diff --git a/baseline/OSPS-AC.yaml b/baseline/OSPS-AC.yaml index 7d507b8..59b9784 100644 --- a/baseline/OSPS-AC.yaml +++ b/baseline/OSPS-AC.yaml @@ -30,7 +30,12 @@ criteria: authentication when accessing sensitive data or modifying repository settings. Passkeys are acceptable for this criterion. - control_mappings: # TODO + control_mappings: + BPB: CC-G-1 + CRA: 1.2d, 1.2e, 1.2f + SSDF: PO3.2, PS1 + CSF: PR.AA-02 + OCRE: 486-813, 124-564, 347-352, 333-858, 152-725, 201-246 security_insights_value: # TODO @@ -50,7 +55,11 @@ criteria: permissions to collaborators by default when added, granting additional permissions only when necessary. - control_mappings: # TODO + control_mappings: + CRA: 1.2f + SSDF: PO3.2, PS1 + CSF: PR:AA-02 + OCRE: 486-813, 124-564, 802-056, 368-633, 152-725 security_insights_value: # TODO @@ -80,7 +89,12 @@ criteria: first proposed in another repository, and merging changes into the primary repository requires a specific separate act. - control_mappings: # TODO + control_mappings: + CRA: 1.2f + SSDF: PO3.2, PS1 + CSF: PR.AA-02 + OCRE: 486-813, 124-564, 152-725 + security_insights_value: # TODO - id: OSPS-AC-04 maturity_level: 1 @@ -97,7 +111,12 @@ criteria: Set branch protection on the primary branch in the project's version control system to prevent deletion. - control_mappings: # TODO + control_mappings: + CRA: 1.2b, 1.2f + SSDF: PO3.2, PS1 + CSF: PR.AA-02 + OCRE: 486-813, 124-564,123-124, 152-725 + security_insights_value: # TODO - id: OSPS-AC-05 maturity_level: 2 @@ -119,8 +138,14 @@ criteria: may be possible at the organizational or repository level. If not, set permissions at the top level of the pipeline. - control_mappings: # TODO + control_mappings: + CRA: 1.2d, 1.2e, 1.2f + SSDF: PO2, PO3.2, PS1 + CSF: PR.AA-02, PR.AA-05 + OCRE: 486-813, 124-564,347-507, 263-284, 123-124 + security_insights_value: # TODO + - id: OSPS-AC-07 maturity_level: 3 criterion: | 
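Review bot: The OSPS-AC-02 hunk (`@@ -50,7 +55,11 @@`) writes the CSF control as `CSF: PR:AA-02`, while every other entry in this file uses the dotted form `CSF: PR.AA-02`; the colon looks like a typo and will render as a different identifier. Change it to `CSF: PR.AA-02`. The OCRE lists in the OSPS-AC-04 and OSPS-AC-05 hunks (`124-564,123-124`, `124-564,347-507`), the OSPS-AC-07 hunk (`124-564,333-858`) and the OSPS-DO-05 hunk (`2.2,2.5`) also drop the space after a comma; since these values are stored and rendered verbatim as strings, normalising them to `, ` keeps the generated list readable.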
@@ -141,5 +166,10 @@ criteria: alternatives include hardware tokens, mobile authenticator apps, or biometric authentication. - control_mappings: # TODO + control_mappings: + BPB: CC-G-1 + CRA: 1.2d + SSDF: PO3.2, PS1 + CSF: PR.AA-02 + OCRE: 486-813, 124-564,333-858, 102-811, 354-752 security_insights_value: # TODO diff --git a/baseline/OSPS-BR.yaml b/baseline/OSPS-BR.yaml index b179399..53a078e 100644 --- a/baseline/OSPS-BR.yaml +++ b/baseline/OSPS-BR.yaml @@ -25,8 +25,13 @@ criteria: that accept externally-controlled input (e.g. git branch names) do not use input in ways that could provide unintended access to privileged resources. - control_mappings: # TODO - + control_mappings: + CRA: 1.2f + SSDF: PO3.2, PS1 + CSF: PR.AA-02 + OCRE: 483-813, 124-564, 357-352 + security_insights_value: # TODO + - id: OSPS-BR-02 maturity_level: 2 criterion: | @@ -47,7 +52,11 @@ criteria: scheme. Examples include SemVer, CalVer, or git commit id. - control_mappings: # TODO + control_mappings: + BPB: CC-B-5, CC-B-6, CC-B-7 + CRA: 1.2f + SSDF: PO3.2, PS1, PS2, PS3 + OCRE: 483-813, 124-564 security_insights_value: # TODO - id: OSPS-BR-03 @@ -67,7 +76,11 @@ criteria: responses, and other services to use encrypted channels such as SSH or HTTPS for data transmission. - control_mappings: # TODO + control_mappings: + BPB: B-B-11 + CRA: 1.2d, 1.2e, 1.2f, 1.2i, 1.2j, 1.2k + SSDF: PO3.2, PS1 + OCRE: 483-813, 124-564, 263-184 security_insights_value: # TODO - id: OSPS-BR-04 @@ -87,8 +100,12 @@ criteria: recommended to ensure consistency and automation in the build and release processes. - control_mappings: # TODO - security_insights_value: # TODO + control_mappings: + BPB: Q-B-7 + CRA: 1.2b, 1.2d, 1.2f, 1.2h, 1.2j + SSDF: PO3.2, PS1 + OCRE: 483-813, 124-564, 347-352, 263-184, 208-355 + security_insights_value: project-lifecycle.release-process - id: OSPS-BR-05 maturity_level: 2 
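Review bot: The OSPS-BR-01 hunk (`@@ -25,8 +25,13 @@`) maps to OCRE `483-813`, but the AC, QA and VM files consistently use `486-813` for the same pairing with `124-564`, which suggests a transposed digit; the same `483-813` value is repeated in the OSPS-BR-02 through OSPS-BR-06 hunks. Likewise `357-352` here looks like `347-352` used elsewhere, and `263-184` in the BR-03 and BR-04 hunks differs from `263-284` in the AC-06 hunk. I cannot confirm which is correct from the diff alone, so please check each against the OCRE catalog before merging, since a wrong id silently points readers at an unrelated control.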
@@ -110,7 +127,11 @@ criteria: dependency file, lock file, or manifest to specify the required dependencies, which are then pulled in by the build system. - control_mappings: # TODO + control_mappings: + BPB: Q-B-2 + CRA: 1.2b, 1.2d, 1.2f, 1.2h, 1.2j, 2.1 + SSDF: PO3.2, PS1 + OCRE: 483-813, 124-564, 347-352, 715-334 security_insights_value: # TODO - id: OSPS-BR-06 @@ -133,7 +154,11 @@ criteria: beyond commit messages, such as descriptions of the security impact or relevance to different use cases. - control_mappings: # TODO + control_mappings: + BPB: CC-B-8, CC-B-9 + CRA: 1.2l, 2.2 + SSDF: PS1, PS2, PS3, PW1.2 + OCRE: 483-813, 124-564, 745-356 security_insights_value: # TODO - id: OSPS-BR-08 @@ -155,5 +180,8 @@ criteria: VSAs. Include the cryptographic hashes of each asset in a signed manifest or metadata file. - control_mappings: # TODO - security_insights_value: # TODO + control_mappings: + SSDF: PO5.2, PS2.1, PW6.2 + security_insights_value: + Signed-Releases + diff --git a/baseline/OSPS-DO.yaml b/baseline/OSPS-DO.yaml index 8092c4f..6efd650 100644 --- a/baseline/OSPS-DO.yaml +++ b/baseline/OSPS-DO.yaml @@ -25,7 +25,13 @@ criteria: use the project's features. If there are any known dangerous or destructive actions available, include highly-visible warnings. - control_mappings: # TODO + control_mappings: + BPB: B-B-1, B-B-9, B-S-7, B-S-9 + CRA: 1.2b, 1.2j, 1.2k + SSDF: PW1.2 + CSF: GV.OC-04, GV.OC-05 + OC: 4.1.4 + OCRE: 036-275 security_insights_value: # TODO - id: OSPS-DO-05 @@ -51,7 +57,12 @@ criteria: It is recommended that project documentation also sets expectations for how defects will be triaged and resolved. - control_mappings: # TODO + control_mappings: + BPB: B-B-3, R-B-1+, R-B-1, R-B-2, R-S-2 + CRA: 1.2c, 1.2l, 2.1, 2.2,2.5, 2.6 + SSDF: PW1.2, RV1.1, RV2.1, RV1.2 + CSF: RS.MA-02, GV.RM-05 + OC: 4.2.1 security_insights_value: # TODO - id: OSPS-DO-12 
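Review bot: In the OSPS-BR-08 hunk (`@@ -155,5 +180,8 @@`) the value `Signed-Releases` is placed on the line after `security_insights_value:`, which YAML still parses as the plain scalar continuation of that key, but it reads like an empty value and differs from the one-line form `security_insights_value: project-lifecycle.release-process` used in the BR-04 hunk. Write it as `security_insights_value: Signed-Releases`; the OSPS-DO-15 hunk has the same layout with `Pinned-Dependencies`. Both hunks also add a trailing blank line at end of file, which yamllint will flag.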
@@ -75,7 +86,11 @@ criteria: expected identity may be in the form of key IDs used to sign, issuer and identity from a sigstore certificate, or other similar forms. - control_mappings: # TODO + control_mappings: + BPB: CC-B-8 + CRA: 1.2d + SSDF: PO4.2, PS.2, PS2.1, PS3.1, RV1.3 + OCRE: 171-222 security_insights_value: # TODO - id: OSPS-DO-13 @@ -87,7 +102,10 @@ criteria: duration of support. rationale: # TODO implementation: # TODO - control_mappings: # TODO + control_mappings: + BPB: R-B-3 + SSDF: PO4.2, PS3.1, RV1.3 + OC: 4.1, 4.3.1 security_insights_value: # TODO - id: OSPS-DO-14 @@ -100,7 +118,10 @@ criteria: will no longer receive security updates. rationale: # TODO implementation: # TODO - control_mappings: # TODO + control_mappings: + CRA: 1.2c, 2.6 + OC: 4.1.1, 4.3.1 + OCRE: 673-475, 053-751 security_insights_value: # TODO - id: OSPS-DO-15 @@ -112,5 +133,10 @@ criteria: obtains, and tracks its dependencies. rationale: # TODO implementation: # TODO - control_mappings: # TODO - security_insights_value: # TODO + control_mappings: + BPB: A-S-1 + CRA: 2.1 + OCRE: 613-286, 053-751 + security_insights_value: + Pinned-Dependencies + diff --git a/baseline/OSPS-GV.yaml b/baseline/OSPS-GV.yaml index 4808447..0b61b11 100644 --- a/baseline/OSPS-GV.yaml +++ b/baseline/OSPS-GV.yaml @@ -14,7 +14,9 @@ criteria: project. rationale: # TODO implementation: # TODO - control_mappings: # TODO + control_mappings: + BPB: B-S-3, B-S-4 + OCRE: 013-021 security_insights_value: # TODO - id: OSPS-GV-02 @@ -35,7 +37,13 @@ criteria: mailing lists, instant messaging, or issue trackers, to facilitate open communication and feedback. - control_mappings: # TODO + control_mappings: + BPB: B-B-3, B-B-12 + CRA: 1.2l, 2.3, 2.4, 2.6 + SSDF: PS3, PW1.2 + CSF: + OC: + OCRE: security_insights_value: # TODO - id: OSPS-GV-03 
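Review bot: The OSPS-GV-02 hunk (`@@ -35,7 +37,13 @@`) adds `CSF:`, `OC:` and `OCRE:` with no value, which YAML parses as null; decoded into the `map[string]string` this commit introduces in cmd/baseline.go that becomes an empty string, and the template's `- {{ $key }}: {{ $value }}` line would then emit a dangling `- CSF: ` entry for each. Either drop the three keys until mappings exist or keep them as a comment (`# CSF: TODO`) so they are not rendered. The OSPS-VM-06 hunk has the same problem with a bare `BPB:`.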
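Review bot: The OSPS-DO-12 hunk (`@@ -75,7 +86,11 @@`) writes `PS.2` in its SSDF list while the rest of this commit uses the compact form (`PS2`, `PS2.1`, `PS3.1`) for the same framework, so the id will not match the others when rendered or grepped. The OSPS-VM-01 hunk repeats the inconsistency with `PO.4` and `RV 2.2` where other entries use `PO4` and `RV2.2`. Pick one notation for SSDF identifiers and apply it across all files; I would suggest the compact form already used in the majority of entries.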
@@ -54,7 +62,10 @@ criteria: process including the steps for submitting changes, and engaging with the project maintainers. - control_mappings: # TODO + control_mappings: + BPB: B-B-4, B-S-3, B-B-4+, R-B-1, Q-G-2 + CRA: 1.2l, 2.4 + SSDF: PW1.2 security_insights_value: # TODO - id: OSPS-GV-04 @@ -80,7 +91,10 @@ criteria: It is recommended that this guide is the source of truth for both contributors and approvers. - control_mappings: # TODO + control_mappings: + BPB: B-B-5, B-S-3, B-B-4+, Q-G-2 + CRA: 1.2l, 2.1, 2.2, 2.5, 2.6 + OC: 4.1.2 security_insights_value: # TODO - id: OSPS-GV-05 @@ -109,5 +123,9 @@ criteria: identity such as confirming the contributor's association with a known trusted organization. - control_mappings: # TODO + control_mappings: + CRA: 1.2d + SSDF: PO2, PO3.2 + CSF: PR.AA-02, PR.AA-05 + OCRE: 123-124, 152-725 security_insights_value: # TODO diff --git a/baseline/OSPS-LE.yaml b/baseline/OSPS-LE.yaml index 33feb61..9e79add 100644 --- a/baseline/OSPS-LE.yaml +++ b/baseline/OSPS-LE.yaml @@ -29,7 +29,10 @@ criteria: commit the associated contributions on every commit. Use a status check to ensure the assertion is made. - control_mappings: # TODO + control_mappings: + BPB: B-S-1 + CRA: 1.2b, 1.2f + SSDF: PO3.2, PS1, PW1.2, PW2.1 security_insights_value: # TODO - id: OSPS-LE-02 @@ -59,7 +62,11 @@ criteria: Releasing to the public domain (e.g., CC0) meets this criterion if there are no other encumbrances (e.g., patents). - control_mappings: # TODO + control_mappings: + BPB: B-B-6, B-B-7 + CRA: 1.2b + SSDF: PO3.2 + CSF: GV.OC-03 security_insights_value: # TODO - id: OSPS-LE-03 @@ -81,7 +88,10 @@ criteria: directory to provide visibility and clarity on the licensing terms. The filename MAY have an extension. - control_mappings: # TODO + control_mappings: + BPB: B-B-8 + CRA: 1.2b + SSDF: PO3.2 security_insights_value: # TODO - id: OSPS-LE-04 
@@ -111,5 +121,9 @@ criteria: Note that the license for the released software assets may be different than the source code. - control_mappings: # TODO + control_mappings: + BPB: B-B-6, B-B-7 + CRA: 1.2b + SSDF: PO3.2 + CSF: GV.OC-03 security_insights_value: # TODO diff --git a/baseline/OSPS-QA.yaml b/baseline/OSPS-QA.yaml index 28db732..953dc4c 100644 --- a/baseline/OSPS-QA.yaml +++ b/baseline/OSPS-QA.yaml @@ -27,7 +27,11 @@ criteria: documentation clarifies the primary source. Avoid frequent changes to the repository that would impact the repository URL. - control_mappings: # TODO + control_mappings: + BPB: CC-B-1 + CRA: 1.2b, 1.2j + SSDF: PS1, PS2, PS3, PW1.2 + OCRE: 486-813, 124-564 security_insights_value: # TODO - id: OSPS-QA-02 @@ -48,7 +52,13 @@ criteria: commit history. Avoid squashing or rewriting commits in a way that would obscure the author of any commits. - control_mappings: # TODO + control_mappings: + BPB: CC-B-2, CC-B-3, R-B-5 + CRA: 1.2b, 1.2f, 1.2j + SSDF: PO3.2, PS1, PS2, PS3, PW1.2, PW2.1, + CSF: ID.AM-02, ID.RA-01, ID.RA-08 + OC: 4.1.4 + OCRE: 486-813, 124-564, 757-271 security_insights_value: # TODO - id: OSPS-QA-03 @@ -77,7 +87,13 @@ criteria: This enables users to ingest this data in a standardized approach alongside other projects in their environment. - control_mappings: # TODO + control_mappings: + BPB: Q-S-9 + CRA: 1.2b, 2.1 + SSDF: PO4, PS1 + CSF: ID.AM-02 + OC: 4.3.1 + OCRE: 486-813, 124-564, 863-521 security_insights_value: # TODO - id: OSPS-QA-04 @@ -104,7 +120,10 @@ criteria: status checks are NOT configured as a pass or fail requirement that approvers may be tempted to bypass. - control_mappings: # TODO + control_mappings: + CRA: 1.2f, 1.2k + SSDF: PO4.1, PS1 + CSF: ID.IM-02 security_insights_value: # TODO - id: OSPS-QA-05 
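Review bot: The OSPS-QA-02 hunk (`@@ -48,7 +52,13 @@`) leaves a trailing comma in `SSDF: PO3.2, PS1, PS2, PS3, PW1.2, PW2.1,`, and because the value is carried through unchanged as a string the rendered control list will end with a stray comma. Remove it: `SSDF: PO3.2, PS1, PS2, PS3, PW1.2, PW2.1`.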
@@ -134,7 +153,10 @@ criteria: be held to a lower standard if they have lower levels of adoption or are not intended for general use. - control_mappings: # TODO + control_mappings: + CRA: 1.2b, 1.2f + SSDF: PO3.2, PO4.1, PS1 + OCRE: 486-813, 124-564 security_insights_value: # TODO - id: OSPS-QA-06 @@ -158,7 +180,11 @@ criteria: should be instead be generated at build time or stored separately and fetched during a specific well-documented pipeline step. - control_mappings: # TODO + control_mappings: + CRA: 1.2b + SSDF: PS1 + OCRE: 486-813, 124-564 + security_insights_value: # TODO - id: OSPS-QA-08 maturity_level: 3 @@ -169,9 +195,15 @@ criteria: are run. rationale: # TODO details: # TODO - control_mappings: # TODO + control_mappings: + BPB: Q-B-4 + CRA: 2.3 + SSDF: PW8.2 + OC: 4.1.5 + OCRE: 207-435, 088-377 security_insights_value: # TODO + - id: OSPS-QA-09 maturity_level: 3 criterion: | @@ -182,9 +214,16 @@ criteria: in an automated test suite. rationale: # TODO details: # TODO - control_mappings: # TODO + control_mappings: + BPB: Q-B-8, Q-B-9, Q-B-10, Q-S-2 + CRA: 2.3 + SSDF: PW8.2 + CSF: ID.IM-02 + OC: 4.1.5 + OCRE: 207-435, 088-377 security_insights_value: # TODO + - id: OSPS-QA-10 maturity_level: 3 category: Governance @@ -195,5 +234,6 @@ criteria: primary branch. rationale: # TODO implementation: # TODO - control_mappings: # TODO + control_mappings: + BPB: B-G-3 security_insights_value: # TODO diff --git a/baseline/OSPS-VM.yaml b/baseline/OSPS-VM.yaml index c72092b..493b39d 100644 --- a/baseline/OSPS-VM.yaml +++ b/baseline/OSPS-VM.yaml 
@@ -26,7 +26,13 @@ criteria: licenses. Include the process for identifying, prioritizing, and remediating these findings. - control_mappings: # TODO + control_mappings: + BPB: Q-B-12, Q-S-9, S-B-14, S-B-15, A-B-3, A-B-8 + CRA: 1.2a, 1.2b, 1.2c, 2.1, 2.2, 2.3 + SSDF: PO.4, PW1.2, PW8.1, RV2.1, RV 2.2 + CSF: GV.RM-05, GV.RM-06, GV.PO-01, GV.PO-02, ID.RA-01, ID.RA-08, ID.IM-02 + OC: 4.1.5, 4.2.1, 4.3.2 + OCRE: 124-564, 832-555, 611-158, 207-435, 088-377 security_insights_value: # TODO - id: OSPS-VM-02 @@ -46,7 +52,13 @@ criteria: results before any release, and add status checks that verify compliance with that policy prior to release. - control_mappings: # TODO + control_mappings: + BPB: S-B-14, S-B-15, A-B-3, A-B-8 + CRA: 1,2a, 1.2c, 2.2, 2.3 + SSDF: PW8.1 + CSF: GV.PO-01, GV.PO-02, ID.RA-01, ID.RA-08 + OC: 4.1.5 + OCRE: 486-813, 833-442, 611-158, 207-435, 088-377 security_insights_value: # TODO - id: OSPS-VM-03 @@ -69,7 +81,13 @@ criteria: vulnerabilities. Set expectations for the how the project will respond and address reported issues. - control_mappings: # TODO + control_mappings: + BPB: R-B-6, R-B-8, R-S-2, S-B-14, S-B-15 + CRA: 2.1, 2.3, 2.6, 2.7, 2.8 + SSDF: RV1.3 + CSF: GV.PO-01, GV.PO-02, ID.RA-01, ID.RA-08 + OC: 4.1.5, 4.2.1, 4.3.2 + OCRE: 887-750 security_insights_value: # TODO - id: OSPS-VM-04 @@ -93,7 +111,13 @@ criteria: all changes to the codebase. Require that the status check passes before changes can be merged. - control_mappings: # TODO + control_mappings: + BPB: CC-B-9, A-B-1, A-S-1 + CRA: 1.2a, 1.2b + SSDF: PO4.1, RV1.2, RV2.1, RV2.2 + OC: 4.1.5 + OCRE: 486-813, 124-564, 757-271 + security_insights_value: # TODO - id: OSPS-VM-05 maturity_level: 1 
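Review bot: The OSPS-VM-02 hunk (`@@ -46,7 +52,13 @@`) has `CRA: 1,2a, 1.2c, 2.2, 2.3`, where `1,2a` appears to be a typo for `1.2a` (the form used in the VM-01 and VM-04 hunks); as written it would render as two separate tokens `1` and `2a`. Change it to `CRA: 1.2a, 1.2c, 2.2, 2.3`.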
@@ -101,12 +125,22 @@ criteria: The project publishes contacts and process for reporting vulnerabilities. rationale: | - # TODO + Reports from researchers and users are an important source for + identifying vulnerabilities in a project. People with + vulnerabilities to report should have a clear understanding of + the process so that they can quickly submit the report to the + project. details: | Create a security.md (or similarly-named) file that contains security contacts for the project and provide project's process for handling vulnerabilities in the project or dependencies. - control_mappings: # TODO + control_mappings: + BPB: B-S-8 + CRA: 2.5 + SSDF: RV1.3 + CSF: GV.PO-01, GV.PO-02, ID.RA-01 + OC: 4.1.1, 4.1.3, 4.1.5, 4.2.2 + OCRE: 464-513 security_insights_value: # TODO - id: OSPS-VM-06 @@ -123,7 +157,11 @@ criteria: details: | Enable private bug reporting through VCS or other infrastrucuture. - control_mappings: # TODO + control_mappings: + BPB: + CRA: 1.2a, 1.2b, 2.1, 2.4, 2.6 + OCRE: 308-514 + security_insights_value: # TODO - id: OSPS-VM-07 maturity_level: 2 @@ -134,7 +172,11 @@ criteria: Consumers of the project must be informed about known vulnerabilities found within the project. details: | - # TODO - control_mappings: # TODO - + Provide information about known vulnerabilities in a predictable + public channel, such as a CVE entry, blog post, or other + medium. To the degree possible, this information should include + affected version(s), how a consumer can determine if they are + vulnerable, and instructions for mitigation or remediation. + control_mappings: + CRA: 1.2a, 1.2b, 2.1, 2.4, 2.6 security_insights_value: # TODO diff --git a/cmd/baseline.go b/cmd/baseline.go index e56ca5b..7ed7204 100644 --- a/cmd/baseline.go +++ b/cmd/baseline.go 
@@ -13,15 +13,15 @@ import ( // Struct for representing each entry type Criterion struct { - ID string `yaml:"id"` - MaturityLevel int `yaml:"maturity_level"` - Category string `yaml:"category"` - CriterionText string `yaml:"criterion"` - Rationale string `yaml:"rationale"` - Implementation string `yaml:"implementation"` - Details string `yaml:"details"` - ControlMappings []string `yaml:"control_mappings"` - SecurityInsightsValue string `yaml:"security_insights_value"` + ID string `yaml:"id"` + MaturityLevel int `yaml:"maturity_level"` + Category string `yaml:"category"` + CriterionText string `yaml:"criterion"` + Rationale string `yaml:"rationale"` + Implementation string `yaml:"implementation"` + Details string `yaml:"details"` + ControlMappings map[string]string `yaml:"control_mappings"` + SecurityInsightsValue string `yaml:"security_insights_value"` } // Struct for holding the entire YAML structure diff --git a/cmd/template.md b/cmd/template.md index 5c0a84b..41c2dc8 100644 --- a/cmd/template.md +++ b/cmd/template.md @@ -63,16 +63,14 @@ For more information on the project and to make contributions, visit the [GitHub **Maturity Level:** {{ .MaturityLevel }} **Rationale:** {{ .Rationale | addLinks}} - -{{- if .Implementation -}} +{{ if .Implementation -}} **Implementation:** {{ .Implementation | addLinks}} -{{- end -}} - +{{- end }} **Details:** {{ .Details | addLinks }} {{ if .ControlMappings }} **Control Mappings:** -{{ range .ControlMappings }} -- {{ . }} +{{ range $key, $value := .ControlMappings }} +- {{ $key }}: {{ $value }} {{- end }} {{- end }} {{ if .SecurityInsightsValue }}
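Review bot: The new `ControlMappings map[string]string` field in the `Criterion` struct is undocumented, and its value shape is not obvious: each entry is a framework abbreviation mapped to a comma-separated list of control ids kept verbatim from the YAML, not a parsed list, so any consumer that wants individual ids has to split the string itself. I would add a field comment such as `// ControlMappings maps a framework abbreviation (e.g. BPB, CRA, SSDF, CSF, OC, OCRE) to a comma-separated list of control ids, stored verbatim from the YAML.` Note also that a key with an empty YAML value (several appear in this commit) decodes to an empty string rather than an error, so nothing will catch a forgotten mapping at load time; a small post-decode check that rejects empty values would surface that. The enclosing file's decoding logic is outside this hunk.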
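Review bot: In the cmd/template.md hunk the new `{{ if .Implementation -}}` / `{{- end }}` pair trims the newlines on both sides of the implementation line, so as far as the collapsed hunk shows, when `.Implementation` is set the output becomes `**Rationale:** …`, `**Implementation:** …` and `**Details:** …` on consecutive lines with no blank line between them, which most Markdown renderers fold into a single paragraph. Dropping the trim markers gives a blank line on each side in both the set and unset cases: `{{ if .Implementation }}` and `{{ end }}`. The `range $key, $value := .ControlMappings` loop itself looks right; Go templates iterate maps in sorted key order, so the generated list is deterministic.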