spdx / spdx-3-model

The model for the information captured in SPDX version 3 standard.
https://spdx.dev/use/specifications/

SSVC question #439

Open aamedina opened 1 year ago

aamedina commented 1 year ago

I experimentally derived an RDF model from the JSON schemas for SSVC here: https://github.com/aamedina/ssvc/blob/main/resources/ssvc.ttl

How do you suggest I link a SPDX 3 SBOM to a computed SSVC score using a model other than the CISA coordinator? There are supplier and deployer roles as well. Each stakeholder could use a different versioned decision tree that is used to compute the SSVC decision at a specific point in time and being able to reference the exact decision model used is critical.

goneall commented 1 year ago

@sbarnum - bringing you into this as someone intersecting RDF and security. Any thoughts?

goneall commented 9 months ago

Moving to the 3.0 milestone consistent with other RDF related issues

sbarnum commented 7 months ago

We may need to bring someone into this discussion who has been involved in the security working group all along. I was participating with the security WG early on helping to establish the fundamental approach of the various in-scope assessment types as subclasses of relationship between a Vulnerability and some particular software, and its applicability for CVSSv2, CVSSv3, CVSSv4, EPSS, ExploitCatalog, SSVC, and VEX. Unfortunately, I was unable to dedicate the cycles to stay engaged there over the last several months and so do not have context for how/why things evolved after I disengaged. Looking at the current model it looks like the Security WG made 2 key decisions regarding SSVC assessment assertions: 1) focus only on the base CISA/CMU decision model, 2) capture and express only the resulting SSVC decision and not the details of the model, the nature of the decision tree used, or the data used in the calculation.
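To make concrete what the second of those decisions means for a consumer, here is an added example (not code from the SPDX project or from anyone in this thread). It builds SSVC assessments in the shape described above: a relationship from a Vulnerability to the assessed software that carries only the resulting decision. Type and property names follow the SPDX 3.0 security profile (`security_SsvcVulnAssessmentRelationship`, `relationshipType` `hasAssessmentFor`, `security_decisionType` with the values `act`, `attend`, `track`, `trackStar`). The two decision trees, the model identifiers and every `urn:example:` id are constructed for illustration; the trees are toy tables, not the real CISA/CMU trees.

```python
"""Added example: SPDX 3 style SSVC assessments from two versioned trees.

Not code from the SPDX project.  Type/property names follow the SPDX 3.0
security profile; the decision trees, model ids and spdxIds are constructed.
"""
from __future__ import annotations

import json

SSVC_DECISIONS = frozenset({"act", "attend", "track", "trackStar"})

# A decision tree as plain data: (exploitation, automatable, technical impact)
# -> decision.  Both are CONSTRUCTED toy models, not the real CISA trees.
# v2 deliberately differs from v1 on one path, so the same inputs give a
# different decision depending on which tree version a stakeholder used.
DEPLOYER_TREE_V1 = {
    ("active", "yes", "total"): "act",
    ("active", "no", "total"): "attend",
    ("poc", "yes", "total"): "attend",
    ("poc", "no", "partial"): "track",
    ("none", "no", "partial"): "track",
}
DEPLOYER_TREE_V2 = {**DEPLOYER_TREE_V1, ("poc", "yes", "total"): "act"}

# Hypothetical registry of versioned decision models (identifiers are made up).
DECISION_MODELS = {
    "deployer-tree-v1": DEPLOYER_TREE_V1,
    "deployer-tree-v2": DEPLOYER_TREE_V2,
}


def evaluate(model_id: str, exploitation: str, automatable: str, impact: str) -> str:
    """Look up the named decision tree and return the SSVC decision."""
    tree = DECISION_MODELS[model_id]
    key = (exploitation, automatable, impact)
    if key not in tree:
        raise KeyError(f"{model_id} has no outcome for {key}")
    return tree[key]


def ssvc_assessment(spdx_id: str, vuln_id: str, software_id: str,
                    decision: str, supplied_by: str, published: str) -> dict:
    """Return the SPDX 3 style assessment element for one decision.

    Note what is absent: nothing here names the decision model, its version,
    or the decision-point values that produced `decision`.
    """
    if decision not in SSVC_DECISIONS:
        raise ValueError(f"not an SSVC decision: {decision!r}")
    return {
        "type": "security_SsvcVulnAssessmentRelationship",
        "spdxId": spdx_id,
        "relationshipType": "hasAssessmentFor",
        "from": vuln_id,
        "to": [software_id],
        "security_decisionType": decision,
        "suppliedBy": [supplied_by],
        "publishedTime": published,
    }


def assessments_for(vuln_id: str, software_id: str, inputs: tuple[str, str, str],
                    stakeholders: dict[str, str]) -> list[dict]:
    """One assessment per stakeholder, each computed with its own model version."""
    out = []
    for n, (agent, model_id) in enumerate(stakeholders.items(), start=1):
        decision = evaluate(model_id, *inputs)
        out.append(ssvc_assessment(
            spdx_id=f"urn:example:ssvc-assessment-{n}",  # constructed id
            vuln_id=vuln_id, software_id=software_id, decision=decision,
            supplied_by=agent, published="2024-01-01T00:00:00Z"))
    return out


if __name__ == "__main__":
    # Constructed ids: one vulnerability, one package, two deployers who
    # evaluated the same decision-point values with different tree versions.
    rows = assessments_for(
        "urn:example:vuln-1", "urn:example:pkg-1", ("poc", "yes", "total"),
        {"urn:example:deployer-a": "deployer-tree-v1",
         "urn:example:deployer-b": "deployer-tree-v2"})
    print(json.dumps(rows, indent=2))
```

Running it prints two assessment elements for the same vulnerability and package, one saying `attend` and one saying `act`. Apart from `suppliedBy`, nothing in either element tells a consumer which tree version produced the decision or what inputs went into it; that link would have to be carried out of band, or in an extension of the kind discussed later in this thread.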

aamedina commented 7 months ago

Best to focus on the minimum requirements for SSVC for SPDX. In the end, I think the semantic web model can open the doors to more complex SSVC decision tree models independently; that shouldn't be a blocker for the SPDX model.

goneall commented 7 months ago

> We may need to bring someone into this discussion who has been involved in the security working group all along.

@puerco @jeff-schutt - Any thoughts? I'm also scheduling a R.T. call to discuss RDF issues in general - would you be available to join in the discussion?

goneall commented 6 months ago

@aamedina - Do you think a solution for this issue would create a breaking change for SPDX? If not, I'll move this to the 3.1 release.

sbarnum commented 5 months ago

Based on the current structures in the security profile and the discussion above I strongly believe that this issue is out of scope for 3.0.

I think it MAY be possible to extend the current structure to be able to convey details of the model and decision tree used in a backward compatible manner but will require careful design to do so. I currently assert no personal opinion on whether or not such an extension should be pursued. I believe such a decision should be driven by whether or not we see real-world need for such a capability in SPDX 3.x adoption.

jeff-schutt commented 5 months ago

> Best to focus on the minimum requirements for SSVC for SPDX. In the end, I think the semantic web model can open the doors to more complex SSVC decision tree models independently; that shouldn't be a blocker for the SPDX model.

This was the intent of the initial iteration. Good to see agreement with the minimal approach.

rnjudge commented 5 months ago

@sbarnum @aamedina - sounds like we can move this to 3.1?