OASIS Common Security Advisory Framework (CSAF) TC


Draft for SBOM matching system interface

  • 1.  Draft for SBOM matching system interface

    Posted 04-23-2025 02:26
    Hi everyone, 

    I just wanted to make everyone aware that I have added a draft PR for community guidance on how to implement an SBOM matching system in order to match between CSAF and SBOM. The matching itself is based on a confidence level, since we are trying to match different values in a CSAF document to different values in various SBOM formats, and the confidence of that match might differ depending on the semantics of the matched value.

    Feel free to have a look here: https://github.com/oasis-tcs/csaf/pull/953. There is also an implementation of that guidance available in https://github.com/csaf-sbom/kotlin-csaf.

    Thomas suggested that we should discuss this in one of the later TC meetings, where we have the forced "hiatus" once the 2.1 draft is in the corresponding review phase.

    BR,

    Christian