Add weakness enumeration to SPDX #102

Closed
goneall opened this issue Dec 12, 2018 · 4 comments · Fixed by spdx/spdx-3-model#711
Labels
enhancement security Adding Security Relevant information to SPDX

@goneall
Member

goneall commented Dec 12, 2018

In the SPDX general meeting on 6 Dec 2018, Mark Baushke requested we add the weakness enumeration in the SPDX security data: https://cwe.mitre.org/

kestewart added enhancement security Adding Security Relevant information to SPDX labels Jan 8, 2019
kestewart added this to the 2.2 milestone Jan 8, 2019
kestewart modified the milestones: 2.2, 3.0 Mar 10, 2020
@kestewart
Contributor

Based on discussion in weekly call, deferring this to 3.0 so it aligns better with base + security profile discussions.

@goneall
Member Author

goneall commented Apr 4, 2024

@jeff-schutt @puerco - is this in the current security profile? If not, should we add this to a 3.1 milestone?

@jeff-schutt

@goneall CWE is not there today, and it seems like a reasonable recommendation. Many security advisories link the CVE to a CWE. We can investigate further in the security profile.

@rnjudge
Contributor

rnjudge commented Apr 10, 2024

Per discussion in the security call today, Jeff is going to add cwe as an externalIdentifierType.

rnjudge modified the milestones: 3.0, 3.1 Apr 10, 2024
rnjudge added a commit to rnjudge/spdx-3-model that referenced this issue Apr 10, 2024
Per discussion in the April 10 Security call, this commit adds cwe
(common weakness enumeration) as an ExternalIdentifierType.

Closes spdx/spdx-spec#102

Signed-off-by: Rose Judge <[email protected]>
rnjudge added a commit to rnjudge/spdx-3-model that referenced this issue Apr 11, 2024
Per discussion in the April 10 Security call, this commit adds cwe
(common weakness enumeration) as an ExternalRefType.

Closes spdx/spdx-spec#102

Signed-off-by: Rose Judge <[email protected]>
goneall pushed a commit to spdx/spdx-3-model that referenced this issue Apr 13, 2024
Per discussion in the April 10 Security call, this commit adds cwe
(common weakness enumeration) as an ExternalRefType.

Closes spdx/spdx-spec#102

Signed-off-by: Rose Judge <[email protected]>