Subject: RE: [csaf] proposal for enhancement on SBOM inside CSAF
Dear Feng,

thanks for bringing that up. I would suggest to discuss that in today's call.

IMHO, CSAF SHOULD NOT try to become a new SBOM format... We already have the capability to link a product to its SBOM (either through its download URL (https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#31335-full-product-name-type---product-identification-helper---sbom-urls) or through the specific link to the primary component with the SBOM (https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#31338-full-product-name-type---product-identification-helper---generic-uris)) and to link subcomponents to their appearance in an SBOM (https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#31338-full-product-name-type---product-identification-helper---generic-uris).

Moreover, through the relationship you mention, it is possible to link to products from different vendors. Here is an example:

  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "4.2",
                "product": {
                  "name": "Vendor A Product ABC 4.2",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Product ABC"
          }
        ],
        "category": "vendor",
        "name": "Vendor A"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "17.4",
                "product": {
                  "name": "Supplier 1 Product XYZ 17.4",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Product XYZ"
          }
        ],
        "category": "vendor",
        "name": "Supplier 1"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Supplier 1 Product XYZ 17.4 default component of Vendor A Product ABC 4.2",
          "product_id": "CSAFPID-0003"
        },
        "product_reference": "CSAFPID-0002",
        "relates_to_product_reference": "CSAFPID-0001"
      }
    ]
  }

Best wishes,
Thomas

--
Thomas Schmidt

> -----Original Message-----
> From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> On Behalf Of Feng Cao
> Sent: Wednesday, March 29, 2023 2:08 AM
> To: csaf@lists.oasis-open.org
> Subject: [csaf] proposal for enhancement on SBOM inside CSAF
>
> Dear TC members,
>
> We have "relationships" in CSAF (and CVRF), and it can provide the recursive SBOM information.
>
> The current limitation is "full_product_name" inside "relationship" doesn't have any vendor information, which implies "full_product_name" should be from the same vendor who publishes CSAF. For example, if Apache Log4j is "default_component_of" Oracle Weblogic Server, there is no way to clarify that "Apache Log4j" isn't a product from Oracle and should be parsed differently.
>
> If we agree upon a solution to associate "full_product_name" with the correct vendor, this can greatly enhance CSAF for presenting SBOM.
>
> If there is any interest, this can be discussed in tomorrow's call.
>
> Thanks
>
> --Feng
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
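The vendor lookup that Thomas's example relies on, as an added Python example that is not part of the thread: it walks the branch path to each product_id a relationship references, so the vendor of the component and of the containing product can both be recovered even though full_product_name itself carries no vendor field (the gap Feng describes). Treating a relationship's own product_id as inheriting its component's vendor is an assumption of this example, not something the CSAF specification states.

```python
# Added example (not from the thread): find the vendor on each side of a CSAF product_tree relationship.
PRODUCT_TREE = {  # sample tree from Thomas's message, typed as a Python literal
    "branches": [
        {"category": "vendor", "name": "Vendor A", "branches": [
            {"category": "product_name", "name": "Product ABC", "branches": [
                {"category": "product_version", "name": "4.2", "product": {
                    "name": "Vendor A Product ABC 4.2", "product_id": "CSAFPID-0001"}}]}]},
        {"category": "vendor", "name": "Supplier 1", "branches": [
            {"category": "product_name", "name": "Product XYZ", "branches": [
                {"category": "product_version_range", "name": "17.4", "product": {
                    "name": "Supplier 1 Product XYZ 17.4", "product_id": "CSAFPID-0002"}}]}]}],
    "relationships": [
        {"category": "default_component_of",
         "full_product_name": {"product_id": "CSAFPID-0003", "name": "Supplier 1 Product XYZ 17.4 default component of Vendor A Product ABC 4.2"},
         "product_reference": "CSAFPID-0002",
         "relates_to_product_reference": "CSAFPID-0001"}]}

def branch_paths(tree):
    """Map each product_id defined under 'branches' to its (category, name) ancestors."""
    paths = {}
    def walk(branches, path):
        for b in branches:
            here = path + [(b["category"], b["name"])]
            if "product" in b:
                paths[b["product"]["product_id"]] = here
            walk(b.get("branches", []), here)
    walk(tree.get("branches", []), [])
    return paths

def vendor_of(tree, product_id, paths):
    """Vendor branch name for a product_id. A relationship's own product_id has no
    vendor branch, so (assumption of this example) it inherits its component's vendor."""
    if product_id in paths:
        return next((n for c, n in paths[product_id] if c == "vendor"), None)
    for rel in tree.get("relationships", []):
        if rel["full_product_name"]["product_id"] == product_id:
            return vendor_of(tree, rel["product_reference"], paths)
    return None  # unknown product_id

def resolve_relationships(tree):
    """Annotate each relationship with the vendor on both sides; flag cross-vendor ones."""
    paths = branch_paths(tree)
    out = []
    for rel in tree.get("relationships", []):
        comp = vendor_of(tree, rel["product_reference"], paths)
        parent = vendor_of(tree, rel["relates_to_product_reference"], paths)
        out.append({"product_id": rel["full_product_name"]["product_id"], "component_vendor": comp,
                    "parent_vendor": parent, "cross_vendor": comp != parent})
    return out
```

For the sample tree, resolve_relationships reports CSAFPID-0003 as a component from "Supplier 1" inside a "Vendor A" product, i.e. a cross-vendor relationship.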