Revising Vuln Management controls based on feedback (#205)

eddie-knight · TheFoxAtWork · puerco · web-flow · commit fcc7d01bc620 · 2025-02-24T15:41:32.000-08:00
* Updated SCA and SAST checks

Signed-off-by: Eddie Knight &lt;knight@linux.com&gt;

* improved SCA requirement text

Signed-off-by: Eddie Knight &lt;knight@linux.com&gt;

* Adjusted to have a separate requirement for VEX

Signed-off-by: Eddie Knight &lt;knight@linux.com&gt;

* Update baseline/OSPS-VM.yaml

Co-authored-by: Emily Fox &lt;33327273+TheFoxAtWork@users.noreply.github.com&gt;
Signed-off-by: Eddie Knight &lt;knight@linux.com&gt;

* Update baseline/OSPS-VM.yaml

Co-authored-by: Puerco &lt;puerco@users.noreply.github.com&gt;
Signed-off-by: Eddie Knight &lt;knight@linux.com&gt;

* Update baseline/OSPS-VM.yaml

Co-authored-by: Puerco &lt;puerco@users.noreply.github.com&gt;
Signed-off-by: Eddie Knight &lt;knight@linux.com&gt;

---------

Signed-off-by: Eddie Knight &lt;knight@linux.com&gt;
Co-authored-by: Emily Fox &lt;33327273+TheFoxAtWork@users.noreply.github.com&gt;
Co-authored-by: Puerco &lt;puerco@users.noreply.github.com&gt;
Co-authored-by: CRob &lt;69357996+SecurityCRob@users.noreply.github.com&gt;
diff --git a/baseline/OSPS-VM.yaml b/baseline/OSPS-VM.yaml
@@ -8,139 +8,6 @@ description: |
   security threats and vulnerabilities in the software.
 controls:
   - id: OSPS-VM-01
-    title: |
-      Define a threshold for remediation of SCA findings related to
-      vulnerabilities and licenses
-    objective: |
-      Ensure that the project clearly communicates the threshold for remediation of
-      SCA findings, including vulnerabilities and license issues in software
-      dependencies.
-    family: Vulnerability Management
-    mappings:
-      - reference-id: BPB
-        identifiers:
-          - Q-B-12
-          - Q-S-9
-          - S-B-14
-          - S-B-15
-          - A-B-3
-          - A-B-8
-      - reference-id: CRA
-        identifiers:
-          - 1.2a
-          - 1.2b
-          - 1.2c
-          - 2.1
-          - 2.2
-          - 2.3
-      - reference-id: SSDF
-        identifiers:
-          - PO.4
-          - PW1.2
-          - PW8.1
-          - RV2.1
-          - RV 2.2
-      - reference-id: CSF
-        identifiers:
-          - GV.RM-05
-          - GV.RM-06
-          - GV.PO-01
-          - GV.PO-02
-          - ID.RA-01
-          - ID.RA-08
-          - ID.IM-02
-      - reference-id: OC
-        identifiers:
-          - 4.1.5
-          - 4.2.1
-          - 4.3.2
-      - reference-id: OCRE
-        identifiers:
-          - 124-564
-          - 832-555
-          - 611-158
-          - 207-435
-          - 088-377
-    assessment-requirements:
-      - id: OSPS-VM-01.01
-        text: |
-          The project documentation MUST include a policy that defines a threshold
-          for remediation of SCA findings related to vulnerabilities and licenses.
-        applicability:
-          - Maturity Level 3
-        recommendation: |
-          Document a policy in the project that defines a threshold for
-          remediation of SCA findings related to vulnerabilities and licenses.
-          Include the process for identifying, prioritizing, and remediating
-          these findings.
-
-  - id: OSPS-VM-02
-    title: |
-      Address SCA violations prior to merge and release
-    objective: |
-      Ensure that violations of your SCA policy are addressed before software
-      is merged as well as before it releases, reducing the risk of compromised
-      delivery mechanisms or released software assets that are vulnerable or
-      malicious.
-    family: Vulnerability Management
-    mappings:
-      - reference-id: BPB
-        identifiers:
-          - S-B-14
-          - S-B-15
-          - A-B-3
-          - A-B-8
-      - reference-id: CRA
-        identifiers:
-          - 1.2a
-          - 1.2c
-          - 2.2
-          - 2.3
-      - reference-id: SSDF
-        identifiers:
-          - PW8.1
-      - reference-id: CSF
-        identifiers:
-          - GV.PO-01
-          - GV.PO-02
-          - ID.RA-01
-          - ID.RA-08
-      - reference-id: OC
-        identifiers:
-          - 4.1.5
-      - reference-id: OCRE
-        identifiers:
-          - 486-813
-          - 833-442
-          - 611-158
-          - 207-435
-          - 088-377
-    assessment-requirements:
-      - id: OSPS-VM-02.01
-        text: |
-          The project documentation MUST include a policy to address SCA
-          violations prior to any release.
-        applicability:
-          - Maturity Level 3
-        recommendation: |
-          Document a policy in the project to address applicable Software
-          Composition Analysis results before any release, and add status checks
-          that verify compliance with that policy prior to release.
-      - id: OSPS-VM-02.02
-        text: |
-          All proposed changes to the project's codebase must be automatically
-          evaluated against a documented policy for known vulnerabilities and
-          blocked in the event of violations except when declared and suppressed
-          as non-exploitable.
-        applicability:
-          - Maturity Level 3
-        recommendation: |
-          Create a status check in the project's version control system that
-          runs a Static Application Security Testing (SAST) tool on all changes
-          to the codebase. Require that the status check passes before changes
-          can be merged.
-
-  - id: OSPS-VM-03
     title: |
       Define a policy for coordinated vulnerability reporting
     objective: |
@@ -181,7 +48,7 @@ controls:
         identifiers:
           - 887-750
     assessment-requirements:
-      - id: OSPS-VM-03.01
+      - id: OSPS-VM-01.01
         text: |
           The project documentation MUST include a policy for coordinated
           vulnerability reporting, with a clear timeframe for response.
@@ -194,7 +61,7 @@ controls:
           method for reporting vulnerabilities. Set expectations for the how the
           project will respond and address reported issues.
 
