NIST.IR.8060 PRI-13 requires additional attributes for Meta #43

Open
adelton wants to merge 1 commit into strongswan:master from adelton:PRI-13
@adelton adelton commented Jul 12, 2018

Contributor

Addressing swidval errors

ERROR PRI-13-3: The <Meta> @colloquialVersion attribute was not provided.
ERROR PRI-13-4: The <Meta> @revision attribute was not provided.
ERROR PRI-13-5: The <Meta> @edition attribute was not provided.

Leaving the attribute values empty seems enough to make swidval happy.
We could put the name (sans version) to product and then have version in colloquialVersion, to turn

  <Meta colloquialVersion="" edition="" product="Fedora 28 i686" revision=""/>

into (say)

  <Meta colloquialVersion="28" edition="" product="Fedora" revision=""/>

But I plan to add an option to use Meta for information about the package, not about the distribution.

@tobiasbrunner

Member

PRI-13 states:

If appropriate values exist and can be determined, a <Meta> element MUST be provided and MUST furnish values for as many of the following attributes as possible: @product, @colloquialVersion, @revision, and @edition.

This doesn't read to me like "... attribute MUST be provided", but I guess "furnish values" could be interpreted to mean add the attributes but leave those empty for which no value exists or can be determined. However, according to the schema all these attributes of the SoftwareMeta are optional (there are actually a lot more than listed there in NIST.IR.8060) and I don't really see an advantage in specifying empty attributes. So I think SWIDVal might be too restrictive here too.

adelton commented Jul 20, 2018

Contributor Author

Thank you for the analysis. Have you guys talked to NIST about it or should we try to bring it up?

@tobiasbrunner

Member

We currently have no plans to contact NIST about this. Thanks.
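
The distinction this thread turns on (a `<Meta>` attribute that is absent versus one that is present but empty), as an added example that is not part of the pull request or of strongSwan or swidval. The function names and the three sample tags are constructed for illustration; the "before" tag is an assumed pre-patch form, and the presence-only check models the behaviour described in the first comment, not swidval's actual code.

```python
import xml.etree.ElementTree as ET

# The four <Meta> attributes named in the PRI-13 text quoted in the thread.
PRI13_ATTRS = ("product", "colloquialVersion", "revision", "edition")

def _local(tag):
    """Strip any '{namespace}' prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def classify_meta(swid_xml):
    """Map each PRI-13 attribute of the first <Meta> to 'absent', 'empty' or 'set'.

    Returns None when the tag has no <Meta> element at all.
    """
    root = ET.fromstring(swid_xml)
    for el in root.iter():
        if _local(el.tag) == "Meta":
            state = {}
            for attr in PRI13_ATTRS:
                value = el.get(attr)
                if value is None:
                    state[attr] = "absent"
                else:
                    state[attr] = "set" if value.strip() else "empty"
            return state
    return None

def presence_only_errors(state):
    """Attributes a presence-only validator would report as 'not provided'."""
    return [a for a in PRI13_ATTRS if state[a] == "absent"]

def furnished(state):
    """Attributes that actually carry a value, i.e. information for a consumer."""
    return [a for a in PRI13_ATTRS if state[a] == "set"]

# Constructed sample tags (assumed 'before', plus the two forms from the first comment).
BEFORE = '<SoftwareIdentity><Meta product="Fedora 28 i686"/></SoftwareIdentity>'
EMPTY = ('<SoftwareIdentity><Meta colloquialVersion="" edition="" '
         'product="Fedora 28 i686" revision=""/></SoftwareIdentity>')
SPLIT = ('<SoftwareIdentity><Meta colloquialVersion="28" edition="" '
         'product="Fedora" revision=""/></SoftwareIdentity>')

if __name__ == "__main__":
    for name, tag in (("before", BEFORE), ("empty", EMPTY), ("split", SPLIT)):
        s = classify_meta(tag)
        print(name, "errors:", presence_only_errors(s), "furnished:", furnished(s))
```

Adding empty attributes clears the presence-only errors while the set of furnished values stays the same; only the split form adds information.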
