OASIS OpenEoX TC

  • 1.  An attempt for marking cpe End-of-Support in CVE Quality Working Group

    Posted 11-18-2024 14:04

    Hi all,

    I'm involved in the CVE Quality Working Group. This is an FYI about an attempt related to End-of-Support there.

    There is a need for new CVE JSON schema to provide CPE. In addition to that, there is one proposal for adding a tag for CPE to indicate that a CPE is End-of-Support. In the CVE Quality Working Group meeting last week, I shared the OpenEoX URL, emphasizing that EoX is a standalone issue and that the CVE JSON schema should provide the reference URL to EoX (hopefully to OpenEoX in the future), and encouraged the interested stakeholders to participate in OpenEoX.

    After a long debate, this proposal was adjourned as there weren't enough votes for it now.

    Hopefully OpenEoX has better visibility so that there wouldn't be any duplicated efforts.

    Thanks,

    --Feng



    ------------------------------
    Feng Cao
    Principle Security Analyst
    Oracle
    ------------------------------


  • 2.  RE: An attempt for marking cpe End-of-Support in CVE Quality Working Group

    Posted 11-18-2024 14:22
    Thanks Feng for bringing this to our attention.

    The end of life / end of support topic is discussed in many places.
    There is an ongoing discussion regarding this in the CISA SBOM/VEX working group.
    There are some suggestions to add EoL metadata to the SBOM file.

    It can be a good topic to discuss during our meeting this week.

    Best,
    Rogue

    Przemyslaw Roguski

    Principal Product Security Engineer

    Red Hat

    email: proguski@redhat.com
    nickname: Rogue