csaf message

Subject: proposal for enhancement on SBOM inside CSAF


Dear TC members,

We have "relationships" in CSAF (and CVRF), and it can provide the
recursive SBOM information.

The current limitation is "full_product_name" inside "relationship"
doesn't have any vendor information, which implies "full_product_name"
should be from the same vendor who publishes CSAF. For example, if
Apache Log4j is "default_component_of" Oracle Weblogic Server, there is
no way to clarify that "Apache Log4j" isn't a product from Oracle and
should be parsed differently.

If we agree upon a solution to associate "full_product_name" with the
correct vendor, this can greatly enhance CSAF for presenting SBOM.

If there is any interest, this can be discussed in tomorrow's call.

Thanks

--Feng
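As an added illustration of the limitation described in the post above (this is example code, not part of the original message or of the CSAF specification), the script below walks a constructed CSAF 2.0-style `product_tree` and records where a consumer can and cannot recover a vendor for each product. Products under a `vendor` branch get a vendor; a product defined only in `full_product_names` or inside a relationship's `full_product_name` gets none, and the only fallback shown is the purl namespace from `product_identification_helper`, which is merely a hint. The product IDs, names and purl in `SAMPLE_CSAF` are constructed sample values.

```python
from typing import Dict, List, Optional

# Constructed CSAF 2.0-style product_tree (sample data, not taken from the post).
SAMPLE_CSAF = {
    "product_tree": {
        "branches": [
            {"category": "vendor", "name": "Oracle", "branches": [
                {"category": "product_name", "name": "WebLogic Server", "branches": [
                    {"category": "product_version", "name": "14.1.1",
                     "product": {"product_id": "CSAFPID-0001",
                                 "name": "Oracle WebLogic Server 14.1.1"}}]}]}],
        # Component defined outside any vendor branch: no vendor field exists here.
        "full_product_names": [
            {"product_id": "CSAFPID-0002", "name": "Apache Log4j 2.14.1",
             "product_identification_helper": {
                 "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}},
            {"product_id": "CSAFPID-0004", "name": "Some Library 1.0"}],
        "relationships": [
            {"category": "default_component_of",
             "product_reference": "CSAFPID-0002",
             "relates_to_product_reference": "CSAFPID-0001",
             "full_product_name": {
                 "product_id": "CSAFPID-0003",
                 "name": "Apache Log4j 2.14.1 as default component of "
                         "Oracle WebLogic Server 14.1.1"}}],
    }
}


def purl_namespace(purl: str) -> Optional[str]:
    """Return the namespace of a purl (e.g. the Maven groupId), or None if absent."""
    if not purl.startswith("pkg:"):
        return None
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]   # drop qualifiers/subpath
    parts = body.split("@", 1)[0].split("/")            # drop version
    # parts[0] is the purl type; a namespace exists only with 3+ segments
    return "/".join(parts[1:-1]) if len(parts) >= 3 else None


def _walk_branches(branches: List[dict], vendor: Optional[str], out: Dict[str, dict]) -> None:
    """Recursive walk: a 'vendor' branch names the vendor of every product beneath it."""
    for branch in branches:
        current = branch["name"] if branch.get("category") == "vendor" else vendor
        product = branch.get("product")
        if product:
            out[product["product_id"]] = {"name": product["name"], "vendor": current, "hint": None}
        _walk_branches(branch.get("branches", []), current, out)


def resolve_products(csaf: dict) -> Dict[str, dict]:
    """Map every product_id to name, vendor (from a vendor branch) and a purl-namespace hint."""
    tree = csaf["product_tree"]
    out: Dict[str, dict] = {}
    _walk_branches(tree.get("branches", []), None, out)
    for fpn in tree.get("full_product_names", []):
        helper = fpn.get("product_identification_helper", {})
        hint = purl_namespace(helper["purl"]) if "purl" in helper else None
        out[fpn["product_id"]] = {"name": fpn["name"], "vendor": None, "hint": hint}
    for rel in tree.get("relationships", []):
        fpn = rel["full_product_name"]
        # The relationship's full_product_name has no vendor field at all.
        out[fpn["product_id"]] = {"name": fpn["name"], "vendor": None, "hint": None}
    return out


def relationship_report(csaf: dict) -> List[dict]:
    """For each relationship, pair the component's vendor (if known) with the host's vendor.

    'ambiguous' is True when the component has no vendor, i.e. a consumer cannot tell
    whether it is the publisher's own product or a third-party component.
    """
    products = resolve_products(csaf)
    rows = []
    for rel in csaf["product_tree"].get("relationships", []):
        comp = products[rel["product_reference"]]
        host = products[rel["relates_to_product_reference"]]
        rows.append({
            "category": rel["category"],
            "component": comp["name"], "component_vendor": comp["vendor"],
            "component_hint": comp["hint"],
            "host": host["name"], "host_vendor": host["vendor"],
            "ambiguous": comp["vendor"] is None,
        })
    return rows


if __name__ == "__main__":
    for row in relationship_report(SAMPLE_CSAF):
        print(row)
```

Running the script flags the Log4j relationship as ambiguous: the host resolves to Oracle through its vendor branch, while the component's vendor is unknown and only the purl namespace `org.apache.logging.log4j` hints at its origin.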


