Internal and/or external SADP content #5

@zmanion

An SADP container can directly contain SADP content, using the CVE Record Format (with some minor additions).

Another (non-exclusive) option is for the SADP container to reference external SADP content. This option could use the existing URL references and tags schema, possibly with a new tag:

"references": [
  {
    "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-14174.json",
    "tags": [
      "x_sadp-csaf-vex"
    ]
  }
]

Or we could create a more robust and machine-usable reference, partly informed by the proposed assertions RFD:

"x_adpReference": [
  {
    "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-14174.json",
    "format": "csaf-vex",
    "definition": {
      "url": "https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/json_schema/csaf_json_schema.json",
      "namespace": "csaf",
      "version": "2.0"
    }
  }
]

We should decide whether and how to support external SADP content, especially the "robust reference" schema changes, and use external SADP content during the pilot.
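An added example, not part of the original issue or of any CVE/SADP tooling: a consumer-side sketch that normalizes both reference shapes proposed above and checks each one before anything is fetched. The function names, the `x_sadp-` prefix rule, the format allowlist and the `example.test` entries are assumptions made for illustration.

```python
from urllib.parse import urlsplit

SADP_TAG_PREFIX = "x_sadp-"      # assumption: tag is "x_sadp-" + format name
ALLOWED_FORMATS = ("csaf-vex",)  # assumption: formats this consumer can parse

def _is_https(value):
    """True only for an absolute https URL that names a host."""
    parts = urlsplit(value) if isinstance(value, str) else None
    return bool(parts and parts.scheme == "https" and parts.hostname)

def external_sadp_refs(container):
    """Normalize both proposed shapes; return (accepted, rejected) lists."""
    candidates = []
    for ref in container.get("references", []):        # tagged-reference shape
        for tag in ref.get("tags", []):
            if isinstance(tag, str) and tag.startswith(SADP_TAG_PREFIX):
                candidates.append((ref.get("url"), tag[len(SADP_TAG_PREFIX):], None))
    for ref in container.get("x_adpReference", []):    # "robust reference" shape
        candidates.append((ref.get("url"), ref.get("format"), ref.get("definition")))
    accepted, rejected = [], []
    for url, fmt, definition in candidates:
        if not _is_https(url):
            rejected.append((url, "url is not absolute https"))
        elif fmt not in ALLOWED_FORMATS:
            rejected.append((url, "unsupported format"))
        elif definition is not None and not (
                isinstance(definition, dict) and _is_https(definition.get("url"))):
            rejected.append((url, "definition url is not absolute https"))
        else:
            # The tag shape carries no schema pointer, so the version stays None.
            version = definition.get("version") if definition else None
            accepted.append({"url": url, "format": fmt, "schema_version": version})
    return accepted, rejected

# Constructed sample: the two snippets from the issue plus entries that should fail.
MSRC = "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-14174.json"
SAMPLE = {
    "references": [
        {"url": MSRC, "tags": ["x_sadp-csaf-vex"]},
        {"url": "http://advisories.example.test/a.json", "tags": ["x_sadp-csaf-vex"]},
        {"url": "https://vendor.example.test/blog", "tags": ["vendor-advisory"]},
    ],
    "x_adpReference": [
        {"url": MSRC, "format": "csaf-vex", "definition": {
            "url": "https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/json_schema/csaf_json_schema.json",
            "namespace": "csaf", "version": "2.0"}},
        {"url": "https://advisories.example.test/b.xml", "format": "cvrf"},
    ],
}
```

Running `external_sadp_refs(SAMPLE)` accepts the MSRC document from both shapes, but only the `x_adpReference` entry yields a schema version the consumer can pin validation to.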
