
Update vexVersion.md

Open VenkatTechnologist opened this issue 1 year ago • 13 comments

The 'vexVersion' meant here stands for the minimum requirements for data elements version released by CISA. Hence it is suggested that the field be renamed 'vexMinRequirementsVersion'. The other elements in the field, like the description and metadata, are also being updated.

VenkatTechnologist avatar Feb 20 '24 13:02 VenkatTechnologist

I noticed the CI is failing - I think this is due to some references to the old name vexVersion which have not been updated to the proposed new name vexMinRequirementsVersion.

goneall avatar Feb 25 '24 19:02 goneall

Hi Gary,

Would you like me to withdraw this change? We can track this change as part of the broader scope of VEX related observations and incorporate it if needed at that time.

Thanks, Venkat.


VenkatTechnologist avatar Feb 26 '24 01:02 VenkatTechnologist

Would you like me to withdraw this change?

Let's just switch it to "Draft" mode. We can switch it back after the VEX discussions.

goneall avatar Feb 26 '24 15:02 goneall

@VenkatTechnologist - is this PR still valid based on your analysis?

goneall avatar Apr 03 '24 18:04 goneall

@VenkatTechnologist @jeff-schutt @puerco What I'm gleaning from reading through the comments on this PR and https://github.com/spdx/spdx-3-model/pull/648 is that we should not merge this PR as is and, instead, clarify/change the Summary definition of vexVersion in model/Security/Properties/vexVersion.md to be: "Specifies the version of a VEX statement." This would mean also closing https://github.com/spdx/spdx-3-model/pull/648.

If everyone is agreeable, I can open a PR with the change proposed above unless @VenkatTechnologist wants to do it.

rnjudge avatar Apr 08 '24 21:04 rnjudge

@rnjudge sounds good to me :+1:

I can also fix, no problem. But I thought Venkat can update this PR and we're done :)

puerco avatar Apr 09 '24 00:04 puerco

@puerco, which SPDX field is used for doc version?

On Tue, Apr 9, 2024 at 1:38 AM Puerco wrote:

puerco commented on this pull request.

In model/Security/Properties/vexVersion.md https://github.com/spdx/spdx-3-model/pull/649#discussion_r1556380381:

Summary

-Specifies the version of the VEX document. +Specifies the minimum requirements of data elements version that the VEX document adheres to.
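Review bot: the replacement Summary scopes the property to the VEX document ("that the VEX document adheres to"), but vexVersion is a property of the assessment relationship, not of a document, and the rename to vexMinRequirementsVersion announced in the PR description is not carried through to the remaining references to the old name, which is what the failing CI points at. Suggest keeping the Summary scoped to the assessment, e.g. "Specifies the version of a VEX statement.", which is the wording the thread later settles on.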

To clarify, we were relying on another field to serve as the document version and the summary of vexVersion should read "Specifies the version of a VEX statement."


VenkatTechnologist avatar Apr 09 '24 03:04 VenkatTechnologist

If vexVersion is meant to be the statement version, recommend it to be clearly named as vexStatementVersion so that there is no confusion.


VenkatTechnologist avatar Apr 09 '24 03:04 VenkatTechnologist

which SPDX field is used for doc version?

That's the catch with SPDX docs: They are supposed to be immutable, so there are no versions.

recommend it to be clearly named as vexStatementVersion

So, we don't have a vex statement in SPDX. A VEX statement is assembled by a triad of (at least):

a software package + a vex assessment relationship + a vulnerability

The vexVersion field is a property of the assessment. This means that naming it vexStatementVersion is not correct because there is no vex statement element. It would have been named VexVulnAssessmentRelationship.version but there was a naming collision and we had to look for an alternative.

puerco avatar Apr 09 '24 03:04 puerco

which SPDX field is used for doc version?

@puerco: "That's the catch with SPDX docs: They are supposed to be immutable, so there are no versions."

Then how do we implement document versions in the VEX implementation? Each VEX document can be updated (and its version incremented) when there is an update to any of the statements within. How would this be implemented in SPDX?

@puerco: "So, we don't have a vex statement in SPDX. A VEX statement is assembled by a triad of (at least):

a software package + a vex assessment relationship + a vulnerability

The vexVersion field is a property of the assessment. This means that naming it vexStatementVersion is not correct because there is no vex statement element. It would have been named VexVulnAssessmentRelationship.version but there was a naming collision and we had to look for an alternative."

As I mentioned above, a VEX statement does not stand on its own. It is embedded in a VEX document because of the way the VEX structure is designed. Bypassing this structure does not seem to be a good idea from a consumption perspective. Consumers will be clearly confused.

To me, there needs to be a doc level above the vex assessment relationship.

If what I said makes sense, we can look at this change in SPDX 3.1 and leave things as is for SPDX 3.0. This will also enable us to collect feedback from consumers on the VEX implementation in SPDX 3.0. (I personally feel there will be a LOT of explanation to do.)


VenkatTechnologist avatar Apr 09 '24 04:04 VenkatTechnologist
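To make the two positions above concrete (puerco's triad, where vexVersion is a property of the assessment relationship, and Venkat's question about how document-level versioning would work if SPDX documents are immutable), here is an added illustration. It is not the spdx-3-model's own classes or serialization; the class and property names are hypothetical, and the "highest vex_version per (CVE, package) pair wins" consumption rule is an assumption for the example, not something the thread decides.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Hypothetical simplified classes, NOT the SPDX 3 model's own class or
# property names; they only mirror the triad puerco describes.
@dataclass(frozen=True)
class Package:
    spdx_id: str
    name: str

@dataclass(frozen=True)
class Vulnerability:
    spdx_id: str
    cve: str

@dataclass(frozen=True)
class VexAssessmentRelationship:
    from_id: str      # vulnerability being assessed
    to_id: str        # package the assessment applies to
    status: str       # e.g. "not_affected", "affected", "fixed"
    vex_version: int  # the assessment's own version (the thread's vexVersion)

@dataclass(frozen=True)
class SpdxDocument:
    """Immutable: a revised assessment is a new relationship element with a
    higher vex_version, not an edit to the document or a document version."""
    packages: Tuple[Package, ...]
    vulns: Tuple[Vulnerability, ...]
    assessments: Tuple[VexAssessmentRelationship, ...]

def assemble_statements(doc: SpdxDocument) -> Dict[Tuple[str, str], dict]:
    """Join package + assessment + vulnerability into consumer-facing VEX
    statements, keeping only the highest vex_version per (CVE, package)."""
    pkgs = {p.spdx_id: p for p in doc.packages}
    vulns = {v.spdx_id: v for v in doc.vulns}
    latest: Dict[Tuple[str, str], VexAssessmentRelationship] = {}
    for a in doc.assessments:
        key = (vulns[a.from_id].cve, pkgs[a.to_id].name)
        if key not in latest or a.vex_version > latest[key].vex_version:
            latest[key] = a
    return {k: {"status": a.status, "vex_version": a.vex_version}
            for k, a in latest.items()}

def example_doc() -> SpdxDocument:
    # Constructed sample data: placeholder identifiers, not a real advisory.
    pkg = Package("urn:example:pkg-1", "libexample")
    vuln = Vulnerability("urn:example:vuln-1", "CVE-YYYY-NNNN")
    return SpdxDocument((pkg,), (vuln,), (
        VexAssessmentRelationship(vuln.spdx_id, pkg.spdx_id, "under_investigation", 1),
        VexAssessmentRelationship(vuln.spdx_id, pkg.spdx_id, "not_affected", 2)))
```

Running `assemble_statements(example_doc())` yields a single statement for the pair with status "not_affected" at vex_version 2, while both assessment elements remain in the immutable document.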

@VenkatTechnologist @puerco can you both plan to join the security call this Wed to discuss and come to a conclusion on this?

rnjudge avatar Apr 09 '24 15:04 rnjudge

I am in the midst of travel. My views are already recorded here.

My recommendation is to defer this to 3.1 and look at it in detail when we have time. Thanks.


VenkatTechnologist avatar Apr 09 '24 16:04 VenkatTechnologist

Decision in the April 10th security call to defer this to 3.1 per Venkat's comment. I will open a PR to update the Summary definition of vexVersion in model/Security/Properties/vexVersion.md to be: "Specifies the version of a VEX statement." per puerco's recommendation and to clear up confusion in the short term.

rnjudge avatar Apr 10 '24 19:04 rnjudge