@@ -62,31 +62,21 @@ criteria:
6262 security_insights_value : # TODO
6363
6464 - id : OSPS-QA-03
65- maturity_level : 2
65+ maturity_level : 1
6666 criterion : |
67- All released software assets MUST be
68- delivered with a machine-readable list of
69- all direct and transitive internal software
70- dependencies with their associated version
71- identifiers.
67+ The code repository should contain a dependency
68+ list that accounts for the direct language dependencies
69+ when the package management system supports it.
7270 rationale : |
7371 Provide transparency and accountability for
74- the project's dependencies, enabling users
75- and contributors to understand the
76- software's dependencies and versions .
72+ the project's dependencies by fixing the desired versions
73+ while enabling users and contributors to understand the
74+ software's direct dependencies .
7775 details : |
78- This may take the form of a software bill of
79- materials (SBOM) or a dependency file that
80- lists all direct and transitive dependencies
81- such as package.json, Gemfile.lock, or
82- go.sum.
83-
84- It is recommended to use a CycloneDX or SPDX
85- file that is auto-generated at build time by
86- a tool that has been vetted for accuracy.
87- This enables users to ingest this data in a
88- standardized approach alongside other
89- projects in their environment.
76+ This may take the form a package manager or
77+ language dependency lock file that ennumerates all
78+ direct and, ideally, transitive build dependencies such as
79+ package.json, Gemfile.lock, or go.sum.
9080 control_mappings :
9181 BPB : Q-S-9
9282 CRA : 1.2b, 2.1
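Review bot: The new details block for OSPS-QA-03 lists `package.json` as an example of a "package manager or language dependency lock file", but `package.json` is a manifest, not a lock file; the npm equivalent of `Gemfile.lock` and `go.sum` is `package-lock.json` (or `yarn.lock`), and the rationale's "fixing the desired versions" only holds for the lock file. Suggest `package-lock.json, Gemfile.lock, or go.sum`. The same block has two wording slips: "This may take the form a package manager" is missing "of", and "ennumerates" should be "enumerates". Separately, the criterion now uses "should" while the other criteria in this file use "MUST"; if the drop from MUST to should is intended alongside the move from maturity level 2 to 1, the key-word usage should still match the file's convention so tooling that keys on the RFC 2119 terms treats it consistently.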
@@ -237,3 +227,60 @@ criteria:
237227 control_mappings :
238228 BPB : B-G-3
239229 security_insights_value : # TODO
230+
231+ - id : OSPS-QA-11
232+ maturity_level : 2
233+ criterion : |
234+ All released software assets MUST be
235+ delivered with a software bill of materials
236+ (SBOM) in SPDX or CycloneDX format accounting
237+ all direct software dependencies with their
238+ associated version identifiers.
239+ rationale : |
240+ Provide transparency and accountability for
241+ the project's dependencies in a standard format
242+ allowing automated systems to understand the
243+ software's dependencies and versions.
244+ details : |
245+ It is recommended to use a CycloneDX or SPDX
246+ file that is auto-generated at build time by
247+ a tool that has been vetted for accuracy.
248+ This enables users to ingest this data in a
249+ standardized approach alongside other
250+ projects in their environment.
251+ control_mappings :
252+ BPB : Q-S-9
253+ CRA : 13.24, I.II.1, VII.2
254+ SSDF : PS3, PW4
255+ CSF : ID.AM-02
256+ OC : 4.3.1
257+ OCRE : 486-813, 124-564, 863-521
258+ security_insights_value : # TODO
259+
260+ - id : OSPS-QA-12
261+ maturity_level : 3
262+ criterion : |
263+ The software bill of materials describing the release assets
264+ should provide the following data elements for the components
265+ used in the build: license, supplier name, filename of the component,
266+ component name, component version, software identifiers,
267+ relationship between the components, author of the
268+ SBOM data and timestamp.
269+
270+ Assitionally, for deployable and executable components
271+ the SBOM should record their cryptgraphic hashes.
272+ rationale : |
273+ Provide the minimal data elements required to validate,
274+ verify the integrity of software components and assess risk.
275+ details : |
276+ SBOM generation tools can specialize on one kind of data element.
277+ Supplying the required data in multiple software bills of materials
278+ can be done although, ideally, data should be combined into one.
279+ control_mappings :
280+ BPB : Q-S-9
281+ CRA : 13.24, I.II.1, II.2
282+ SSDF : PS3, PW4
283+ CSF : ID.AM-02
284+ OC : 4.3.1
285+ OCRE : 486-813, 124-564, 863-521
286+ security_insights_value : # TODO
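Review bot: With this hunk, transitive dependencies are no longer required anywhere: the old OSPS-QA-03 text at level 2 required "all direct and transitive" dependencies, while the new OSPS-QA-11 at level 2 covers only "all direct software dependencies" and QA-03 keeps transitive ones only as "ideally". If that regression is intended, the commit message should say so; otherwise suggest restoring "direct and transitive" in the QA-11 criterion. Two typos in the QA-12 criterion: "Assitionally" should be "Additionally" and "cryptgraphic" should be "cryptographic". In the QA-11 criterion, "accounting all direct software dependencies" reads better as "accounting for all direct software dependencies". The QA-12 criterion uses "should" for every element while QA-11 uses "MUST" at a lower maturity level; for a level-3 control that lists the minimum data elements needed to "verify the integrity of software components", "MUST" is the consistent choice. The QA-12 details allow the required elements to be split across multiple SBOMs but give no rule for which document is authoritative when they disagree (for example on component version or hash); suggest stating that the combined set must be consistent or that one document is designated primary. Both new entries leave `security_insights_value: # TODO`, so the mapping to Security Insights is still open for this change.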