Merge branch 'main' into issue63-clarify-br-01

Signed-off-by: Eddie Knight <[email protected]>
ossf · Jan 17, 2025 · dc8e64e · dc8e64e
2 parents 3513b60 + 176ad34
commit dc8e64e
Show file tree

Hide file tree

Showing 9 changed files with 262 additions and 66 deletions.
diff --git a/baseline/OSPS-AC.yaml b/baseline/OSPS-AC.yaml
@@ -30,7 +30,12 @@ criteria:
       authentication when accessing sensitive data
       or modifying repository settings.
       Passkeys are acceptable for this criterion.
-    control_mappings: # TODO
+    control_mappings:
+      BPB: CC-G-1 
+      CRA: 1.2d, 1.2e, 1.2f
+      SSDF: PO3.2, PS1
+      CSF: PR.AA-02
+      OCRE: 486-813, 124-564, 347-352, 333-858, 152-725, 201-246
     security_insights_value: # TODO
 
 
@@ -50,7 +55,11 @@ criteria:
       permissions to collaborators by default when
       added, granting additional permissions only
       when necessary.
-    control_mappings: # TODO
+    control_mappings:
+      CRA: 1.2f
+      SSDF: PO3.2, PS1
+      CSF: PR:AA-02
+      OCRE: 486-813, 124-564, 802-056, 368-633, 152-725 
     security_insights_value: # TODO
 
 
@@ -80,7 +89,12 @@ criteria:
       first proposed in another repository, and
       merging changes into the primary repository
       requires a specific separate act.
-    control_mappings: # TODO
+    control_mappings:
+      CRA: 1.2f
+      SSDF: PO3.2, PS1
+      CSF: PR.AA-02
+      OCRE: 486-813, 124-564, 152-725
+    security_insights_value: # TODO
 
   - id: OSPS-AC-04
     maturity_level: 1
@@ -97,7 +111,12 @@ criteria:
       Set branch protection on the primary branch
       in the project's version control system to
       prevent deletion.
-    control_mappings: # TODO
+    control_mappings:
+      CRA: 1.2b, 1.2f
+      SSDF: PO3.2, PS1
+      CSF: PR.AA-02
+      OCRE: 486-813, 124-564,123-124, 152-725
+    security_insights_value: # TODO
 
   - id: OSPS-AC-05
     maturity_level: 2
@@ -119,8 +138,14 @@ criteria:
       may be possible at the organizational or
       repository level. If not, set permissions at
       the top level of the pipeline.
-    control_mappings: # TODO
+    control_mappings:
+      CRA: 1.2d, 1.2e, 1.2f
+      SSDF: PO2, PO3.2, PS1
+      CSF: PR.AA-02, PR.AA-05
+      OCRE: 486-813, 124-564,347-507, 263-284, 123-124
+    security_insights_value: # TODO
 
+
   - id: OSPS-AC-07
     maturity_level: 3
     criterion: |
@@ -141,5 +166,10 @@ criteria:
       alternatives include hardware tokens, mobile
       authenticator apps, or biometric
       authentication.
-    control_mappings: # TODO
+    control_mappings:
+      BPB: CC-G-1
+      CRA: 1.2d
+      SSDF: PO3.2, PS1
+      CSF: PR.AA-02
+      OCRE: 486-813, 124-564,333-858, 102-811, 354-752
     security_insights_value: # TODO
diff --git a/baseline/OSPS-BR.yaml b/baseline/OSPS-BR.yaml
@@ -25,8 +25,13 @@ criteria:
       that accept externally-controlled input (e.g. git
       branch names) do not use input in ways that could
       provide unintended access to privileged resources.
-    control_mappings: # TODO
-
+    control_mappings:
+      CRA: 1.2f
+      SSDF: PO3.2, PS1
+      CSF: PR.AA-02
+      OCRE: 483-813, 124-564, 357-352
+    security_insights_value: # TODO
+
   - id: OSPS-BR-02
     maturity_level: 2
     criterion: |
@@ -47,7 +52,11 @@ criteria:
       scheme.
       Examples include SemVer, CalVer, or
       git commit id.
-    control_mappings: # TODO
+    control_mappings:
+      BPB: CC-B-5, CC-B-6, CC-B-7
+      CRA: 1.2f
+      SSDF: PO3.2, PS1, PS2, PS3
+      OCRE: 483-813, 124-564
     security_insights_value: # TODO
 
