Dick Brooks (BCG)

Results 20 comments of Dick Brooks (BCG)

FYI: The SPDX SBOM team is working on a V2.3 release that includes the ability for a software vendor to provide a link to a vulnerability report that is independently...

Update proposed Package description materials as needed to support this item ref: https://github.com/spdx/spdx-spec/issues/628

I agree Gary. Thanks for closing. Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership Never trust software, always verify and...

The SPDX V 3 spec says nothing about NIST's VDR - this is a significant oversight.

The material shown in the commit text matches my understanding of how VEX is used to communicate vulnerability status. "Because [Elements](https://spdx.github.io/spdx-spec/v3.0/model/Core/Classes/Element/) in SPDX are immutable, it is best practice...

The group may want to consider the impact that US Government activities will influence direction and adoption of software supply chain practices. The Office of Management and Budget issued memo...

The M-22-18 memo refers to "NIST Guidance", which incorporates SBOM, vulnerability reporting and other attestations. [See this article for more details on this point](https://energycentral.com/c/pip/advice-software-vendors-prepare-omb-m-22-18-requirements) and [this article on NIST...

The link to M-22-18 is listed in this article: https://energycentral.com/c/pip/advice-software-vendors-prepare-omb-m-22-18-requirements

Please include a tool entry for SAG-PM as supporting SPDX V2.* strictly for use in software supply chain risk assessments.