Subject: SBOM AP examples


Apologies but I will miss this week’s OpenC2 meeting as I’ll be at a security conference in Texas. But I have a topic I would have brought up and maybe can be handled via email or discussed in my absence at the meeting.

 

I am updating my twinkly/blinky code for the upcoming Nov 30 prep plugfest preparing for the March Cybersecurity Automation Village. My code from the June plugfest is clearly dated with a very old version of the SBOM AP. I am in the process of updating my code to the version in the examples in SBOM AP (https://github.com/oasis-tcs/openc2-ap-sbom/blob/working/ap-sbom-v1.0.md#appendix-e-command-examples) but I noticed they are different from the examples in the JADN software test directory (https://github.com/oasis-open/openc2-jadn-software/blob/master/Test/device-simple-sbom/Good-command/q1-query-sbom-list.json).

 

A major difference is whether you query the list with a specific target (currently in working branch of AP):

{
  "action": "query",
  "target": "sbom_list"
}

 

vs. querying the list with the sbom target but leaving it blank, i.e. an empty list of which SBOMs you want means don't give any SBOMs but instead give me a list of "all" the SBOMs (currently in the JADN test):

{
  "action": "query",
  "target": {
    "sbom": {
      "sbom": {}
    }
  }
}

 

My preference is sbom_list as target as in the AP. My logic is I'm a fan of DIE (https://www.youtube.com/watch?v=_omGtDfaAjI) and prefer immutable (the I in DIE) and program in functional programming languages (which enforce immutability), which I believe to be more secure by design. Functional programming languages use recursion, and recursing through lists is probably the most common programming task. An empty list means you are done recursing, not 'all of something different'. Yes, it's easy enough to add in the extra code to do this, but it is breaking a design paradigm. Also, as a human, I don't like "nothing of one thing" meaning "everything of another thing".

 

But I’m open to arguments on why to do it the JADN way.

 

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/
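An added example (not from the message, the AP, or the JADN test suite) showing how a consumer would have to handle both encodings above. The normalized result shape and the treatment of a non-empty inner object as an opaque selector are assumptions of this example; the only assumed facts are the two command forms quoted in the message.

```python
"""Normalize the two OpenC2 SBOM query encodings from the message above.

Constructed example: the "sbom_list" string target (AP working branch)
and the nested "sbom" object with an empty inner object (JADN test).
"""
import json
from typing import Any

# Constructed sample commands, copied from the two forms in the message.
AP_FORM = '{"action": "query", "target": "sbom_list"}'
JADN_FORM = '{"action": "query", "target": {"sbom": {"sbom": {}}}}'


def normalize_sbom_query(raw: str) -> dict[str, Any]:
    """Return {"op": "list"} for a list-everything request, or
    {"op": "get", "selector": {...}} when specific SBOMs are named.
    Raises ValueError for anything that is not one of the two forms."""
    try:
        cmd = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc}") from None
    if not isinstance(cmd, dict) or cmd.get("action") != "query":
        raise ValueError("only 'query' actions are handled here")
    target = cmd.get("target")

    # AP working-branch form: a distinct target name means "list all".
    if target == "sbom_list":
        return {"op": "list"}

    # JADN test form: target.sbom.sbom is an object, and an EMPTY object
    # is the sentinel for "all". This is the overload the message objects
    # to, so it must be checked explicitly rather than falling through.
    if isinstance(target, dict) and set(target) == {"sbom"}:
        inner = target["sbom"]
        if isinstance(inner, dict) and set(inner) == {"sbom"}:
            sel = inner["sbom"]
            if not isinstance(sel, dict):
                raise ValueError("target.sbom.sbom must be an object")
            if not sel:
                return {"op": "list"}
            # Non-empty: treated here as an opaque selector (assumption;
            # the real field names inside are defined by the AP, not here).
            return {"op": "get", "selector": sel}

    raise ValueError("unrecognised SBOM target")
```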
