Nice!

Thanks Dick. This is exactly the type of analysis I was hoping for by
producing the SBOMs.

I'll follow up separately on the VDR.

Gary

 

From: [email protected] <[email protected]> On Behalf Of Dick Brooks
Sent: Thursday, January 9, 2025 9:33 AM
To: [email protected]
Subject: [spdx] Example of a baseline VDR for the example SBOM presented by Gary and Jeff today


Gary and Jeff,

Thanks for your excellent presentation today. I have created a Baseline
"Vulnerability Disclosure Report" (VDR) for the SBOM example provided in
today's meeting (flexmeasures):


"SBOMVulnerabilityDisclosure": {
    "CVERespository": "NIST_NVD",
    "NISTNVDSearchStatus": "Success",
    "UnresolvedVulnerabilities": "U",
    "PackageSourceLocation": "NOASSERTION",
    "ProductName": "flexmeasures/requirements.txt",
    "ProductVersion": "784b3a623d031d2c7f36f811321c7ce993b2f002",
    "SBOMAuthor": "['Organization: aquasecurity', 'Tool: trivy-dev', 'Organization: Linux Foundation', 'Tool: Scaffold', 'Tool: Parlay']",
    "SBOMFormat": "spdx",
    "SBOMFormatSyntax": "JSON",
    "SBOMLocation": "https://raw.githubusercontent.com/lfscanning/spdx-lfenergy/refs/heads/main/flexmeasures/2024-09/lfenergy-flexmeasures-spdx.json",
    "SBOMTimestamp": "2025-01-09T16:25:11Z",
    "SBOMTotalComponentCount": "117",
    "SupplierName": "Organization: Linux Foundation Project lfenergy",
    "VulnDisclosureCreateDate": "2025-01-09T17:03:38.427386+00:00"
},

I can provide the full VDR privately if interested. Some CVEs were
reported.

This online, living VDR could be linked to the SPDX V 2.3 SBOM using an
external Secure/advisory reference:

https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k19-linking-to-an-sbom-vulnerability-report-for-a-software-product-per-nist-executive-order-14028


Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership

Never trust software, always verify and report!
https://reliableenergyanalytics.com/products

Risk always exists, but trust must be earned and awarded.
https://businesscyberguardian.com/

Email: [email protected]
Tel: +1 978-696-1788
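As an added example (not code from Dick's message or from the SPDX project), this is what the linking step above looks like in an SPDX 2.3 JSON document: the VDR is attached to the package the document describes as an externalRef with referenceCategory SECURITY and referenceType advisory. The SBOM document, the package SPDXID and the VDR URL are constructed placeholders, since the real VDR was only shared privately.

```python
import json

# Constructed minimal SPDX 2.3 document (not the real lfenergy-flexmeasures SBOM);
# name and version mirror the ProductName/ProductVersion fields quoted in the VDR.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "lfenergy-flexmeasures",
    "documentDescribes": ["SPDXRef-Package-flexmeasures"],
    "packages": [{
        "SPDXID": "SPDXRef-Package-flexmeasures",
        "name": "flexmeasures/requirements.txt",
        "versionInfo": "784b3a623d031d2c7f36f811321c7ce993b2f002",
        "externalRefs": [],
    }],
}

# Placeholder locator: no public URL for the VDR appears in the thread.
VDR_URL = "https://example.invalid/vdr/flexmeasures-baseline.json"


def vdr_external_ref(locator: str, comment: str = "") -> dict:
    """Build the SPDX 2.3 externalRef that points at a VDR (SECURITY / advisory)."""
    ref = {"referenceCategory": "SECURITY", "referenceType": "advisory", "referenceLocator": locator}
    if comment:
        ref["comment"] = comment
    return ref


def described_package(sbom: dict) -> dict:
    """Return the package the document describes, i.e. the product the VDR covers."""
    ids = set(sbom.get("documentDescribes", []))
    for pkg in sbom.get("packages", []):
        if pkg["SPDXID"] in ids:
            return pkg
    raise ValueError("SBOM does not declare a described package")


def link_vdr(sbom: dict, locator: str) -> dict:
    """Attach the VDR reference to the described package; a second call is a no-op."""
    refs = described_package(sbom).setdefault("externalRefs", [])
    if any(r.get("referenceCategory") == "SECURITY" and r.get("referenceType") == "advisory"
           and r.get("referenceLocator") == locator for r in refs):
        return sbom
    refs.append(vdr_external_ref(locator, "Living VDR for this product (see NIST EO 14028)"))
    return sbom


def vdr_locators(sbom: dict) -> list:
    """Consumer-side check: every advisory locator declared on the described package."""
    return [r["referenceLocator"] for r in described_package(sbom).get("externalRefs", [])
            if r.get("referenceCategory") == "SECURITY" and r.get("referenceType") == "advisory"]


if __name__ == "__main__":
    print(json.dumps(link_vdr(SAMPLE_SBOM, VDR_URL), indent=2))
```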


View/Reply Online (#1949): https://lists.spdx.org/g/spdx/message/1949