Re: [OPSAWG] draft-ietf-opsawg-sbom-access
Dick Brooks <dick@reliableenergyanalytics.com> Fri, 28 April 2023 13:13 UTC
Return-Path: <dick@reliableenergyanalytics.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D33FC151B28 for <opsawg@ietfa.amsl.com>; Fri, 28 Apr 2023 06:13:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.796
X-Spam-Level:
X-Spam-Status: No, score=-2.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=reliableenergyanalytics.com header.b="Zou3cTcN"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="LUzrKr97"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D6Fx5rdmIWd6 for <opsawg@ietfa.amsl.com>; Fri, 28 Apr 2023 06:13:20 -0700 (PDT)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F23B6C1524A3 for <opsawg@ietf.org>; Fri, 28 Apr 2023 06:13:19 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 22CFA5C0098; Fri, 28 Apr 2023 09:13:19 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute5.internal (MEProxy); Fri, 28 Apr 2023 09:13:19 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= reliableenergyanalytics.com; h=cc:content-transfer-encoding :content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to :reply-to:sender:subject:subject:to:to; s=fm1; t=1682687599; x= 1682773999; bh=qDthkK0cJgulGvtoqSPH85kpAGb+zVdoQMVsHDo9/IU=; b=Z ou3cTcNUWVh6RTqzh6SpgLN0x559XcF00xt4O7qabgZzfoLMvvc5QdRmfoHQUCY1 2WmO30fFM6FApa+TiLFIxWCOMGE/OIMc00iDaBvmoNnAZUZxJ6XmCDFxJbeE1ZYM nWVFu/q/SMBVZZZXXqzYTJG+oXzBGESxlUC9JA7Qk1taNWf3sxxGG86VMp8e1zn6 ecJCsOh5gr5iLgEKxItIb8NKJDpAckK6nPZrqVXxtKJNTLqJhAMQYEB9WTjLUq5V pIQFMyibnvJ1dPd+7tEYhSbXBLtWWKnXIfDmUkGRHXMp+yfJXx0EjyU4cVFmvpuC T2tfa523lz8nCqLU2Wbiw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:reply-to:sender:subject:subject:to:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t= 1682687599; x=1682773999; bh=qDthkK0cJgulGvtoqSPH85kpAGb+zVdoQMV sHDo9/IU=; b=LUzrKr9737RLMJdx0NYeZPZp9M+KppqPx+GoBGD17L+4tIYICj4 Ayty6DDgFdTgn1Pc3oAoa6vvdN4uigAQ/6ab1NdFqv0EMRc9kFG6rvBTRYvKkxuV ZkwgPWEk/JMXrBJqds1Y36Ol3Vbqa3ruYoRnSly9oVygEr/j7c0jtWer/eSb8kGC ezqybSUxq2XpzYyfCnhBAjXh/Qmf0LlXy7BtmxWN3nnriV0yMPlZlUiPyZfto/PJ m8+f4q8GX7UoTKLuy2kG7tOtvAQsklIGWiYSdz6dm2CPCTJKGvUTimOTA0YKWOBL tnf1IisZ42MPHmJnmIlSxoJVzDXmfNB9B5g==
X-ME-Sender: <xms:bsZLZN93v8NYE1zrPUrSTPdas43SSDQhV6WnBO8hVPfUYI2MjBAZHg> <xme:bsZLZBuAwokFaof8VmcoewH9P-UiAIQyt45S_59cd1A_QGtzDxHl-tavB3Vl_pz3r x4igy-ZOVrboB0seg>
X-ME-Received: <xmr:bsZLZLAlLeGH9cVH70EM-0RtKLwaaLqmDpgSmoc9ku9sLqPq9nul_6U>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfedukedgiedvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne goufhushhpvggtthffohhmrghinhculdegledmnecujfgurheprhfhvfhfjgfuffhokfgg tgfgofhtsehtqhhgtddvtdejnecuhfhrohhmpedfffhitghkuceurhhoohhkshdfuceoug hitghksehrvghlihgrsghlvggvnhgvrhhghigrnhgrlhihthhitghsrdgtohhmqeenucgg tffrrghtthgvrhhnpefgtdefieeukeeftefhuddvtefhgfettdekudduleegtdfhheevte ffudffgfefueenucffohhmrghinhepghhithhhuhgsrdhiohdpghhithhhuhgsuhhsvghr tghonhhtvghnthdrtghomhdprggssgdrtghomhdprhgvlhhirggslhgvvghnvghrghihrg hnrghlhihtihgtshdrtghomhdpihgvthhfrdhorhhgnecuvehluhhsthgvrhfuihiivgep tdenucfrrghrrghmpehmrghilhhfrhhomhepughitghksehrvghlihgrsghlvggvnhgvrh hghigrnhgrlhihthhitghsrdgtohhm
X-ME-Proxy: <xmx:bsZLZBeYOBO-Zyw9G02dDGox4-chlDawDVqrYJaFdDBMCeMxvIC6nw> <xmx:bsZLZCMwNWugdY9hMh10WDZdT-6MsYzcklToe5rAEhNcOf0qgQ2xqQ> <xmx:bsZLZDmND6peNwqeinJQscLudSE3CkpgIoFeXhKK_c_ClmlYKfGfYQ> <xmx:b8ZLZMVI9_vOO1WUzRk722jT95BzyutLBW7n9oGP4C3GQJqIEhJmrQ>
Feedback-ID: i57d944d0:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 28 Apr 2023 09:13:18 -0400 (EDT)
