
Binary Use Case

Software Producer

Wabbit Networks frequently releases their Net Monitor software. Their software is distributed as container images and loose binaries for Linux and Windows servers. They maintain multiple versions of their software, while releasing patched versions.

Wabbit Networks provides SBOMs and VEX reports, with a Vendor Response File (VRF), for each of their releases. They occasionally need to issue new versions of the VRF, as well as updated VEX reports, because even while the software remains unmodified, the vulnerability landscape and Wabbit Networks’ understanding of it are constantly evolving.

The Net Monitor Release Page

Because of the number of versions, platforms, architectures and product lines involved, companies and projects typically use marketing-based navigation to guide users to the right download. The matrix below is a visual representation of a common matrix of the kind reached through such marketing links.

Versions and Patched Releases:

  • For each major release (1.0.0, 2.0.0, 3.0.0), there is a set of minor feature releases (1.1.0, 1.2.0), each with potential patch releases (1.0.1, 1.0.2).
    Note: Vendors and projects use various forms of versioning, including SemVer, CalVer and others. SCITT must support any versioning scheme a producer wishes to use.
  • In the examples below, not all platforms have patches for every major or minor release.

Questions for Producers

When software producers wish to publish additional information for their products, how can they:

  • Let consumers know the most recently patched version for a specific platform/architecture release?
  • Let consumers know a new version is available?
  • Let consumers know an SBOM, VEX, VRF was verifiably published by the publisher?
  • Let consumers know a newer version of the SBOM, VEX, VRF was released, and verifiably published by the publisher?
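The following is an added example, not code from the SCITT project, of how a single append-only feed of signed statements answers the four questions above: a consumer resolves the latest patched version per platform, detects new registrations since its last poll, verifies each statement against the publisher's key, and picks the newest VEX for a release. It assumes a constructed feed for Net Monitor and uses an HMAC as a stand-in for the COSE signature a real SCITT statement would carry.

```python
import hashlib, hmac, json

# Constructed demo key standing in for Wabbit Networks' signing key. Real SCITT statements are
# COSE-signed with an asymmetric key; HMAC is used here only so the example runs offline.
PRODUCER_KEY = b"wabbit-networks-demo-key"

def sign(statement, key=PRODUCER_KEY):
    # Signature over the canonical JSON of an SBOM / VEX / VRF / release statement.
    payload = json.dumps(statement, sort_keys=True).encode()
    return {"payload": statement, "sig": hmac.new(key, payload, "sha256").hexdigest()}
def verify(signed, key=PRODUCER_KEY):
    # Consumer-side check that the statement came from the expected publisher and is unmodified.
    payload = json.dumps(signed["payload"], sort_keys=True).encode()
    return hmac.compare_digest(signed["sig"], hmac.new(key, payload, "sha256").hexdigest())

class Feed:
    """Append-only log for one SCITT Feed Identifier. Entries are hash-chained so a
    consumer can detect reordering or silent removal of earlier statements."""
    def __init__(self, feed_id):
        self.feed_id, self.entries = feed_id, []
    def append(self, signed):
        if not verify(signed):
            raise ValueError("refusing to register a statement that fails verification")
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        h = hashlib.sha256((prev + signed["sig"]).encode()).hexdigest()
        self.entries.append({"prev": prev, "hash": h, "payload": signed["payload"]})
        return len(self.entries) - 1          # sequence number the consumer remembers
    def since(self, seq):
        # Everything registered after the consumer's last-seen sequence number ("something new is out").
        return [e["payload"] for e in self.entries[seq + 1:]]
    def select(self, **match):
        return [e["payload"] for e in self.entries if all(e["payload"].get(k) == v for k, v in match.items())]

def vtuple(v):
    return tuple(int(x) for x in v.split("."))
def latest_patched(feed, platform, major):
    # Highest version published for one platform within a major line (e.g. the 1.x line ACME runs).
    vs = [p["version"] for p in feed.select(kind="release", platform=platform) if vtuple(p["version"])[0] == major]
    return max(vs, key=vtuple) if vs else None
def latest_doc(feed, kind, version):
    # Newest VEX/VRF for a release; a later registration supersedes an earlier one.
    docs = feed.select(kind=kind, version=version)
    return docs[-1] if docs else None

# Constructed sample feed for the Net Monitor product
feed = Feed("wabbit-networks/net-monitor")
for s in [{"kind": "release", "version": "1.0.0", "platform": "linux/amd64"},
          {"kind": "release", "version": "1.0.0", "platform": "windows/amd64"},
          {"kind": "vex", "version": "1.0.0", "revision": 1},
          {"kind": "release", "version": "1.0.1", "platform": "linux/amd64"},
          {"kind": "vex", "version": "1.0.0", "revision": 2}]:
    feed.append(sign(s))
```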


Software Consumer

ACME Rockets consumes the Net Monitor software from Wabbit Networks. They are currently using their version 1 release, and need to get notified of updates when they’re available.

Third Party Security Vendor

Cosmic Security evaluates the security posture of its customers, providing 3rd party analysis and validation.

ACME Rockets subscribes to Cosmic Security to monitor the software they use within their environment.

End to End Integration

ACME Rockets deploys the Cosmic Security products to monitor the software in their environment. Wabbit Networks publishes their security information through a public SCITT Service. For each product ACME Rockets consumes, a SCITT Feed Identifier is used to get the latest information about the products.

Cosmic Security also publishes their perspective of the ACME Rockets software, as well as that of other vendors and projects. Cosmic Security publishes this information using a SCITT Service that provides a series of statements associated with the Feeds of each of the products they consume.
