interlynk-io / sbomqs

SBOM quality score - Quality metrics for your sboms
Apache License 2.0

Text for first para of "What is a high quality SBOM" in README #288

Closed fvsamson closed 1 month ago

fvsamson commented 1 month ago

Reference: https://github.com/interlynk-io/sbomqs#what-is-a-high-quality-sbom

The first paragraph of this section currently states:

A high quality SBOM should allow for managements of assets, license, vulnerabilities, Intellectual Property, configuration management and incident response.

We (the authors of BSI TR-03183-2) discussed the scope of SBOMs in depth many times, internally and outside of BSI, and came to the conclusion that IT-security related information shall not be part of an SBOM. While SBOM formats (SPDX, Cyclone DX) allow for including IT-security related information, we define in BSI TR-03183-2 that such files do not constitute an SBOM, but are files providing SBOM information intermingled with IT-security related information. IT-security related information shall be transmitted via CSAF documents, e.g. adhering to the CSAF profile VEX (Vulnerability Exploitability eXchange), because that is the very purpose of the CSAF specifications.

Our reasoning is that SBOM information is rather static, in contrast to IT-security related information, which is implicitly of a dynamic character and often updated, even for a single incident. Consequently, distributing an SPDX or Cyclone DX file for each update of IT-security related information is overkill, because it contains all the static SBOM data, which is then stubbornly replicated for all IT-security related updates (until a software update happens). Furthermore, it becomes the task of a receiver and user of such SPDX or Cyclone DX files to dissect the SBOM data from the IT-security related information.

I am well aware that "allow for" does not strictly imply such a use, but it may be read as suggesting it. I would rather rephrase it to keep these aspects subtly more apart, e.g.:

A high quality SBOM should aptly support managing software assets, license information and Intellectual Property as well as provide a base for configuration management, vulnerability handling and incident response.

But before posting a PR, I wanted to discuss this and bring forth our line of thinking. @riteshnoronha, do you have thoughts, comments or criticism WRT this proposal?

riteshnoronha commented 1 month ago

@fvsamson thanks for your note. Yes this aligns with our operating model. LGTM
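The "dissecting" step the issue describes, as an added example that is not part of the issue thread and not sbomqs code: a small Go program that takes a CycloneDX JSON document, reports whether it is a pure SBOM in the sense discussed above (no top-level IT-security related section), and carves the `vulnerabilities` array out into a separate object so the static BOM data and the dynamic security data can be handled and distributed independently. The list of keys treated as security-related (`SecurityKeys`), the helper names and the embedded sample document (including its placeholder vulnerability id) are assumptions of this example, not definitions from BSI TR-03183-2 or the CycloneDX specification.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SecurityKeys lists top-level CycloneDX JSON keys that carry IT-security
// related (dynamic) information rather than static bill-of-materials data.
// "vulnerabilities" is the top-level key CycloneDX 1.4+ defines for this;
// treating it as the only such key is an assumption of this example.
var SecurityKeys = []string{"vulnerabilities"}

// SplitResult holds the static SBOM document and the security data that
// was intermingled with it.
type SplitResult struct {
	SBOM     map[string]json.RawMessage
	Security map[string]json.RawMessage
}

// SplitCycloneDX parses a CycloneDX JSON document and moves any top-level
// security-related keys out of it. SBOM keeps only the static BOM data;
// Security holds what was carved out (empty if the input was already a
// pure SBOM).
func SplitCycloneDX(doc []byte) (SplitResult, error) {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(doc, &top); err != nil {
		return SplitResult{}, fmt.Errorf("not a JSON object: %w", err)
	}
	if _, ok := top["bomFormat"]; !ok {
		return SplitResult{}, fmt.Errorf("missing bomFormat; not CycloneDX JSON")
	}
	res := SplitResult{SBOM: top, Security: map[string]json.RawMessage{}}
	for _, k := range SecurityKeys {
		if v, ok := top[k]; ok {
			res.Security[k] = v
			delete(top, k)
		}
	}
	return res, nil
}

// IsPureSBOM reports whether the document carries no IT-security related
// top-level section, i.e. whether it is an SBOM in the sense of the
// discussion above rather than SBOM data intermingled with security data.
func IsPureSBOM(doc []byte) (bool, error) {
	res, err := SplitCycloneDX(doc)
	if err != nil {
		return false, err
	}
	return len(res.Security) == 0, nil
}

// CountVulnerabilities returns how many entries the carved-out
// "vulnerabilities" array holds (0 when absent or malformed).
func CountVulnerabilities(res SplitResult) int {
	raw, ok := res.Security["vulnerabilities"]
	if !ok {
		return 0
	}
	var arr []json.RawMessage
	if err := json.Unmarshal(raw, &arr); err != nil {
		return 0
	}
	return len(arr)
}

// MixedDoc is a constructed, minimal CycloneDX 1.5 document that mixes
// component data with a vulnerabilities section. It is sample input for
// this example; the component and the vulnerability id are placeholders.
const MixedDoc = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {"type": "library", "name": "example-lib", "version": "1.2.3",
     "bom-ref": "pkg:generic/example-lib@1.2.3",
     "purl": "pkg:generic/example-lib@1.2.3"}
  ],
  "vulnerabilities": [
    {"id": "EXAMPLE-0001",
     "affects": [{"ref": "pkg:generic/example-lib@1.2.3"}],
     "analysis": {"state": "not_affected"}}
  ]
}`

func main() {
	res, err := SplitCycloneDX([]byte(MixedDoc))
	if err != nil {
		panic(err)
	}
	sbom, _ := json.MarshalIndent(res.SBOM, "", "  ")
	sec, _ := json.MarshalIndent(res.Security, "", "  ")
	fmt.Printf("static SBOM part:\n%s\n\nsecurity part (%d vulnerabilities), to be shipped separately:\n%s\n",
		sbom, CountVulnerabilities(res), sec)
}
```

The split works on raw JSON so that fields of the static part are passed through untouched; a real pipeline would then re-emit the security part as a CSAF/VEX document rather than as a bare JSON object, which is outside the scope of this example.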