One of the strengths of TrustSource is its support for creating outbound documents. Currently TrustSource is set up to support the following document types:

- Software of unknown Provenance (SOUP) lists:
  This list is indirectly required by the Medical Device Directive and IEC 62304. It contains all parts that are not manufactured (or built) in-house and therefore may be subject to different quality assurance procedures. It lists the third-party parts together with information on the supplier and on their quality and security status. See "Managing SOUP lists" for more details.

- Software Bill of Materials (SBOM):
  The SBOM is a list of the components that identifies the ingredients of the object of concern. Its scope can vary: a single artefact is what we tend to call a module, while a set of artefacts is scoped as a project. Keep in mind that TrustSource also allows you to add infrastructure, e.g. middleware or runtimes, as part of an SBOM. See "Creating SBOMs" for more details.

- Crypto Bill of Materials (CBOM):
  The CBOM is a comparatively new invention, driven by the rise of quantum computing. Since quantum computing will become a reality in the upcoming years, it may be a threat to some kinds of encryption. There are many articles and study groups on the viability of encryption algorithms; with TrustSource you can generate a CBOM for your solution. See "Creating a CBOM" for more details.

- Notice File:
  The notice file is a legal document that you may include in your distribution. It is generated based on the given circumstances and provides the data you need to fulfil your legal obligations. See "Creating a Notice File" for more details.
- Cyber Security Advisory Framework (CSAF) Documents:
  We implemented support for the CSAF standard. CSAF defines a basic JSON-based document structure that allows automated machine-to-machine (M2M) information exchange on vulnerabilities. This structure supports different profiles for different purposes:

  - Informational Advisory:
    The informational advisory is defined to carry configuration information on how to set up or operate a system in a secure way. These documents typically relate to a product or a group of products.

  - Security Advisory:
    The Security Advisory profile typically handles one or more vulnerabilities of one or more impacted products. The vulnerabilities need to be officially named (a CVE assigned through a CNA). The document should inform about the vulnerability, the potential impact on the products and potential mitigations.

  - Vulnerability Exploitability Exchange (VEX):
    VEX tends to be CVE-centred and has the function of declaring the state of a CVE across the product portfolio. It thus makes clear whether the vendor has already recognised the CVE, what the current state in a particular product is, and what the vendor is about to do. Therefore the standard provides specific states such as "under investigation", "not impacted" or "fixed".
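As an added example (not part of the TrustSource documentation or its code), here is how a consumer of a VEX document can read the per-product states out of a constructed CSAF 2.0 csaf_vex document, reject entries that reference undefined products or give one product contradicting states, and decide whether a scanner finding may be closed. The document, product ids and CVE ids are placeholders; the product_tree is assumed to use full_product_names only (real documents may also use branches), and the status-group names are those of the CSAF 2.0 product_status schema.

```python
import json

# Constructed, minimal CSAF 2.0 document with the csaf_vex profile. Field names
# follow the CSAF 2.0 schema; product ids, dates and CVE ids are placeholders.
VEX_DOC = json.loads("""{
 "document": {"category": "csaf_vex", "csaf_version": "2.0",
  "title": "Example VEX (constructed)",
  "publisher": {"category": "vendor", "name": "Example Corp",
                "namespace": "https://vendor.example"},
  "tracking": {"id": "EXAMPLE-VEX-0001", "status": "final", "version": "1",
               "initial_release_date": "2024-01-01T00:00:00Z",
               "current_release_date": "2024-01-01T00:00:00Z"}},
 "product_tree": {"full_product_names": [
  {"product_id": "CSAFPID-0001", "name": "Widget Server 1.0"},
  {"product_id": "CSAFPID-0002", "name": "Widget Server 1.1"}]},
 "vulnerabilities": [
  {"cve": "CVE-0000-00001", "product_status": {
    "known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]}},
  {"cve": "CVE-0000-00002", "product_status": {
    "known_not_affected": ["CSAFPID-0001", "CSAFPID-0002"]}}]}""")

# CSAF 2.0 product_status groups, collapsed to the four mutually exclusive
# states a product may hold for one vulnerability (first_fixed/fixed overlap).
STATE_OF = {"first_affected": "affected", "known_affected": "affected",
            "last_affected": "affected", "first_fixed": "fixed", "fixed": "fixed",
            "known_not_affected": "not_affected",
            "under_investigation": "under_investigation"}


def product_states(doc):
    """Return {(cve, product_id): state}; reject undefined ids and contradictions."""
    defined = {p["product_id"] for p in doc["product_tree"]["full_product_names"]}
    states = {}
    for vuln in doc["vulnerabilities"]:
        cve = vuln["cve"]
        for group, pids in vuln.get("product_status", {}).items():
            for pid in pids:
                if pid not in defined:
                    raise ValueError(f"{cve}: product_id {pid} not in product_tree")
                state = STATE_OF[group]
                if states.setdefault((cve, pid), state) != state:
                    raise ValueError(f"{cve}: contradicting status for {pid}")
    return states


def suppressible(doc, cve, product_id):
    """True when the vendor VEX says a scanner finding can be closed for this product."""
    return product_states(doc).get((cve, product_id)) in ("fixed", "not_affected")
```

A finding for a (CVE, product) pair the document does not mention stays open, since absence of a VEX statement is not a "not affected" claim.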
  While most of these documents will be available through the API, TrustSource also offers you the option to download the CSAF documents and publish them through a publisher or provider of your own, or even to publish them directly into your TrustSource-hosted Trusted Provider.