Products not listed as required #19

Open
tschmidtb51 opened this issue Feb 9, 2023 · 4 comments
Labels
area/product Issues and PRs related to the product field

Comments

@tschmidtb51

Currently, the table Statement fields lists products as not required. However, they should be according to the introduction.

@luhring
Contributor

luhring commented Feb 10, 2023

I believe this is addressed by this part of the field's description:

this field is optional as it can cascade down from the encapsulating document, see Inheritance.

The idea is that if there's already a higher-ranking specification of the product(s), it's not necessary to redefine the product(s) for every statement in the document.

So while it's mandatory that the statement is associated with a specific set of products, it's not mandatory that the association be achieved via the statement's products field.

cc: @puerco

@mjnagel
Contributor

mjnagel commented Feb 16, 2023

This was confusing to me as well, maybe partially due to a mix of possible inheritance scenarios?

It seems like there's two types of inheritance:

  • Timestamp inheritance from the VEX document struct
  • Timestamp or product id inheritance from the encapsulating document (in-toto, CSAF, etc)

Am I tracking this correctly? Maybe some clarification around this in the spec would be beneficial, I initially was thinking you could throw a products section into the document struct since the only inheritance examples are "pure VEX" (no encapsulation).

@puerco
Member

puerco commented Jun 14, 2023

As Dan mentioned, the reason why products is technically optional is because the field can be inherited. Specifically, this is meant to inherit an attestation's subject. This is further explained in the attesting documentation. Perhaps the spec should explicitly mention this; I'll try to add some language to that effect in the next minor revision.

@puerco
Member

puerco commented Jun 14, 2023

This, of course, does not imply that the VEX statement can be completed without products; it just means that the JSON struct can be considered valid by a simple validator if it does not have the products field.

@puerco puerco added the area/product Issues and PRs related to the product field label Jun 14, 2023
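The distinction drawn in the thread above, between a statement that a simple schema validator accepts because `products` is not a required key and a statement that is actually complete because its products can be resolved, together with the two inheritance paths mjnagel lists (timestamp from the enclosing VEX document, products from an attestation subject), as an added example. This is illustrative code written for this page, not code from the OpenVEX project or its tooling; the in-toto attestation layout, the OpenVEX field names, the required-field list and the product and vulnerability identifiers are constructed for the example and should be treated as assumptions rather than the spec's exact schema.

```python
"""Resolve the effective products of OpenVEX statements with inheritance.

Added example, not OpenVEX project code. The attestation and document
shapes below are constructed for the example and only approximate the
real formats; field names and required-field lists are assumptions.
"""
import json
from typing import Optional

# Constructed sample: an in-toto style attestation whose subject names the
# artifact, wrapping an OpenVEX document as its predicate. The second
# statement deliberately omits "products" and "timestamp" so that both are
# inherited. Identifiers are placeholders, not real packages or CVEs.
ATTESTATION = json.loads(r'''
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {"name": "pkg:oci/example-app@sha256:ffff", "digest": {"sha256": "ffff"}}
  ],
  "predicateType": "https://openvex.dev/ns/v0.2.0",
  "predicate": {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/doc-1",
    "author": "Example Security Team",
    "timestamp": "2023-06-14T00:00:00Z",
    "version": 1,
    "statements": [
      {
        "vulnerability": {"name": "CVE-0000-0001"},
        "products": [{"@id": "pkg:oci/example-app@sha256:ffff"}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_present",
        "timestamp": "2023-06-13T00:00:00Z"
      },
      {
        "vulnerability": {"name": "CVE-0000-0002"},
        "status": "fixed"
      }
    ]
  }
}
''')

# Assumption: these are the per-statement keys a simple validator insists on.
# "products" is intentionally absent, mirroring the spec table discussed above.
STATEMENT_REQUIRED = ("vulnerability", "status")


def struct_valid(statement: dict) -> bool:
    """Simple validator: only checks the keys the schema marks required.

    A statement with no "products" key passes here, which is exactly the
    situation the thread describes.
    """
    return all(key in statement for key in STATEMENT_REQUIRED)


def subject_products(attestation: Optional[dict]) -> list:
    """Map an in-toto subject list to OpenVEX-style product entries."""
    if not attestation:
        return []
    return [{"@id": subj["name"]} for subj in attestation.get("subject", [])]


def effective_products(statement: dict, attestation: Optional[dict]) -> list:
    """A statement's own products win; otherwise inherit the attestation subject."""
    own = statement.get("products")
    if own:
        return list(own)
    return subject_products(attestation)


def complete_statements(doc: dict, attestation: Optional[dict] = None) -> list:
    """Strict check: every statement must be structurally valid AND resolve
    to at least one product. Returns statements with inherited values filled in
    (products from the attestation subject, timestamp from the document)."""
    resolved = []
    for index, statement in enumerate(doc["statements"]):
        if not struct_valid(statement):
            raise ValueError(f"statement {index}: missing a required field")
        products = effective_products(statement, attestation)
        if not products:
            raise ValueError(f"statement {index}: no products and nothing to inherit")
        filled = dict(statement)
        filled["products"] = products
        filled.setdefault("timestamp", doc["timestamp"])
        resolved.append(filled)
    return resolved


def is_complete(doc: dict, attestation: Optional[dict] = None) -> bool:
    """True when every statement can be completed, False otherwise."""
    try:
        complete_statements(doc, attestation)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    vex_doc = ATTESTATION["predicate"]
    # Bare document: structurally valid, but the second statement cannot be completed.
    print("struct_valid:", all(struct_valid(s) for s in vex_doc["statements"]))
    print("complete without attestation:", is_complete(vex_doc))
    # Same document read through its attestation: the subject supplies the products.
    for statement in complete_statements(vex_doc, ATTESTATION):
        print(statement["vulnerability"]["name"], statement["products"], statement["timestamp"])
```

Run stand-alone, the script reports that both statements pass the structural check, that the bare document is nevertheless not complete, and that reading it through the attestation fills in the subject as the second statement's product and the document timestamp as its timestamp. The two checks are kept as separate functions on purpose: a tool that only runs `struct_valid` will happily accept a statement that says nothing about any product, which is the gap the issue is about.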
4 participants