
Release Metadata Organization Model

Submitted by Style Pass, 2024-10-08 16:00:07

Here I would like to describe a model for how we organize storage of release metadata for technology products. This methodology is part of a new Reliza project (to be announced soon). "Technology product" here may mean software, hardware, or a mix of the two.

Various regulatory requirements already mandate, or will mandate in the future, that vendors provide detailed metadata about their technology products.

For example, see the US Executive Order 14028 on Improving the Nation's Cybersecurity (https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity) and the EU Cyber Resilience Act (https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act).

Regardless of regulators, many organizations are already requiring their vendors to provide detailed information about their products. This may include BOMs (Bills of Materials), VDRs (Vulnerability Disclosure Reports), VEX documents (Vulnerability Exploitability eXchange), SARIF files (Static Analysis Results Interchange Format), attestations and other related artifacts. Explanations of what some of these are may be found on the CycloneDX website.

Now place those requirements on top of the combinatorial explosion of versions (every combination of component versions that can ship is, in effect, a distinct release), and it becomes fairly difficult to organize all the required metadata in a sensible and accessible way.
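As an added illustration of that problem (example code written for this page, not Reliza's model, which the post has not yet described), the following Python keys each artifact type listed above to a release identified by product and version, enumerates the releases that a composite product with several independently versioned components can produce, and reports which required artifact types are still missing for a given release. Product, component and URI values are constructed for the example.

```python
"""Illustrative release-metadata index (example code, not Reliza's implementation)."""
from dataclasses import dataclass
from enum import Enum
from itertools import product as cartesian
from typing import Dict, List, Optional, Set


class ArtifactType(str, Enum):
    """Artifact kinds a vendor may be asked to ship per release."""
    BOM = "bom"                  # Bill of Materials (e.g. CycloneDX)
    VDR = "vdr"                  # Vulnerability Disclosure Report
    VEX = "vex"                  # Vulnerability Exploitability eXchange
    SARIF = "sarif"              # static analysis results
    ATTESTATION = "attestation"  # e.g. build provenance statement


@dataclass(frozen=True)
class ReleaseId:
    product: str
    version: str


@dataclass(frozen=True)
class Artifact:
    kind: ArtifactType
    uri: str     # where the artifact is stored (constructed example values)
    sha256: str  # digest of the artifact bytes, so the record is tied to exact content


class ReleaseMetadataStore:
    """Artifacts indexed by release, then by artifact type."""

    def __init__(self) -> None:
        self._by_release: Dict[ReleaseId, Dict[ArtifactType, List[Artifact]]] = {}

    def attach(self, release: ReleaseId, artifact: Artifact) -> None:
        self._by_release.setdefault(release, {}).setdefault(artifact.kind, []).append(artifact)

    def artifacts(self, release: ReleaseId, kind: Optional[ArtifactType] = None) -> List[Artifact]:
        kinds = self._by_release.get(release, {})
        if kind is None:
            return [a for lst in kinds.values() for a in lst]
        return list(kinds.get(kind, []))

    def missing(self, release: ReleaseId, required: Set[ArtifactType]) -> Set[ArtifactType]:
        """Required artifact types for which no artifact is recorded on this release."""
        present = self._by_release.get(release, {})
        return {k for k in required if not present.get(k)}


def composite_releases(product_name: str, component_versions: Dict[str, List[str]]) -> List[ReleaseId]:
    """Every shippable combination of component versions is a distinct release.

    The version string is derived deterministically from the sorted component names,
    so the same combination always maps to the same ReleaseId.
    """
    names = sorted(component_versions)
    releases = []
    for combo in cartesian(*(component_versions[n] for n in names)):
        version = "+".join(f"{n}@{v}" for n, v in zip(names, combo))
        releases.append(ReleaseId(product_name, version))
    return releases


if __name__ == "__main__":
    # Constructed example: three components, 3 x 2 x 4 = 24 distinct releases.
    releases = composite_releases(
        "shop", {"api": ["1.0", "1.1", "1.2"], "db": ["3.0", "3.1"], "ui": ["2.0", "2.1", "2.2", "2.3"]}
    )
    store = ReleaseMetadataStore()
    store.attach(releases[0], Artifact(ArtifactType.BOM, "s3://example-bucket/shop/bom.json", "ab" * 32))
    required = {ArtifactType.BOM, ArtifactType.VEX, ArtifactType.ATTESTATION}
    for r in releases:
        gap = store.missing(r, required)
        print(f"{r.version}: missing {sorted(k.value for k in gap)}")
```

Keying on the exact component combination rather than a single top-level version string is what keeps a VEX or SARIF file from being silently reused across builds it was never produced for; the `missing()` check is the kind of per-release coverage report a vendor needs before answering a customer or regulator request.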
