Closed sparrell closed 2 years ago
As part of the process check, the README includes a note to include a link to the Healthcare PoC. Reviewers could: 1) create another PR to add the link, or 2) use the GitHub process to suggest that the PR submitter add the link: https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_healthcare_update-2021-04-29.pdf, perhaps with additional information https://healthitsecurity.com/features/using-software-bill-of-materials-sboms-for-medical-device-security
My only other review comment is that VEX is described as a profile of CSAF (see also https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf). The relationship between SBOM documents and VEX flags is not clear; it would be helpful to include a reference to CSAF documents as a source of VEX flag values.
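As an added illustration of the SBOM-to-VEX relationship raised in the comment above (example code, not part of this PR, the PACE repo, or any vendor's tooling): in a CSAF 2.0 document of category `csaf_vex` the VEX status values are the keys of each vulnerability's `product_status` object, and the `product_identification_helper.purl` on each product is what lets those statuses be joined to the components listed in an SBOM. The CSAF document, the product names, the vendor-local vulnerability id and the SBOM purls below are constructed for this example and refer to nothing real.

```python
"""Added example, not part of the PR or the PACE repo: extract VEX status values
from a CSAF 2.0 "csaf_vex" document and join them to the components of an SBOM.
Both inputs below are constructed samples, not real advisories or real software."""
import json

# Constructed minimal CSAF 2.0 VEX document. The field names and status keys are
# those of the CSAF 2.0 schema; vendor, tracking id, products and purls are invented.
SAMPLE_CSAF_VEX = json.dumps({
    "document": {
        "category": "csaf_vex",
        "csaf_version": "2.0",
        "title": "Constructed VEX sample",
        "publisher": {"category": "vendor", "name": "Example Vendor",
                      "namespace": "https://vendor.example"},
        "tracking": {"id": "EXAMPLE-VEX-0001", "status": "final", "version": "1",
                     "initial_release_date": "2023-01-01T00:00:00Z",
                     "current_release_date": "2023-01-01T00:00:00Z"},
    },
    "product_tree": {"full_product_names": [
        {"product_id": "CSAFPID-0001", "name": "libwidget 1.2.3",
         "product_identification_helper": {"purl": "pkg:generic/libwidget@1.2.3"}},
        {"product_id": "CSAFPID-0002", "name": "libwidget 1.2.4",
         "product_identification_helper": {"purl": "pkg:generic/libwidget@1.2.4"}},
    ]},
    "vulnerabilities": [{
        # A vendor-local id rather than a CVE, so nothing real is referenced.
        "ids": [{"system_name": "Example Vendor Tracker", "text": "EXAMPLE-1"}],
        "product_status": {"known_not_affected": ["CSAFPID-0001"],
                           "fixed": ["CSAFPID-0002"]},
        # CSAF "flags" hold the justification for a not_affected status; the
        # status values themselves are the product_status keys above.
        "flags": [{"label": "vulnerable_code_not_in_execute_path",
                   "product_ids": ["CSAFPID-0001"]}],
    }],
})

# Constructed SBOM component list, reduced to package URLs.
SAMPLE_SBOM_PURLS = ["pkg:generic/libwidget@1.2.3", "pkg:generic/othertool@0.9"]

# CSAF product_status keys and the VEX status each one expresses.
CSAF_STATUS_TO_VEX = {
    "known_affected": "affected",
    "known_not_affected": "not_affected",
    "fixed": "fixed",
    "under_investigation": "under_investigation",
}


def purl_index(csaf):
    """Map CSAF product_id -> purl, walking full_product_names and nested branches."""
    index = {}

    def visit_product(product):
        purl = product.get("product_identification_helper", {}).get("purl")
        if purl:
            index[product["product_id"]] = purl

    def visit_branches(branches):
        for branch in branches:
            if "product" in branch:
                visit_product(branch["product"])
            visit_branches(branch.get("branches", []))

    tree = csaf.get("product_tree", {})
    for product in tree.get("full_product_names", []):
        visit_product(product)
    visit_branches(tree.get("branches", []))
    return index


def vex_statements(csaf_json):
    """Flatten a CSAF VEX document into per-product VEX statements."""
    csaf = json.loads(csaf_json)
    if csaf["document"]["category"] != "csaf_vex":
        raise ValueError("not a CSAF VEX document")
    purls = purl_index(csaf)
    statements = []
    for vuln in csaf.get("vulnerabilities", []):
        vuln_id = vuln.get("cve") or vuln["ids"][0]["text"]
        justification = {pid: flag["label"] for flag in vuln.get("flags", [])
                         for pid in flag.get("product_ids", [])}
        for csaf_status, vex_status in CSAF_STATUS_TO_VEX.items():
            for pid in vuln.get("product_status", {}).get(csaf_status, []):
                statements.append({"vuln": vuln_id,
                                   "purl": purls.get(pid, pid),  # raw id if no purl
                                   "status": vex_status,
                                   "justification": justification.get(pid)})
    return statements


def apply_to_sbom(sbom_purls, statements):
    """Join statements to SBOM components; a component with no statement gets []."""
    coverage = {purl: [] for purl in sbom_purls}
    for s in statements:
        if s["purl"] in coverage:
            coverage[s["purl"]].append((s["vuln"], s["status"], s["justification"]))
    return coverage
```

Calling `apply_to_sbom(SAMPLE_SBOM_PURLS, vex_statements(SAMPLE_CSAF_VEX))` shows the two sides of the join: `libwidget 1.2.3` carries a `not_affected` statement with its justification, while `othertool 0.9` is in the SBOM but has no VEX statement at all, which is the case a consumer has to treat as "unknown" rather than "safe". The `purl` is the join key; a CSAF product with no purl falls back to its opaque product_id and will not match any SBOM component.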
dpk review: Approve this PR, work on CSAF text for a future PR.
I'm reading the README file on @sparrell's fork / vex0 branch for simplicity / clarity. Notes:
Neither of which is a reason not to merge this material into the PACE repo, so 👍 from me.
This sets the stage for the VEX flag use cases.