openvex / spec

OpenVEX Specification
Creative Commons Zero v1.0 Universal

Ability to refer back to an SBOM? #28

Closed rnjudge closed 1 year ago

rnjudge commented 1 year ago

Is there currently a way for openvex to refer back to an SBOM? Right now it is common that you might refer to an openvex document from an SBOM, but does openvex support the inverse relationship?

jspeed-meyers commented 1 year ago

I'm also curious. I reviewed the spec, especially the document struct fields, and did not see a field that ties an OpenVEX VEX document to an SBOM. Hmmm...

@puerco or @luhring, any thoughts?

puerco commented 1 year ago

Rose can you explain a bit more how you imagine this working?

I'm thinking to draft a proposal to expand product similar to this idea in the vulnerability field, this would let it use IRIs to point to elements in other documents, but perhaps you are thinking something else.

There has been a ton of feedback on the product field and I want to capture all needs and ideas in the next proposal to improve it

rnjudge commented 1 year ago

I'm thinking of the security-focused SBOM consumers who care more about CVEs than the actual contents of an SBOM (like license, etc). I see them having a VEX that they focus on and update as CVEs get fixed or are not applicable. Their primary document will be the VEX but they'll want a way to link the CVEs in a VEX back to a product SBOM (because they still need the SBOM to check the box). If there's no way to meaningfully link an SBOM to a VEX from openvex, they'll have to manage this relationship themselves. I'm thinking they would probably use something like the SPDX ID of the SBOM to make this reference somewhere in their openvex document?

In discussions in the implementers call yesterday, referring to an SBOM from an openvex document was seen as an important requirement for the folks there.

puerco commented 1 year ago

To anyone following: this is one of the issues that went into the just-released v0.20 spec revision. The product field in the vex statement now takes an IRI which can point to components in SBOMs. This can make the vex statement rely 100% on an entry in an external document.

The next release of the OpenVEX tooling will have strong support to read SBOMs as part of the document VEX processing logic. It will make use of these new fields. Thanks for pointing this out @rnjudge :)
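As an added illustration of the resolution described in the last comment (VEX statement product `@id` as an IRI pointing at a component in an external SBOM), the following Python is not part of this thread or of the OpenVEX tooling. It assumes the OpenVEX v0.2.0 document layout (`statements[].products[].@id`) and an SPDX 2.x JSON SBOM addressed by `<document URL>#<SPDXID>`; the SBOM, the VEX document, the URLs and the CVE names are all constructed placeholders. A consumer that walks a VEX this way should treat references it cannot resolve as a finding in their own right rather than dropping them, since an unresolvable product means the statement does not demonstrably describe anything in the SBOM you hold.

```python
from urllib.parse import urldefrag

# Constructed SPDX-style SBOM, keyed by the location a VEX IRI would use.
# Minimal and for illustration only; not a real document.
SBOMS = {
    "https://example.com/sboms/myapp.spdx.json": {
        "spdxVersion": "SPDX-2.3",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "myapp",
        "packages": [
            {
                "SPDXID": "SPDXRef-Package-libfoo",
                "name": "libfoo",
                "versionInfo": "1.2.3",
                "externalRefs": [
                    {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                     "referenceLocator": "pkg:deb/debian/libfoo@1.2.3"}
                ],
            },
            {"SPDXID": "SPDXRef-Package-libbar", "name": "libbar",
             "versionInfo": "4.5.6", "externalRefs": []},
        ],
    }
}

# Constructed OpenVEX document. Field names follow the OpenVEX v0.2.0 layout as
# assumed here (products[].@id carrying an IRI); the @id, author and CVE names
# are placeholders, not real identifiers.
VEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/myapp-example.json",
    "author": "Example Security Team",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {
            "vulnerability": {"name": "CVE-0000-0001"},  # placeholder CVE
            "products": [
                {"@id": "https://example.com/sboms/myapp.spdx.json#SPDXRef-Package-libfoo"}
            ],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
        {
            "vulnerability": {"name": "CVE-0000-0002"},  # placeholder CVE
            "products": [
                # Points at an SPDXID the SBOM does not contain: must be surfaced.
                {"@id": "https://example.com/sboms/myapp.spdx.json#SPDXRef-Package-missing"}
            ],
            "status": "affected",
        },
    ],
}


def resolve_product(iri, sboms):
    """Split a product IRI into SBOM locator and fragment, then look the
    fragment up as an SPDXID inside that SBOM. Returns the package dict or None."""
    base, fragment = urldefrag(iri)
    doc = sboms.get(base)
    if doc is None or not fragment:
        return None
    for pkg in doc.get("packages", []):
        if pkg.get("SPDXID") == fragment:
            return pkg
    return None


def link_vex_to_sboms(vex, sboms):
    """Walk every statement/product pair. Resolvable products are returned as
    records joining the VEX status to the SBOM component; products that cannot
    be resolved are returned separately so a consumer can flag them."""
    resolved, unresolved = [], []
    for stmt in vex["statements"]:
        vuln = stmt["vulnerability"]["name"]
        for product in stmt["products"]:
            iri = product["@id"]
            pkg = resolve_product(iri, sboms)
            if pkg is None:
                unresolved.append((vuln, iri))
                continue
            resolved.append({
                "vulnerability": vuln,
                "status": stmt["status"],
                "sbom": urldefrag(iri).url,
                "spdxid": pkg["SPDXID"],
                "name": pkg["name"],
                "version": pkg["versionInfo"],
            })
    return resolved, unresolved


if __name__ == "__main__":
    ok, missing = link_vex_to_sboms(VEX, SBOMS)
    for rec in ok:
        print(f"{rec['vulnerability']}: {rec['status']} for {rec['name']}@{rec['version']} ({rec['spdxid']})")
    for vuln, iri in missing:
        print(f"WARNING {vuln}: product {iri} not found in any known SBOM")
```

Run as-is it prints one joined record for libfoo and one warning for the dangling reference. Keying the SBOM set by document URL mirrors how the IRI in the product field is meant to be dereferenced; a real consumer would fetch and verify the SBOM at that URL (or from a local store) before trusting the join.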