Nobuyuki Tanaka,

 

Is Sony planning to issue an updated SBOM when a VEX status changes for any
of the VEX statements contained in an SBOM?

 

How will Sony indicate that an SBOM has no identified vulnerabilities?

 

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council - A Public-Private Partnership

 

<https://reliableenergyanalytics.com/products> Never trust software, always verify and report! (tm)

http://www.reliableenergyanalytics.com

Email: d...@reliableenergyanalytics.com

Tel: +1 978-696-1788

 

 

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of
no.tan...@sony.com
Sent: Thursday, April 25, 2024 9:12 PM
To: Spdx-tech@lists.spdx.org
Subject: Re: [spdx-tech] Is "VexAssessmentRelationship" typo in
how-to-implement-VEX-in-SPDX.md?

 

Hi all, 

Thanks, I could get a reply directly.

@type should be "VulnAssessmentRelationship", and "amends" should be
"amendedBy".

 

Best regards,

Nobuyuki Tanaka

Sony Group Corporation

 

  _____  

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of
no.tan...@sony.com
Sent: April 25, 2024 15:36
To: Spdx-tech@lists.spdx.org
Subject: [spdx-tech] Is "VexAssessmentRelationship" typo in
how-to-implement-VEX-in-SPDX.md?

 

Hi all,

I'd like to confirm one thing in how-to-implement-VEX-in-SPDX.md.

This document is very helpful to understand creating VEX.

https://github.com/spdx/spdx-spec/blob/cb47a183637a952b644a8b4b3677f5794b2cc0bf/docs/annexes/how-to-implement-VEX-in-SPDX.md

 

Is the following @type "VulnAssessmentRelationship" or
"VexVulnAssessmentRelationship"?

  "@type": "VexAssessmentRelationship",
  "@id": "urn:spdx.dev:vex-update",
  "relationshipType": "amends",
  "from": "urn:spdx.dev:vex-underInvestigation-1",
  "to": ["urn:spdx.dev:vex-affected-1"],

 

Sorry, I need time to create a GitHub account, so I sent this mail to this ML.

 

Best regards,

Nobuyuki Tanaka

Sony Group Corporation

 




