Re: [openc2-lang] Comments of Note from the Actuator Profile subcommittee: New Language Element

[duncan sfractal.com <duncan@sfractal.com>]

• âThis may be the precursor to other Profiles for remote situation awareness (âreportingâ)â
• I do NOT consider SBoM as related to reporting in any way. Note the proposed action (query) and target (features) already existed and âsbomâ is being added to the features list  as it is similar to âprofileâ and âversionâ that are already there. I would consider âsbomâ to be more detail on the âversionâ â and not some form of reporting.
• âthe well-known formats are SPDX and SWIDâ
• I would also like to point out there are 3 SBoM formats in wide use today â swid, spdx, and cyclonedx. Swid and spdx came from the license use case. CycloneDx came from the security use case. All 3 formats and do all 5 sbom uses in the ntia report. Since I believe CycloneDx is the most used format today for the security use case, and has the most open source vulnerability tooling, I want to make sure it gets included.
• âwe have a language element with a name similar to âPayloadââ.â
• I was proposing âsbom-manifestâ to be very specific to this response and the âsbom_typeâ would be one of swid, spdx, cyclonedx which I think meets the other requirements you mention allowing for conformance checking

 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

From: openc2-lang <openc2-lang@lists.oasis-open.org> on behalf of Toby Considine <Toby.Considine@unc.edu>
Date: Wednesday, December 11, 2019 at 9:14 AM
To: openc2-lang <openc2-lang@lists.oasis-open.org>
Subject: [openc2-lang] Comments of Note from the Actuator Profile subcommittee: New Language Element

 

As noted in the minutes of Mondayâs meeting, the SBoM Actuator Profile is entering into rapid development. The Software Bill of Materials is a critical component of the Comply to Connect

 The SBoM draft will come to the language SC as a set of new requirements for remote query. This may be the precursor to other Profiles for remote situation awareness (âreportingâ). More on that in another note.

 For this message, I want to focus on a new language element, one for something that is a BLOB as far as OpenC2 knows. SBoM already has a few standard formats, and none of them are JSON. In the case of SBoM, they are XML based, and there is some hint that the next generation of those formats will skip JSON and go to CBOR. We probably want to restrict these blobs to text-based, using the character-sets already legal in OpenC2.

 To the Language SC, those formats do not matter, although they do to the specific Actuator Profile. In this case, the well-known formats are SPDX and SWID. In another request they could be something else.

I think we have a language element with a name similar to âPayloadâ. The language spec makes no assertions as to the content or format of a Payload. The notion of defining a custom serialization of a specific payload for OpenC2, one which must then be converted back into the original format for use was specifically rejected in the Actuator Profile call.

 A conforming Actuator Profile may request a response that has one or more Payloads. A Profile expecting a Payload MUST define the conformance expectations for the Payload. It is preferred that the conformance expectations be defined by reference to an existing specification.

 (This last pointâpre-existing specification. Is it required? If there is no pre-existing specification, why would we define in a format other than JSON?)

 tc