
SSVC question

Open aamedina opened this issue 1 year ago • 9 comments

I experimentally derived an RDF model from the JSON schemas for SSVC here: https://github.com/aamedina/ssvc/blob/main/resources/ssvc.ttl

How do you suggest I link an SPDX 3 SBOM to a computed SSVC score using a model other than the CISA coordinator? There are supplier and deployer roles as well. Each stakeholder could use a different versioned decision tree that is used to compute the SSVC decision at a specific point in time, and being able to reference the exact decision model used is critical.

aamedina, Jul 27 '23 00:07