From 382ff95851835249009d96f774563aa829583033 Mon Sep 17 00:00:00 2001 From: Ben Cotton Date: Thu, 16 Jan 2025 13:47:52 -0500 Subject: [PATCH 01/10] Add details for OSPS-VM-07 (#138) Signed-off-by: Ben Cotton --- baseline/OSPS-VM.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/baseline/OSPS-VM.yaml b/baseline/OSPS-VM.yaml index c72092b..1f8c278 100644 --- a/baseline/OSPS-VM.yaml +++ b/baseline/OSPS-VM.yaml @@ -134,7 +134,11 @@ criteria: Consumers of the project must be informed about known vulnerabilities found within the project. details: | - # TODO + Provide information about known vulnerabilities in a predictable + public channel, such as a CVE entry, blog post, or other + medium. To the degree possible, this information should include + affected version(s), how a consumer can determine if they are + vulnerable, and instructions for mitigation or remediation. control_mappings: # TODO security_insights_value: # TODO From e61e3d65792e15b80a08ad3715c56f879253fa9a Mon Sep 17 00:00:00 2001 From: Ben Cotton Date: Thu, 16 Jan 2025 13:48:11 -0500 Subject: [PATCH 02/10] Add rationale for OSPS-VM-05 (#139) Signed-off-by: Ben Cotton --- baseline/OSPS-VM.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/baseline/OSPS-VM.yaml b/baseline/OSPS-VM.yaml index 1f8c278..9704dd9 100644 --- a/baseline/OSPS-VM.yaml +++ b/baseline/OSPS-VM.yaml @@ -101,7 +101,11 @@ criteria: The project publishes contacts and process for reporting vulnerabilities. rationale: | - # TODO + Reports from researchers and users are an important source for + identifying vulnerabilities in a project. People with + vulnerabilities to report should have a clear understanding of + the process so that they can quickly submit the report to the + project. details: | Create a security.md (or similarly-named) file that contains security contacts for the project and provide project's From 18144dde564abb78480d7198388d149f9dfd55ec Mon Sep 17 00:00:00 2001 
From: Eddie Knight Date: Thu, 16 Jan 2025 15:06:08 -0600 Subject: [PATCH 03/10] fix: Control mappings are now map[string]string (#147) Signed-off-by: Eddie Knight --- cmd/baseline.go | 18 +++++++++--------- cmd/template.md | 10 ++++------ 2 files changed, 13 insertions(+), 15 deletions(-) diff --git a/cmd/baseline.go b/cmd/baseline.go index e56ca5b..7ed7204 100644 --- a/cmd/baseline.go +++ b/cmd/baseline.go @@ -13,15 +13,15 @@ import ( // Struct for representing each entry type Criterion struct { - ID string `yaml:"id"` - MaturityLevel int `yaml:"maturity_level"` - Category string `yaml:"category"` - CriterionText string `yaml:"criterion"` - Rationale string `yaml:"rationale"` - Implementation string `yaml:"implementation"` - Details string `yaml:"details"` - ControlMappings []string `yaml:"control_mappings"` - SecurityInsightsValue string `yaml:"security_insights_value"` + ID string `yaml:"id"` + MaturityLevel int `yaml:"maturity_level"` + Category string `yaml:"category"` + CriterionText string `yaml:"criterion"` + Rationale string `yaml:"rationale"` + Implementation string `yaml:"implementation"` + Details string `yaml:"details"` + ControlMappings map[string]string `yaml:"control_mappings"` + SecurityInsightsValue string `yaml:"security_insights_value"` } // Struct for holding the entire YAML structure diff --git a/cmd/template.md b/cmd/template.md index 5c0a84b..41c2dc8 100644 --- a/cmd/template.md +++ b/cmd/template.md 
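Review bot: The new `ControlMappings map[string]string` field flattens each framework's mapping into one opaque string, so the comma-separated identifier lists added by the later patches in this series (for example `BPB: Q-B-12, Q-S-9, S-B-14`) cannot be addressed individually, and a key with no value such as `BPB:` decodes to an empty string that the template then prints as a dangling bullet. If per-identifier handling is wanted, `ControlMappings map[string][]string` with YAML flow sequences (`BPB: [Q-B-12, Q-S-9]`) would keep the data structured; otherwise the format should be documented on the field, e.g. `// ControlMappings maps a framework name to a comma-separated list of its control IDs.`. Bare numeric-looking values such as `CRA: 2.5` (OSPS-VM-05) or `CRA: 2.3` (OSPS-QA-08) are resolved by YAML as floats; Go YAML decoders generally keep the source text when the target is a string, but quoting them in the YAML would make that independent of the library. The struct comment should also be a proper doc comment that starts with the type name: `// Criterion is one baseline control entry decoded from the baseline YAML files.`.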
@@ -63,16 +63,14 @@ For more information on the project and to make contributions, visit the [GitHub **Maturity Level:** {{ .MaturityLevel }} **Rationale:** {{ .Rationale | addLinks}} - -{{- if .Implementation -}} +{{ if .Implementation -}} **Implementation:** {{ .Implementation | addLinks}} -{{- end -}} - +{{- end }} **Details:** {{ .Details | addLinks }} {{ if .ControlMappings }} **Control Mappings:** -{{ range .ControlMappings }} -- {{ . }} +{{ range $key, $value := .ControlMappings }} +- {{ $key }}: {{ $value }} {{- end }} {{- end }} {{ if .SecurityInsightsValue }} From 10ed24e1f2d4c3a8472cb4274805ce71fc78af9c Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 16 Jan 2025 19:26:31 -0500 Subject: [PATCH 04/10] Adding Regulatory crosswalk mappings to VM category items (#149) * Adding Regulatory crosswalk mappings to VM category items Adding Regulatory crosswalk mappings to VM category items Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> * Update baseline/OSPS-VM.yaml Signed-off-by: Eddie Knight --------- Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> Signed-off-by: Eddie Knight Co-authored-by: Eddie Knight --- baseline/OSPS-VM.yaml | 50 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 42 insertions(+), 8 deletions(-) diff --git a/baseline/OSPS-VM.yaml b/baseline/OSPS-VM.yaml index 9704dd9..493b39d 100644 --- a/baseline/OSPS-VM.yaml +++ b/baseline/OSPS-VM.yaml @@ -26,7 +26,13 @@ criteria: licenses. Include the process for identifying, prioritizing, and remediating these findings. - control_mappings: # TODO + control_mappings: + BPB: Q-B-12, Q-S-9, S-B-14, S-B-15, A-B-3, A-B-8 + CRA: 1.2a, 1.2b, 1.2c, 2.1, 2.2, 2.3 + SSDF: PO.4, PW1.2, PW8.1, RV2.1, RV 2.2 + CSF: GV.RM-05, GV.RM-06, GV.PO-01, GV.PO-02, ID.RA-01, ID.RA-08, ID.IM-02 + OC: 4.1.5, 4.2.1, 4.3.2 + OCRE: 124-564, 832-555, 611-158, 207-435, 088-377 security_insights_value: # TODO - id: OSPS-VM-02 
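Review bot: The new `- {{ $key }}: {{ $value }}` line renders a dangling `- BPB:` bullet whenever a mapping key has no value, which the YAML later in this series contains (`BPB:` under OSPS-VM-06, `CSF:`/`OC:`/`OCRE:` under OSPS-GV-02). Guarding the line keeps empty entries out of the generated document: `{{ range $key, $value := .ControlMappings }}{{ if $value }}` / `- {{ $key }}: {{ $value }}` / `{{- end }}{{- end }}`. Unlike the text fields above it, the mapping values are not passed through `addLinks`, which is presumably intentional because they are bare identifiers; a one-line template comment saying so would stop a later reader from "fixing" it.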
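Review bot: The `SSDF:` line in the OSPS-VM-01 hunk mixes identifier styles, `PO.4` beside `PW1.2`, `PW8.1`, `RV2.1` and `RV 2.2` (with a stray space); NIST SP 800-218 writes practices and tasks in dotted form such as `PO.4.1` and `RV.2.2`, so one convention should be used throughout and the space removed. The non-dotted `PW1.2`/`PO4.1` style recurs in most later hunks of this series (OSPS-VM-04 and the AC, BR, DO, GV, LE and QA files), and the OSPS-DO-12 hunk even mixes both forms on one line (`PS.2, PS2.1`), so it is worth settling the format before tooling consumes the crosswalk. `SSDF: PO.4, PW.1.2, PW.8.1, RV.2.1, RV.2.2` is the dotted equivalent for this hunk.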
@@ -46,7 +52,13 @@ criteria: results before any release, and add status checks that verify compliance with that policy prior to release. - control_mappings: # TODO + control_mappings: + BPB: S-B-14, S-B-15, A-B-3, A-B-8 + CRA: 1,2a, 1.2c, 2.2, 2.3 + SSDF: PW8.1 + CSF: GV.PO-01, GV.PO-02, ID.RA-01, ID.RA-08 + OC: 4.1.5 + OCRE: 486-813, 833-442, 611-158, 207-435, 088-377 security_insights_value: # TODO - id: OSPS-VM-03 @@ -69,7 +81,13 @@ criteria: vulnerabilities. Set expectations for the how the project will respond and address reported issues. - control_mappings: # TODO + control_mappings: + BPB: R-B-6, R-B-8, R-S-2, S-B-14, S-B-15 + CRA: 2.1, 2.3, 2.6, 2.7, 2.8 + SSDF: RV1.3 + CSF: GV.PO-01, GV.PO-02, ID.RA-01, ID.RA-08 + OC: 4.1.5, 4.2.1, 4.3.2 + OCRE: 887-750 security_insights_value: # TODO - id: OSPS-VM-04 @@ -93,7 +111,13 @@ criteria: all changes to the codebase. Require that the status check passes before changes can be merged. - control_mappings: # TODO + control_mappings: + BPB: CC-B-9, A-B-1, A-S-1 + CRA: 1.2a, 1.2b + SSDF: PO4.1, RV1.2, RV2.1, RV2.2 + OC: 4.1.5 + OCRE: 486-813, 124-564, 757-271 + security_insights_value: # TODO - id: OSPS-VM-05 maturity_level: 1 @@ -110,7 +134,13 @@ criteria: Create a security.md (or similarly-named) file that contains security contacts for the project and provide project's process for handling vulnerabilities in the project or dependencies. - control_mappings: # TODO + control_mappings: + BPB: B-S-8 + CRA: 2.5 + SSDF: RV1.3 + CSF: GV.PO-01, GV.PO-02, ID.RA-01 + OC: 4.1.1, 4.1.3, 4.1.5, 4.2.2 + OCRE: 464-513 security_insights_value: # TODO - id: OSPS-VM-06 @@ -127,7 +157,11 @@ criteria: details: | Enable private bug reporting through VCS or other infrastrucuture. - control_mappings: # TODO + control_mappings: + BPB: + CRA: 1.2a, 1.2b, 2.1, 2.4, 2.6 + OCRE: 308-514 + security_insights_value: # TODO - id: OSPS-VM-07 maturity_level: 2 
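Review bot: `CRA: 1,2a, 1.2c, 2.2, 2.3` in the OSPS-VM-02 hunk has a comma where every other CRA reference uses a dot, so the first identifier will be read as the two tokens `1` and `2a`; it should be `CRA: 1.2a, 1.2c, 2.2, 2.3`. Because these values are decoded as plain strings nothing validates them, so a small lint check on the identifier pattern per framework would catch this class of slip before it reaches the published crosswalk.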
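Review bot: `BPB:` in the OSPS-VM-06 hunk carries no value, which decodes to an empty string in the `map[string]string` field and renders as a dangling `- BPB:` bullet in the generated document; either drop the key or fill in the identifier. The OSPS-GV-02 hunk later in this series has the same problem with `CSF:`, `OC:` and `OCRE:`.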
@@ -143,6 +177,6 @@ criteria: medium. To the degree possible, this information should include affected version(s), how a consumer can determine if they are vulnerable, and instructions for mitigation or remediation. - control_mappings: # TODO - + control_mappings: + CRA: 1.2a, 1.2b, 2.1, 2.4, 2.6 security_insights_value: # TODO From 30a7c02b6b29ae15e9a6c3677b60c9cd9131a308 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 16 Jan 2025 19:32:16 -0500 Subject: [PATCH 05/10] Adding Regulatory crosswalk mappings to AC categories items (#141) Adding Regulatory crosswalk mappings to AC categories items Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> Co-authored-by: Eddie Knight --- baseline/OSPS-AC.yaml | 42 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 36 insertions(+), 6 deletions(-) diff --git a/baseline/OSPS-AC.yaml b/baseline/OSPS-AC.yaml index 7d507b8..59b9784 100644 --- a/baseline/OSPS-AC.yaml +++ b/baseline/OSPS-AC.yaml @@ -30,7 +30,12 @@ criteria: authentication when accessing sensitive data or modifying repository settings. Passkeys are acceptable for this criterion. - control_mappings: # TODO + control_mappings: + BPB: CC-G-1 + CRA: 1.2d, 1.2e, 1.2f + SSDF: PO3.2, PS1 + CSF: PR.AA-02 + OCRE: 486-813, 124-564, 347-352, 333-858, 152-725, 201-246 security_insights_value: # TODO @@ -50,7 +55,11 @@ criteria: permissions to collaborators by default when added, granting additional permissions only when necessary. - control_mappings: # TODO + control_mappings: + CRA: 1.2f + SSDF: PO3.2, PS1 + CSF: PR:AA-02 + OCRE: 486-813, 124-564, 802-056, 368-633, 152-725 security_insights_value: # TODO 
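Review bot: `CSF: PR:AA-02` in the OSPS-AC-02 hunk uses a colon inside the identifier while every other CSF reference in this series, including OSPS-AC-01 just above it, uses `PR.AA-02`; this looks like a typo and should be `CSF: PR.AA-02` so consumers matching on the identifier do not miss the item.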
@@ -80,7 +89,12 @@ criteria: first proposed in another repository, and merging changes into the primary repository requires a specific separate act. - control_mappings: # TODO + control_mappings: + CRA: 1.2f + SSDF: PO3.2, PS1 + CSF: PR.AA-02 + OCRE: 486-813, 124-564, 152-725 + security_insights_value: # TODO - id: OSPS-AC-04 maturity_level: 1 @@ -97,7 +111,12 @@ criteria: Set branch protection on the primary branch in the project's version control system to prevent deletion. - control_mappings: # TODO + control_mappings: + CRA: 1.2b, 1.2f + SSDF: PO3.2, PS1 + CSF: PR.AA-02 + OCRE: 486-813, 124-564,123-124, 152-725 + security_insights_value: # TODO - id: OSPS-AC-05 maturity_level: 2 @@ -119,8 +138,14 @@ criteria: may be possible at the organizational or repository level. If not, set permissions at the top level of the pipeline. - control_mappings: # TODO + control_mappings: + CRA: 1.2d, 1.2e, 1.2f + SSDF: PO2, PO3.2, PS1 + CSF: PR.AA-02, PR.AA-05 + OCRE: 486-813, 124-564,347-507, 263-284, 123-124 + security_insights_value: # TODO + - id: OSPS-AC-07 maturity_level: 3 criterion: | @@ -141,5 +166,10 @@ criteria: alternatives include hardware tokens, mobile authenticator apps, or biometric authentication. - control_mappings: # TODO + control_mappings: + BPB: CC-G-1 + CRA: 1.2d + SSDF: PO3.2, PS1 + CSF: PR.AA-02 + OCRE: 486-813, 124-564,333-858, 102-811, 354-752 security_insights_value: # TODO From eec2ba497a15da68ef40258141f5316bc486e489 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 16 Jan 2025 19:32:39 -0500 Subject: [PATCH 06/10] Adding Regulatory crosswalk mappings to BR category items (#142) * Adding Regulatory crosswalk mappings to BR category items Adding Regulatory crosswalk mappings to BR category items Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> * Update baseline/OSPS-BR.yaml Signed-off-by: Eddie Knight --------- Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> 
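Review bot: `OCRE: 486-813, 124-564,123-124, 152-725` in the OSPS-AC-04 hunk drops the space after one comma, so any consumer that splits the list on `", "` will see `124-564,123-124` as a single identifier. The same slip appears in the `@@ -119,8 +138,14 @@` and OSPS-AC-07 hunks of this file and in `2.2,2.5` under OSPS-DO-05; normalizing the separator to `, ` everywhere (or switching to YAML flow sequences) removes the ambiguity.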
Signed-off-by: Eddie Knight Co-authored-by: Eddie Knight --- baseline/OSPS-BR.yaml | 48 ++++++++++++++++++++++++++++++++++--------- 1 file changed, 38 insertions(+), 10 deletions(-) diff --git a/baseline/OSPS-BR.yaml b/baseline/OSPS-BR.yaml index 9d6ac72..4d5d90d 100644 --- a/baseline/OSPS-BR.yaml +++ b/baseline/OSPS-BR.yaml @@ -23,8 +23,13 @@ criteria: Ensure that the project's build and release pipelines do not execute arbitrary code provided from external sources. - control_mappings: # TODO - + control_mappings: + CRA: 1.2f + SSDF: PO3.2, PS1 + CSF: PR.AA-02 + OCRE: 483-813, 124-564, 357-352 + security_insights_value: # TODO + - id: OSPS-BR-02 maturity_level: 2 criterion: | @@ -45,7 +50,11 @@ criteria: scheme. Examples include SemVer, CalVer, or git commit id. - control_mappings: # TODO + control_mappings: + BPB: CC-B-5, CC-B-6, CC-B-7 + CRA: 1.2f + SSDF: PO3.2, PS1, PS2, PS3 + OCRE: 483-813, 124-564 security_insights_value: # TODO - id: OSPS-BR-03 @@ -65,7 +74,11 @@ criteria: responses, and other services to use encrypted channels such as SSH or HTTPS for data transmission. - control_mappings: # TODO + control_mappings: + BPB: B-B-11 + CRA: 1.2d, 1.2e, 1.2f, 1.2i, 1.2j, 1.2k + SSDF: PO3.2, PS1 + OCRE: 483-813, 124-564, 263-184 security_insights_value: # TODO - id: OSPS-BR-04 @@ -85,8 +98,12 @@ criteria: recommended to ensure consistency and automation in the build and release processes. - control_mappings: # TODO - security_insights_value: # TODO + control_mappings: + BPB: Q-B-7 + CRA: 1.2b, 1.2d, 1.2f, 1.2h, 1.2j + SSDF: PO3.2, PS1 + OCRE: 483-813, 124-564, 347-352, 263-184, 208-355 + security_insights_value: project-lifecycle.release-process - id: OSPS-BR-05 maturity_level: 2 
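Review bot: The `OCRE:` line in the OSPS-BR-01 hunk uses `483-813` where every other file in this series (AC, VM, QA) pairs `486-813` with `124-564`, and `357-352` where OSPS-AC-01 has `347-352`; these look like transcription slips that would silently break the crosswalk for the BR items, so please confirm the intended identifiers. The `483-813` value is repeated in the OSPS-BR-02, OSPS-BR-03 and OSPS-BR-04 hunks here and in the OSPS-BR-05 and OSPS-BR-07 hunks that follow.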
@@ -108,7 +125,11 @@ criteria: dependency file, lock file, or manifest to specify the required dependencies, which are then pulled in by the build system. - control_mappings: # TODO + control_mappings: + BPB: Q-B-2 + CRA: 1.2b, 1.2d, 1.2f, 1.2h, 1.2j, 2.1 + SSDF: PO3.2, PS1 + OCRE: 483-813, 124-564, 347-352, 715-334 security_insights_value: # TODO - id: OSPS-BR-06 @@ -131,7 +152,11 @@ criteria: beyond commit messages, such as descriptions of the security impact or relevance to different use cases. - control_mappings: # TODO + control_mappings: + BPB: CC-B-8, CC-B-9 + CRA: 1.2l, 2.2 + SSDF: PS1, PS2, PS3, PW1.2 + OCRE: 483-813, 124-564, 745-356 security_insights_value: # TODO - id: OSPS-BR-08 @@ -153,5 +178,8 @@ criteria: VSAs. Include the cryptographic hashes of each asset in a signed manifest or metadata file. - control_mappings: # TODO - security_insights_value: # TODO + control_mappings: + SSDF: PO5.2, PS2.1, PW6.2 + security_insights_value: + Signed-Releases + From 30c6535259b574c2ab1b6c362cc961c5a6a597ca Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 16 Jan 2025 19:32:58 -0500 Subject: [PATCH 07/10] Adding Regulatory crosswalk mappings to DO category items (#143) Adding Regulatory crosswalk mappings to DO category items Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> Co-authored-by: Eddie Knight --- baseline/OSPS-DO.yaml | 40 +++++++++++++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 7 deletions(-) diff --git a/baseline/OSPS-DO.yaml b/baseline/OSPS-DO.yaml index 8092c4f..6efd650 100644 --- a/baseline/OSPS-DO.yaml +++ b/baseline/OSPS-DO.yaml 
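Review bot: `security_insights_value:` in the OSPS-BR-08 hunk is filled with `Signed-Releases`, which looks like an OpenSSF Scorecard check name rather than a path into the Security Insights schema, whereas OSPS-BR-04 earlier in this patch uses the dotted form `project-lifecycle.release-process`. The OSPS-DO-15 hunk in the next patch does the same with `Pinned-Dependencies`. If the field is meant to point at a Security Insights attribute, these two should be mapped to the corresponding schema path; if Scorecard checks are intended, they belong in `control_mappings` under their own key so the two sources are not conflated.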
@@ -25,7 +25,13 @@ criteria: use the project's features. If there are any known dangerous or destructive actions available, include highly-visible warnings. - control_mappings: # TODO + control_mappings: + BPB: B-B-1, B-B-9, B-S-7, B-S-9 + CRA: 1.2b, 1.2j, 1.2k + SSDF: PW1.2 + CSF: GV.OC-04, GV.OC-05 + OC: 4.1.4 + OCRE: 036-275 security_insights_value: # TODO - id: OSPS-DO-05 @@ -51,7 +57,12 @@ criteria: It is recommended that project documentation also sets expectations for how defects will be triaged and resolved. - control_mappings: # TODO + control_mappings: + BPB: B-B-3, R-B-1+, R-B-1, R-B-2, R-S-2 + CRA: 1.2c, 1.2l, 2.1, 2.2,2.5, 2.6 + SSDF: PW1.2, RV1.1, RV2.1, RV1.2 + CSF: RS.MA-02, GV.RM-05 + OC: 4.2.1 security_insights_value: # TODO - id: OSPS-DO-12 @@ -75,7 +86,11 @@ criteria: expected identity may be in the form of key IDs used to sign, issuer and identity from a sigstore certificate, or other similar forms. - control_mappings: # TODO + control_mappings: + BPB: CC-B-8 + CRA: 1.2d + SSDF: PO4.2, PS.2, PS2.1, PS3.1, RV1.3 + OCRE: 171-222 security_insights_value: # TODO - id: OSPS-DO-13 @@ -87,7 +102,10 @@ criteria: duration of support. rationale: # TODO implementation: # TODO - control_mappings: # TODO + control_mappings: + BPB: R-B-3 + SSDF: PO4.2, PS3.1, RV1.3 + OC: 4.1, 4.3.1 security_insights_value: # TODO - id: OSPS-DO-14 @@ -100,7 +118,10 @@ criteria: will no longer receive security updates. rationale: # TODO implementation: # TODO - control_mappings: # TODO + control_mappings: + CRA: 1.2c, 2.6 + OC: 4.1.1, 4.3.1 + OCRE: 673-475, 053-751 security_insights_value: # TODO - id: OSPS-DO-15 @@ -112,5 +133,10 @@ criteria: obtains, and tracks its dependencies. rationale: # TODO implementation: # TODO - control_mappings: # TODO - security_insights_value: # TODO + control_mappings: + BPB: A-S-1 + CRA: 2.1 + OCRE: 613-286, 053-751 + security_insights_value: + Pinned-Dependencies + From a1ac321ab1b9ed1479ab2049202f6437dc8acde8 Mon Sep 17 00:00:00 2001 
From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 16 Jan 2025 19:33:12 -0500 Subject: [PATCH 08/10] Adding Regulatory crosswalk mappings to GV category items (#144) Adding Regulatory crosswalk mappings to GV category items Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> Co-authored-by: Eddie Knight Co-authored-by: Puerco --- baseline/OSPS-GV.yaml | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/baseline/OSPS-GV.yaml b/baseline/OSPS-GV.yaml index 4808447..0b61b11 100644 --- a/baseline/OSPS-GV.yaml +++ b/baseline/OSPS-GV.yaml @@ -14,7 +14,9 @@ criteria: project. rationale: # TODO implementation: # TODO - control_mappings: # TODO + control_mappings: + BPB: B-S-3, B-S-4 + OCRE: 013-021 security_insights_value: # TODO - id: OSPS-GV-02 @@ -35,7 +37,13 @@ criteria: mailing lists, instant messaging, or issue trackers, to facilitate open communication and feedback. - control_mappings: # TODO + control_mappings: + BPB: B-B-3, B-B-12 + CRA: 1.2l, 2.3, 2.4, 2.6 + SSDF: PS3, PW1.2 + CSF: + OC: + OCRE: security_insights_value: # TODO - id: OSPS-GV-03 @@ -54,7 +62,10 @@ criteria: process including the steps for submitting changes, and engaging with the project maintainers. - control_mappings: # TODO + control_mappings: + BPB: B-B-4, B-S-3, B-B-4+, R-B-1, Q-G-2 + CRA: 1.2l, 2.4 + SSDF: PW1.2 security_insights_value: # TODO - id: OSPS-GV-04 @@ -80,7 +91,10 @@ criteria: It is recommended that this guide is the source of truth for both contributors and approvers. - control_mappings: # TODO + control_mappings: + BPB: B-B-5, B-S-3, B-B-4+, Q-G-2 + CRA: 1.2l, 2.1, 2.2, 2.5, 2.6 + OC: 4.1.2 security_insights_value: # TODO - id: OSPS-GV-05 
@@ -109,5 +123,9 @@ criteria: identity such as confirming the contributor's association with a known trusted organization. - control_mappings: # TODO + control_mappings: + CRA: 1.2d + SSDF: PO2, PO3.2 + CSF: PR.AA-02, PR.AA-05 + OCRE: 123-124, 152-725 security_insights_value: # TODO From 9008ec04d1c1e83859799764a7a5d4a37c64eff7 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 16 Jan 2025 19:33:28 -0500 Subject: [PATCH 09/10] Adding Regulatory crosswalk mappings to LE category items (#145) Adding Regulatory crosswalk mappings to LE category items Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> Co-authored-by: Eddie Knight --- baseline/OSPS-LE.yaml | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/baseline/OSPS-LE.yaml b/baseline/OSPS-LE.yaml index 33feb61..9e79add 100644 --- a/baseline/OSPS-LE.yaml +++ b/baseline/OSPS-LE.yaml @@ -29,7 +29,10 @@ criteria: commit the associated contributions on every commit. Use a status check to ensure the assertion is made. - control_mappings: # TODO + control_mappings: + BPB: B-S-1 + CRA: 1.2b, 1.2f + SSDF: PO3.2, PS1, PW1.2, PW2.1 security_insights_value: # TODO - id: OSPS-LE-02 @@ -59,7 +62,11 @@ criteria: Releasing to the public domain (e.g., CC0) meets this criterion if there are no other encumbrances (e.g., patents). - control_mappings: # TODO + control_mappings: + BPB: B-B-6, B-B-7 + CRA: 1.2b + SSDF: PO3.2 + CSF: GV.OC-03 security_insights_value: # TODO - id: OSPS-LE-03 @@ -81,7 +88,10 @@ criteria: directory to provide visibility and clarity on the licensing terms. The filename MAY have an extension. - control_mappings: # TODO + control_mappings: + BPB: B-B-8 + CRA: 1.2b + SSDF: PO3.2 security_insights_value: # TODO - id: OSPS-LE-04 
@@ -111,5 +121,9 @@ criteria: Note that the license for the released software assets may be different than the source code. - control_mappings: # TODO + control_mappings: + BPB: B-B-6, B-B-7 + CRA: 1.2b + SSDF: PO3.2 + CSF: GV.OC-03 security_insights_value: # TODO From 176ad340efe115ef376cabfc3a349ab7cae918b1 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 16 Jan 2025 19:33:42 -0500 Subject: [PATCH 10/10] Adding Regulatory crosswalk mappings to QA category items (#146) * Adding Regulatory crosswalk mappings to QA category items Adding Regulatory crosswalk mappings to QA category items Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> * Update baseline/OSPS-QA.yaml Signed-off-by: Eddie Knight --------- Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> Signed-off-by: Eddie Knight Co-authored-by: Eddie Knight --- baseline/OSPS-QA.yaml | 58 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 49 insertions(+), 9 deletions(-) diff --git a/baseline/OSPS-QA.yaml b/baseline/OSPS-QA.yaml index 28db732..953dc4c 100644 --- a/baseline/OSPS-QA.yaml +++ b/baseline/OSPS-QA.yaml @@ -27,7 +27,11 @@ criteria: documentation clarifies the primary source. Avoid frequent changes to the repository that would impact the repository URL. - control_mappings: # TODO + control_mappings: + BPB: CC-B-1 + CRA: 1.2b, 1.2j + SSDF: PS1, PS2, PS3, PW1.2 + OCRE: 486-813, 124-564 security_insights_value: # TODO - id: OSPS-QA-02 @@ -48,7 +52,13 @@ criteria: commit history. Avoid squashing or rewriting commits in a way that would obscure the author of any commits. - control_mappings: # TODO + control_mappings: + BPB: CC-B-2, CC-B-3, R-B-5 + CRA: 1.2b, 1.2f, 1.2j + SSDF: PO3.2, PS1, PS2, PS3, PW1.2, PW2.1, + CSF: ID.AM-02, ID.RA-01, ID.RA-08 + OC: 4.1.4 + OCRE: 486-813, 124-564, 757-271 security_insights_value: # TODO - id: OSPS-QA-03 
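Review bot: `SSDF: PO3.2, PS1, PS2, PS3, PW1.2, PW2.1,` in the OSPS-QA-02 hunk ends with a trailing comma, which the YAML parser accepts as part of the string but which yields an empty trailing token for anything that splits the list; drop it: `SSDF: PO3.2, PS1, PS2, PS3, PW1.2, PW2.1`.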
@@ -77,7 +87,13 @@ criteria: This enables users to ingest this data in a standardized approach alongside other projects in their environment. - control_mappings: # TODO + control_mappings: + BPB: Q-S-9 + CRA: 1.2b, 2.1 + SSDF: PO4, PS1 + CSF: ID.AM-02 + OC: 4.3.1 + OCRE: 486-813, 124-564, 863-521 security_insights_value: # TODO - id: OSPS-QA-04 @@ -104,7 +120,10 @@ criteria: status checks are NOT configured as a pass or fail requirement that approvers may be tempted to bypass. - control_mappings: # TODO + control_mappings: + CRA: 1.2f, 1.2k + SSDF: PO4.1, PS1 + CSF: ID.IM-02 security_insights_value: # TODO - id: OSPS-QA-05 @@ -134,7 +153,10 @@ criteria: be held to a lower standard if they have lower levels of adoption or are not intended for general use. - control_mappings: # TODO + control_mappings: + CRA: 1.2b, 1.2f + SSDF: PO3.2, PO4.1, PS1 + OCRE: 486-813, 124-564 security_insights_value: # TODO - id: OSPS-QA-06 @@ -158,7 +180,11 @@ criteria: should be instead be generated at build time or stored separately and fetched during a specific well-documented pipeline step. - control_mappings: # TODO + control_mappings: + CRA: 1.2b + SSDF: PS1 + OCRE: 486-813, 124-564 + security_insights_value: # TODO - id: OSPS-QA-08 maturity_level: 3 @@ -169,9 +195,15 @@ criteria: are run. rationale: # TODO details: # TODO - control_mappings: # TODO + control_mappings: + BPB: Q-B-4 + CRA: 2.3 + SSDF: PW8.2 + OC: 4.1.5 + OCRE: 207-435, 088-377 security_insights_value: # TODO + - id: OSPS-QA-09 maturity_level: 3 criterion: | @@ -182,9 +214,16 @@ criteria: in an automated test suite. rationale: # TODO details: # TODO - control_mappings: # TODO + control_mappings: + BPB: Q-B-8, Q-B-9, Q-B-10, Q-S-2 + CRA: 2.3 + SSDF: PW8.2 + CSF: ID.IM-02 + OC: 4.1.5 + OCRE: 207-435, 088-377 security_insights_value: # TODO + - id: OSPS-QA-10 maturity_level: 3 category: Governance 
@@ -195,5 +234,6 @@ criteria: primary branch. rationale: # TODO implementation: # TODO - control_mappings: # TODO + control_mappings: + BPB: B-G-3 security_insights_value: # TODO