Re: [OPSAWG] draft-ietf-opsawg-sbom-access

Eliot Lear <lear@lear.ch> Fri, 28 April 2023 13:32 UTC

To: dick@reliableenergyanalytics.com, opsawg@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/-Mg0we_rYBRz-VDiJqTq4Le1fiQ>

Hi Dick,

Thanks for your comments.  Please see below.

On 28.04.23 15:13, Dick Brooks wrote:
> SPDX V 2.3 provides guidance with regard to vulnerability reporting for SBOMs.
>
> A NIST Vulnerability Disclosure Report (VDR) is a single file that serves as an attestation showing the vulnerability status of each component listed in an SBOM.

Sure.  And that was the sort of model I had in mind, but I don't think it's the only one.


>
> SPDX also supports the listing of individual vulnerabilities which may affect a product, which is a set of entries pointing to Security Advisories:
> https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k12-linking-to-a-csaf
> Here is a real world example:
> https://search.abb.com/library/Download.aspx?DocumentID=8DBD000150-CSAF&LanguageCode=en&DocumentPartId=&Action=Launch

Ok, that does indeed argue for a leaf-list.

Eliot