OASIS Mailing List Archives

 



csaf message



Subject: Would CSAF be appropriate for SBOM VEX?


I apologize, but I haven't been very active in CSAF lately. I've been spending more of my time on the software transparency working group set up by the NTIA. See https://www.ntia.gov/sbom for more about software bill of materials (SBOM) or https://www.ntia.gov/SoftwareTransparency for the process we are following.

 

A particular problem of the SBOM group is communicating that a specific product is not affected by, or not exploitable through, a given vulnerability. We are calling this "Vulnerability Exploitability eXchange," or VEX. This will be important to minimize false positives in a world of widespread SBOM use. The SBOM group is looking at CVRF/CSAF for VEX, but has some hesitancy since none of the transparency attendees have CSAF knowledge. We think CVRF can convey this, but it would be very helpful to have some people who know the standard, and also have input on some more precise definitions and other extensions (e.g., 1. we would like to be more precise on what "not affected" means, and 2. make sure suppliers can easily implement or add on integrity mechanisms to these messages). They asked me because I did attend CSAF early on and I am a member of the TC (so I'm allowed to post to this list). However, I'm too out of touch to be able to help much, and I'm asking if any of you would be able to help. The VEX subgroup meets Wednesdays 1-2, and I've included Allan Friedman on the cc. Allan is the overall lead at NTIA for the software transparency effort, and he would provide the meeting info if anyone could attend.

 

I notice that there are companies that are active in both groups, even if there are no individual overlaps. I'm hoping some of you might get together intracompany and help cross-fertilize. I notice that 3 of the 14 voting members of the TC are from Cisco and that Eliot Lear of Cisco (cc'd on this) is very active in SBOM and VEX. Similarly, two of the voting members are from Siemens, and Jim Jacobson of Siemens co-chairs the SBOM Healthcare Working Group (which is very interested in using VEX in the next phase of the proof of concept underway). Similarly, many of the companies involved in VEX/SBOM are already OASIS members, so I will try to talk them into joining the CSAF TC so the dialog can be two-way and I don't have to play middleman.

 

Please let Allan and me know (1) if you think your specifications could help our software transparency needs and, if so, (2) who might be able to help us.

 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 


