2017-07-10 Meeting

Scheduled for July 10th 2017 at 8am PST.

Zoom video conference link: https://docker.zoom.us/j/226725723


  • Review goals of group for new attendees.
  • approx. 15-20 minute presentation on SPDX, a Linux Foundation effort to standardize the communication of components, licenses, and copyrights associated with software.
  • Q&A on SPDX
  • Review of 2nd draft of report format.
  • CFP for future presentations on relevant topics.
  • Schedule next meeting.


1 Like

Some SPDX materials:


  • Great overview from Yev on SPDX (slides kindly provided immediately above).
    • What and how much should we use from SPDX?
    • It seems like it could replace pretty much the entire currently proposed format, is that desirable? Would it have restrictions that prevent use cases being met?
    • Should probably adopt the SPDX license names - https://spdx.org/licenses/
  • Review of 2nd draft of report format
    • just use the single composed string value for CPEs
  • Blackduck offered to give a deep dive in the future on how CVSS scores are calculated.
  • Next meeting scheduled for 2017-07-31, will focus on use cases for scan reports

The SPDX presentation was great. We can definitely borrow a lot, at the very least, and there seems to be strong overlap of interests.

I updated the draft specification. I made cpes an array because there are multiple versions of this specification as well. Score should be an array, as there could be many of them, and I added scoring metrics.

One thing that’s a bit awkward about this design is that vulns will often reference CVEs which reference CPEs, but we’re putting CPE above vulns in our model. I think it makes sense, because while CVEs can relate to many products (CPEs), an entry in the BoM is by definition only part of one.

There’s a note that the next meeting is scheduled for 31 July, just wanted to confirm whether it’s 8am PST again?

Yes it is. I have your email now so I’ll add you directly to the invitation.