that is not the case if a vendor chooses to link to a single, 
dynamically generated Vulnerability Disclosure Report (VDR) using a V 2.3 
“SECUIRTY advisory object”, where the link is static, but the contents 
delivered by the link are dynamic, which enables a software consumer to answer 
this question about a software product: “What is the vulnerability status NOW 
at the SBOM component level?” 

 

The 5/5 NIST guidance for Executive order 14028 supports this dynamic VDR 
concept, which appears in SPDX V 2.3, Appendix G 1.3.1 and G 1.9:

https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1
 

 

“Maintain vendor vulnerability disclosure reports at the SBOM component level.”

 

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

 

 <https://reliableenergyanalytics.com/products> Never trust software, always 
verify and report! ™

 <http://www.reliableenergyanalytics.com/> 
http://www.reliableenergyanalytics.com

Email:  <mailto:d...@reliableenergyanalytics.com> 
d...@reliableenergyanalytics.com

Tel: +1 978-696-1788

 

From: spdx@lists.spdx.org <spdx@lists.spdx.org> On Behalf Of Steve Kilbane
Sent: Friday, May 20, 2022 3:33 AM
To: spdx@lists.spdx.org
Subject: Re: [spdx] End Of Life Tag in spdx #spdx

 

Armijn said:

> Current information inside SPDX documents is largely static […]

> This would make SPDX a lot more cumbersome, as not only do the documents need 
> to be generated, but they also need to be updated all the time to avoid 
> falling out of sync

 

I have no opinion on end-of-life either way, but wouldn’t the same argument 
apply to security vulnerabilities?

 

steve

 

From: spdx@lists.spdx.org <mailto:spdx@lists.spdx.org>  <spdx@lists.spdx.org 
<mailto:spdx@lists.spdx.org> > On Behalf Of Armijn Hemel - Tjaldur Software 
Governance Solutions
Sent: 19 May 2022 11:21
To: spdx@lists.spdx.org <mailto:spdx@lists.spdx.org> 
Subject: Re: [spdx] End Of Life Tag in spdx #spdx

 


[External]

 

hello,

 

I would suggest to keep this information "out of band" and not inside SPDX 
documents. Current information inside SPDX documents is largely static: 
package, license, checksum, and so on. Of course there could have been errors 
that need to be fixed, but overall these fields are static.

 

EOL information, commercial status and support status on the other hand are 
much more dynamic. Sometimes packages are supported for only a few hours, 
sometimes for decades. Very often it is also not clear when a package is EOL or 
supported as many authors/maintainers do not announce it. The support is 
sometimes also not done by the author/maintainers, but by an external entity 
(for example: enterprise grade Linux distributions). Does this mean it is 
supported, or only supported for people willing to pay for it, or .... ? It is 
simply not clear and it adds a lot of fuzziness.

 

This would make SPDX a lot more cumbersome, as not only do the documents need 
to be generated, but they also need to be updated all the time to avoid falling 
out of sync. It also mixes syntax and semantics, which is never a good idea.

 

armijn

 

Kate and Sandeep,

 

Our customers are also interested in this information. There are two concepts 
to consider:

Commercial Status: 

        <enumeration value="Available"></enumeration>

        <enumeration value="Retired"></enumeration>

        <enumeration value="EOL"></enumeration>

        <enumeration value="BetaTest"></enumeration>

        <enumeration value="Pilot"></enumeration>

        <enumeration value="Abandoned"></enumeration>

 

Support Status:

        <enumeration value="Supported"></enumeration>
        <enumeration value="Unsupported"></enumeration>
        <enumeration value="Community"></enumeration>

 

Both are described in the open-source Vendor Response File (VRF) XML schema 
available here: 
https://raw.githubusercontent.com/rjb4standards/REA-Products/master/SAGVendorSchema.xsd
 
<https://urldefense.com/v3/__https:/raw.githubusercontent.com/rjb4standards/REA-Products/master/SAGVendorSchema.xsd__;!!A3Ni8CS0y2Y!9WT3znbOkRnt_Oxmq72VIE182dVmBJJLEyFUlnytRAucg1fgdB6UmTiIu3AOjg5l6UHEllVXXZv_4iaMyNVZp08$>
  

 

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

 

 
<https://urldefense.com/v3/__https:/reliableenergyanalytics.com/products__;!!A3Ni8CS0y2Y!9WT3znbOkRnt_Oxmq72VIE182dVmBJJLEyFUlnytRAucg1fgdB6UmTiIu3AOjg5l6UHEllVXXZv_4iaMnvTahkc$>
 Never trust software, always verify and report! ™

 
<https://urldefense.com/v3/__http:/www.reliableenergyanalytics.com/__;!!A3Ni8CS0y2Y!9WT3znbOkRnt_Oxmq72VIE182dVmBJJLEyFUlnytRAucg1fgdB6UmTiIu3AOjg5l6UHEllVXXZv_4iaMkxnpiVc$>
 http://www.reliableenergyanalytics.com

Email:  <mailto:d...@reliableenergyanalytics.com> 
d...@reliableenergyanalytics.com

Tel: +1 978-696-1788

 

From: spdx@lists.spdx.org <mailto:spdx@lists.spdx.org>   
<mailto:spdx@lists.spdx.org> <spdx@lists.spdx.org> On Behalf Of Kate Stewart
Sent: Friday, May 6, 2022 3:34 PM
To: SPDX-general  <mailto:spdx@lists.spdx.org> <spdx@lists.spdx.org>
Subject: Re: [spdx] End Of Life Tag in spdx #spdx

 

Hi Sandeep,

 

     There is a pull request expected shortly from the Usage profile team, to 
add this specific field to 2.3.

When it comes in,  please feel free to review and make sure it's going to 
suffice for your needs.

 

For now, with 2.2 documents,  suggest you use the Package Comment field 
(https://spdx.github.io/spdx-spec/package-information/#720-package-comment-field
 
<https://urldefense.com/v3/__https:/spdx.github.io/spdx-spec/package-information/*720-package-comment-field__;Iw!!A3Ni8CS0y2Y!9WT3znbOkRnt_Oxmq72VIE182dVmBJJLEyFUlnytRAucg1fgdB6UmTiIu3AOjg5l6UHEllVXXZv_4iaMKqY76lk$>
 ) and standardize on a tag (like EndOfSupport: ) and the date. 

 

Will that work for now?

 

Thanks, 
Kate

 

On Fri, May 6, 2022 at 2:27 PM Patil, Sandeep via lists.spdx.org 
<https://urldefense.com/v3/__http:/lists.spdx.org__;!!A3Ni8CS0y2Y!9WT3znbOkRnt_Oxmq72VIE182dVmBJJLEyFUlnytRAucg1fgdB6UmTiIu3AOjg5l6UHEllVXXZv_4iaMrxBSECs$>
  <sandeep.patil=philips....@lists.spdx.org <mailto:philips....@lists.spdx.org> 
> wrote:

Hi All, 
We have requirement to specify End Of Life as part of package information in 
SBoM , 
Is there way current SPDX format support this ? 

Regards
Sandeep  

 

-- 
Armijn Hemel, MSc
Tjaldur Software Governance Solutions





-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#1525): https://lists.spdx.org/g/spdx/message/1525
Mute This Topic: https://lists.spdx.org/mt/90941107/21656
Mute #spdx:https://lists.spdx.org/g/spdx/mutehashtag/spdx
Group Owner: spdx+ow...@lists.spdx.org
Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/21656/1698928721/xyzzy 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-