I was pleased to see in my LinkedIn feed this morning a post from Alec Summers of MITRE containing a link to a “CVE Data Usage and Satisfaction Survey”, which closes on April 4. I was even more pleased when I went to the survey and found it only asks non-wonky questions that should mostly be understandable by casual users of CVE information (which probably includes a large percentage of people in the worldwide cybersecurity community).
The survey is very well thought out. I recommend you fill it out. I especially recommend that you indicate on questions 14, 16 and 19 that you wish to see purl implemented in the CVE Record Format. While purl is present in the format now, it seems that whoever did that thought it’s a format for expressing versions, like semver. Thus, even though someone might enter a purl in a CVE record now, it won’t be usable.
Speaking of purl, I’ve retitled and revised the post I put up a few days ago on the OWASP SBOM Forum’s proposal to enable implementation and use of purl in the CVE “ecosystem”. Please take a look at that.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
My book "Introduction to SBOM and VEX" is available in paperback and Kindle versions! For background on the book and the link to order it, see this post.