-  - id: OSPS-VM-04
+  - id: OSPS-VM-02
     title: |
       Publish contacts and process for reporting vulnerabilities
     objective: |
@@ -228,7 +95,7 @@ controls:
         identifiers:
           - 464-513
     assessment-requirements:
-      - id: OSPS-VM-04.01
+      - id: OSPS-VM-02.01
         text: |
           The project MUST publish contacts and process for reporting vulnerabilities.
         applicability:
@@ -238,7 +105,7 @@ controls:
           contacts for the project and provide project's process for handling
           vulnerabilities in the project or dependencies.
 
-  - id: OSPS-VM-05
+  - id: OSPS-VM-03
     title: |
       Provide a means for reporting security vulnerabilities privately
     objective: |
@@ -258,7 +125,7 @@ controls:
         identifiers:
           - 308-514
     assessment-requirements:
-      - id: OSPS-VM-05.01
+      - id: OSPS-VM-03.01
         text: |
           The project MUST provide a means for reporting security
           vulnerabilities privately to the security contacts within the project.
@@ -268,7 +135,7 @@ controls:
         recommendation: |
           Enable private bug reporting through VCS or other infrastructure.
 
-  - id: OSPS-VM-06
+  - id: OSPS-VM-04
     title: |
       Publicly publish data about any vulnerabilities discovered
     objective: |
@@ -284,7 +151,7 @@ controls:
           - 2.4
           - 2.6
     assessment-requirements:
-      - id: OSPS-VM-06.01
+      - id: OSPS-VM-04.01
         text: |
           The project MUST publicly publish data about discovered 
           vulnerabilities.
@@ -297,3 +164,144 @@ controls:
           To the degree possible, this information should include affected
           version(s), how a consumer can determine if they are vulnerable, and
           instructions for mitigation or remediation.
+      - id: OSPS-VM-04.02
+        text: |
+          Any vulnerabilities in the software components not affecting the
+          project MUST be accounted for in a VEX document, augmenting
+          the vulnerability report with non-exploitability details.
+        applicability:
+          - Maturity Level 3
+        recommendation: |
+          Establish a VEX feed communicating the exploitability status of 
+          known vulnerabilities, including assessment details or any
+          mitigations in place preventing vulnerable code from being
+          executed.
+
+  - id: OSPS-VM-05
+    title: |
+      Define and enforce a threshold for remediation of SCA findings
+    objective: |
+      Ensure that the project clearly communicates the threshold for remediation
+      of SCA findings, including vulnerabilities and license issues in software
+      dependencies.
+      Ensure that violations of your SCA policy are addressed before software
+      is merged as well as before it releases, reducing the risk of compromised
+      delivery mechanisms or released software assets that are vulnerable or
+      malicious.
+    family: Vulnerability Management
+    mappings:
+      - reference-id: BPB
+        identifiers:
+          - Q-B-12
+          - Q-S-9
+          - S-B-14
+          - S-B-15
+          - A-B-3
+          - A-B-8
+      - reference-id: CRA
+        identifiers:
+          - 1.2a
+          - 1.2b
+          - 1.2c
+          - 2.1
+          - 2.2
+          - 2.3
+      - reference-id: SSDF
+        identifiers:
+          - PO.4
+          - PW1.2
+          - PW8.1
+          - RV2.1
+          - RV 2.2
+      - reference-id: CSF
+        identifiers:
+          - GV.RM-05
+          - GV.RM-06
+          - GV.PO-01
+          - GV.PO-02
