I apologize, but I haven't been very active in CSAF lately. I've been spending more of my time on the software transparency working group set up by the NTIA. See https://www.ntia.gov/sbom for more about software bill of materials (SBOM) or https://www.ntia.gov/SoftwareTransparency for the process we are following.
A particular problem of the SBOM group is communicating that a specific product is not affected/exploitable by a given vulnerability; we are calling this "Vulnerability Exploitability eXchange," or VEX. This will be important to minimize false positives in a world of widespread SBOM use. The SBOM group is looking at CVRF/CSAF for VEX, but has some hesitancy since none of the transparency attendees have CSAF knowledge. We think CVRF can convey this, but it would be very helpful to have some people who know the standard, and also have input on some more precise definitions and other extensions (e.g. 1. we would like to be more precise on what "not affected" means and 2. make sure suppliers can easily implement or add on integrity mechanisms to these messages). They asked me because I did attend CSAF early on and I am a member of the TC (so I'm allowed to post to this list). However, I'm too out of touch to be able to help much and I'm asking if any of you would be able to help. The VEX subgroup meets Wednesdays 1-2 and I've included Allan Friedman on the cc. Allan is the overall lead at NTIA for the software transparency effort and he would provide the meeting info if anyone could attend.
I notice that there are companies that are active in both groups, even if there are no individual overlaps. I'm hoping some of you might get together intracompany and help cross-fertilize. I notice that 3 of the 14 voting members of the TC are from Cisco and that Eliot Lear of Cisco (cc'd on this) is very active in SBOM and VEX. Similarly, two of the voting members are from Siemens, and Jim Jacobson of Siemens co-chairs the SBOM Healthcare Working Group (which is very interested in using VEX in the next phase of the proof of concept underway). Similarly, many of the companies involved in VEX/SBOM are already OASIS members, so I will try to talk them into joining the CSAF TC so the dialog can be two-way and I don't have to play middleman.
Please let Allan and myself know if (1) you think your specifications could help our software transparency needs and if so, (2) who might be able to help us.
Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize
I welcome VSRE emails. Learn more at http://vsre.info/