Re: [OPSAWG] I-D Action: draft-ietf-opsawg-sbom-access-10.txt

Dick Brooks <dick@reliableenergyanalytics.com> Wed, 28 September 2022 12:14 UTC

Reply-To: dick@reliableenergyanalytics.com
From: Dick Brooks <dick@reliableenergyanalytics.com>
To: 'Eliot Lear' <lear@lear.ch>, opsawg@ietf.org
References: <166434857803.6098.2751952271384039583@ietfa.amsl.com> <458e01d8d330$6a04cca0$3e0e65e0$@reliableenergyanalytics.com> <3b4b58ff-9db6-89df-c76d-4bc086dac715@lear.ch>
In-Reply-To: <3b4b58ff-9db6-89df-c76d-4bc086dac715@lear.ch>
Date: Wed, 28 Sep 2022 08:14:09 -0400
Organization: Reliable Energy Analytics LLC
Message-ID: <464501d8d333$d184be00$748e3a00$@reliableenergyanalytics.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/nvMJJnpZ2m6ehk4l5DGBjfIh_4k>

See response inline DB>

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

-----Original Message-----
From: Eliot Lear <lear@lear.ch> 
Sent: Wednesday, September 28, 2022 8:03 AM
To: dick@reliableenergyanalytics.com; opsawg@ietf.org; i-d-announce@ietf.org
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-sbom-access-10.txt

Hi Dick,

On 28.09.22 13:49, Dick Brooks wrote:
> I find this material misleading and incomplete.
>
> The title infers the ability to discover and retrieve vulnerability 
> information. However the text of this draft makes clear that retrieval 
> is not supported, ref Page 2:
>
>    "This memo does not specify how vulnerability information may be
>     retrieved directly from the endpoint.  That's because vulnerability
>     information changes occur at different rates to software updates.
>     However, some SBOM formats may also contain vulnerability
>     information."

The information can be retrieved, but not from the endpoint. That's not misleading.

DB> I agree vulnerability information can be retrieved, and some SBOM formats, i.e. SPDX Version 2.3, provide retrieval information for vulnerabilities associated with SBOMs:
https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k19-linking-to-an-sbom-vulnerability-report-for-a-software-product-per-nist-executive-order-14028

The draft could be more accurate and complete by indicating that access to vulnerability information at the SBOM component level may be indicated in an SBOM.

>
> The draft makes no mention of the NIST Vulnerability Disclosure Report (VDR)
> that is used to inform consumers of the vulnerability status of a software
> product at the SBOM component level, ref: NIST SP 800-161 RA-5.
> https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf

A specification would be incomplete if the reference is necessary for 
implementation.  How is this reference necessary for implementation?

DB> The NIST VDR is no different from other items you reference, i.e. CDX VEX and CSAF. Also, parties in the US subject to Executive Order 14028 and OMB memo M-22-18 may need to implement NIST recommendations for SBOM and vulnerability reporting. If this draft guidance is not intended for use by the US Government with regard to these mandates, then you may have a point.

Eliot
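The SPDX 2.3 linking that Dick points to above works through per-package ExternalRef entries in the SECURITY category; the following consumer-side reader is an added example, not code from the draft, the SPDX project or either poster. It assumes the JSON form of SPDX 2.3 (referenceCategory / referenceType / referenceLocator fields) and uses a constructed two-package SBOM as input.

```python
import json
from urllib.parse import urlparse

# SECURITY-category reference types that point at something retrievable.
# SPDX 2.3 also lists cpe22Type, cpe23Type and swid here; those are
# identifiers, not reports, so they are skipped.
REPORT_TYPES = {"advisory", "fix", "url"}

# Constructed sample SBOM in SPDX 2.3 JSON form (not a real product).
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-product-sbom",
    "packages": [
        {"name": "example-product", "SPDXID": "SPDXRef-Package-product",
         "versionInfo": "1.4.2",
         "externalRefs": [
             {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
              "referenceLocator": "cpe:2.3:a:example:product:1.4.2:*:*:*:*:*:*:*"},
             {"referenceCategory": "SECURITY", "referenceType": "advisory",
              "referenceLocator": "https://vendor.example/vdr/product-1.4.2.json"}]},
        {"name": "libfoo", "SPDXID": "SPDXRef-Package-libfoo",
         "versionInfo": "0.9",
         "externalRefs": [
             {"referenceCategory": "SECURITY", "referenceType": "url",
              "referenceLocator": "http://mirror.example/libfoo-advisories"}]},
    ],
}


def report_links(doc, require_https=True):
    """Return {package name: [locators]} for SECURITY refs that name a report.

    With require_https=True, cleartext or non-URL locators are dropped so a
    consumer never follows an unauthenticated pointer embedded in the SBOM.
    """
    links = {}
    for pkg in doc.get("packages", []):
        found = []
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceCategory") != "SECURITY":
                continue
            if ref.get("referenceType") not in REPORT_TYPES:
                continue
            loc = ref.get("referenceLocator", "")
            if require_https and urlparse(loc).scheme != "https":
                continue
            found.append(loc)
        if found:
            links[pkg["name"]] = found
    return links


if __name__ == "__main__":
    print(json.dumps(report_links(SAMPLE_SBOM), indent=2))
```

Note that the SBOM only carries the pointer; the report behind it is fetched and updated separately, which is the rate-of-change point the draft text makes.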