Reply-To: dick@reliableenergyanalytics.com
From: Dick Brooks <dick@reliableenergyanalytics.com>
To: 'Eliot Lear' <lear@lear.ch>, opsawg@ietf.org
References: <7aa5c179-1fab-77ff-123e-35562d84fa64@lear.ch>
In-Reply-To: <7aa5c179-1fab-77ff-123e-35562d84fa64@lear.ch>
Date: Fri, 28 Apr 2023 09:13:15 -0400
Organization: Reliable Energy Analytics LLC
Message-ID: <3ed901d979d3$335e03c0$9a1a0b40$@reliableenergyanalytics.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQFUy+c8kQay/ddhBdLNrZqoEa9XFbBKClGw
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/sv8I4EK2nFHicYIY7qnpXqXpMYU>
Subject: Re: [OPSAWG] draft-ietf-opsawg-sbom-access
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Apr 2023 13:13:24 -0000
SPDX V 2.3 provides guidance with regard to vulnerability reporting for SBOM's. A NIST Vulnerability Disclosure Report (VDR) is a single file that serves as an attestation showing the vulnerability status of each component listed in an SBOM. The SBOM contains a link to the "living" VDR, which can change over time. https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k19-linking-to-an-sbom-vulnerability-report-for-a-software-product-per-nist-executive-order-14028 Here is a real world example: https://raw.githubusercontent.com/rjb4standards/REA-Products/master/SBOMVDR_JSON/VDR_118.json SPDX also supports the listing of individual vulnerabilities which may affect a product, which is a set of entries pointing to Security Advisories: https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k12-linking-to-a-csaf Here is a real world example: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000150-CSAF&LanguageCode=en&DocumentPartId=&Action=Launch I recommend referring to the SPDX V2.3 spec Appendix K as a methods to communicate the relationship between SBOM's and Vulnerability reporting. Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@reliableenergyanalytics.com Tel: +1 978-696-1788 -----Original Message----- From: OPSAWG <opsawg-bounces@ietf.org> On Behalf Of Eliot Lear Sent: Friday, April 28, 2023 6:44 AM To: opsawg@ietf.org Subject: [OPSAWG] draft-ietf-opsawg-sbom-access During the IESG evaluation, I received a query from the AD about using leaf-lists instead of leafs for SBOM and vulnerability data. Before we publish this document, I think it's probably worth reviewing those nodes. Right now, everything is a leaf. For SBOMs at least, to me this makes sense, since the SBOM should be a description of the system to which the schema refers. Having multiple descriptions introduces the need for potential conflict resolution between those descriptions, and complicates processing in a way that could cause interoperability problems. For vulnerability information, I feel differently. It may be desirable to update the description by vulnerability, rather than to have one large file of vulnerabilities. It may also be undesirable, in that it means you have to get description updates when vulnerabilities are updated, rather than just updating one file. But I see no harm in allowing both methods. Therefore, my suggestion is that we change vuln-url to be a leaf-list. Are there any objections? Eliot _______________________________________________ OPSAWG mailing list OPSAWG@ietf.org https://www.ietf.org/mailman/listinfo/opsawg
- [OPSAWG] draft-ietf-opsawg-sbom-access Eliot Lear
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access Dick Brooks
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access Eliot Lear
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access Dick Brooks