Updated and extended dependency + SBOM criteria (#186)

eddie-knight · puerco · SecurityCRob · web-flow · commit 1b9d26402167 · 2025-02-14T11:05:08.000-08:00
* Add dependency/SBOM critaria and leveling

This commit updates the dependency criteria to add
increasing transparency requirements at each level.

Signed-off-by: Adolfo García Veytia (Puerco) &lt;adolfo.garcia@uservers.net&gt;

* Update baseline/OSPS-QA.yaml

Co-authored-by: Ben Cotton &lt;bcotton@funnelfiasco.com&gt;
Signed-off-by: CRob &lt;69357996+SecurityCRob@users.noreply.github.com&gt;

* Update baseline/OSPS-QA.yaml

Co-authored-by: Ben Cotton &lt;bcotton@funnelfiasco.com&gt;
Signed-off-by: CRob &lt;69357996+SecurityCRob@users.noreply.github.com&gt;

* Update baseline/OSPS-QA.yaml

Co-authored-by: Eleftheria Stein-Kousathana &lt;eleftheria.kousathana@gmail.com&gt;
Signed-off-by: Eddie Knight &lt;knight@linux.com&gt;

* Update OSPS-QA.yaml

suggested update to QA-12

Signed-off-by: CRob &lt;69357996+SecurityCRob@users.noreply.github.com&gt;

* Update OSPS-QA.yaml

better update than the last one

Signed-off-by: CRob &lt;69357996+SecurityCRob@users.noreply.github.com&gt;

* Update OSPS-QA.yaml

an even better update than the last two

Signed-off-by: CRob &lt;69357996+SecurityCRob@users.noreply.github.com&gt;

* Update baseline/OSPS-QA.yaml

Co-authored-by: David A. Wheeler &lt;dwheeler@dwheeler.com&gt;
Signed-off-by: CRob &lt;69357996+SecurityCRob@users.noreply.github.com&gt;

* Update baseline/OSPS-QA.yaml

Co-authored-by: David A. Wheeler &lt;dwheeler@dwheeler.com&gt;
Signed-off-by: CRob &lt;69357996+SecurityCRob@users.noreply.github.com&gt;

* Update baseline/OSPS-QA.yaml

Co-authored-by: David A. Wheeler &lt;dwheeler@dwheeler.com&gt;
Signed-off-by: CRob &lt;69357996+SecurityCRob@users.noreply.github.com&gt;

* Update baseline/OSPS-QA.yaml

Co-authored-by: Eleftheria Stein-Kousathana &lt;eleftheria.kousathana@gmail.com&gt;
Signed-off-by: CRob &lt;69357996+SecurityCRob@users.noreply.github.com&gt;

* Update OSPS-QA.yaml

updated 03 mappings

Signed-off-by: CRob &lt;69357996+SecurityCRob@users.noreply.github.com&gt;

* Updated SBOM criteria and lexicon

Signed-off-by: Eddie Knight &lt;knight@linux.com&gt;

* Update OSPS-QA.yaml

updates to qa03 &amp; 11

Signed-off-by: CRob &lt;69357996+SecurityCRob@users.noreply.github.com&gt;

* Update baseline/OSPS-QA.yaml

Signed-off-by: Eddie Knight &lt;knight@linux.com&gt;

---------

Signed-off-by: Adolfo García Veytia (Puerco) &lt;adolfo.garcia@uservers.net&gt;
Signed-off-by: CRob &lt;69357996+SecurityCRob@users.noreply.github.com&gt;
Signed-off-by: Eddie Knight &lt;knight@linux.com&gt;
Co-authored-by: Adolfo García Veytia (Puerco) &lt;adolfo.garcia@uservers.net&gt;
Co-authored-by: CRob &lt;69357996+SecurityCRob@users.noreply.github.com&gt;
Co-authored-by: Ben Cotton &lt;bcotton@funnelfiasco.com&gt;
Co-authored-by: Eleftheria Stein-Kousathana &lt;eleftheria.kousathana@gmail.com&gt;
Co-authored-by: David A. Wheeler &lt;dwheeler@dwheeler.com&gt;
diff --git a/baseline/OSPS-QA.yaml b/baseline/OSPS-QA.yaml
@@ -62,38 +62,28 @@ criteria:
     security_insights_value: # TODO
 
