Re: [open-regulatory-compliance] CRA Standardisation request
On 2025-02-18 10:14:47 -0500 (-0500), Dick Brooks wrote:
[...]
> Consumers need SBOMs in order to monitor for vulnerability risk in their
> running ecosystems, so they can take mitigating action as needed.
> An SBOM empowers consumers to monitor for vulnerabilities in products as new
> vulnerabilities are reported. Only the original software producer can answer
> the question authoritatively if a vulnerability affects their products and
> that information is provided in a "Security Advisory" (i.e. CSAF profile 4)
> and an online living Vulnerability Disclosure Report (VDR) that the software
> producer maintains.

I'm starting to get the impression that one of us doesn't understand
what an SBOM is for, and maybe that someone is me.

Let's say you, as a consumer, install a pure-Python open source
project from PyPI, e.g. https://pypi.org/p/bindep which has no
compiled extensions. Would you expect that package to contain an
SBOM, and if so what would go in it? Should the package state that
it contains only the program it packages and nothing else?

Let's say you, as a consumer, install the same project from its
upstream Git repository at https://opendev.org/opendev/bindep rather
than retrieving a package. Would you expect that Git repository to
contain an SBOM, and if so what would go in it? Should the
repository state that it contains only itself?

Should every open source project add (often empty or one-line) SBOMs
to their revision control systems and source distributions?

I would posit that your "only the original software producer can
answer the question authoritatively if a vulnerability affects their
products" is incorrect, and you are conflating the original software
producer with downstream distributors who supply compiled,
integrated or aggregated versions of that software to their
customers as part of some product. Only the manufacturer of the
product that contains that software knows how it was compiled,
patched or altered in order to incorporate it into their product, so
only they can answer the question authoritatively if a vulnerability
affects their products. As an upstream software maintainer I lack
the visibility into their products, any relationship with their
customers, and hence responsibility for that.
--
Jeremy Stanley