Add dependency/SBOM criteria and releveling #163
SecurityCRob
left a comment
I need to adjust the xls to account for this change, but +1
baseline/OSPS-QA.yaml (outdated)
language dependency lock file that ennumerates all
direct and transitive dependencies such as
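Review bot: "ennumerates" on the first quoted line of this details block is a typo for "enumerates"; suggest correcting it in the same pass that resolves the "direct" versus "direct and transitive" wording.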
Details says "direct and transitive" but criteria says "direct". Which do we require here?
@SecurityCRob I'm happy to add it to the spreadsheet.
eddie-knight
left a comment
I noticed that the first entry needs to be changed to follow our criterion format
This commit updates the dependency criteria to add increasing transparency requirements at each level. Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
funnelfiasco
left a comment
I think we should soften the language in the rationale/details to make it clear that what we're looking for in this criterion is enumeration, not pinning.
On the other hand, if we do want to require some form of pinning at level 1, we need to
- Update the criterion text to include that
- Specify what sort of pinning is sufficient (e.g. minimum version, branch/release name, specific version, hash, etc etc etc)
For clarity: my strong preference is to go with the first approach and focus on enumeration at level 1.
I'll figure this out today, no worries!
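The distinction raised above (enumeration of direct and transitive dependencies versus some form of pinning, and which form of pinning would count) is easy to make concrete against a lock file. The following is an added example, not code from this PR or the Baseline project: it parses a constructed sample in the style of pip-compile output (the "# via" annotations, where "-r <file>" marks a direct requirement and a package name marks a transitive one), classifies each entry by pin strength (unpinned, version range, branch/tag name, exact version, hash), and reports which entries would fail a given minimum. The sample lock content, the `PIN_STRENGTH` ordering and all function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lock file (not from the PR), modelled on pip-compile style output:
# a "# via" annotation records why each package is present.
SAMPLE_LOCK = r"""
# constructed example lock file
certifi==2024.2.2 \
    --hash=sha256:aaaa \
    --hash=sha256:bbbb
    # via requests
requests>=2.31
    # via -r requirements.in
urllib3==2.2.1
    # via requests
pyyaml
    # via -r requirements.in
mylib @ git+https://example.invalid/mylib.git@main
    # via -r requirements.in
"""

# Pin forms from weakest to strongest (assumed ordering); "vcs-ref" is a branch
# or tag name, which can be moved after the lock file was written.
PIN_STRENGTH = ["unpinned", "range", "vcs-ref", "exact", "hash"]

@dataclass
class Dep:
    name: str
    pin: str                       # one of PIN_STRENGTH
    direct: Optional[bool] = None  # None when the lock file carries no "via" annotation

_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued physical lines into logical requirement lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out

def classify(req: str) -> str:
    """Return how tightly a single requirement line fixes what gets installed."""
    if "--hash=" in req:
        return "hash"
    if " @ " in req:  # PEP 508 direct reference, e.g. name @ git+https://host/repo.git@ref
        ref = req.split("@")[-1].strip()
        if re.fullmatch(r"[0-9a-f]{40}", ref):
            return "hash"      # a full commit SHA is content-addressed
        if "/" in ref or ":" in ref:
            return "unpinned"  # URL with no ref at all
        return "vcs-ref"
    if "==" in req:
        return "exact"
    if re.search(r"(>=|<=|~=|!=|>|<)", req):
        return "range"
    return "unpinned"

def parse_lock(text: str) -> List[Dep]:
    """Enumerate every entry in the lock file with its pin strength and direct/transitive status."""
    deps: List[Dep] = []
    for line in _logical_lines(text):
        s = line.strip()
        if not s:
            continue
        if s.startswith("#"):
            m = re.match(r"#\s*via\s+(.*)", s)
            if m and deps:
                deps[-1].direct = m.group(1).strip().startswith("-r")
            continue
        m = _NAME.match(s)
        if m:
            deps.append(Dep(name=m.group(1).lower(), pin=classify(s)))
    return deps

def summary(deps: List[Dep]) -> dict:
    return {
        "total": len(deps),
        "direct": sum(d.direct is True for d in deps),
        "transitive": sum(d.direct is False for d in deps),
        "by_pin": {k: sum(d.pin == k for d in deps) for k in PIN_STRENGTH},
    }

def violations(deps: List[Dep], minimum: str) -> List[str]:
    """Names pinned more weakly than `minimum`; "unpinned" as the floor means enumeration only."""
    floor = PIN_STRENGTH.index(minimum)
    return sorted(d.name for d in deps if PIN_STRENGTH.index(d.pin) < floor)
```

Run `parse_lock(SAMPLE_LOCK)` and then `violations(...)` with the floor you have in mind: with `"unpinned"` as the floor every enumerated entry passes, which is what the enumeration-only reading of the criterion asks for; raising the floor to `"exact"` or `"hash"` shows how many entries a pinning requirement would fail, and the `summary` counts separate direct from transitive entries so the "direct" versus "direct and transitive" question can be answered from the same data.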
Co-authored-by: Ben Cotton <bcotton@funnelfiasco.com> Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Co-authored-by: Ben Cotton <bcotton@funnelfiasco.com> Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Signed-off-by: Evan Anderson <evan@stacklok.com>
* Enhancement of SA rationales and implementation details <title> Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
* Update baseline/OSPS-SA.yaml Co-authored-by: Puerco <puerco@users.noreply.github.com> Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
* Update baseline/OSPS-SA.yaml Co-authored-by: Puerco <puerco@users.noreply.github.com> Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
* Moved some content into lexicon entries Signed-off-by: Eddie Knight <knight@linux.com>
* Update baseline/OSPS-SA.yaml Co-authored-by: Ben Cotton <ben@kusari.dev> Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
---------
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Signed-off-by: Eddie Knight <knight@linux.com>
Co-authored-by: Puerco <puerco@users.noreply.github.com>
Co-authored-by: Eddie Knight <knight@linux.com>
Co-authored-by: Ben Cotton <ben@kusari.dev>
Co-authored-by: Eleftheria Stein-Kousathana <eleftheria.kousathana@gmail.com> Signed-off-by: Eddie Knight <knight@linux.com>
suggested update to QA-12 Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
better update than the last one Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
an even better update than the last two Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
* Add a maintenance process Signed-off-by: Ben Cotton <ben@kusari.dev>
* Remove "Scorecard/Insights values" from allowed changes Co-authored-by: Eddie Knight <knight@linux.com> Signed-off-by: Ben Cotton <bcotton@funnelfiasco.com>
* Update the examples to use our CalVer scheme And also comment them out so that they aren't rendered until there are actual things to put there. Signed-off-by: Ben Cotton <ben@kusari.dev>
* Reflect new numbering system Signed-off-by: Ben Cotton <ben@kusari.dev>
* Correct wording per ossf#175 Co-authored-by: Eddie Knight <knight@linux.com> Signed-off-by: Ben Cotton <bcotton@funnelfiasco.com>
---------
Signed-off-by: Ben Cotton <ben@kusari.dev>
Signed-off-by: Ben Cotton <bcotton@funnelfiasco.com>
Co-authored-by: Eddie Knight <knight@linux.com>
Signed-off-by: Ben Cotton <ben@kusari.dev>
Signed-off-by: Eddie Knight <knight@linux.com>
* Update lexicon.yaml with control mappings add control mapping references Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
* Update baseline/lexicon.yaml Co-authored-by: Eddie Knight <knight@linux.com> Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
* Update lexicon.yaml tweaked ssdf Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
* Update lexicon.yaml now with 100% MOAR SBOM! Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
* Fix yaml formatting Signed-off-by: Ben Cotton <ben@kusari.dev>
* Apply suggestions from code review Co-authored-by: Puerco <puerco@users.noreply.github.com> Signed-off-by: Eddie Knight <knight@linux.com>
---------
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Signed-off-by: Ben Cotton <ben@kusari.dev>
Signed-off-by: Eddie Knight <knight@linux.com>
Co-authored-by: Eddie Knight <knight@linux.com>
Co-authored-by: Ben Cotton <ben@kusari.dev>
Co-authored-by: Puerco <puerco@users.noreply.github.com>
Signed-off-by: Ben Cotton <ben@kusari.dev>
Signed-off-by: Ben Cotton <ben@kusari.dev>
Co-authored-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Co-authored-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Co-authored-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Co-authored-by: Eleftheria Stein-Kousathana <eleftheria.kousathana@gmail.com> Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
updated 03 mappings Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
…e into pull/163/head
Signed-off-by: Eddie Knight <knight@linux.com>
updates to qa03 & 11 Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
This PR history has gone sideways, and the fix seems more complex than is worthwhile at the moment. I've copied these commits to a new branch and PR.
Pull request was closed
This commit updates the dependency criteria to add increasing transparency requirements at each level:
In addition to the two new ones, OSPS-QA-03 is simplified and releveled to 1.
Signed-off-by: Adolfo García Veytia (Puerco) adolfo.garcia@uservers.net