Description
Re-reading @stevespringett's article on the OWASP website (https://owasp.org/blog/2023/02/07/vdr-vex-comparison), and searching for the authoritative reference regarding VDR, I noticed that NIST SP 800-161, originally from 2015, has been superseded:
https://csrc.nist.gov/pubs/sp/800/161/r1/final
The new revision can be found here, published in May 2022, so after @stevespringett's article, but including updates as of 11-01-2024 (sic):
https://csrc.nist.gov/pubs/sp/800/161/r1/upd1/final
...and in this document, all references to VDR have disappeared. The revision history at the end does not specifically mention this change. I have no idea of the motivations behind this (unfortunate IMHO) removal. I must still have the original SP in my archive; I'll try to dig deeper into the modified section. On a higher level, the update of this SP as a whole seems to come from EO 14028.
Whatever the reason, as of today, at least this mention of this NIST SP in this repo is out of date:
https://github.com/OWASP/owasp.github.io/blob/main/_posts/2023-02-07-vdr-vex-comparison.md
There might be other references elsewhere, including in other CDX repos. I noticed it in the BOM examples too:
CycloneDX/bom-examples#54
Note that I do not consider that this makes the VDR concept obsolete. Just that the NIST SP can't be referred to anymore, except for historical purposes.