   - id: OSPS-BR-03
@@ -67,7 +76,11 @@ criteria:
       responses, and other services to use
       encrypted channels such as SSH or HTTPS for
       data transmission.
-    control_mappings: # TODO
+    control_mappings: 
+      BPB: B-B-11
+      CRA: 1.2d, 1.2e, 1.2f, 1.2i, 1.2j, 1.2k
+      SSDF: PO3.2, PS1
+      OCRE: 483-813, 124-564, 263-184
     security_insights_value: # TODO
 
   - id: OSPS-BR-04
@@ -87,8 +100,12 @@ criteria:
       recommended to ensure consistency and
       automation in the build and release
       processes.
-    control_mappings: # TODO
-    security_insights_value: # TODO
+    control_mappings:  
+      BPB: Q-B-7
+      CRA: 1.2b, 1.2d, 1.2f, 1.2h, 1.2j
+      SSDF: PO3.2, PS1
+      OCRE: 483-813, 124-564, 347-352, 263-184, 208-355
+    security_insights_value: project-lifecycle.release-process
 
   - id: OSPS-BR-05
     maturity_level: 2
@@ -110,7 +127,11 @@ criteria:
       dependency file, lock file, or manifest to
       specify the required dependencies, which are
       then pulled in by the build system.
-    control_mappings: # TODO
+    control_mappings:
+      BPB: Q-B-2
+      CRA: 1.2b, 1.2d, 1.2f, 1.2h, 1.2j, 2.1
+      SSDF: PO3.2, PS1
+      OCRE: 483-813, 124-564, 347-352, 715-334
     security_insights_value: # TODO
 
   - id: OSPS-BR-06
@@ -133,7 +154,11 @@ criteria:
       beyond commit messages, such as descriptions 
       of the security impact or relevance to
       different use cases.
-    control_mappings: # TODO
+    control_mappings: 
+      BPB: CC-B-8, CC-B-9
+      CRA: 1.2l, 2.2
+      SSDF: PS1, PS2, PS3, PW1.2
+      OCRE: 483-813, 124-564, 745-356
     security_insights_value: # TODO
 
   - id: OSPS-BR-08
@@ -155,5 +180,8 @@ criteria:
       VSAs. Include the cryptographic hashes of
       each asset in a signed manifest or
       metadata file.
-    control_mappings: # TODO
-    security_insights_value: # TODO
+    control_mappings:
+      SSDF: PO5.2, PS2.1, PW6.2
+    security_insights_value: 
+      Signed-Releases
+
diff --git a/baseline/OSPS-DO.yaml b/baseline/OSPS-DO.yaml
@@ -25,7 +25,13 @@ criteria:
       use the project's features. If there are any
       known dangerous or destructive actions
       available, include highly-visible warnings.
-    control_mappings: # TODO
+    control_mappings: 
+      BPB: B-B-1, B-B-9, B-S-7, B-S-9
+      CRA: 1.2b, 1.2j, 1.2k
+      SSDF: PW1.2
+      CSF: GV.OC-04, GV.OC-05
+      OC: 4.1.4
+      OCRE: 036-275
     security_insights_value: # TODO
 
   - id: OSPS-DO-05
@@ -51,7 +57,12 @@ criteria:
       It is recommended that project documentation
       also sets expectations for how defects will
       be triaged and resolved.
-    control_mappings: # TODO
+    control_mappings:
+      BPB: B-B-3, R-B-1+, R-B-1, R-B-2, R-S-2
+      CRA: 1.2c, 1.2l, 2.1, 2.2,2.5, 2.6
+      SSDF: PW1.2, RV1.1, RV2.1, RV1.2
+      CSF: RS.MA-02, GV.RM-05
+      OC: 4.2.1
     security_insights_value: # TODO
 
   - id: OSPS-DO-12
@@ -75,7 +86,11 @@ criteria:
       expected identity may be in the form of key
       IDs used to sign, issuer and identity from a
       sigstore certificate, or other similar forms.
-    control_mappings: # TODO
+    control_mappings:  
+      BPB: CC-B-8
+      CRA: 1.2d
+      SSDF: PO4.2, PS.2, PS2.1, PS3.1, RV1.3
+      OCRE: 171-222 
     security_insights_value: # TODO
 
   - id: OSPS-DO-13
@@ -87,7 +102,10 @@ criteria:
       duration of support.
     rationale: # TODO
     implementation: # TODO
-    control_mappings: # TODO
+    control_mappings: 
+      BPB: R-B-3
+      SSDF: PO4.2, PS3.1, RV1.3 
+      OC: 4.1, 4.3.1
     security_insights_value: # TODO
 
