Re: SPDX Gen Meeting Follow up- Mistake and Thanks
May,
Thank you for the quick response.
With regard to testing: some of the SPDX tool vendors conduct interoperability testing by sharing artifacts and reporting on any issues encountered. The DocFest is a formal version of this testing. Would Palo Alto Networks be willing to share their SPDX artifacts, confidentially, with SPDX tool vendors for interoperability testing purposes only?
I agree with your findings on the NIST VDR; NIST identified the VDR data to be included, but not a specific format. There are two open source NIST VDR “interpretation” formats available, one from OWASP CycloneDX and the other from REA. Here’s an example of the open-source REA VDR format: https://raw.githubusercontent.com/rjb4standards/REA-Products/master/SBOMVDR_JSON/VDR_118.json
I also wrote an article describing the NIST SBOM VDR that ties back to the SP 800-161 standard and other NIST materials where VDR is referenced: https://energycentral.com/c/pip/what-nist-sbom-vulnerability-disclosure-report-vdr
FYI: REA has offered to withdraw its VDR format if the industry agrees to endorse the CycloneDX VDR format. Also, note that REA offered to freely transfer its open-source VDR format to the Linux Foundation when it was first introduced; the offer was never acted on.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx@... <spdx@...> On Behalf Of May Wang via lists.spdx.org
Sent: Wednesday, April 12, 2023 2:59 AM
To: spdx@...
Cc: Phil Odence <Phil.Odence@...>
Subject: Re: [spdx] SPDX Gen Meeting Follow up- Mistake and Thanks
Dick,
Thank you for your questions.
1. Our SPDX-based IoT SBOM is available to all our customers. I am not sure about the specific "testing purposes" you are referring to; happy to talk more details offline.
2. Good question. In addition to the SBOM info, we also provided links from the SBOM to vulnerabilities, based on our own vulnerability database and some CVEs for now. We do plan to 1) expand to more vulnerability databases and CVEs; 2) expand to cover more devices; 3) the latest NIST VDR document provides good guidance but did not prescribe a specific format, so we will closely follow any updates from NIST.
Thank you,
--
May Wang, Ph.D. | CTO, IoT Security
Palo Alto Networks | 3000 Tannery Way | Santa Clara, CA 95054 | USA
Email: may@... | www.paloaltonetworks.com
On Tue, Apr 11, 2023 at 5:10 AM Dick Brooks <dick@...> wrote: