[spdx-defects] [spdx] VEX integration in SPDX #spdx


Rose Judge
 

Hi Sandeep,

The SPDX Defects working group announced security enhancements to the ExternalReference section of the spec as well as an explanatory Annex about how to include security information in an SPDX document. These changes apply to spec version 2.3, which should be released by the end of the month.

In order to include security/vulnerability information in 2.3, you will want to use the SECURITY ExternalReference Type. When using this format, there are several security identifiers available: cpe22type, cpe23type, advisory, fix, url or swid that you can use to reference a VEX document. You can see examples of how this might be done in the link to Annex G above.

I'm also adding the SPDX Defects workgroup to the CC in case you have any further questions.

Thanks,

Rose

 

 

Subject: [EXT] [spdx] VEX integration in SPDX #spdx
Date: Tue, 31 May 2022 22:49:51 -0700
From: Patil, Sandeep via lists.spdx.org <sandeep.patil=philips.com@...>
Reply-To: spdx@...
To: spdx@...

Hi,
Is there any roadmap to integrate VEX with SPDX? Or is there already a way in the current SPDX specification to integrate vulnerability information?

Regards
Sandeep

 



Dick Brooks
 

Sandeep,

NIST also recommends that vendors and consumers "Maintain vendor vulnerability disclosure reports at the SBOM component level." See 5/5 guidance:
https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1

SPDX V 2.3 supports both VEX and Vulnerability Disclosure Reports (VDR), in support of the NIST recommendations for Executive Order 14028.

Here's an example SPDX V 2.3 reference to a VDR:

ExternalRef SECURITY advisory https://github.com/rjb4standards/REA-Products/blob/master/SBOMVDR_JSON/VDR_118.json

Here's an example SPDX V 2.3 reference to a VEX:

ExternalRef SECURITY advisory https://cert-portal.siemens.com/productcert/csaf/ssa-661247.json

Here's an explanation of the difference between VEX and VDR:

In summary, a VEX is an artifact showing the status of vulnerabilities within a product. Components with no vulnerabilities are not listed in a VEX, unless there is a "known not affected" product status contained in the VEX.

In summary, a VDR is an attestation by a software vendor that they have checked each component in a software product SBOM for vulnerabilities and reports on the vulnerability status of each component, for a software product.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788

 

From: spdx-defects@... <spdx-defects@...> On Behalf Of Jeff Schutt (jefschut) via lists.spdx.org
Sent: Thursday, June 2, 2022 1:40 PM
To: spdx@...; sandeep.patil@...; spdx-defects@...
Subject: Re: [spdx-defects] [spdx] VEX integration in SPDX #spdx

Hi Sandeep,

To add to Rose's comments...

For version 2.3, the new Advisory identifier (F.2.3) is a catch-all that will enable linking to any VEX information, e.g., as contained within an OSV or CSAF file.

We're currently working on further security vulnerability information integrations with version 3.0 of the SPDX spec and would welcome your contributions :) Meetings are Wednesdays at 11am PT.

Jeff

From: <spdx@...> on behalf of "Rose Judge via lists.spdx.org" <rjudge=vmware.com@...>
Reply-To: "spdx@..." <spdx@...>
Date: Thursday, June 2, 2022 at 10:30 AM
To: "spdx@..." <spdx@...>, "sandeep.patil@..." <sandeep.patil@...>, "spdx-defects@..." <spdx-defects@...>
Subject: Re: [spdx-defects] [spdx] VEX integration in SPDX #spdx

 

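Rose's list of SECURITY reference types and Dick's ExternalRef lines above describe how a consumer locates VEX/VDR pointers in an SPDX 2.3 document. The following is an added example, not SPDX project code: a small tag-value parser that collects SECURITY references per package and flags reference types the category does not allow. The sample document is constructed; the two advisory URLs are the ones quoted in the thread, while the package names and the CPE are assumed.

```python
"""Collect SECURITY ExternalRefs (VEX/VDR/CPE links) from an SPDX 2.3 tag-value
document. Added example, not SPDX project code; the sample input is constructed."""
import re

# Reference types SPDX 2.3 allows under the SECURITY category (casing per Annex F).
SECURITY_TYPES = {"cpe22Type", "cpe23Type", "advisory", "fix", "url", "swid"}
# Spec form is "ExternalRef: CATEGORY TYPE LOCATOR"; the colon-less form quoted in the thread is accepted too.
_REF_RE = re.compile(r"^ExternalRef:?\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_security_refs(text):
    """Return (refs, errors); refs are (package, type, locator) tuples attributed
    to the most recent PackageName. Bad SECURITY refs are reported, not dropped."""
    refs, errors, package = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("PackageName:"):
            package = line.split(":", 1)[1].strip()
            continue
        m = _REF_RE.match(line)
        if not m or m.group(1) != "SECURITY":
            continue  # not an ExternalRef, or another category such as PACKAGE-MANAGER
        _, ref_type, locator = m.groups()
        if package is None:
            errors.append(f"line {lineno}: ExternalRef before any PackageName")
        elif ref_type not in SECURITY_TYPES:
            errors.append(f"line {lineno}: unknown SECURITY reference type {ref_type!r}")
        else:
            refs.append((package, ref_type, locator))
    return refs, errors


def advisory_locators(refs):
    """Map package -> advisory URLs a consumer fetches to learn VEX/VDR status."""
    out = {}
    for package, ref_type, locator in refs:
        if ref_type == "advisory":
            out.setdefault(package, []).append(locator)
    return out


# Constructed sample: an assumed CPE, the Siemens VEX and the VDR from the thread,
# an invalid reference type that must be flagged, and a non-security ref to skip.
SAMPLE_SPDX = """\
PackageName: log4j-core
ExternalRef: SECURITY cpe23Type cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*
ExternalRef: SECURITY advisory https://cert-portal.siemens.com/productcert/csaf/ssa-661247.json
PackageName: example-product
ExternalRef SECURITY advisory https://github.com/rjb4standards/REA-Products/blob/master/SBOMVDR_JSON/VDR_118.json
ExternalRef: SECURITY vex https://example.invalid/not-a-valid-type.json
ExternalRef: PACKAGE-MANAGER purl pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1
"""
```

Whether a locator points at a VEX or a VDR is not encoded in the reference itself (both use the advisory type), so the consumer still has to open the document and inspect its format to know which kind of statement it holds.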

 



Jeff Schutt (jefschut)
 

Hi Sandeep,

To add to Rose's comments...

For version 2.3, the new Advisory identifier (F.2.3) is a catch-all that will enable linking to any VEX information, e.g., as contained within an OSV or CSAF file.

We're currently working on further security vulnerability information integrations with version 3.0 of the SPDX spec and would welcome your contributions :) Meetings are Wednesdays at 11am PT.

Jeff

 

 


 



Dick Brooks
 

Sandeep,

A good example of a VEX advisory is provided by Siemens in their log4j advisory:
https://cert-portal.siemens.com/productcert/csaf/ssa-661247.json

NOTE: VEXes are vulnerability-centric, where a vulnerability is reported and a vendor issues a VEX.

It's important to note that a VEX is very different from a product-centric vulnerability disclosure report (VDR), which NIST requires for Executive Order 14028.

If you plan to sell products to the US Government then you will need to follow NIST's requirements for Executive Order 14028:
https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1

"Maintain vendor vulnerability disclosure reports at the SBOM component level"

Here is the difference between a VEX and a VDR (attestation).

A VEX is an artifact showing the status of vulnerabilities within a product or products. Components with no vulnerabilities are not listed in a VEX, unless there is a "known not affected" status listed in the VEX.

A VDR is an attestation by a software vendor that they have checked each component of a software product in an SBOM for vulnerabilities and reports on the vulnerability status of each component, for a software product. A VDR is dynamically updated and maintained by the software vendor in order to answer the consumer question "What is the vulnerability status of Product P, NOW?"

Thanks,

Dick Brooks

 
