[2.3] Annex K - Fix bullet list rendering issue + JSON code highlight #1114

Draft
wants to merge 1 commit into
base: support/2.3
38 changes: 19 additions & 19 deletions chapters/how-to-use.md
Expand Up @@ -2,23 +2,24 @@

## K.1 Including security information in a SPDX document

SPDX 2.x has the concept of an External Reference for a Package to "reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package."
SPDX 2.x has the concept of an External Reference for a Package to "reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package."

The specification for External Reference identifiers (Annex F) has four defined categories:
- Security: CPE, SWID tag identifier, or reference to security information

- Security: CPE, SWID tag identifier, or reference to security information
- Package-Manager: package identifier and locator
- Persistent-id: identifier which is guaranteed to remain stable (persistent) over time
- Persistent-id: identifier which is guaranteed to remain stable (persistent) over time
- Other: Use if none of the above match your use case

This section provides usage scenarios of how to leverage the Security and Persistent-id category external references specified above to refer to external security information. A complete SPDX document using these can be found in the examples directory within the SPDX code repository. Multiple instances and types of external security information may be included within a SPDX document.

Note that identifiers (e.g. CPE, GitBOM, SWID) are spread throughout Annex F and sometimes locators refer to identifiers.
Note that identifiers (e.g. CPE, GitBOM, SWID) are spread throughout Annex F and sometimes locators refer to identifiers.

### K.1.1 Linking to an advisory

Including a reference to a Common Vulnerabilities and Exposures (CVE) advisory applicable to a package is shown in the example below. A SPDX creator should include current publicly known vulnerabilities at the time of document creation. SPDX consumers should always assume vulnerabilities enumerated by a SPDX creator to be out-of-date.

```
```json
"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://nvd.nist.gov/vuln/detail/CVE-2020-29573",
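Review bot: the blank line inserted between "The specification for External Reference identifiers (Annex F) has four defined categories:" and the first "- Security:" bullet is the actual rendering fix (CommonMark-style renderers need a blank line before a list that follows a paragraph), but this hunk also marks the "SPDX 2.x has the concept of an External Reference ...", "- Persistent-id: ..." and "Note that identifiers (e.g. CPE, GitBOM, SWID) ..." lines as changed although their old and new text read identically here; please confirm those are whitespace-only edits (trailing spaces or line endings) and say so in the commit message so reviewers of support/2.3 do not have to diff them by eye. The fence change from ``` to ```json is fine for highlighting, with one caveat worth remembering: every block in this file is a fragment that opens with "externalRefs" : [ { rather than a complete JSON document, so if a docs check that validates fenced json blocks is ever added it will reject all of them.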
Expand All @@ -40,7 +41,7 @@ Including a reference to a Common Vulnerabilities and Exposures (CVE) advisory a
To learn how to reference to [CSAF](https://docs.oasis-open.org/csaf/csaf/v2.0/cs01/csaf-v2.0-cs01.html) formatted security information
applicable to a package see the example below, and additional examples here and here.

```
```json
"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/examples/csaf/csaf_vex/2022-evd-uc-01-a-001.json",
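Review bot: the context line "applicable to a package see the example below, and additional examples here and here." has no link target on either "here", so the sentence sends the reader nowhere; since this PR already touches this block, consider linking the two CSAF examples or dropping the clause.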
Expand All @@ -52,7 +53,7 @@ applicable to a package see the example below, and additional examples here and

To reference to [CycloneDX](https://cyclonedx.org) formatted security information applicable to a package see the example below.

```
```json
"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://raw.githubusercontent.com/CycloneDX/bom-examples/ed522d1f051c364e045b87c20665003a0c4ea777/SBOM/laravel-7.12.0/bom.json",
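Review bot: "To reference to [CycloneDX](https://cyclonedx.org) formatted security information" in the context line has a doubled preposition; "To reference [CycloneDX] ..." would match the wording of the surrounding sections (the same "To reference to" appears in the GitBOM paragraph further down).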
Expand All @@ -64,7 +65,7 @@ To reference to [CycloneDX](https://cyclonedx.org) formatted security informatio

To learn how to include a reference to [Open Source Vulnerability](https://github.com/google/osv) (OSV) formatted security information applicable to a package see the example below.

```
```json
"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://github.com/github/advisory-database/tree/6b9d5bc96a62bb845ee71e4551a214eb1457e2c6/advisories/github-reviewed/2022/04/GHSA-2gwj-7jmv-h26r/GHSA-2gwj-7jmv-h26r.json",
Expand All @@ -76,7 +77,7 @@ To learn how to include a reference to [Open Source Vulnerability](https://githu

To reference to [GitBOM](https://gitbom.dev) formatted security information applicable to a package see the example below.

```
```json
"externalRefs" : [ {
"referenceCategory" : "PERSISTENT-ID",
"referenceLocator" : "gitoid:blob:sha1:d8bcd58df2b14818b8237bb70c979d62c7df5747",
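Review bot: the GitBOM example locator gitoid:blob:sha1:d8bcd58d... is correctly placed under PERSISTENT-ID, but a one-line caveat would help consumers of this annex: a gitoid built on SHA-1 is only as collision-resistant as SHA-1, so two matching sha1 gitoids should not be treated as proof of identical content where an attacker could have chosen the inputs; GitBOM/OmniBOR also define a sha256 variant that avoids this. This is a suggestion for the text, not a required change for a rendering PR.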
Expand All @@ -95,7 +96,7 @@ To reference to [GitBOM](https://gitbom.dev) formatted security information appl

To express a reference to a vulnerability disclosure document for a package such Cisco’s response to Apache log4j vulnerability.

```
```json
"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd",
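Review bot: the context line "To express a reference to a vulnerability disclosure document for a package such Cisco’s response to Apache log4j vulnerability." is missing "as" and "the" ("such as Cisco's response to the Apache Log4j vulnerability") and has no main clause; ending it with "see the example below" would match the other sections.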
Expand All @@ -105,7 +106,7 @@ To express a reference to a vulnerability disclosure document for a package such

To communicate that a package is not vulnerable to a specific vulnerability it is recommended to reference a web page indicating why given vulnerabilities are not applicable.

```
```json
"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://example.com/product-x/security-info.html",
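Review bot: the "not vulnerable" paragraph recommends a web page, while the same file already shows machine-readable forms of the same statement (the CSAF example above points at a csaf_vex document, and the VDR example later in this file); a cross-reference from this paragraph to those would stop readers from assuming an HTML page is the only option.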
Expand All @@ -115,7 +116,7 @@ To communicate that a package is not vulnerable to a specific vulnerability it i

To refer to a security disclosure feed, such as the security bulletins from [CERT-EU](https://cert.europa.eu).

```
```json
"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://cert.europa.eu/cert/Data/newsletter/reviewlatest-SecurityBulletins.xml",
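Review bot: "To refer to a security disclosure feed, such as the security bulletins from [CERT-EU](https://cert.europa.eu)." is a sentence fragment in the context line; append "see the example below" as the other sections do.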
Expand All @@ -128,7 +129,7 @@ To refer to a security disclosure feed, such as the security bulletins from [CER
To reference a code fix for a security issue applicable to a package see the example below.
In this example, the link points to a specific code revision containing the fix for [CVE-2020-28498](https://nvd.nist.gov/vuln/detail/CVE-2020-28498).

```
```json
"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f",
Expand All @@ -138,7 +139,7 @@ In this example, the link points to a specific code revision containing the fix

A fix reference may point to a configuration change for example the patch file as one of the fixes for [CVE-2022-26499](https://nvd.nist.gov/vuln/detail/CVE-2022-26499).

```
```json
"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://downloads.digium.com/pub/security/AST-2022-002-16.diff",
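Review bot: the context line "A fix reference may point to a configuration change for example the patch file as one of the fixes for [CVE-2022-26499]..." needs punctuation to parse: "a configuration change, for example the patch file that is one of the fixes for CVE-2022-26499".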
Expand All @@ -149,7 +150,7 @@ A fix reference may point to a configuration change for example the patch file a
Alternatively, it may also link to a landing page with patches for a variety of products such as
Oracle patch information for [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228).

```
```json
"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://www.oracle.com/security-alerts/cpujan2022.html",
Expand All @@ -161,7 +162,7 @@ Oracle patch information for [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/C

If you want to reference any security information related to a package but cannot or do not wish to specify its kind, use the `url` referenceType.

```
```json
"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://github.com/christianlundkvist/blog/blob/aa3a69b5e4c06e4435070610c0c4a2b1e8731783/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md",
Expand All @@ -171,7 +172,7 @@ If you want to reference any security information related to a package but canno

One can also use it to refer to guidance related to a vulnerability such as CISA guidance for Apache Log4j.

```
```json
"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance",
Expand All @@ -187,7 +188,7 @@ This enables a software producer to articulate to software consumers the status

Providing a link to such data at the time the SBOM is published provides a pointer for where to find this relevant vulnerability information without promulgating vulnerability information inside the SBOM. This is advantageous because the vulnerability information has a short shelf-life (it will change frequently) while the SBOM component data isn’t likely to change if the software has not changed.

```
```json
"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://github.com/rjb4standards/REA-Products/blob/master/SBOM_and_VDRbaseline/sag-pm-118_VDR.json",
Expand All @@ -213,7 +214,6 @@ US Executive Order 14028 in conjunction with the National Telecommunications and
| Relationship | Characterizing the relationship that an upstream component X is included in software Y. |
| Timestamp | Record of the date and time of the SBOM data assembly. |


### K.2.2 Mapping NTIA Minimum Elements to SPDX Fields

The SPDX Specification contains fields able to address each of the NTIA minimum required data fields.