Re: [spdx-defects] [spdx] VEX integration in SPDX #spdx


Rose Judge
 

Hi Sandeep,

 

The SPDX Defects working group announced security enhancements to the ExternalReference section of the spec as well as an explanatory Annex about how to include security information in an SPDX document. These changes apply to spec version 2.3 which should be released by the end of the month.

 

In order to include security/vulnerability information in 2.3, you will want to use the SECURITY ExternalReference Type. When using this format, there’s several security identifiers available: cpe22type, cpe23type, advisory, fix, url or swid that you can use to reference a VEX document. You can see examples of how this might be done in the link to Annex G above.

 

I’m also adding the SPDX Defects workgroup to the CC in case you have any further questions.

 

Thanks,

Rose

 

 

Subject:

[EXT] [spdx] VEX integration in SPDX #spdx

Date:

Tue, 31 May 2022 22:49:51 -0700

From:

Patil, Sandeep via lists.spdx.org <sandeep.patil=philips.com@...>

Reply-To:

spdx@...

To:

spdx@...



Hi , 
Is there any roadmap to integrate VEX to  with SPDX ? Or is there already way in current SPDX specification to integrate vulnerability information ? 


Regards
Sandeep 

 


Join spdx@lists.spdx.org to automatically receive all group messages.