oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Extend to product identification helpers to mitigate name / vendor changes? #355

Closed sthagen closed 3 years ago

sthagen commented 3 years ago

Situation / Comment

3.1.3.3 Full Product Name Type - Product Identification Helper

We welcome the addition of new ways to identify products besides CPE. Two issues we face in this regard are renaming or selling products and patching of software packages by Linux distributions. Both are probably out of scope for CSAF, but they might be relevant context. If a vendor decides to rename a product or sell it to another company, it becomes difficult for an advisory consumer to determine whether an advisory is relevant or not. Things like "previous name / vendor" or "alternative name" might be helpful in this regard. Determining whether an installed package from a Linux distribution is vulnerable based on identifiers using version numbers is difficult if the distribution has not yet published its own advisory. With distributions backporting patches and therefore deviating from upstream version numbers, it is not possible to derive this information from an upstream advisory.

Proposal

The TC will consider the feedback and analyze the possible contribution from CSAF to the mitigation of the identification dilemma from name changes in products and vendors.

Scope CSDPR01 Public Review comment

Received from Christian Keil (DFN-CERT) per email to the public csaf comments mailing list as part of https://lists.oasis-open.org/archives/csaf-comment/202109/msg00000.html @santosomar, @tschmidtb51
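To make the identification dilemma in the comment concrete, here is an added example in Python. It is not code from the CSAF project or from the commenter; it constructs a minimal CSAF 2.0 `product_tree` fragment (the field names `full_product_names`, `product_id` and `product_identification_helper` with `cpe` and `purl` are real CSAF 2.0 schema members, but the product, vendor and version values are made up), then shows three consumer-side situations: a clean CPE match, a miss after a vendor rename that a consumer-maintained alias table (a hypothetical workaround, not a CSAF field) can bridge, and a distribution package whose backported-patch version string cannot be resolved against the upstream advisory without the distribution's own advisory.

```python
"""Matching an installed package against CSAF product_identification_helper data.

Added example with constructed data; the alias table and the status strings
are illustrative conventions of this example, not part of CSAF 2.0.
"""
import re

# Constructed CSAF 2.0 product_tree fragment (schema field names are real,
# vendor/product/version values are made up for this example).
ADVISORY_PRODUCT_TREE = {
    "full_product_names": [
        {
            "name": "ExampleCorp Widget 1.2.3",
            "product_id": "CSAFPID-0001",
            "product_identification_helper": {
                "cpe": "cpe:2.3:a:examplecorp:widget:1.2.3:*:*:*:*:*:*:*",
                "purl": "pkg:generic/examplecorp/widget@1.2.3",
            },
        }
    ]
}

# Hypothetical consumer-side alias table: (current vendor, current product)
# -> (vendor, product) used in older advisories. CSAF has no such field;
# this is the "previous name / vendor" information the comment asks about.
PREVIOUS_NAMES = {
    ("newowner", "gadget"): ("examplecorp", "widget"),
}


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into (vendor, product, version).

    Simplified: escaped colons inside components are not handled.
    """
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return parts[3], parts[4], parts[5]


def match_installed(product_tree, vendor, product, version):
    """Return product_ids whose CPE helper matches the installed software."""
    matches = []
    for fpn in product_tree.get("full_product_names", []):
        cpe = fpn.get("product_identification_helper", {}).get("cpe")
        if not cpe:
            continue
        cpe_vendor, cpe_product, cpe_version = parse_cpe23(cpe)
        if (cpe_vendor, cpe_product) == (vendor, product) and cpe_version in ("*", version):
            matches.append(fpn["product_id"])
    return matches


def resolve_alias(vendor, product):
    """Map a renamed/sold product back to the name an advisory may still use."""
    return PREVIOUS_NAMES.get((vendor, product), (vendor, product))


def upstream_version(distro_version):
    """Strip a distribution release suffix ('1.2.3-4.el9' -> '1.2.3').

    This is the best an advisory consumer can do from the package version
    alone; it says nothing about which patches the distribution backported.
    """
    return re.split(r"[-+~]", distro_version, maxsplit=1)[0]


def classify_distro_package(product_tree, vendor, product, distro_version):
    """Classify a distribution package against an upstream advisory.

    Returns 'unaffected' when the upstream version does not match any helper,
    and 'undetermined' when it does: the distribution may have backported the
    fix, so the upstream advisory alone cannot settle the question.
    """
    base = upstream_version(distro_version)
    if match_installed(product_tree, vendor, product, base):
        return "undetermined"
    return "unaffected"


if __name__ == "__main__":
    print(match_installed(ADVISORY_PRODUCT_TREE, "examplecorp", "widget", "1.2.3"))
    print(match_installed(ADVISORY_PRODUCT_TREE, "newowner", "gadget", "1.2.3"))
    print(match_installed(ADVISORY_PRODUCT_TREE, *resolve_alias("newowner", "gadget"), "1.2.3"))
    print(classify_distro_package(ADVISORY_PRODUCT_TREE, "examplecorp", "widget", "1.2.3-4.el9"))
```

The second call returns no match even though the installed software is the same code under a new owner, and only the consumer-maintained alias table restores the match. The distribution case deliberately returns "undetermined" rather than "affected": matching on the stripped upstream version would otherwise flag packages that already carry a backported fix, which is exactly the false positive the comment describes.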

santosomar commented 3 years ago

Thank you for the feedback and input. During the TC monthly meeting on Sep 29, 2021, the OASIS Common Security Advisory Framework (CSAF) TC reviewed your feedback and voted not to make any changes at this time in CSAF 2.0.