csaf message


Subject: SBOM VEX work and Potential Integration with CSAF

Hi folks,


Allan Friedman is in the process of becoming a member. As a follow-up to the conversation we had in our last meeting, Allan has provided additional information and a call to action below. We can further discuss in the meeting today.



From: Friedman, Allan


Dear CSAF Community,


OVERVIEW: The Software Bill of Materials [1] community has been looking at the CSAF/CVRF spec for a particular need, that is tentatively called VEX (Vulnerability exploitability [exchange]).  The high level goal is to facilitate communication around product/vulnerability relationships, which has a particular importance in a world of SBOMs.


THE ASK: Omar kindly briefed the VEX working group on CSAF/CVRF spec, and we'd like to try to see how we can implement the high level needs for VEX using the existing fields in CSAF/CVRF. This will go much better if someone from the TAC is able to help us map between VEX needs and the existing data fields for CSAF/CVRF.  We meet every Wednesday at 1pm ET--any meetings you can join would be helpful.


BACKGROUND ON VEX: As more suppliers share information about their third party dependencies with downstream users, we anticipate the following issue: a supplier uses a known vulnerable component, but that vulnerability does not put the user of the downstream product at any real risk. (e.g. the affected code isn't compiled in, inline mitigations exist, etc.)  For suppliers with mature product security teams, if they can communicate that downstream to their customers/users, then it will save everyone time, money, effort, customer support costs, etc.  We seek to support the ability to handle this at scale with automation, but want to avoid trying to boil the ocean, and are adopting a crawl-walk-run mentality. If we can do this with an existing data tool like CSAF/CVRF, so much the better!


[1] - WHAT'S AN SBOM? - A “Software Bill of Materials” (SBOM) is effectively a nested inventory, a list of ingredients that make up software components.  Over the last two years, an international group of experts from across the software world have worked to define the technical, operational, and business sides of software supply chain transparency to address a range of use cases supporting software production, purchase, and acquisition. More information is available at NTIA.gov/SBOM.  If you'd like to know more, please contact afriedman@ntia.gov


Thanks for your help!





Allan Friedman, PhD

Director, Cybersecurity Initiatives

National Telecommunications & Information Administration

United States Department of Commerce
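The supplier-to-user scenario in the BACKGROUND paragraph, modelled as an added example (not code from this email, NTIA, or the CSAF TC): an SBOM is matched against a vulnerability feed, then the supplier's per-product statements decide which matches the downstream user can drop. The status names are assumptions loosely modelled on CSAF/CVRF product status; the component names, vulnerability ids and justifications are constructed placeholders.

```python
# Added example, not from the email or the VEX working group. Models the VEX
# idea: SBOM matches minus supplier statements = what the user must still act on.
# Status names are assumptions loosely based on CSAF/CVRF product status.

AFFECTED = "known_affected"
NOT_AFFECTED = "known_not_affected"
FIXED = "fixed"
UNDER_INVESTIGATION = "under_investigation"

# Constructed SBOM for one product: product -> [(component, version)].
SBOM = {
    "acme-router-fw-3.1": [("libfoo", "1.4.2"), ("zlib", "1.2.11"), ("openssl", "1.1.1g")],
}

# Constructed vulnerability feed: component -> placeholder vulnerability ids.
VULN_FEED = {
    "libfoo": ["CVE-XXXX-0001"],
    "zlib": ["CVE-XXXX-0002"],
    "openssl": ["CVE-XXXX-0003", "CVE-XXXX-0004"],
}

# Constructed supplier VEX statements: (product, vuln) -> (status, justification).
VEX = {
    ("acme-router-fw-3.1", "CVE-XXXX-0001"): (NOT_AFFECTED, "vulnerable code not compiled in"),
    ("acme-router-fw-3.1", "CVE-XXXX-0002"): (NOT_AFFECTED, "inline mitigation present"),
    ("acme-router-fw-3.1", "CVE-XXXX-0003"): (FIXED, "backported patch in this release"),
    # CVE-XXXX-0004 has no statement yet and therefore stays under investigation.
}

def component_vulns(product):
    """Every vulnerability the product's SBOM matches, before any VEX statement."""
    return [(component, vuln)
            for component, _version in SBOM[product]
            for vuln in VULN_FEED.get(component, [])]

def triage(product):
    """Apply VEX statements to the SBOM matches: {vuln: (status, justification)}.
    A match without a statement is a gap, not a clean bill, so it is not dropped."""
    return {vuln: VEX.get((product, vuln), (UNDER_INVESTIGATION, "no supplier statement"))
            for _component, vuln in component_vulns(product)}

def actionable(product):
    """Vulnerabilities the downstream user still has to act on or chase up."""
    return sorted(v for v, (status, _) in triage(product).items()
                  if status in (AFFECTED, UNDER_INVESTIGATION))

if __name__ == "__main__":
    for vuln, (status, why) in triage("acme-router-fw-3.1").items():
        print(f"{vuln}: {status} ({why})")
    print("needs action:", actionable("acme-router-fw-3.1"))
```

Of the four SBOM matches only the unstated one remains actionable, which is the time and support-cost saving the email describes, and also why a missing statement must never be read as "not affected".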
