IETF Logo Mail Archive

Re: [OPSAWG] Yangdoctors early review of draft-ietf-opsawg-sbom-access-02

Dick Brooks <dick@reliableenergyanalytics.com> Fri, 22 October 2021 14:11 UTC

Return-Path: <dick@reliableenergyanalytics.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 975563A0E5B; Fri, 22 Oct 2021 07:11:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EepiX5rQ71L8; Fri, 22 Oct 2021 07:11:26 -0700 (PDT)
Received: from wforward1-smtp.messagingengine.com (wforward1-smtp.messagingengine.com [64.147.123.30]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBAE93A0E4C; Fri, 22 Oct 2021 07:11:26 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailforward.west.internal (Postfix) with ESMTP id 0A0FD1AC01C3; Fri, 22 Oct 2021 10:11:23 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Fri, 22 Oct 2021 10:11:24 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :reply-to:subject:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=OODKCsKZYgGNoo61vs4r75xBb7ZKs yoln4f7Y0cwzR0=; b=B6xZF2ERA/BVTts4AJQbLl5yT4rVIBfDZxIKJXFrVM0DJ 9xlWmsfzvgoGLkPdZWH16HD1jLq4Xvp8DcJCC7cV+2PMRKwUVQXxnvcl7zGGf36J oEQA9mEqqmxCqtOrfRwf6hvmI7l/m0yR7Q/MRl71e6BTrTIet0hesMHBWtQiNNl8 ndw30LxAKX+VPxHZbckTwpboRE4wdyDDXLzlw+fmAPtMsgUkxnN576uxk8OJc1xp TXWSiAofdWsLTIZNp8FzbjECWxG2G6HFmSr3MW5abakf/fepRI2YSVwRWrLlvRL7 AxVri22sbQ62kBjXAmr7aswhoFnKHMEUhN10JdeKg==
X-ME-Sender: <xms:i8ZyYdOEVK3iSpn6LNT5FZTOCYGc0xtC11TR3t0ivF6lmipFSD1qsg> <xme:i8ZyYf87zHCBcFWSPpIi9wzj9PS_LdxWejZM6iI0_uZPUK2IcILaiCI9Gagn2Q-Bn W_a0fU9agy3zE3bbg>
X-ME-Received: <xmr:i8ZyYcT9UO3X6O8fjyYKfFwQR4tWQmsHlwb5vX_9HevYl3QiXqKWUQo>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrvddvkedgjeduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne gfrhhlucfvnfffucdlqdehmdenucfjughrpehrhffvfhgjufffohfkgggtgffothesthhq ghdtvddtjeenucfhrhhomhepfdffihgtkhcuuehrohhokhhsfdcuoeguihgtkhesrhgvlh hirggslhgvvghnvghrghihrghnrghlhihtihgtshdrtghomheqnecuggftrfgrthhtvghr nhepjedtueevfffhgfeihfekjeelledvledvgefhffegfffhudetheefhedvvdefheegne cuffhomhgrihhnpehgihhthhhusgdrtghomhdptghonhhgrhgvshhsrdhgohhvpdhrvghl ihgrsghlvggvnhgvrhhghigrnhgrlhihthhitghsrdgtohhmpdhivghtfhdrohhrghenuc evlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpeguihgtkhes rhgvlhhirggslhgvvghnvghrghihrghnrghlhihtihgtshdrtghomh
X-ME-Proxy: <xmx:i8ZyYZuQDf2U9CUM-Xx4IIlKUOR11aL0q62pKDAJePhrSYN2ksFd3A> <xmx:i8ZyYVeY2eMOsbqvGlkWq-DiF6MTRef_YRj7sa-Bog6qRq5Wl6AP9w> <xmx:i8ZyYV2jnuVX8fsZBunzzhhJf-wnwqRyu9P-y9y5KztwoD3GN154uQ> <xmx:i8ZyYWq5CE9gq4daAdTb9fGfESbwgQ3TLUcJYyKZpHuUGBfUVC4HakKuEi0>
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 22 Oct 2021 10:11:22 -0400 (EDT)
Reply-To: dick@reliableenergyanalytics.com
From: Dick Brooks <dick@reliableenergyanalytics.com>
To: 'Eliot Lear' <lear@lear.ch>, 'Ebben Aries' <exa@juniper.net>, yang-doctors@ietf.org
Cc: draft-ietf-opsawg-sbom-access.all@ietf.org, opsawg@ietf.org
References: <163321652671.24319.2544349921956875817@ietfa.amsl.com> <dcac8b99-2f56-c819-b1f9-6618b673e9e1@lear.ch>
In-Reply-To: <dcac8b99-2f56-c819-b1f9-6618b673e9e1@lear.ch>
Date: Fri, 22 Oct 2021 10:11:17 -0400
Organization: Reliable Energy Analytics LLC
Message-ID: <22b201d7c74e$b178a7d0$1469f770$@reliableenergyanalytics.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQE6nOW2E9sg5Z5uMdyn92VWvC5/ngJLi5OFrQcESWA=
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/ZsDaP4dRVclc7Ny6zy-IgeV3ycM>
Subject: Re: [OPSAWG] Yangdoctors early review of draft-ietf-opsawg-sbom-access-02
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Oct 2021 14:11:33 -0000

