diff --git a/baseline/OSPS-VM.yaml b/baseline/OSPS-VM.yaml index 3e4da89..211ebd6 100644 --- a/baseline/OSPS-VM.yaml +++ b/baseline/OSPS-VM.yaml 
@@ -8,139 +8,6 @@ description: | security threats and vulnerabilities in the software. controls: - id: OSPS-VM-01 - title: | - Define a threshold for remediation of SCA findings related to - vulnerabilities and licenses - objective: | - Ensure that the project clearly communicates the threshold for remediation of - SCA findings, including vulnerabilities and license issues in software - dependencies. - family: Vulnerability Management - mappings: - - reference-id: BPB - identifiers: - - Q-B-12 - - Q-S-9 - - S-B-14 - - S-B-15 - - A-B-3 - - A-B-8 - - reference-id: CRA - identifiers: - - 1.2a - - 1.2b - - 1.2c - - 2.1 - - 2.2 - - 2.3 - - reference-id: SSDF - identifiers: - - PO.4 - - PW1.2 - - PW8.1 - - RV2.1 - - RV 2.2 - - reference-id: CSF - identifiers: - - GV.RM-05 - - GV.RM-06 - - GV.PO-01 - - GV.PO-02 - - ID.RA-01 - - ID.RA-08 - - ID.IM-02 - - reference-id: OC - identifiers: - - 4.1.5 - - 4.2.1 - - 4.3.2 - - reference-id: OCRE - identifiers: - - 124-564 - - 832-555 - - 611-158 - - 207-435 - - 088-377 - assessment-requirements: - - id: OSPS-VM-01.01 - text: | - The project documentation MUST include a policy that defines a threshold - for remediation of SCA findings related to vulnerabilities and licenses. - applicability: - - Maturity Level 3 - recommendation: | - Document a policy in the project that defines a threshold for - remediation of SCA findings related to vulnerabilities and licenses. - Include the process for identifying, prioritizing, and remediating - these findings. - - - id: OSPS-VM-02 - title: | - Address SCA violations prior to merge and release - objective: | - Ensure that violations of your SCA policy are addressed before software - is merged as well as before it releases, reducing the risk of compromised - delivery mechanisms or released software assets that are vulnerable or - malicious. 
- family: Vulnerability Management - mappings: - - reference-id: BPB - identifiers: - - S-B-14 - - S-B-15 - - A-B-3 - - A-B-8 - - reference-id: CRA - identifiers: - - 1.2a - - 1.2c - - 2.2 - - 2.3 - - reference-id: SSDF - identifiers: - - PW8.1 - - reference-id: CSF - identifiers: - - GV.PO-01 - - GV.PO-02 - - ID.RA-01 - - ID.RA-08 - - reference-id: OC - identifiers: - - 4.1.5 - - reference-id: OCRE - identifiers: - - 486-813 - - 833-442 - - 611-158 - - 207-435 - - 088-377 - assessment-requirements: - - id: OSPS-VM-02.01 - text: | - The project documentation MUST include a policy to address SCA - violations prior to any release. - applicability: - - Maturity Level 3 - recommendation: | - Document a policy in the project to address applicable Software - Composition Analysis results before any release, and add status checks - that verify compliance with that policy prior to release. - - id: OSPS-VM-02.02 - text: | - All proposed changes to the project's codebase must be automatically - evaluated against a documented policy for known vulnerabilities and - blocked in the event of violations except when declared and suppressed - as non-exploitable. - applicability: - - Maturity Level 3 - recommendation: | - Create a status check in the project's version control system that - runs a Static Application Security Testing (SAST) tool on all changes - to the codebase. Require that the status check passes before changes - can be merged. - - - id: OSPS-VM-03 title: | Define a policy for coordinated vulnerability reporting objective: | @@ -181,7 +48,7 @@ controls: identifiers: - 887-750 assessment-requirements: - - id: OSPS-VM-03.01 + - id: OSPS-VM-01.01 text: | The project documentation MUST include a policy for coordinated vulnerability reporting, with a clear timeframe for response. 
@@ -194,7 +61,7 @@ controls: method for reporting vulnerabilities. Set expectations for the how the project will respond and address reported issues. - - id: OSPS-VM-04 + - id: OSPS-VM-02 title: | Publish contacts and process for reporting vulnerabilities objective: | @@ -228,7 +95,7 @@ controls: identifiers: - 464-513 assessment-requirements: - - id: OSPS-VM-04.01 + - id: OSPS-VM-02.01 text: | The project MUST publish contacts and process for reporting vulnerabilities. applicability: @@ -238,7 +105,7 @@ controls: contacts for the project and provide project's process for handling vulnerabilities in the project or dependencies. - - id: OSPS-VM-05 + - id: OSPS-VM-03 title: | Provide a means for reporting security vulnerabilities privately objective: | @@ -258,7 +125,7 @@ controls: identifiers: - 308-514 assessment-requirements: - - id: OSPS-VM-05.01 + - id: OSPS-VM-03.01 text: | The project MUST provide a means for reporting security vulnerabilities privately to the security contacts within the project. @@ -268,7 +135,7 @@ controls: recommendation: | Enable private bug reporting through VCS or other infrastructure. - - id: OSPS-VM-06 + - id: OSPS-VM-04 title: | Publicly publish data about any vulnerabilities discovered objective: | @@ -284,7 +151,7 @@ controls: - 2.4 - 2.6 assessment-requirements: - - id: OSPS-VM-06.01 + - id: OSPS-VM-04.01 text: | The project MUST publicly publish data about discovered vulnerabilities. 
@@ -297,3 +164,144 @@ controls: To the degree possible, this information should include affected version(s), how a consumer can determine if they are vulnerable, and instructions for mitigation or remediation. + - id: OSPS-VM-04.02 + text: | + Any vulnerabilities in the software components not affecting the + project MUST be accounted for in a VEX document, augmenting + the vulnerability report with non-exploitability details. + applicability: + - Maturity Level 3 + recommendation: | + Establish a VEX feed communicating the exploitability status of + known vulnerabilities, including assessment details or any + mitigations in place preventing vulnerable code from being + executed. + + - id: OSPS-VM-05 + title: | + Define and enforce a threshold for remediation of SCA findings + objective: | + Ensure that the project clearly communicates the threshold for remediation + of SCA findings, including vulnerabilities and license issues in software + dependencies. + Ensure that violations of your SCA policy are addressed before software + is merged as well as before it releases, reducing the risk of compromised + delivery mechanisms or released software assets that are vulnerable or + malicious. 
+ family: Vulnerability Management + mappings: + - reference-id: BPB + identifiers: + - Q-B-12 + - Q-S-9 + - S-B-14 + - S-B-15 + - A-B-3 + - A-B-8 + - reference-id: CRA + identifiers: + - 1.2a + - 1.2b + - 1.2c + - 2.1 + - 2.2 + - 2.3 + - reference-id: SSDF + identifiers: + - PO.4 + - PW1.2 + - PW8.1 + - RV2.1 + - RV 2.2 + - reference-id: CSF + identifiers: + - GV.RM-05 + - GV.RM-06 + - GV.PO-01 + - GV.PO-02 + - ID.RA-01 + - ID.RA-08 + - ID.IM-02 + - reference-id: OC + identifiers: + - 4.1.5 + - 4.2.1 + - 4.3.2 + - reference-id: OCRE + identifiers: + - 124-564 + - 832-555 + - 611-158 + - 207-435 + - 088-377 + assessment-requirements: + - id: OSPS-VM-05.01 + text: | + The project documentation MUST include a policy that defines a + threshold for remediation of SCA findings related to vulnerabilities + and licenses. + applicability: + - Maturity Level 3 + recommendation: | + Document a policy in the project that defines a threshold for + remediation of SCA findings related to vulnerabilities and licenses. + Include the process for identifying, prioritizing, and remediating + these findings. + - id: OSPS-VM-05.02 + text: | + The project documentation MUST include a policy to address SCA + violations prior to any release. + applicability: + - Maturity Level 3 + recommendation: | + Document a policy in the project to address applicable Software + Composition Analysis results before any release, and add status checks + that verify compliance with that policy prior to release. + - id: OSPS-VM-05.03 + text: | + All changes to the project's codebase MUST be automatically evaluated + against a documented policy for malicious dependencies and + known vulnerabilities in dependencies and blocked in the event of + violations except when declared and suppressed as non-exploitable. 
+ applicability: + - Maturity Level 3 + recommendation: | + Create a status check in the project's version control system that + runs a Software Composition Analysis tool on all changes + to the codebase. Require that the status check passes before changes + can be merged. + + - id: OSPS-VM-06 + title: | + Define and enforce a threshold for remediation of SAST findings + objective: | + Identify and address defects and security weaknesses in the project's + codebase early in the development process, reducing the risk of shipping + insecure software. + family: Vulnerability Management + mappings: [] + assessment-requirements: + - id: OSPS-VM-06.01 + text: | + The project documentation MUST include a policy that defines a + threshold for remediation of SAST findings. + applicability: + - Maturity Level 3 + recommendation: | + Document a policy in the project that defines a threshold for + remediation of Static Application Security Testing (SAST) findings. + Include the process for identifying, prioritizing, and remediating + these findings. + - id: OSPS-VM-06.02 + text: | + All changes to the project's codebase MUST be automatically evaluated + against a documented policy for security weaknesses and blocked in the + event of violations except when declared and suppressed as + non-exploitable. + applicability: + - Maturity Level 3 + recommendation: | + Create a status check in the project's version control system that + runs a Static Application Security Testing (SAST) tool on all changes + to the codebase. Require that the status check passes before changes + can be merged.
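Review bot: on the hunk at `@@ -8,139 +8,6 @@`, deleting OSPS-VM-01 and OSPS-VM-02 and then reusing their numbers for the controls that follow changes what every OSPS-VM-* identifier means: against the previous revision, `OSPS-VM-01.01` was the SCA remediation-threshold requirement, and after this change the same string names the coordinated vulnerability reporting requirement, while the SCA threshold now lives at `OSPS-VM-05.01`. Any external mapping or audit record that cites these identifiers will silently point at a different control. Suggest either keeping the original numbering (retire OSPS-VM-01/02 in place and add the merged controls as OSPS-VM-07/08) or, if the renumbering is deliberate, recording the old-to-new mapping in the file or a changelog as part of this change.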
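Review bot: on the hunk at `@@ -194,7 +61,7 @@`, the unchanged context line `Set expectations for the how the project will respond` carries a stray "the"; since this recommendation block is being touched anyway, fix it to `Set expectations for how the project will respond and address reported issues.` in the same change.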
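Review bot: on the hunk at `@@ -297,3 +164,144 @@`, the added OSPS-VM-06 block sets `mappings: []`, which drops the framework references the SAST status check inherited while it was OSPS-VM-02.02 (the removed OSPS-VM-02 control mapped to SSDF PW8.1, CSF GV.PO-01/GV.PO-02/ID.RA-01/ID.RA-08 and several OCRE entries); either carry the applicable identifiers over to OSPS-VM-06 or say explicitly that the mapping is deferred. Three smaller points in the same hunk: the OSPS-VM-05 objective is the two former objectives pasted back to back (`Ensure that the project clearly communicates ...` followed by `Ensure that violations of your SCA policy ...`) and shifts from "the project" to "your" mid-way, so one combined third-person sentence would read better; OSPS-VM-05.03 now requires automatic evaluation against a policy for "malicious dependencies" as well as known vulnerabilities, but its recommendation only says to run a Software Composition Analysis tool, so state what check is expected to cover the malicious-dependency part or narrow the requirement to what the recommended tooling evaluates; and the SSDF identifier `- RV 2.2` keeps a space that `- RV2.1` and `- PW8.1` lack, which is worth normalizing while the block is being rewritten.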