Update spec to final VEX-WG document #25
Please note that supplier disappeared from the document metadata and is now an optional field at the statement level. Its meaning is different now too, now denoting the supplier of the
LGTM! Just one superficial comment.
OPENVEX-SPEC.md (Outdated)
| tooling | ✕ | Tooling expresses how the VEX document and contained VEX statements were generated. It's optional. It may specify tools or automated processes used in the document or statement generation. | | ||
| last_updated | ✕ | Date of last modification to the document. | | ||
| version | ✓ | Version is the document version. It must be incremented when any content within the VEX document changes, including any VEX statements included within the VEX document. | | ||
| tooling | ✕ | Tooling expresses how the VEX document and contained VEX statements were generated. It may specify tools or automated processes used in the document or statement generation. | | ||
| supplier | ✕ | An optional field specifying who is providing the VEX document. | |
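Review bot: the `supplier` row at the end of this Document table contradicts the stated intent of the PR, which moves supplier to the statement level; drop this row so the field is defined in one place only. Also, the `version` row says it "must be incremented" but never states the type, while the PR description says it is now an integer; stating "integer" here would save consumers guessing. Likewise `last_updated` is described only as "Date of last modification" with no format given; naming the timestamp format (e.g. the same one the document `timestamp` uses) avoids parsers disagreeing.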
Line 163 should be deleted I think; Supplier is (now correctly) defined in the Statement section.
I was aiming for only additions in this PR but I've reconsidered from your comment and we should do one change only.
I've pushed another commit removing the supplier.
d6eb6af to 528e9b3
For what it is worth, LGTM! puerco++
| products | ✕ | Product identifiers that the statement applies to. Any software identifier can be used and SHOULD be traceable to a described item in an SBOM. The use of [Package URLs](https://github.com/package-url/purl-spec) (purls) is recommended. While a product identifier is required to have a complete statement, this field is optional as it can cascade down from the encapsulating document, see [Inheritance](#Inheritance). | | ||
| subcomponents | ✕ | Identifiers of components where the vulnerability originates. While the statement asserts about the impact on the software product, listing `subcomponents` let scanners find identifiers to match their findings. | | ||
| status | ✓ | A VEX statement MUST provide the status of the vulnerabilities with respect to the products and components listed in the statement. `status` MUST be one of the labels defined by VEX (see [Status](#Status-Labels)), some of which have further options and requirements. | | ||
| status | ✓ | A VEX statement MUST provide the status of the vulnerabilities with respect to the products and components listed in the statement. `status` MUST be one of the labels defined by VEX (see [Status](#Status-Labels)), some of which have further options and requirements. | | ||
| supplier | ✕ | Supplier of the product or subcomponent. | |
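Review bot: the `supplier` row says "Supplier of the product or subcomponent" but gives no way to say which product or subcomponent it refers to, so a statement whose `products` and `subcomponents` come from different suppliers is ambiguous; either scope the field to the product or state explicitly which identifier it applies to. Minor: in the `subcomponents` row, "listing `subcomponents` let scanners" should read "lets scanners".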
Please clarify how this fulfills the requirement of https://www.cisa.gov/sites/default/files/2023-04/minimum-requirements-for-vex-508c.pdf:
[supplier] MUST clearly indicate the [product_id] or [subcomponent_id] to which [supplier] applies.
If I understand the description correctly, `subcomponents` and `products` might come from different suppliers...
Right, this is an issue we're tackling in an upcoming revision. Right now subcomponents cannot be easily tied back to products (and thus to their suppliers).
This one will be handled in the first revision to the spec coming up in August.
This commit implements the changes to the spec done to update OpenVEX to the published version of the minimum elements for VEX document. These changes were proposed to the spec in: openvex/spec#25
Specifically, this commit introduces the following changes:
Document
- version is now an integer
- Added last_updated to record changes to the doc
- author is now recommended to be a machine-readable identifier
- role is now optional
Statement
- @id takes an IRI to identify the statement and make it referenceable
- version an integer field, accounts for changes in the statement. Defaults to zero, and may be omitted when so.
- last_updated added to the statement
- supplier an identifier of the supplier of the document
Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>
This PR updates the openvex spec to match the final minimal requirements for VEX as defined by the VEX Working group and published by CISA on https://www.cisa.gov/sites/default/files/2023-04/minimum-requirements-for-vex-508c.pdf
The summary of changes to the spec is as follows. Except for the document `version` changing from string to integer, all fields are new so should not break existing consumers.
Document
- version is now an integer
- added last_updated to record changes to the doc
- author is now recommended to be a machine-readable identifier
- role is now optional 🎉
Statement
- @id takes an IRI to identify the statement and make it referenceable
- version integer field, accounts for changes in the statement, defaults to zero and may be omitted when so.
- last_updated added a last updated timestamp to the statement
- supplier an identifier of the supplier of the document
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
528e9b3 to 7d74dc9
Thanks for your reviews everyone, I'm tagging v0.0.2 of the spec 🎉 Please note that these changes will not get a technical release. The minor adjustments in v0.0.2 will be rolled into the upcoming updates to the OpenVEX libraries and tools as part of the v0.1.0 revision.
Congratulations team! To 0.0.2 and BEYOND!!!
Cheers,
CRob
Director of Security Communications
Intel Product Assurance and Security
This PR updates the OpenVEX spec to match the final minimal requirements for VEX as defined by the VEX Working group and published by CISA.
The summary of changes to the spec is as follows. Except for the document `version` changing from string to integer, all fields are new so should not break existing consumers.
Document
- `version` is now an integer
- `last_updated` to record changes to the doc
- `author` is now recommended to be a machine-readable identifier
- `role` is now optional 🎉
Statement
- `@id` takes an IRI to identify the statement and make it referenceable
- `version` an integer field, accounts for changes in the statement. Defaults to zero, and may be omitted when so.
- `last_updated` added to the statement
- `supplier` an identifier of the supplier of the document
Fixes #18
Signed-off-by: Adolfo García Veytia (Puerco) [email protected]
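As an added illustration, not code from this PR or from the OpenVEX project, here is a small consumer-side check of a constructed document against the field changes the PR lists: document `version` as an integer, optional `last_updated`, statement `@id` as an absolute IRI, statement `version` defaulting to zero, and `supplier` living on the statement rather than the document. The field names follow the PR; the timestamp format and IRI test are my assumptions, and every identifier in the sample is a placeholder.

```python
from datetime import datetime
from urllib.parse import urlparse

VEX_STATUS = {"not_affected", "affected", "fixed", "under_investigation"}

def _is_timestamp(value):
    # Assumption: RFC 3339 timestamps; the spec text only says "date of last modification".
    try:
        datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        return True
    except ValueError:
        return False

def _is_iri(value):
    # A referenceable statement @id needs an absolute IRI (scheme plus authority).
    parts = urlparse(str(value))
    return bool(parts.scheme and parts.netloc)

def check_openvex(doc):
    """Return findings against the v0.0.2 field rules; an empty list means OK."""
    findings = []
    version = doc.get("version")
    if not isinstance(version, int) or isinstance(version, bool):
        findings.append("document version must be an integer (it was a string before)")
    if "last_updated" in doc and not _is_timestamp(doc["last_updated"]):
        findings.append("document last_updated is not a valid timestamp")
    if "supplier" in doc:
        findings.append("supplier moved from document metadata to the statement")
    for i, st in enumerate(doc.get("statements", [])):
        if "@id" in st and not _is_iri(st["@id"]):
            findings.append(f"statement {i}: @id must be an absolute IRI")
        st_version = st.get("version", 0)  # defaults to zero when omitted
        if not isinstance(st_version, int) or isinstance(st_version, bool) or st_version < 0:
            findings.append(f"statement {i}: version must be a non-negative integer")
        if st.get("status") not in VEX_STATUS:
            findings.append(f"statement {i}: status must be a VEX status label")
    return findings

# Constructed sample document; every identifier below is a placeholder.
SAMPLE_DOC = {
    "@id": "https://example.com/vex/doc-1",
    "author": "https://example.com/security-team",  # machine-readable identifier
    "version": 2,
    "last_updated": "2023-07-19T12:00:00Z",
    "statements": [{"@id": "https://example.com/vex/doc-1/statement-1",
                    "vulnerability": "CVE-0000-00000",  # placeholder id, shape not checked
                    "products": ["pkg:golang/example.com/app@1.0.0"],
                    "status": "not_affected",
                    "supplier": "https://example.com/vendor"}],
}
```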