Add support for OmniBOR Artifact IDs. #396

Open
wants to merge 2 commits into
base: develop

@alilleybrinker alilleybrinker commented Apr 1, 2025

(Depends on #391; will need to be rebased on develop if/when that is merged, before this can be merged)

Introduce support for OmniBOR Artifact IDs in the CVE record format.

For more background on the topic of software identification, review CISA's "Software Identification Ecosystem Option Analysis" paper.

Warning

When reviewing, focus on the last commit. This is a "Stacked PR," on top of #391, but GitHub shows both the commit making the cpeApplicability structure generic (from #391) and the commit adding OmniBOR Artifact IDs (the part we care about here), when you click "Files changed" at the top of the PR, making review harder.

alilleybrinker and others added 2 commits April 1, 2025 15:30
This "renames" (not actually a rename, see below) the existing
"cpeApplicability" structure and its children from CPE-specific names
to generic names. For example, "cpeApplicability" becomes "applicability."

This is intended to permit future record format updates to add support for
additional kinds of software identifiers. This change itself does not add
any new kinds of software identifiers.

The prior "cpeApplicability" structure remains entirely supported, though
CNAs and any future ADPs enriching with software ID information should be
encouraged to use the more expressive new "applicability" structure instead,
and use of both at the same time should be treated as an error to avoid
ambiguity.

Signed-off-by: Andrew Lilley Brinker <alilleybrinker@gmail.com>
Signed-off-by: Andrew Lilley Brinker <abrinker@mitre.org>