Hi!

We had started a discussion about having vulnerability information made available alongside SBOM information in the draft. In the last part of this discussion, people became concerned that the two concepts would become intermixed. They are, to be sure, related, but one can be provided without the other.

What I propose is to introduce both concepts to explain both their independence and inter-relation, and then create optional elements for both.

To be clear, one can provide an SBOM and not vulnerability information. One can provide vulnerability information and not an SBOM. One can provide both.

The same approach will be taken for both: format neutral.

Ok?

Eliot


Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg