@@ -11,7 +11,8 @@ description: |
1111controls :
1212 - id : OSPS-QA-01
1313 title : |
14- Ensure that the project's work processes are publicly transparent
14+ The project's source code and change history MUST be publicly readable at
15+ a static URL.
1516 objective : |
1617 Enable users to access and review the project's source code and history,
1718 promoting transparency and collaboration within the project community.
@@ -51,8 +52,8 @@ controls:
5152 assessment-requirements :
5253 - id : OSPS-QA-01.01
5354 text : |
54- The project's source code MUST be publicly readable and have a static
55- URL.
55+ While active, the project's source code repository MUST be publicly
56+ readable at a static URL.
5657 applicability :
5758 - Maturity Level 1
5859 - Maturity Level 2
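Review bot: "While active" is introduced here as a scoping condition for OSPS-QA-01.01, but nothing in this hunk or in the control's objective defines when a project counts as active, so an assessor cannot tell whether an archived or dormant project is exempt from keeping its repository public. Suggest either defining the term alongside the maturity levels or stating the concrete condition intended, e.g. "Until the project is formally archived, the project's source code repository MUST be publicly readable at a static URL."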
@@ -62,11 +63,12 @@ controls:
6263 repository is publicly readable. Avoid duplication or mirroring of
6364 repositories unless highly visible documentation clarifies the primary
6465 source. Avoid frequent changes to the repository that would impact the
65- repository URL.
66+ repository URL. Ensure the repository is public.
6667 - id : OSPS-QA-01.02
6768 text : |
6869 The version control system MUST contain a publicly readable record of
69- all changes made, who made the changes, and when the changes were made.
70+ all changes made, who made the changes, and when the changes were
71+ made.
7072 applicability :
7173 - Maturity Level 1
7274 - Maturity Level 2
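Review bot: the appended sentence "Ensure the repository is public." duplicates the first sentence of the same recommendation, which already says the "repository is publicly readable"; drop it or fold the two together. The OSPS-QA-01.02 change in this hunk is a rewrap only, with no change in wording.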
@@ -78,7 +80,7 @@ controls:
7880
7981 - id : OSPS-QA-02
8082 title : |
81- Document dependencies for released software assets
83+ The project MUST provide a list of dependencies used in the software.
8284 objective : |
8385 Provide transparency and accountability for the project's dependencies
8486 while enabling users and contributors to understand the software's direct
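Review bot: the new title "The project MUST provide a list of dependencies used in the software." states a broader requirement than the control's assessment requirements, which are limited to direct language dependencies when the package manager supports it (OSPS-QA-02.01) and an SBOM for compiled release assets (OSPS-QA-02.02). Either scope the title to match, e.g. "The project MUST provide a list of the software's direct dependencies.", or make it explicit in the schema that titles are summaries rather than normative text.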
@@ -115,9 +117,9 @@ controls:
115117 assessment-requirements :
116118 - id : OSPS-QA-02.01
117119 text : |
118- The source code repository MUST contain a dependency list that
119- accounts for the direct language dependencies when the package
120- management system supports it .
120+ When the package management system supports it, the source code
121+ repository MUST contain a dependency list that accounts for the direct
122+ language dependencies .
121123 applicability :
122124 - Maturity Level 1
123125 - Maturity Level 2
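Review bot: moving the condition to the front makes OSPS-QA-02.01 easier to read, but the requirement still does not say how it is assessed when the package management system does not support a dependency list (not applicable, pass, or fail). Suggest stating the outcome for the unmet condition in the text or the recommendation, since a conditional MUST without it is ambiguous for automated assessment.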
@@ -128,8 +130,8 @@ controls:
128130 or go.mod.
129131 - id : OSPS-QA-02.02
130132 text : |
131- All compiled released software assets MUST be delivered with a
132- software bill of materials.
133+ When the project has made a release, all compiled released software
134+ assets MUST be delivered with a software bill of materials.
133135 applicability :
134136 - Maturity Level 3
135137 recommendation : |
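Review bot: the new lead-in "When the project has made a release," is tautological with "all compiled released software assets" later in the same sentence. If the trigger phrasing is being added for consistency with the other requirements, consider "When the project publishes a compiled software asset, that asset MUST be delivered with a software bill of materials." so that release is not stated twice.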
@@ -140,7 +142,8 @@ controls:
140142
141143 - id : OSPS-QA-03
142144 title : |
143- Automated status checks for commits don't fail prior to merge
145+ Any automated status checks for commits MUST pass or require manual
146+ acknowledgement prior to merge.
144147 objective : |
145148 Ensure that the project's approvers do not become accustomed to tolerating
146149 failing status checks, even if arbitrary, because it increases the risk of
@@ -162,8 +165,8 @@ controls:
162165 assessment-requirements :
163166 - id : OSPS-QA-03.01
164167 text : |
165- Any automated status checks for commits MUST pass or require manual
166- acknowledgement prior to merge .
168+ When a commit is made to the primary branch, any automated status
169+ checks for commits MUST pass or be manually bypassed .
167170 applicability :
168171 - Maturity Level 2
169172 - Maturity Level 3
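Review bot: the rewritten OSPS-QA-03.01 no longer agrees with the control title in this same change: the title says checks MUST pass "or require manual acknowledgement", while the requirement says "or be manually bypassed". A bypass that merely exists satisfies the second wording even when nobody acknowledged the failure, which is exactly what the objective ("approvers do not become accustomed to tolerating failing status checks") is meant to prevent. "When a commit is made to the primary branch" also describes a moment after the merge, whereas the checks must pass before it; suggest "Before a change is merged into the primary branch, any automated status checks MUST pass or be explicitly acknowledged by an approver."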
@@ -176,7 +179,9 @@ controls:
176179
177180 - id : OSPS-QA-04
178181 title : |
179- Enforce matching requirements for subproject code repositories
182+ Any additional subproject code repositories produced by the project
183+ and compiled into a release MUST enforce security requirements as
184+ applicable to the status and intent of the respective codebase.
180185 objective : |
181186 Ensure that additional code repositories or subprojects produced by the
182187 project are held to a standard that is clear and appropriate for that
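Review bot: the new OSPS-QA-04 title only describes the Level 3 enforcement requirement (OSPS-QA-04.02) and says nothing about the Level 1 documentation requirement (OSPS-QA-04.01) introduced in the following hunk, so a reader scanning titles would not see that a Level 1 project has any obligation under this control. Suggest a title that spans both, e.g. "The project MUST document its subproject repositories and hold them to appropriate security requirements."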
@@ -199,24 +204,34 @@ controls:
199204 assessment-requirements :
200205 - id : OSPS-QA-04.01
201206 text : |
202- Any additional subproject code repositories produced by the project
203- and compiled into a release MUST enforce security requirements as
204- applicable to the status and intent of the respective codebase.
207+ While active, the project documentation MUST contain a list of any
208+ codebases that are considered subprojects or additional repositories.
209+ applicability :
210+ - Maturity Level 1
211+ recommendation : |
212+ Document any additional subproject code repositories produced by the
213+ project and compiled into a release. This documentation should include
214+ the status and intent of the respective codebase.
215+ - id : OSPS-QA-04.02
216+ text : |
217+ When the project has made a release comprising multiple source code
218+ repositories, all subprojects MUST enforce security requirements that
219+ are as strict or stricter than the primary codebase.
205220 applicability :
206221 - Maturity Level 3
207222 recommendation : |
208- The parent project should maintain a list of any codebases that are
209- considered subprojects or additional repositories. Collaborators on
210- those repositories should identify the proper maturity level and apply
211- the Open Source Project Security Baseline to the codebase. Any
212- subproject or repository from the project which is compiled into the
213- primary project must be held to the same standard as the primary
214- project. Others may be held to a lower standard if they have lower
215- levels of adoption or are not intended for general use.
223+ Any additional subproject code repositories produced by the project
224+ and compiled into a release must enforce security requirements as
225+ applicable to the status and intent of the respective codebase.
226+ In addition to following the corresponding OSPS Baseline requirements,
227+ this may include requiring a security review, ensuring that it is
228+ free of vulnerabilities, and ensuring that it is free of known
229+ security issues.
216230
217231 - id : OSPS-QA-05
218232 title : |
219- Remove generated executable artifacts from the version control system
233+ The version control system MUST NOT contain generated executable
234+ artifacts.
220235 objective : |
221236 Reduce the risk of including generated executable artifacts in the
222237 project's version control system, ensuring that only source code and
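Review bot: the recommendation for OSPS-QA-04.02 contradicts its requirement text: the text says subprojects MUST enforce requirements "as strict or stricter than the primary codebase", while the recommendation says they must enforce requirements "as applicable to the status and intent of the respective codebase", which is the permissive wording the old recommendation used to allow lower standards for less adopted repositories. Pick one; if the requirement is the strict one, the recommendation should say so, and the status/intent language belongs only under OSPS-QA-04.01. The closing list is also redundant and not assessable as written: "ensuring that it is free of vulnerabilities" and "ensuring that it is free of known security issues" say the same thing, and no project can attest to being free of unknown vulnerabilities; suggest "ensuring that it has no known unresolved vulnerabilities".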
@@ -236,9 +251,10 @@ controls:
236251 assessment-requirements :
237252 - id : OSPS-QA-05.01
238253 text : |
239- The version control system MUST NOT contain generated executable
240- artifacts.
254+ While active, the version control system MUST NOT contain generated
255+ executable artifacts.
241256 applicability :
257+ - Maturity Level 1
242258 - Maturity Level 2
243259 - Maturity Level 3
244260 recommendation : |
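Review bot: adding Maturity Level 1 to the applicability of OSPS-QA-05.01 is a scope change rather than an editorial one: Level 1 projects that currently keep generated executables in version control will newly fail the baseline. Suggest calling that out separately from the wording changes so it can be reviewed on its own merits.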
@@ -250,7 +266,8 @@ controls:
250266
251267 - id : OSPS-QA-06
252268 title : |
253- Use at least one automated test suite for the source code repository
269+ The project MUST use at least one automated test suite for the source
270+ code repository.
254271 objective : |
255272 Ensure that the project uses at least one automated test suite for the
256273 source code repository which clearly documents when and how tests are run.
@@ -279,8 +296,9 @@ controls:
279296 assessment-requirements :
280297 - id : OSPS-QA-06.01
281298 text : |
282- The project MUST use at least one automated test suite for the source
283- code repository.
299+ Prior to a commit being accepted, the project's CI/CD pipelines MUST
300+ run at least one automated test suite to ensure the changes meet
301+ expectations.
284302 applicability :
285303 - Maturity Level 2
286304 - Maturity Level 3
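Review bot: OSPS-QA-06.01 now requires that CI/CD pipelines run a test suite "prior to a commit being accepted", which is a different and stronger requirement than the control title ("The project MUST use at least one automated test suite for the source code repository") and overlaps with OSPS-QA-03.01, which already covers status checks before merge. If the intent is to require tests as a merge gate, the title should say so and the relationship to OSPS-QA-03 should be made explicit; if the intent is only that a test suite exists, drop the CI/CD trigger. The phrase "to ensure the changes meet expectations" is also vague and adds nothing assessable.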
@@ -294,8 +312,8 @@ controls:
294312 end-to-end tests.
295313 - id : OSPS-QA-06.02
296314 text : |
297- The project's documentation MUST clearly document when and how tests
298- are run.
315+ While active, project's documentation MUST clearly document when and
316+ how tests are run.
299317 applicability :
300318 - Maturity Level 3
301319 recommendation : |
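Review bot: missing article in the new OSPS-QA-06.02 text: "While active, project's documentation MUST" should read "While active, the project's documentation MUST", matching the wording used in OSPS-QA-06.03.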
@@ -305,9 +323,9 @@ controls:
305323 interpret the results.
306324 - id : OSPS-QA-06.03
307325 text : |
308- The project's documentation MUST include a policy that all major
309- changes to the software produced by the project should add or update
310- tests of the functionality in an automated test suite.
326+ While active, the project's documentation MUST include a policy that
327+ all major changes to the software produced by the project should add
328+ or update tests of the functionality in an automated test suite.
311329 applicability :
312330 - Maturity Level 3
313331 recommendation : |
@@ -317,7 +335,8 @@ controls:
317335
318336 - id : OSPS-QA-07
319337 title : |
320- Require at least one non-author approval of changes before merging
338+ The project's version control system MUST require at least one
339+ non-author approval of changes to the primary branch.
321340 objective : |
322341 Ensure that the project's version control system requires at least one
323342 non-author approval of changes before merging into the release or primary
@@ -330,9 +349,9 @@ controls:
330349 assessment-requirements :
331350 - id : OSPS-QA-07.01
332351 text : |
333- The project's version control system MUST require at least one
334- non-author approval of changes before merging into the release or
335- primary branch .
352+ When a commit is made to the primary branch, the project's version
353+ control system MUST require at least one non-author approval of the
354+ changes before merging .
336355 applicability :
337356 - Maturity Level 3
338357 recommendation : |
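Review bot: the new OSPS-QA-07.01 text drops "release or" from "release or primary branch", but the control objective left unchanged just above still says "before merging into the release or primary branch", so the requirement and its objective now disagree on whether release branches need non-author approval. Also "When a commit is made to the primary branch ... before merging" pairs a post-merge trigger with a pre-merge condition; suggest "Before a change is merged into the primary or a release branch, the project's version control system MUST require at least one non-author approval of the change."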