| 1 | +id,text,l1,l2,l3,file |
| 2 | +1.1,All direct and transitive components and their versions are known at completion of a build,True,True,True,0x10-V1-Inventory.md |
| 3 | +1.2,Package managers are used to manage all third-party binary components,True,True,True,0x10-V1-Inventory.md |
| 4 | +1.3,An accurate inventory of all third-party components is available in a machine-readable format,True,True,True,0x10-V1-Inventory.md |
| 5 | +1.4,Software bill of materials are generated for publicly or commercially available applications,True,True,True,0x10-V1-Inventory.md |
| 6 | +1.5,Software bill of materials are required for new procurements,False,True,True,0x10-V1-Inventory.md |
| 7 | +1.6,Software bill of materials continuously maintained and current for all systems,False,False,True,0x10-V1-Inventory.md |
| 8 | +1.7,"Components are uniquely identified in a consistent, machine-readable format",True,True,True,0x10-V1-Inventory.md |
| 9 | +1.8,The component type is known throughout inventory,False,False,True,0x10-V1-Inventory.md |
| 10 | +1.9,The component function is known throughout inventory ,False,False,True,0x10-V1-Inventory.md |
| 11 | +1.10,Point of origin is known for all components,False,False,True,0x10-V1-Inventory.md |
| 12 | +2.1,"A structured, machine readable software bill of materials (SBOM) format is present",True,True,True,0x11-V2-Software_Bill_of_Materials.md |
| 13 | +2.2,SBOM creation is automated and reproducible,False,True,True,0x11-V2-Software_Bill_of_Materials.md |
| 14 | +2.3,Each SBOM has a unique identifier,True,True,True,0x11-V2-Software_Bill_of_Materials.md |
| 15 | +2.4,"SBOM has been signed by publisher, supplier, or certifying authority",False,True,True,0x11-V2-Software_Bill_of_Materials.md |
| 16 | +2.5,SBOM signature verification exists,False,True,True,0x11-V2-Software_Bill_of_Materials.md |
| 17 | +2.6,SBOM signature verification is performed,False,False,True,0x11-V2-Software_Bill_of_Materials.md |
| 18 | +2.7,SBOM is timestamped,True,True,True,0x11-V2-Software_Bill_of_Materials.md |
| 19 | +2.8,SBOM is analyzed for risk,True,True,True,0x11-V2-Software_Bill_of_Materials.md |
| 20 | +2.9,SBOM contains a complete and accurate inventory of all components the SBOM describes,True,True,True,0x11-V2-Software_Bill_of_Materials.md |
| 21 | +2.10,SBOM contains an accurate inventory of all test components for the asset or application it describes,False,True,True,0x11-V2-Software_Bill_of_Materials.md |
| 22 | +2.11,SBOM contains metadata about the asset or software the SBOM describes,False,True,True,0x11-V2-Software_Bill_of_Materials.md |
| 23 | +2.12,Component identifiers are derived from their native ecosystems (if applicable),True,True,True,0x11-V2-Software_Bill_of_Materials.md |
| 24 | +2.13,"Component point of origin is identified in a consistent, machine readable format (e.g. PURL)",False,False,True,0x11-V2-Software_Bill_of_Materials.md |
| 25 | +2.14,Components defined in SBOM have accurate license information,True,True,True,0x11-V2-Software_Bill_of_Materials.md |
| 26 | +2.15,Components defined in SBOM have valid SPDX license ID's or expressions (if applicable),False,True,True,0x11-V2-Software_Bill_of_Materials.md |
| 27 | +2.16,Components defined in SBOM have valid copyright statements,False,False,True,0x11-V2-Software_Bill_of_Materials.md |
| 28 | +2.17,Components defined in SBOM which have been modified from the original have detailed provenance and pedigree information ,False,False,True,0x11-V2-Software_Bill_of_Materials.md |
| 29 | +2.18,"Components defined in SBOM have one or more file hashes (SHA-256, SHA-512, etc)",False,False,True,0x11-V2-Software_Bill_of_Materials.md |
| 30 | +3.1,Application uses a repeatable build,True,True,True,0x12-V3-Build_Environment.md |
| 31 | +3.2,Documentation exists on how the application is built and instructions for repeating the build,True,True,True,0x12-V3-Build_Environment.md |
| 32 | +3.3,Application uses a continuous integration build pipeline,True,True,True,0x12-V3-Build_Environment.md |
| 33 | +3.4,Application build pipeline prohibits alteration of build outside of the job performing the build,False,True,True,0x12-V3-Build_Environment.md |
| 34 | +3.5,Application build pipeline prohibits alteration of package management settings,False,True,True,0x12-V3-Build_Environment.md |
| 35 | +3.6,Application build pipeline prohibits the execution of arbitrary code outside of the context of a jobs build script,False,True,True,0x12-V3-Build_Environment.md |
| 36 | +3.7,Application build pipeline may only perform builds of source code maintained in version control systems,True,True,True,0x12-V3-Build_Environment.md |
| 37 | +3.8,Application build pipeline prohibits alteration of DNS and network settings during build,False,False,True,0x12-V3-Build_Environment.md |
| 38 | +3.9,Application build pipeline prohibits alteration of certificate trust stores,False,False,True,0x12-V3-Build_Environment.md |
| 39 | +3.10,Application build pipeline enforces authentication and defaults to deny,False,True,True,0x12-V3-Build_Environment.md |
| 40 | +3.11,Application build pipeline enforces authorization and defaults to deny,False,True,True,0x12-V3-Build_Environment.md |
| 41 | +3.12,Application build pipeline requires separation of concerns for the modification of system settings,False,False,True,0x12-V3-Build_Environment.md |
| 42 | +3.13,Application build pipeline maintains a verifiable audit log of all system changes,False,False,True,0x12-V3-Build_Environment.md |
| 43 | +3.14,Application build pipeline maintains a verifiable audit log of all build job changes,False,False,True,0x12-V3-Build_Environment.md |
| 44 | +3.15,"Application build pipeline has required maintenance cadence where the entire stack is updated, patched, and re-certified for use",False,True,True,0x12-V3-Build_Environment.md |
| 45 | +3.16,"Compilers, version control clients, development utilities, and software development kits are analyzed and monitored for tampering, trojans, or malicious code",False,False,True,0x12-V3-Build_Environment.md |
| 46 | +3.17,All build-time manipulations to source or binaries are known and well defined,True,True,True,0x12-V3-Build_Environment.md |
| 47 | +3.18,Checksums of all first-party and third-party components are documented for every build,True,True,True,0x12-V3-Build_Environment.md |
| 48 | +3.19,Checksums of all components are accessible and delivered out-of-band whenever those components are packaged or distributed,False,True,True,0x12-V3-Build_Environment.md |
| 49 | +3.20,Unused direct and transitive components have been identified,False,False,True,0x12-V3-Build_Environment.md |
| 50 | +3.21,Unused direct and transitive components have been removed from the application,False,False,True,0x12-V3-Build_Environment.md |
| 51 | +4.1,Binary components are retrieved from a package repository,True,True,True,0x13-V4-Package_Management.md |
| 52 | +4.2,Package repository contents are congruent to an authoritative point of origin for open source components,True,True,True,0x13-V4-Package_Management.md |
| 53 | +4.3,Package repository requires strong authentication,False,True,True,0x13-V4-Package_Management.md |
| 54 | +4.4,Package repository supports multi-factor authentication component publishing,False,True,True,0x13-V4-Package_Management.md |
| 55 | +4.5,Package repository components have been published with multi-factor authentication,False,False,True,0x13-V4-Package_Management.md |
| 56 | +4.6,Package repository supports security incident reporting,False,True,True,0x13-V4-Package_Management.md |
| 57 | +4.7,Package repository automates security incident reporting,False,False,True,0x13-V4-Package_Management.md |
| 58 | +4.8,Package repository notifies publishers of security issues,False,True,True,0x13-V4-Package_Management.md |
| 59 | +4.9,Package repository notifies users of security issues,False,False,True,0x13-V4-Package_Management.md |
| 60 | +4.10,Package repository provides a verifiable way of correlating component versions to specific source codes in version control,False,True,True,0x13-V4-Package_Management.md |
| 61 | +4.11,Package repository provides auditability when components are updated,True,True,True,0x13-V4-Package_Management.md |
| 62 | +4.12,Package repository requires code signing to publish packages to production repositories,False,True,True,0x13-V4-Package_Management.md |
| 63 | +4.13,Package manager verifies the integrity of packages when they are retrieved from remote repository,True,True,True,0x13-V4-Package_Management.md |
| 64 | +4.14,Package manager verifies the integrity of packages when they are retrieved from file system,True,True,True,0x13-V4-Package_Management.md |
| 65 | +4.15,Package repository enforces use of TLS for all interactions,True,True,True,0x13-V4-Package_Management.md |
| 66 | +4.16,Package manager validates TLS certificate chain to repository and fails securely when validation fails,True,True,True,0x13-V4-Package_Management.md |
| 67 | +4.17,Package repository requires and/or performs static code analysis prior to publishing a component and makes results available for others to consume,False,False,True,0x13-V4-Package_Management.md |
| 68 | +4.18,Package manager does not execute component code,True,True,True,0x13-V4-Package_Management.md |
| 69 | +4.19,Package manager documents package installation in machine-readable form,True,True,True,0x13-V4-Package_Management.md |
| 70 | +5.1,Component can be analyzed with linters and/or static analysis tools,True,True,True,0x14-V5-Component_Analysis.md |
| 71 | +5.2,Component is analyzed using linters and/or static analysis tools prior to use,False,True,True,0x14-V5-Component_Analysis.md |
| 72 | +5.3,Linting and/or static analysis is performed with every upgrade of a component,False,True,True,0x14-V5-Component_Analysis.md |
| 73 | +5.4,An automated process of identifying all publicly disclosed vulnerabilities in third-party and open source components is used,True,True,True,0x14-V5-Component_Analysis.md |
| 74 | +5.5,An automated process of identifying confirmed dataflow exploitability is used,False,False,True,0x14-V5-Component_Analysis.md |
| 75 | +5.6,An automated process of identifying non-specified component versions is used,True,True,True,0x14-V5-Component_Analysis.md |
| 76 | +5.7,An automated process of identifying out-of-date components is used,True,True,True,0x14-V5-Component_Analysis.md |
| 77 | +5.8,An automated process of identifying end-of-life / end-of-support components is used,False,False,True,0x14-V5-Component_Analysis.md |
| 78 | +5.9,An automated process of identifying component type is used,False,True,True,0x14-V5-Component_Analysis.md |
| 79 | +5.10,An automated process of identifying component function is used,False,False,True,0x14-V5-Component_Analysis.md |
| 80 | +5.11,An automated process of identifying component quantity is used,True,True,True,0x14-V5-Component_Analysis.md |
| 81 | +5.12,An automated process of identifying component license is used,True,True,True,0x14-V5-Component_Analysis.md |
| 82 | +6.1,Point of origin is verifiable for source code and binary components,False,True,True,0x15-V6-Pedigree_and_Provenance.md |
| 83 | +6.2,Chain of custody if auditable for source code and binary components,False,False,True,0x15-V6-Pedigree_and_Provenance.md |
| 84 | +6.3,Provenance of modified components is known and documented,True,True,True,0x15-V6-Pedigree_and_Provenance.md |
| 85 | +6.4,Pedigree of component modification is documented and verifiable,False,True,True,0x15-V6-Pedigree_and_Provenance.md |
| 86 | +6.5,Modified components are uniquely identified and distinct from origin component,False,True,True,0x15-V6-Pedigree_and_Provenance.md |
| 87 | +6.6,Modified components are analyzed with the same level of precision as unmodified components,True,True,True,0x15-V6-Pedigree_and_Provenance.md |
| 88 | +6.7,Risk unique to modified components can be analyzed and associated specifically to modified variant,True,True,True,0x15-V6-Pedigree_and_Provenance.md |
| 89 | + |
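Review bot: typo on row 6.2, "Chain of custody if auditable for source code and binary components" should read "is auditable". Several text cells also carry trailing whitespace before the closing comma (row 1.9 "The component function is known throughout inventory ," and likewise row 2.17); that whitespace survives CSV parsing and makes exact-match lookups on the text column miss, so please trim it. Wording alternates between "machine readable" (rows 2.1, 2.13) and "machine-readable" (rows 1.3, 1.7, 4.19), and "SPDX license ID's" in row 2.15 should be "IDs". The header columns l1,l2,l3 are opaque to a consumer of the file; presumably they map to the verification levels 1 to 3 of the 0x10-0x15 chapters, and a short note in the commit message or README saying so would help. Finally, the file ends with an extra empty line after row 6.7 rather than a single trailing newline on the last record; some CSV readers will yield an empty record for it.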