   - id: OSPS-DO-14
@@ -100,7 +118,10 @@ criteria:
       will no longer receive security updates.
     rationale: # TODO
     implementation: # TODO
-    control_mappings: # TODO
+    control_mappings: 
+      CRA: 1.2c, 2.6
+      OC: 4.1.1, 4.3.1
+      OCRE: 673-475, 053-751
     security_insights_value: # TODO
 
   - id: OSPS-DO-15
@@ -112,5 +133,10 @@ criteria:
       obtains, and tracks its dependencies.
     rationale: # TODO
     implementation: # TODO
-    control_mappings: # TODO
-    security_insights_value: # TODO
+    control_mappings: 
+      BPB: A-S-1
+      CRA: 2.1
+      OCRE: 613-286, 053-751
+    security_insights_value: 
+      Pinned-Dependencies
+
diff --git a/baseline/OSPS-GV.yaml b/baseline/OSPS-GV.yaml
@@ -14,7 +14,9 @@ criteria:
       project.
     rationale: # TODO
     implementation: # TODO
-    control_mappings: # TODO
+    control_mappings: 
+      BPB: B-S-3, B-S-4
+      OCRE: 013-021
     security_insights_value: # TODO
 
   - id: OSPS-GV-02
@@ -35,7 +37,13 @@ criteria:
       mailing lists, instant messaging, or issue
       trackers, to facilitate open communication
       and feedback.
-    control_mappings: # TODO
+    control_mappings: 
+      BPB: B-B-3, B-B-12 
+      CRA: 1.2l, 2.3, 2.4, 2.6
+      SSDF: PS3, PW1.2
+      CSF:
+      OC:
+      OCRE:
     security_insights_value: # TODO
 
   - id: OSPS-GV-03
@@ -54,7 +62,10 @@ criteria:
       process including the steps for submitting
       changes, and engaging with the project
       maintainers.
-    control_mappings: # TODO
+    control_mappings: 
+      BPB: B-B-4, B-S-3, B-B-4+, R-B-1, Q-G-2
+      CRA: 1.2l, 2.4
+      SSDF: PW1.2
     security_insights_value: # TODO
 
   - id: OSPS-GV-04
@@ -80,7 +91,10 @@ criteria:
       It is recommended that this guide is the
       source of truth for both contributors and
       approvers.
-    control_mappings: # TODO
+    control_mappings: 
+      BPB: B-B-5, B-S-3, B-B-4+, Q-G-2
+      CRA: 1.2l, 2.1, 2.2, 2.5, 2.6
+      OC: 4.1.2
     security_insights_value: # TODO
 
   - id: OSPS-GV-05
@@ -109,5 +123,9 @@ criteria:
       identity such as confirming the
       contributor's association with a known
       trusted organization.
-    control_mappings: # TODO
+    control_mappings: 
+      CRA: 1.2d
+      SSDF: PO2, PO3.2 
+      CSF: PR.AA-02, PR.AA-05
+      OCRE: 123-124, 152-725
     security_insights_value: # TODO
diff --git a/baseline/OSPS-LE.yaml b/baseline/OSPS-LE.yaml
@@ -29,7 +29,10 @@ criteria:
       commit the associated contributions on every
       commit. Use a status check to ensure the
       assertion is made.
-    control_mappings: # TODO
+    control_mappings: 
+      BPB: B-S-1
+      CRA: 1.2b, 1.2f
+      SSDF: PO3.2, PS1, PW1.2, PW2.1
     security_insights_value: # TODO
 
   - id: OSPS-LE-02
@@ -59,7 +62,11 @@ criteria:
       Releasing to the public domain (e.g., CC0)
       meets this criterion if there are no
       other encumbrances (e.g., patents).
-    control_mappings: # TODO
+    control_mappings: 
+      BPB: B-B-6, B-B-7
+      CRA: 1.2b
+      SSDF: PO3.2
+      CSF: GV.OC-03
     security_insights_value: # TODO
 
   - id: OSPS-LE-03
@@ -81,7 +88,10 @@ criteria:
       directory to provide visibility and clarity
       on the licensing terms. The filename MAY
       have an extension.
-    control_mappings: # TODO
+    control_mappings: 
+      BPB: B-B-8
+      CRA: 1.2b
+      SSDF: PO3.2
     security_insights_value: # TODO
 
   - id: OSPS-LE-04
@@ -111,5 +121,9 @@ criteria:
       Note that the license for the released
       software assets may be different than the
       source code.
-    control_mappings: # TODO
+    control_mappings: 
+      BPB: B-B-6, B-B-7
+      CRA: 1.2b
+      SSDF: PO3.2
+      CSF: GV.OC-03
     security_insights_value: # TODO