   - id: OSPS-QA-03
-    maturity_level: 2
+    maturity_level: 1
     criterion: |
-      All released software assets MUST be
-      delivered with a machine-readable list of
-      all direct and transitive internal software
-      dependencies with their associated version
-      identifiers.
+      The code repository MUST contain a dependency 
+      list that accounts for the direct language dependencies
+      when the package management system supports it.
     rationale: |
       Provide transparency and accountability for
-      the project's dependencies, enabling users
-      and contributors to understand the
-      software's dependencies and versions.
+      the project's dependencies
+      while enabling users and contributors to understand the
+      software's direct dependencies.
     details: |
-      This may take the form of a software bill of
-      materials (SBOM) or a dependency file that
-      lists all direct and transitive dependencies
-      such as package.json, Gemfile.lock, or
-      go.sum.
-
-      It is recommended to use a CycloneDX or SPDX
-      file that is auto-generated at build time by
-      a tool that has been vetted for accuracy.
-      This enables users to ingest this data in a
-      standardized approach alongside other
-      projects in their environment.
+      This may take the form a package manager or
+      language dependency file that ennumerates all
+      direct dependencies such as package.json, 
+      Gemfile, or go.mod.
     control_mappings: 
-      BPB: Q-S-9
-      CRA: 1.2b, 2.1
-      SSDF: PO4, PS1
+      BPB: Q-S-8, Q-S-9
+      CRA: 2.1, 2.3
+      SSDF: PO3.3, PS1, PS3.2
       CSF: ID.AM-02
-      OC: 4.3.1
-      OCRE: 486-813, 124-564, 863-521
+      OC: 4.1.5, 4.3.1
+      OCRE: 486-813, 124-564, 673-475,863-521, 613-286
     security_insights_value: # TODO
 
   - id: OSPS-QA-04
@@ -237,3 +227,28 @@ criteria:
     control_mappings:       
       BPB: B-G-3
     security_insights_value: # TODO
+
+  - id: OSPS-QA-11
+    maturity_level: 3
+    criterion: |
+      All compiled released software assets MUST be
+      delivered with a software bill of materials.
+    rationale: |
+      Provide transparency and accountability for
+      the project's dependencies in a standard format,
+      allowing automated systems to understand the
+      software's dependencies and versions.
+    details: |
+      It is recommended to auto-generate SBOMs at build time
+      using a tool that has been vetted for accuracy.
+      This enables users to ingest this data in a
+      standardized approach alongside other
+      projects in their environment.
+    control_mappings: 
+      BPB: Q-S-8, A-S-1
+      CRA: 2.1
+      SSDF: PS3.2, PW4
+      CSF: ID.AM-01, ID.AM-02
+      OC: 4.3.1
+      OCRE: 486-813, 124-564, 863-521, 613-286
+    security_insights_value: # TODO
diff --git a/baseline/lexicon.yaml b/baseline/lexicon.yaml
@@ -266,10 +266,18 @@
     - https://csrc.nist.gov/pubs/sp/800/218/final  
 - term: Software Bill of Materials
   definition: |
-    A manifest or list of all components that make up a given piece of software or hardware, preferably in a machine-readable/macine-parseable format.
-  synonyms: 
-    - SBOM 
-  references: 
+    A list of all components that make up a given piece of software
+    or hardware, formatted as CycloneDX or SPDX. This list must include
+    the following data elements for the components included in the released
+    software asset: license, supplier name, filename of the component,
+    component name, component version, software identifiers, relationship
+    between the components, author of the SBOM data and timestamp. Additionally,
+    for deployable and executable components, the SBOM should record their
+    cryptographic hashes.
+  synonyms:
+    - SBOM
+    - SBOMs
+  references:
     - https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf
     - https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf
     - https://spdx.dev
