
Implement Security Baseline criterion OSPS-QA-03 #289

@mesembria

Description


Criterion: All released software assets MUST be delivered with a machine-readable list of all direct and transitive internal software dependencies with their associated version identifiers.

Maturity Level: 2

Rationale: Provide transparency and accountability for the project’s dependencies, enabling users and contributors to understand the software’s dependencies and versions.

Details: This may take the form of a software bill of materials (SBOM) or a dependency file that lists all direct and transitive dependencies such as package.json, Gemfile.lock, or go.sum.

It is recommended to use a CycloneDX or SPDX file that is auto-generated at build time by a tool that has been vetted for accuracy. This enables users to ingest this data in a standardized approach alongside other projects in their environment.
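The criterion calls for a machine-readable list of every direct and transitive dependency with a version identifier. The checker below is an added example for this issue, not code from the OSPS Baseline project or from any SBOM generator: it takes a CycloneDX JSON document (assumed to carry `bom-ref` identifiers and a `dependencies` graph rooted at `metadata.component`, which is how CycloneDX expresses transitive dependencies), walks the closure from the root, and reports any dependency that is referenced but absent from `components` or listed without a `version`. The sample SBOM is constructed for the example and contains both defects on purpose. Where a generator emits a flat component list with no `dependencies` section (an assumption about some tools, not a CycloneDX requirement), every component is treated as a dependency and checked for a version. Note that this only proves the document is internally complete; whether the generator captured the real build graph still has to be checked against the project's lockfile or resolved module list, which is why the criterion asks for a tool vetted for accuracy.

```python
"""Check a CycloneDX JSON SBOM against OSPS-QA-03: every direct and
transitive dependency must be listed with a version identifier.
Added example, not part of the OSPS Baseline project."""
import json

# Constructed sample (hypothetical package names and versions). It contains
# two deliberate defects: libbaz has no version, and libqux is referenced in
# the dependency graph but never declared as a component.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {
        "type": "application", "name": "example-app", "version": "1.2.0",
        "bom-ref": "pkg:golang/example.com/app@1.2.0"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.3.1",
         "bom-ref": "pkg:golang/example.com/libfoo@2.3.1"},
        {"type": "library", "name": "libbar", "version": "0.9.0",
         "bom-ref": "pkg:golang/example.com/libbar@0.9.0"},
        {"type": "library", "name": "libbaz",            # version missing
         "bom-ref": "pkg:golang/example.com/libbaz"},
    ],
    "dependencies": [
        {"ref": "pkg:golang/example.com/app@1.2.0",
         "dependsOn": ["pkg:golang/example.com/libfoo@2.3.1"]},
        {"ref": "pkg:golang/example.com/libfoo@2.3.1",
         "dependsOn": ["pkg:golang/example.com/libbar@0.9.0",
                       "pkg:golang/example.com/libbaz"]},
        {"ref": "pkg:golang/example.com/libbar@0.9.0",
         "dependsOn": ["pkg:golang/example.com/libqux@1.0.0"]},  # undeclared
    ],
})


def _check_component(ref, comp, findings):
    """Record a finding if the referenced component is absent or unversioned."""
    if comp is None:
        findings.append(("unresolved-ref", ref))
    elif not comp.get("version"):
        findings.append(("missing-version", ref))


def check_sbom(text):
    """Return {'transitive': [refs], 'findings': [(kind, ref)], 'compliant': bool}.

    'transitive' is every dependency reachable from the root component;
    'findings' lists each reachable dependency that violates OSPS-QA-03.
    """
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")

    components = {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}
    findings, seen = [], set()

    if "dependencies" in bom:
        # Graph form: walk the closure from metadata.component so that only
        # dependencies actually reachable from the released artifact count.
        root_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
        if root_ref is None:
            findings.append(("no-root-ref", "metadata.component"))
        graph = {d["ref"]: d.get("dependsOn", []) for d in bom["dependencies"]}
        stack = [root_ref]
        while stack:
            for dep in graph.get(stack.pop(), []):
                if dep in seen:
                    continue
                seen.add(dep)
                stack.append(dep)
                _check_component(dep, components.get(dep), findings)
    else:
        # Flat form (assumption: some generators omit the graph). Every listed
        # component is then taken to be a dependency and must carry a version.
        for comp in bom.get("components", []):
            ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
            seen.add(ref)
            _check_component(ref, comp, findings)

    return {"transitive": sorted(seen), "findings": sorted(findings),
            "compliant": not findings}


if __name__ == "__main__":
    result = check_sbom(SAMPLE_SBOM)
    for kind, ref in result["findings"]:
        print(f"{kind}: {ref}")
    print("OSPS-QA-03 compliant:", result["compliant"])
```

Run against the constructed sample it reports `missing-version` for libbaz and `unresolved-ref` for libqux; the same walk over a generator's real output is a cheap release-time gate before the SBOM is attached to the published asset.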

Metadata

Labels: P0 Fix Now: These are urgent issues that preempt other work in the current sprint

Status: Done

Milestone: No milestone

Development: No branches or pull requests