THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Technical Team/2018-12-4
From SPDX Wiki
December 4, 2018
Contents
Attendees
- Gary O'Neall
- James Neushul
- Alexios Zavras
SPDX Model Updates for SEVA fields
- Discussed the vulnerability relationship to SpdxItem, Package, and File
- Most vulnerabilities will be associated with package
- NIST NVD’s can only be associated with packages
- There are some scanners that will associate vulnerabilities with files
- Agreed that we should associate the vulnerability to Item so that it can apply to both Package and File
- vulnerability information is optional (0 to many)
- Most vulnerabilities will be associated with package
SEVA Vulnerability inclusion in SPDX
- Most of the information is based on the NIST NVD definitions
- Modeled after the definition documentation
- A schema for the NVD which includes all of the details (e.g. scoring) does not exist (or at least we could not find one)
- Names do not match the NVD names to support distinguishing an official NVD schema if one to be found or produced
- Reviewed the SPDX-SECURITY schema at https://spdx-ccm.specchain.org/xsdccm/home
- There is also an SPDX-SEC-ISM schema which includes classification information (ISM)
- We agreed that the ISM information would be valuable to commercial use, but can be a separate decision from the vulnerability information
- Discussed whether we should include all of the detail present in the SEVA document in the SPDX document or should we somehow reference an external document
- There are a large number of fields to be reviewed
- We are not vulnerability experts, and may not have the background to decide on a model and tools of our own
- Agreed we should reference an external document
- We agreed that the vulnerability information should be included
- We discussed having a “proposal” or “working draft” similar to the W3C for the external document
Next Steps in Vulnerability inclusion in SPDX
- Gain a larger consensus on referencing an external document for vulnerabilities
- Draft the external document reference language
- Discuss / agree on the external reference content
Documentation for SPDX including SEVA
- James provided a document
- Produced from the XML document
- Extension to allow security classifications for each element (e.g. confidential)
- Uses ISM schema
- Discussion on approach
- Document in sections vs get experience with proposed sections prior to specifying
- Document in sections first is the traditional approach for SPDX, may have “culture shock” switching to a more prototyping approach
- Danger in specifying first – may create implementation challenges and may create specs that are not widely used
- Discussion on scope and prioritization
- Large scope – many new sections and properties
- Suggestion to prioritize by importance and ease of standardization
- Discussion on the modeling
- Agreed modeling will be helpful
- Plan going forward:
- Next week Mathew will review some of the new sections/areas being proposed and help prioritize which areas would be most useful
- Next week’s call will focus on the use cases / prioritization
- In 2 weeks, Gary will propose an update to the model which will include the higher priority areas/sections