Rose Judge

- There's some discussion that happened way back that also might be relevant: https://github.com/package-url/purl-spec/issues/127

@goneall as far as I can tell, there is no change for the security team to make here, right? This is a SHACL specific issue?

@goneall this is another SHACL specific fix, right?

Hi @ilans and @goneall - I think the definition of the "exploited" property is wrong. We discussed on the security call and we believe the intention of this property is...

I just saw https://github.com/spdx/spdx-3-model/issues/652 which is the same issue as this one and there is some discussion there.. will discuss more at the next security call.

The revised proposal from the security call on July 15 is to change the description to be: ``` Summary: Denote whether a CVE is present in an exploit catalog. Description:...

@goneall I don't think the difference is Python tools picking up an issue that java missed. I have seen this commonly with the Java tools where only one issue is...

@goneall @kestewart ok to merge?

@sbarnum any thoughts?

7/29 security meeting discussion: - This will also be needed for the functional safety profile so this should be in the Core profile. - This should not be off of...