Subject: proposal for enhancement on SBOM inside CSAF
Dear TC members,

We have "relationships" in CSAF (and CVRF), and it can provide the recursive SBOM information. The current limitation is that "full_product_name" inside "relationship" doesn't have any vendor information, which implies "full_product_name" should be from the same vendor who publishes the CSAF. For example, if Apache Log4j is "default_component_of" Oracle WebLogic Server, there is no way to clarify that "Apache Log4j" isn't a product from Oracle and should be parsed differently.

If we agree upon a solution to associate "full_product_name" with the correct vendor, this can greatly enhance CSAF for presenting SBOM. If there is any interest, this can be discussed in tomorrow's call.

Thanks
--Feng
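As an added illustration (not part of Feng's post and not code from the CSAF TC), the following Python builds a constructed CSAF 2.0 `product_tree` in which Log4j is declared `default_component_of` WebLogic, then resolves vendors the only way the schema allows, through `vendor` branches; the component and the relationship's own `full_product_name` come back with no vendor. Product IDs, versions and the resolver functions are assumptions for this example.

```python
import json

# Constructed CSAF 2.0 product_tree fragment (sample data, not from the post).
# Oracle is the publisher; Log4j is referenced as a component of WebLogic.
CSAF_DOC = json.loads("""
{
  "product_tree": {
    "branches": [
      {"category": "vendor", "name": "Oracle", "branches": [
        {"category": "product_name", "name": "WebLogic Server",
         "product": {"product_id": "CSAFPID-0001", "name": "Oracle WebLogic Server 14.1.1"}}]}
    ],
    "full_product_names": [
      {"product_id": "CSAFPID-0002", "name": "Apache Log4j 2.14.1"}
    ],
    "relationships": [
      {"category": "default_component_of",
       "product_reference": "CSAFPID-0002",
       "relates_to_product_reference": "CSAFPID-0001",
       "full_product_name": {"product_id": "CSAFPID-0003",
                             "name": "Apache Log4j 2.14.1 in Oracle WebLogic Server 14.1.1"}}
    ]
  }
}
""")

def vendor_index(tree):
    """Map product_id -> vendor name, using only 'vendor' branches.
    Products declared outside a vendor branch (full_product_names, the
    full_product_name of a relationship) resolve to None: that is the gap."""
    index = {}
    def walk(branches, vendor):
        for b in branches:
            v = b["name"] if b.get("category") == "vendor" else vendor
            if "product" in b:
                index[b["product"]["product_id"]] = v
            walk(b.get("branches", []), v)
    walk(tree.get("branches", []), None)
    for p in tree.get("full_product_names", []):
        index.setdefault(p["product_id"], None)
    for r in tree.get("relationships", []):
        index.setdefault(r["full_product_name"]["product_id"], None)
    return index

def component_vendors(tree):
    """Per relationship: (component id, component vendor, parent vendor).
    A None component vendor means a consumer cannot tell the component
    apart from the publisher's own products without outside knowledge."""
    idx = vendor_index(tree)
    return [(r["product_reference"], idx.get(r["product_reference"]),
             idx.get(r["relates_to_product_reference"]))
            for r in tree.get("relationships", [])]
```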