Hi Sandeep, To add to Rose’s comments…
For version 2.3, the new Advisory identifier (F.2.3, https://github.com/spdx/spdx-spec/blob/b57e348b19b4ba03474c7293f2c5b86878e23d4c/chapters/external-repository-identifiers.md#f23-advisory-) is a catch-all that will enable linking to any VEX information, e.g., as contained within an OSV or CSAF file. We’re currently working on further security vulnerability information integrations with version 3.0 of the SPDX spec and would welcome your contributions :) Meetings are Wednesdays at 11am PT.

Jeff

From: <[email protected]> on behalf of "Rose Judge via lists.spdx.org" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, June 2, 2022 at 10:30 AM
To: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [spdx-defects] [spdx] VEX integration in SPDX #spdx

Hi Sandeep,

The SPDX Defects working group announced security enhancements to the ExternalReference section of the spec (https://github.com/spdx/spdx-spec/blob/b57e348b19b4ba03474c7293f2c5b86878e23d4c/chapters/external-repository-identifiers.md#f2-security-) as well as an explanatory Annex about how to include security information in an SPDX document (https://github.com/spdx/spdx-spec/blob/e25d183ade64c123770412297b9bf5086a7ed0bf/chapters/how-to-use.md#g1-including-security-information-in-a-spdx-document). These changes apply to spec version 2.3, which should be released by the end of the month.

In order to include security/vulnerability information in 2.3, you will want to use the SECURITY ExternalReference Type. When using this format, there are several security identifiers available: cpe22type, cpe23type, advisory, fix, url or swid that you can use to reference a VEX document. You can see examples of how this might be done in the link to Annex G above. I’m also adding the SPDX Defects workgroup to the CC in case you have any further questions.

Thanks,
Rose

Subject: [EXT] [spdx] VEX integration in SPDX #spdx
Date: Tue, 31 May 2022 22:49:51 -0700
From: Patil, Sandeep via lists.spdx.org <[email protected]>
Reply-To: [email protected]
To: [email protected]

Hi,

Is there any roadmap to integrate VEX with SPDX? Or is there already a way in the current SPDX specification to integrate vulnerability information?

Regards
Sandeep
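An added example, not from this thread or from the SPDX project: a small Python consumer that pulls the SECURITY ExternalRefs out of a constructed SPDX 2.3 JSON document, validates their type against the Annex F.2 list Rose and Jeff refer to (spelled as in the spec: cpe22Type, cpe23Type, advisory, fix, url, swid), and collects the advisory/url locators that point at VEX data. The package name and locators are hypothetical.

```python
import json
from collections import defaultdict
# Security reference types defined in SPDX 2.3 Annex F.2 (spelling as in the spec).
SECURITY_REF_TYPES = {"cpe22Type", "cpe23Type", "advisory", "fix", "url", "swid"}

# Constructed SPDX 2.3 JSON fragment; package name and locators are hypothetical.
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [{
        "SPDXID": "SPDXRef-Package-example-lib",
        "name": "example-lib",
        "versionInfo": "1.4.2",
        "externalRefs": [
            {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
             "referenceLocator": "cpe:2.3:a:example:example-lib:1.4.2:*:*:*:*:*:*:*"},
            {"referenceCategory": "SECURITY", "referenceType": "advisory",
             "referenceLocator": "https://vex.example.invalid/csaf/example-lib-1.4.2.json"},
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:generic/example-lib@1.4.2"},
            # Not a defined SECURITY type in 2.3: per the thread, VEX links go under 'advisory'.
            {"referenceCategory": "SECURITY", "referenceType": "vex",
             "referenceLocator": "https://vex.example.invalid/bogus"},
        ],
    }],
})


def security_refs(spdx_json: str) -> dict:
    """Map SPDXID -> {referenceType: [locators]} for SECURITY refs; SECURITY refs
    whose type SPDX 2.3 does not define are collected under '_invalid'."""
    doc = json.loads(spdx_json)
    result = {"_invalid": []}
    for pkg in doc.get("packages", []):
        by_type = defaultdict(list)
        for ref in pkg.get("externalRefs", []):  # a package may carry no externalRefs
            if ref.get("referenceCategory") != "SECURITY":
                continue
            rtype, locator = ref.get("referenceType"), ref.get("referenceLocator")
            if rtype not in SECURITY_REF_TYPES:
                result["_invalid"].append((pkg["SPDXID"], rtype, locator))
            else:
                by_type[rtype].append(locator)
        if by_type:
            result[pkg["SPDXID"]] = dict(by_type)
    return result


def vex_locators(spdx_json: str) -> list:
    """Locators a VEX/advisory consumer would fetch: the 'advisory' and 'url' refs."""
    return [loc for spdxid, types in security_refs(spdx_json).items() if spdxid != "_invalid"
            for t in ("advisory", "url") for loc in types.get(t, [])]
```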
