
Add example information for NIST EO 14028 to Appendix G #733

Merged
merged 1 commit into from Jul 6, 2022

Conversation

rnjudge (Contributor) commented Jun 29, 2022

This commit adds an example to Appendix G.1 describing how users can
reference vulnerability reports using the ExternalRefs SECURITY
category in accordance with Executive Order 14028.

This example and language were agreed upon at the SPDX Defects WG meeting
on June 29th.

Signed-off-by: Rose Judge rjudge@vmware.com

zvr (Member) commented Jun 30, 2022

The definition of advisory type in F.2.3 says that it should point to

published security advisory (where advisory as defined per ISO 29147:2018).

giving as an example https://nvd.nist.gov/vuln/detail/CVE-2020-28498.

This example points to some JSON file stored on GitHub.

What has to change to reconcile the two?

@zvr zvr added this to the 2.3 milestone Jun 30, 2022
rnjudge (Contributor, Author) commented Jul 1, 2022

@zvr I'm not sure the two are incompatible. This is an example for those looking for guidance on how to correlate vulnerability and SBOM information for a software product at the component level in order to satisfy EO 14028. Per ISO 29147:2018, the advisory may contain an impact statement whether a package (e.g. a product) is or is not affected by vulnerabilities, which the example file does. Technically, even a JSON file stored on GitHub is "published". I agree that there could be a better/more official example document for this appendix, but the one there now is consistent with the guidance we have provided. Perhaps we can update the example link in the future as more example documents become available.
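To make the component-level correlation rnjudge describes concrete, here is an added example (not code from the PR or from the SPDX project) that pulls the SECURITY ExternalRefs out of a constructed SPDX 2.3 tag-value fragment, grouped by package, so the advisory links can be followed and checked. The package names, purl and CPE are made up; the NVD URL is the one quoted in the discussion above.

```python
import re
from typing import Dict, List, Tuple

# Constructed SPDX 2.3 tag-value fragment (not from the PR). Package names,
# purl and CPE are invented; the NVD link is the one cited in the thread.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.3
PackageName: example-lib
SPDXID: SPDXRef-Package-example-lib
ExternalRef: PACKAGE-MANAGER purl pkg:npm/example-lib@1.2.3
ExternalRef: SECURITY advisory https://nvd.nist.gov/vuln/detail/CVE-2020-28498
ExternalRef: SECURITY fix https://example.invalid/example-lib/commit/PLACEHOLDER
PackageName: other-lib
SPDXID: SPDXRef-Package-other-lib
ExternalRef: SECURITY cpe23Type cpe:2.3:a:vendor:other-lib:2.0:*:*:*:*:*:*:*
"""

# Reference types SPDX 2.3 Annex F defines per category (OTHER is free-form).
KNOWN_TYPES = {
    "SECURITY": {"cpe22Type", "cpe23Type", "advisory", "fix", "url", "swid"},
    "PACKAGE-MANAGER": {"maven-central", "npm", "nuget", "bower", "purl"},
    "PERSISTENT-ID": {"swh", "gitoid"},
}
EXTREF = re.compile(r"^ExternalRef:\s*(\S+)\s+(\S+)\s+(\S+)\s*$")

def security_refs(doc: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each package SPDXID to its SECURITY ExternalRefs as (type, locator).
    Raises ValueError on a category/type pair Annex F does not define."""
    refs: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in doc.splitlines():
        if line.startswith("SPDXID:"):
            current = line.split(":", 1)[1].strip()
            refs.setdefault(current, [])
            continue
        m = EXTREF.match(line)
        if not m or current is None:
            continue  # not an ExternalRef, or no enclosing element yet
        category, reftype, locator = m.groups()
        if category in KNOWN_TYPES and reftype not in KNOWN_TYPES[category]:
            raise ValueError(f"{current}: unknown {category} type {reftype!r}")
        if category == "SECURITY":
            refs[current].append((reftype, locator))
    return refs

def advisory_urls(doc: str) -> List[str]:
    """Flat list of advisory locators: the links a reader follows to learn
    whether each package is, or is not, affected by a reported vulnerability."""
    return [loc for pkg in security_refs(doc).values()
            for t, loc in pkg if t == "advisory"]
```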

kestewart (Contributor) left a comment

Been following the discussion, and this matches. Looks good.

@kestewart kestewart merged commit fca3630 into spdx:development/v2.3 Jul 6, 2022