Eliot,

REA has open-sourced a Vendor Response File XML format that addresses SBOM access, using a URL, along with other required data needed for a comprehensive NIST software supply chain risk assessment (C-SCRM), i.e. Known Vulnerabilities disclosure:
https://github.com/rjb4standards/REA-Products

Schema file: https://github.com/rjb4standards/REA-Products/raw/master/SAGVendorSchema.xsd
Example Vendor Response File: https://github.com/rjb4standards/REA-Products/raw/master/SAG-PM-VendorResponseExample.xml
Known Vulnerabilities Declaration: https://github.com/rjb4standards/REA-Products/blob/master/KnownVulnDisclosure.docx?raw=true

A software vendor makes the Vendor Response file available to customers via an access controlled customer portal.

The materials contained in the response file are sufficient for software vendors to meet the upcoming "SBOM law" that's working its way through Congress, H.R. 4611; https://www.congress.gov/bill/117th-congress/house-bill/4611 

Thanks,

Dick Brooks

Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

-----Original Message-----
From: OPSAWG <opsawg-bounces@ietf.org> On Behalf Of Eliot Lear
Sent: Friday, October 22, 2021 8:30 AM
To: Ebben Aries <exa@juniper.net>; yang-doctors@ietf.org
Cc: draft-ietf-opsawg-sbom-access.all@ietf.org; opsawg@ietf.org
Subject: Re: [OPSAWG] Yangdoctors early review of draft-ietf-opsawg-sbom-access-02

Hi Ebben and thanks for your review.  Please see below:

On 03.10.21 01:15, Ebben Aries via Datatracker wrote:
> Reviewer: Ebben Aries
> Review result: Almost Ready
>
> Apologies for not turning this around sooner.  Structure wise, the 
> model is fairly sound.  Most of the comments below are either 
> nits/wording, slight adjustments and questions/clarifications.
>
> 1 module in this draft:
> - ietf-mud-transparency@2021-07-06.yang
>
> No YANG compiler errors or warnings (pyang 2.5.0, yanglint 2.0.88, 
> confdc 7.2.3.4)
> - L#364: CODE BEGINS : filename must be defined on same line for tools such as
>    rfcstrip to correctly parse the module contents
>
> Module ietf-mud-transparency@2021-07-06.yang:
> - import `ietf-inet-types` should reference RFC 6991 per
>    
> https://tools.ietf.org/html/draft-ietf-netmod-rfc6087bis-15#section-4.
> 7
Corrected.
> - import `ietf-mud` should reference RFC 8520 per
>    
> https://tools.ietf.org/html/draft-ietf-netmod-rfc6087bis-15#section-4.
> 7
Corrected.
> - L#016 - Minor nit: looks like L#17 should be moved up here
Corrected.
> - L#018-020 - Minor nit: adjust email address formatting per
>    
> https://tools.ietf.org/html/draft-ietf-netmod-rfc6087bis-15#appendix-C

Corrected.

> - The type and enum members are identically defined for
>    `sbom-local-well-known` and `vuln-local-well-known`.  Is this something you
>    can leverage by using a typedef or a grouping or is there intention to keep
>    these separately defined?

I think we are removing vuln-local-well-known.

> - When retrieving say an 'sbom' from the device, is it assumed that it be via
>    `sbom-local-well-known`?  What if it is necessary to host this on an
>    alternate port for one of the communication protocols chosen?  Would this
>    scenario then best use `sbom-url` to define a static URI? (Same question
>    applies to vuln as well)

We truly hadn't considered this aspect, but I think you would be right: 
best to use sbom-url.  Alternatively we could add an optional port parameter.

> - Independent of the answer to the above question, is `cloud` the best choice
>    or wording for the other case statement under the retrieval method choices?

Pick something better?

>
>    It seems to be that we have 3 cases for sbom/vuln retrieval methods which
>    correspond to the draft wording at L#176-180 which seems to not pair
>    identically.
>
>    * on devices themselves: Could be /.well-known/ or a static URI could it
>      not?
.well-known.  The issue is this: management systems may well query .well-known without ever referring to this model.
>    * on a website: Static URI only
Correct.
>    * out-of-band: Static URI only - should this leaf be named something closer
>      to that vs. 'contact'?

I think contact covers this appropriately.


>
> General comments on the draft/modules:
> - L#0021: s/provide access this/provide access to this/
Corrected.
> - L#0117: s/bills of material/bill of materials/
Both need an s.
> - L#0627: JSON example needs correct prefix for the augment
>    `ietf-mud-transparency:transparency`
Will correct in the tooling that generated this.
> - L#0941: s/not be/not been/
Corrected.
> - L#0961: s/authoration/authorization/
Corrected.
> - Since `ietf-mud-transparency` imports `ietf-inet-types`, a normative
>    reference must be added per
>    
> https://tools.ietf.org/html/draft-ietf-netmod-rfc6087bis-15#section-3.
> 9


Done


And thanks!


Eliot

v2.23.0 | Report a Bug | By Email