On 27.05.21 05:33, Michael Richardson wrote:
> Eliot Lear <l...@lear.ch> wrote:
>      > For those of you who don’t know, Common Security Advisory Format (CSAF)
>      > is an evolution on Common Vulnerability Reporting Framework.  Such an
>      > object could easily be delivered with an SBOM.  It has a slightly
>      > different characteristic in terms of update frequency.  CSAF changes
>
> It's not an SBOM, but it would be associated with a specific instance of an
> SBOM, right?

I think the relationship varies on format.  They CAN be independent or related.


>      > My proposal is to add into the draft an optional URL that indicates the
>      > CSAF object for This device, à la:
>
>      >> container sbom {
>      >>   …
>      >>   leaf csaf-location {
>      >>     type inet:uri;
>
> So, would this be an alternative to an actual SBOM?

Patrick can say more here, but one could easily imagine an extension of CycloneDX that would contain CSAF info, and if that is the case, you wouldn't include this separate element in the MUD extension.

> Would the CSAF instead point to the SBOM indirectly?
Yes.
> Or would this be in addition to an SBOM?
And yes.  Depending on how the SBOM is constructed, and whether it's there at all.


Clear as mud?
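The leaf sketched in the quoted proposal, written out as an added illustration that is not from the draft or from either poster: a stand-alone YANG module that augments the MUD container of RFC 8520 with an `sbom` container carrying an optional `csaf-location` leaf. The module name, namespace, prefix and the `sbom-location` leaf are assumptions for this example; only `container sbom`, `leaf csaf-location` and `type inet:uri` come from the message.

```yang
module example-mud-csaf {
  yang-version 1.1;
  // Placeholder namespace and prefix for the example; not registered anywhere.
  namespace "urn:example:yang:example-mud-csaf";
  prefix ex-csaf;

  import ietf-inet-types {
    prefix inet;
    reference
      "RFC 6991: Common YANG Data Types";
  }
  import ietf-mud {
    prefix mud;
    reference
      "RFC 8520: Manufacturer Usage Description Specification";
  }

  description
    "Illustrative MUD extension: attaches an optional CSAF advisory
     location to an 'sbom' container. Module and leaf names other than
     csaf-location are assumptions made for this example.";

  // RFC 8520 extensions hang off the top-level 'mud' container.
  augment "/mud:mud" {
    description
      "Software transparency pointers for the device this MUD file
       describes.";
    container sbom {
      description
        "Where to find the SBOM and, optionally, the CSAF advisories
         for this device. Both leaves are optional, so a manufacturer
         that embeds advisory data inside the SBOM (for example as a
         CycloneDX extension) simply omits csaf-location.";
      leaf sbom-location {
        // Assumed name for the SBOM pointer itself; the real draft
        // defines its own layout for this.
        type inet:uri;
        description
          "URI from which the SBOM for this device can be retrieved.";
      }
      leaf csaf-location {
        type inet:uri;
        description
          "URI of the CSAF advisory document (or feed) for this device.
           CSAF content changes on a different cadence from the SBOM,
           so it is referenced rather than embedded.";
      }
    }
  }
}
```

With the RFC 8520 and RFC 6991 modules on its module search path, pyang compiles this as written; an instance MUD file would then carry the two URIs under the extension's namespace, and a consumer that does not understand the extension ignores the container, as RFC 8520 requires for unknown extensions.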



_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
