
csaf-comment message



Subject: seeking CSAF help with SBOM "VEX" use case implementation


Hi CSAF folks,

Some of you are familiar with the broader SBOM work that we are trying to coordinate at NTIA. (More info is below)

We're trying to implement a key feature, and are actively looking at CSAF, but we need some help from the CSAF community. We're moving our weekly meeting to not conflict with the CSAF, so that we can win a few CSAF members over to occasionally help us.

Doodle poll for new time!

Also, if helpful, happy to join and make a quick pitch / answer questions / get yelled at.

SBOM: End-users of products that contain software are using SBOM (“Software Bill of Materials”) data to gain insight into the potential risks from any third-party software components that are incorporated in that product. Specifically, users want to know to what extent they are affected by known vulnerabilities, which includes vulnerabilities in upstream software components.

Limits of SBOM: SBOMs provide insight into the composition of the product and potential vulnerabilities, but they do so at a high level that does not convey the extent to which a known vulnerability can be exploited in the product. This lack of “exploitability” results in many “false positives” being represented in the SBOM data and potentially obscuring the high-risk exploitable vulnerabilities.


VEX: The "Vulnerability Exploitability eXchange" (VEX) approach will allow suppliers or other trusted experts to communicate that a vulnerability does not put the users or operators of software at risk. The SBOM community is looking into using CSAF to implement this VEX data representation and exchange.


Thanks - happy to chat more if anyone has questions.

allan




Allan Friedman, PhD
Director, Cybersecurity Initiatives
National Telecommunications & Information Administration
United States Department of Commerce
afriedman@ntia.gov
+1-202-573-1312
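The message above describes the data flow that VEX is meant to complete: SBOM components get matched against known vulnerabilities, and a supplier statement then says which of those matches are not exploitable in the product. The following is an added example, not code or data from the message, from NTIA or from the CSAF TC. It assumes the VEX profile as it was later standardized in CSAF 2.0 (`document.category` of `csaf_vex`, `product_status` keys such as `known_not_affected`, and `flags` carrying a machine-readable justification); the SBOM, scanner output, product id `CSAFPID-0001` and the `CVE-0000-000x` identifiers are constructed placeholders. It shows how a consumer would use the VEX document to suppress the "false positives" the message mentions, and the check a practitioner would want on the supplier side: every `known_not_affected` claim must carry a justification.

```python
"""Reconcile SBOM-derived vulnerability matches against a CSAF VEX document."""
from __future__ import annotations

import copy
import json

# Constructed: what a scanner reports after matching SBOM components to CVE data.
# The CVE ids are placeholders, not real vulnerabilities.
SCANNER_MATCHES = [
    {"cve": "CVE-0000-0001", "component": "libfoo@3.1.4"},
    {"cve": "CVE-0000-0002", "component": "libbar@0.9.0"},
    {"cve": "CVE-0000-0003", "component": "libbaz@2.0.1"},
]

# Constructed CSAF 2.0 document using the VEX profile. The supplier of
# "acme-app 1.2.0" (product id CSAFPID-0001, a placeholder) states that the
# first CVE is not exploitable in the product and the second one is.
VEX_DOC = {
    "document": {
        "category": "csaf_vex",
        "csaf_version": "2.0",
        "publisher": {"category": "vendor", "name": "Example Vendor",
                      "namespace": "https://vendor.example"},
        "title": "Example VEX for acme-app 1.2.0",
        "tracking": {"id": "EXAMPLE-VEX-0001", "status": "final", "version": "1",
                     "initial_release_date": "2020-01-01T00:00:00Z",
                     "current_release_date": "2020-01-01T00:00:00Z",
                     "revision_history": [{"date": "2020-01-01T00:00:00Z",
                                           "number": "1", "summary": "Initial"}]},
    },
    "product_tree": {
        "full_product_names": [{"name": "acme-app 1.2.0", "product_id": "CSAFPID-0001"}]
    },
    "vulnerabilities": [
        {"cve": "CVE-0000-0001",
         "product_status": {"known_not_affected": ["CSAFPID-0001"]},
         # Justification: the vulnerable function is never reached in acme-app.
         "flags": [{"label": "vulnerable_code_not_in_execute_path",
                    "product_ids": ["CSAFPID-0001"]}]},
        {"cve": "CVE-0000-0002",
         "product_status": {"known_affected": ["CSAFPID-0001"]}},
    ],
}


def vex_status(vex: dict, product_id: str) -> dict[str, tuple[str, str | None]]:
    """Map CVE id -> (product_status key, justification flag label) for one product."""
    result: dict[str, tuple[str, str | None]] = {}
    for vuln in vex.get("vulnerabilities", []):
        status = next((k for k, ids in vuln.get("product_status", {}).items()
                       if product_id in ids), None)
        justification = next((f.get("label") for f in vuln.get("flags", [])
                              if product_id in f.get("product_ids", [])), None)
        if vuln.get("cve") and status:
            result[vuln["cve"]] = (status, justification)
    return result


def triage(matches: list[dict], vex: dict, product_id: str) -> tuple[list[dict], list[dict]]:
    """Split scanner matches into (actionable, suppressed).

    Only an explicit known_not_affected statement suppresses a finding; a CVE
    with no VEX statement at all stays actionable so silence is never read as safe.
    """
    statuses = vex_status(vex, product_id)
    actionable, suppressed = [], []
    for m in matches:
        status, justification = statuses.get(m["cve"], ("no_vex_statement", None))
        entry = {**m, "status": status, "justification": justification}
        (suppressed if status == "known_not_affected" else actionable).append(entry)
    return actionable, suppressed


def missing_justification(vex: dict) -> list[tuple[str, str]]:
    """Supplier-side check: every known_not_affected product needs a flag or an impact note.

    Returns (cve, product_id) pairs that claim 'not affected' without saying why.
    """
    problems = []
    for vuln in vex.get("vulnerabilities", []):
        flagged = {pid for f in vuln.get("flags", []) for pid in f.get("product_ids", [])}
        impact = {pid for t in vuln.get("threats", []) if t.get("category") == "impact"
                  for pid in t.get("product_ids", [])}
        for pid in vuln.get("product_status", {}).get("known_not_affected", []):
            if pid not in flagged and pid not in impact:
                problems.append((vuln.get("cve", "?"), pid))
    return problems


def unjustified_copy() -> dict:
    """Return a copy of VEX_DOC with the justification stripped, to exercise the check."""
    broken = copy.deepcopy(VEX_DOC)
    broken["vulnerabilities"][0].pop("flags")
    return broken


if __name__ == "__main__":
    print(json.dumps(VEX_DOC, indent=2)[:200], "...")
    actionable, suppressed = triage(SCANNER_MATCHES, VEX_DOC, "CSAFPID-0001")
    print("actionable:", [(m["cve"], m["status"]) for m in actionable])
    print("suppressed:", [(m["cve"], m["justification"]) for m in suppressed])
    print("unjustified claims:", missing_justification(unjustified_copy()))
```

Two design points matter for the "false positive" problem the message raises. First, `triage` only trusts a positive `known_not_affected` statement; a CVE the supplier has not spoken about remains on the worklist. Second, `missing_justification` is the check a consumer should run before accepting a document, since a "not affected" claim with no `flags` entry or impact note gives an auditor nothing to verify.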


