
Add dependency/SBOM criteria and releveling #163

Status: Open. Wants to merge 4 commits into base: main.

Conversation

@puerco (Member) commented Jan 24, 2025

This commit updates the dependency criteria to add increasing transparency requirements at each level:

  1. Checked in language-native dependency list
  2. Simple SBOM
  3. SBOM with NTIA/CRA data fields

In addition to the two new ones, OSPS-QA-03 is simplified and releveled to 1.

Signed-off-by: Adolfo García Veytia (Puerco) [email protected]
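As an added illustration of the three levels the PR description lays out (this is example code written for this page, not code from the PR or from the OSPS Baseline repository), the checker below scores a project tree and its SBOM against each level in turn. It assumes a CycloneDX JSON SBOM, uses its own assumed set of lock-file names for level 1 (the Baseline text does not enumerate them), and checks the 2021 NTIA minimum elements for level 3 (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp). The CRA data fields mentioned in the PR are not listed on this page and are not checked. All file names and SBOM documents are constructed sample data.

```python
"""Added example, not code from this PR or the OSPS Baseline repository.

Scores a project against the three dependency-transparency levels the PR
describes: (1) a checked-in language-native dependency list, (2) a simple
SBOM, (3) an SBOM carrying the NTIA minimum elements. Assumptions: the SBOM
is CycloneDX JSON, the lock-file set is this example's own choice, and the
NTIA elements are the 2021 list. CRA fields are not checked because the page
does not enumerate them. All sample data below is constructed.
"""
import copy
import json
from datetime import datetime

# Level 1: language-native dependency lists / lock files (assumed set).
DEPENDENCY_LISTS = {
    "go.mod", "go.sum", "package-lock.json", "yarn.lock", "pnpm-lock.yaml",
    "Cargo.lock", "requirements.txt", "poetry.lock", "Pipfile.lock", "Gemfile.lock",
}


def checked_in_dependency_lists(tracked_files):
    """Level 1: language-native dependency lists present in the tree."""
    return sorted(f for f in tracked_files if f.rsplit("/", 1)[-1] in DEPENDENCY_LISTS)


def sbom_format(doc):
    """Level 2: a 'simple SBOM' here is any CycloneDX or SPDX JSON with a component list."""
    if doc.get("bomFormat") == "CycloneDX" and isinstance(doc.get("components"), list):
        return "CycloneDX"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-") and isinstance(doc.get("packages"), list):
        return "SPDX"
    return None


def ntia_gaps(doc):
    """Level 3: NTIA minimum elements a CycloneDX SBOM fails to carry (empty = complete)."""
    gaps = []
    meta = doc.get("metadata", {})
    if not (meta.get("authors") or meta.get("tools")):
        gaps.append("author of SBOM data")
    try:
        datetime.fromisoformat(str(meta.get("timestamp", "")).replace("Z", "+00:00"))
    except ValueError:
        gaps.append("timestamp")
    components = doc.get("components", [])
    for c in components:
        label = c.get("name") or c.get("bom-ref") or "<unnamed>"
        if not c.get("name"):
            gaps.append(f"component name ({label})")
        if not c.get("version"):
            gaps.append(f"version ({label})")
        if not (c.get("supplier") or {}).get("name"):
            gaps.append(f"supplier name ({label})")
        if not (c.get("purl") or c.get("cpe")):
            gaps.append(f"unique identifier ({label})")
    # Dependency relationship: every component must appear somewhere in the graph.
    covered = set()
    for d in doc.get("dependencies", []):
        covered.add(d.get("ref"))
        covered.update(d.get("dependsOn", []))
    orphans = [c.get("name") for c in components if c.get("bom-ref") not in covered]
    if orphans:
        gaps.append("dependency relationships (" + ", ".join(orphans) + ")")
    return gaps


def dependency_level(tracked_files, sbom_doc):
    """Highest level met; each level requires the ones below it."""
    level = 1 if checked_in_dependency_lists(tracked_files) else 0
    if level == 1 and sbom_doc is not None and sbom_format(sbom_doc):
        level = 2
    if level == 2 and sbom_format(sbom_doc) == "CycloneDX" and not ntia_gaps(sbom_doc):
        level = 3
    return level


# Constructed sample data: a Go project tree and a two-component CycloneDX SBOM.
TRACKED_FILES = ["README.md", "go.mod", "go.sum", "cmd/main.go"]
LEFT, RIGHT = "pkg:golang/example.invalid/left@0.1.0", "pkg:golang/example.invalid/right@2.3.4"
FULL_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {
        "timestamp": "2025-01-24T23:59:00Z",
        "authors": [{"name": "Example Release Team"}],
        "component": {"type": "application", "bom-ref": "app", "name": "app", "version": "1.0.0"},
    },
    "components": [
        {"type": "library", "bom-ref": LEFT, "name": "left", "version": "0.1.0",
         "supplier": {"name": "Example Org"}, "purl": LEFT},
        {"type": "library", "bom-ref": RIGHT, "name": "right", "version": "2.3.4",
         "supplier": {"name": "Example Org"}, "purl": RIGHT},
    ],
    "dependencies": [{"ref": "app", "dependsOn": [LEFT]}, {"ref": LEFT, "dependsOn": [RIGHT]}],
}
# The same SBOM stripped down to what a minimal generator might emit (level 2 only).
SIMPLE_SBOM = copy.deepcopy(FULL_SBOM)
for _key in ("authors", "timestamp"):
    SIMPLE_SBOM["metadata"].pop(_key)
for _c in SIMPLE_SBOM["components"]:
    _c.pop("supplier"), _c.pop("purl")
SIMPLE_SBOM.pop("dependencies")

if __name__ == "__main__":
    print("full SBOM level:", dependency_level(TRACKED_FILES, FULL_SBOM))
    print("simple SBOM level:", dependency_level(TRACKED_FILES, SIMPLE_SBOM))
    print(json.dumps(ntia_gaps(SIMPLE_SBOM), indent=2))
```

The gap list is what a reviewer would paste back to a project that claims level 3: it names the element and the component that lacks it, so the fix is actionable rather than a bare pass/fail.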

@SecurityCRob (Contributor) left a comment

I need to adjust the xls to account for this change, but +1

baseline/OSPS-QA.yaml (outdated), comment on lines 77 to 78:

    language dependency lock file that ennumerates all
    direct and transitive dependencies such as
Contributor comment:

Details says "direct and transitive" but criteria says "direct". Which do we require here?

@puerco (Member, Author) commented Jan 24, 2025

> I need to adjust the xls to account for this change,

@SecurityCRob I'm happy to add it to the spreadsheet.
Note that OSPS-QA-11 & OSPS-QA-12 match SSDF PS3, PW4. OSPS-QA-03 is cross referenced to SSDF PO4 and PS1. I think those are not correct, but I didn't want to mess with your original assessment.

@eddie-knight (Contributor) left a comment

I noticed that the first entry needs to be changed to follow our criterion format

@puerco puerco enabled auto-merge (squash) January 24, 2025 23:59
This commit updates the dependency criteria to add
increasing transparency requirements at each level.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

@funnelfiasco (Contributor) left a comment

I think we should soften the language in the rationale/details to make it clear that what we're looking for in this criterion is enumeration, not pinning.

On the other hand, if we do want to require some form of pinning at level 1, we need to

  1. Update the criterion text to include that
  2. Specify what sort of pinning is sufficient (e.g. minimum version, branch/release name, specific version, hash, etc etc etc)

For clarity: my strong preference is to go with the first approach and focus on enumeration at level 1.

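The enumeration-versus-pinning distinction raised in the comment above is concrete enough to show in code. The script below is an added example written for this page (not code from the PR, from the Baseline, or from the commenter): it reads a Python requirements-style list and classifies each entry by the kind of pin it carries, using the same forms the comment lists (none, minimum version, branch or release name, specific version, hash, plus a git commit as a further case). The requirements text is constructed sample input, the hash and commit values are synthetic, and the strength ordering is this example's own.

```python
"""Added example, not part of this PR or the OSPS Baseline.

Classifies requirements.txt-style entries by pinning strength so a checker can
tell 'enumerated' (level-1 style) from the pinning forms discussed in the
thread. Sample input is constructed; hash and commit values are synthetic.
"""
import re

# Weakest to strongest; this ordering is the example's own assumption.
STRENGTH = ["enumerated only", "minimum version", "range", "branch/tag",
            "exact version", "commit", "hash"]

HASH_RE = re.compile(r"--hash=(?:sha256|sha384|sha512):[0-9a-fA-F]+")
VCS_RE = re.compile(r"git\+\S+?@([^\s#]+)")          # git+<url>@<ref>
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")            # full SHA-1 commit id
SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"
                     r"(===|==|~=|>=|<=|!=|<|>)?")


def logical_lines(text):
    """Join backslash continuations, drop comments, blanks and pip options."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        logical = re.split(r"(?:^|\s)#", buf, 1)[0].strip()
        buf = ""
        if logical and not logical.startswith("-"):
            yield logical


def requirement_name(req):
    """Project name from 'name==1.0', 'name @ git+url', or '...#egg=name'."""
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*@\s*\S", req)  # PEP 508 direct ref
    if m:
        return m.group(1)
    m = re.search(r"[#&]egg=([A-Za-z0-9._-]+)", req)
    if m:
        return m.group(1)
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", req)
    return m.group(1) if m else req


def classify(req):
    """Strongest pin present on one logical requirement line."""
    if HASH_RE.search(req):
        return "hash"                      # content-addressed: survives re-tagging
    m = VCS_RE.search(req)
    if m:
        return "commit" if COMMIT_RE.match(m.group(1)) else "branch/tag"  # a branch can move
    m = SPEC_RE.match(req)
    op = m.group(2) if m else None
    if op in ("==", "==="):
        return "exact version"
    if op in (">=", "~=", ">"):
        return "minimum version"
    if op:
        return "range"
    return "enumerated only"               # a name alone: listed, not pinned


def summarize(text):
    """Map each requirement to its pin kind and report the weakest kind found."""
    result = {requirement_name(r): classify(r) for r in logical_lines(text)}
    weakest = min(result.values(), key=STRENGTH.index) if result else None
    return result, weakest


# Constructed sample: one entry per pinning form; hash and commit are synthetic.
SAMPLE = """
# mixed requirements file (constructed)
requests
urllib3>=2.0
cryptography==43.0.1
pyyaml==6.0.2 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
mylib @ git+https://example.invalid/org/mylib.git@main
othertool @ git+https://example.invalid/org/othertool.git@0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3
"""

if __name__ == "__main__":
    kinds, weakest = summarize(SAMPLE)
    for name, kind in kinds.items():
        print(f"{name:14} {kind}")
    print("weakest pin in file:", weakest)
```

A criterion that only asks for enumeration is satisfied as soon as `summarize` returns a non-empty map; a criterion that asks for pinning has to say which of these kinds counts, which is exactly the specification question the comment raises.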
@SecurityCRob (Contributor) commented:

> > I need to adjust the xls to account for this change,
>
> @SecurityCRob I'm happy to add it to the spreadsheet. Note that OSPS-QA-11 & OSPS-QA-12 match SSDF PS3, PW4. OSPS-QA-03 is cross referenced to SSDF PO4 and PS1. I think those are not correct, but I didn't want to mess with your original assessment.

I'll figure this out today, no worries!

SecurityCRob and others added 2 commits January 27, 2025 09:50
Co-authored-by: Ben Cotton <[email protected]>
Signed-off-by: CRob <[email protected]>
Co-authored-by: Ben Cotton <[email protected]>
Signed-off-by: CRob <[email protected]>
5 participants