+          - ID.RA-01
+          - ID.RA-08
+          - ID.IM-02
+      - reference-id: OC
+        identifiers:
+          - 4.1.5
+          - 4.2.1
+          - 4.3.2
+      - reference-id: OCRE
+        identifiers:
+          - 124-564
+          - 832-555
+          - 611-158
+          - 207-435
+          - 088-377
+    assessment-requirements:
+      - id: OSPS-VM-05.01
+        text: |
+          The project documentation MUST include a policy that defines a
+          threshold for remediation of SCA findings related to vulnerabilities
+          and licenses.
+        applicability:
+          - Maturity Level 3
+        recommendation: |
+          Document a policy in the project that defines a threshold for
+          remediation of SCA findings related to vulnerabilities and licenses.
+          Include the process for identifying, prioritizing, and remediating
+          these findings.
+      - id: OSPS-VM-05.02
+        text: |
+          The project documentation MUST include a policy to address SCA
+          violations prior to any release.
+        applicability:
+          - Maturity Level 3
+        recommendation: |
+          Document a policy in the project to address applicable Software
+          Composition Analysis results before any release, and add status checks
+          that verify compliance with that policy prior to release.
+      - id: OSPS-VM-05.03
+        text: |
+          All changes to the project's codebase MUST be automatically evaluated
+          against a documented policy for malicious dependencies and
+          known vulnerabilities in dependencies and blocked in the event of
+          violations except when declared and suppressed as non-exploitable.
+        applicability:
+          - Maturity Level 3
+        recommendation: |
+          Create a status check in the project's version control system that
+          runs a Software Composition Analysis tool on all changes
+          to the codebase. Require that the status check passes before changes
+          can be merged.
+
+  - id: OSPS-VM-06
+    title: |
+      Define and enforce a threshold for remediation of SAST findings
+    objective: |
+      Identify and address defects and security weaknesses in the project's
+      codebase early in the development process, reducing the risk of shipping
+      insecure software.
+    family: Vulnerability Management
+    mappings: []
+    assessment-requirements:
+      - id: OSPS-VM-06.01
+        text: |
+          The project documentation MUST include a policy that defines a
+          threshold for remediation of SAST findings.
+        applicability:
+          - Maturity Level 3
+        recommendation: |
+          Document a policy in the project that defines a threshold for
+          remediation of Static Application Security Testing (SAST) findings.
+          Include the process for identifying, prioritizing, and remediating
+          these findings.
+      - id: OSPS-VM-06.02
+        text: |
+          All changes to the project's codebase MUST be automatically evaluated
+          against a documented policy for security weaknesses and blocked in the
+          event of violations except when declared and suppressed as
+          non-exploitable.
+        applicability:
+          - Maturity Level 3
+        recommendation: |
+          Create a status check in the project's version control system that
+          runs a Static Application Security Testing (SAST) tool on all changes
+          to the codebase. Require that the status check passes before changes
+          can be merged.
