RE: [csaf] proposal for enhancement on SBOM inside CSAF

["Schmidt, Thomas" <thomas.schmidt@bsi.bund.de>]

Dear Feng,
thanks for bringing that up. I would suggest to discuss that in today's call.

IMHO, CSAF SHOULD NOT try to become a new SBOM format... 

We already have the capability to link to a product to its SBOM (either through its download url (https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#31335-full-product-name-type---product-identification-helper---sbom-urls) or through the specific link to the primary component with the SBOM (https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os..html#31338-full-product-name-type---product-identification-helper---generic-uris)) and to link subcomponents to their appearance in an SBOM (https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#31338-full-product-name-type---product-identification-helper---generic-uris)  

Moreover, through the relationship you mention, it is possible to link to products from different vendors. Here is an example:
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "4.2",
                "product": {
                  "name": "Vendor A Product ABC 4.2",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Product ABC"
          }
        ],
        "category": "vendor",
        "name": "Vendor A"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "17.4",
                "product": {
                  "name": "Supplier 1 Product XYZ 17.4",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Product XYZ"
          }
        ],
        "category": "vendor",
        "name": "Supplier 1"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Supplier 1 Product XYZ 17.4 default component of Vendor A Product ABC 4.2",
          "product_id": "CSAFPID-0003"
        },
        "product_reference": "CSAFPID-0002",
        "relates_to_product_reference": "CSAFPID-0001"
      }
    ]
  }

Best wishes,
Thomas

-- 
Thomas Schmidt


> -----Original Message-----
> From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> On Behalf Of
> Feng Cao
> Sent: Wednesday, March 29, 2023 2:08 AM
> To: csaf@lists.oasis-open.org
> Subject: [csaf] proposal for enhancement on SBOM inside CSAF
> 
> Dear TC members,
> 
> We have "relationships" in CSAF (and CVRF), and it can provide the
> recursive SBOM information.
> 
> The current limitation is "full_product_name" inside "relationship"
> doesn't have any vendor information, which implies "full_product_name"
> should be from the same vendor who publishes CSAF. For example, if
> Apache Log4j is "default_component_of" Oracle Weblogic Server, there is
> no way to clarify that "Apache Log4j" isn't a product from Oracle and
> should be parsed differently.
> 
> If we agree upon a solution to associate "full_product_name" with the
> correct vendor, this can greatly enhance CSAF for presenting SBOM.
> 
> If there is any interest, this can be discussed in tomorrow's call.
> 
> Thanks
> 
> --Feng
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-
> open.org/apps/org/workgroup/portal/my_workgroups.php