From 8478f3891dd6c31efd4eb86fb4cec7c8375b1491 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adolfo=20Garc=C3=ADa=20Veytia=20=28Puerco=29?= Date: Fri, 24 Jan 2025 13:17:05 -0600 Subject: [PATCH 1/7] Add dependency/SBOM criteria and leveling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit updates the dependency criteria to add increasing transparency requirements at each level. Signed-off-by: Adolfo García Veytia (Puerco) --- baseline/OSPS-QA.yaml | 89 +++++++++++++++++++++++++++++++++---------- 1 file changed, 68 insertions(+), 21 deletions(-) diff --git a/baseline/OSPS-QA.yaml b/baseline/OSPS-QA.yaml index 953dc4c..9b47b3c 100644 --- a/baseline/OSPS-QA.yaml +++ b/baseline/OSPS-QA.yaml 
@@ -62,31 +62,21 @@ criteria: security_insights_value: # TODO - id: OSPS-QA-03 - maturity_level: 2 + maturity_level: 1 criterion: | - All released software assets MUST be - delivered with a machine-readable list of - all direct and transitive internal software - dependencies with their associated version - identifiers. + The code repository MUST contain a dependency + list that accounts for the direct language dependencies + when the package management system supports it. rationale: | Provide transparency and accountability for - the project's dependencies, enabling users - and contributors to understand the - software's dependencies and versions. + the project's dependencies by fixing the desired versions + while enabling users and contributors to understand the + software's direct dependencies. details: | - This may take the form of a software bill of - materials (SBOM) or a dependency file that - lists all direct and transitive dependencies - such as package.json, Gemfile.lock, or - go.sum. - - It is recommended to use a CycloneDX or SPDX - file that is auto-generated at build time by - a tool that has been vetted for accuracy. - This enables users to ingest this data in a - standardized approach alongside other - projects in their environment. + This may take the form a package manager or + language dependency lock file that ennumerates all + direct and, ideally, transitive build dependencies such as + package.json, Gemfile.lock, or go.sum. control_mappings: BPB: Q-S-9 CRA: 1.2b, 2.1 
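Review bot: the new `details` text for OSPS-QA-03 is missing a word and has a typo: `This may take the form a package manager or` should read `This may take the form of a package manager or`, and `ennumerates` should be `enumerates`. Two points of substance in the same hunk: the rationale says the list provides accountability "by fixing the desired versions", yet `package.json` (kept in the example list) declares version ranges rather than fixed versions, so either drop it in favour of its lock file or drop the "fixing" claim; and the criterion's "direct language dependencies when the package management system supports it" gives an assessor no way to decide what "language dependencies" covers (runtime only, or build tooling too) or when a package manager "supports it". Something like "the direct dependencies declared through the project's package manager, where the ecosystem has one" is checkable.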
@@ -237,3 +227,60 @@ criteria: control_mappings: BPB: B-G-3 security_insights_value: # TODO + + - id: OSPS-QA-11 + maturity_level: 2 + criterion: | + All released software assets MUST be + delivered with a software bill of materials + (SBOM) in SPDX or CycloneDX format accounting + all direct software dependencies with their + associated version identifiers. + rationale: | + Provide transparency and accountability for + the project's dependencies in a standard format + allowing automated systems to understand the + software's dependencies and versions. + details: | + It is recommended to use a CycloneDX or SPDX + file that is auto-generated at build time by + a tool that has been vetted for accuracy. + This enables users to ingest this data in a + standardized approach alongside other + projects in their environment. + control_mappings: + BPB: Q-S-9 + CRA: 13.24, I.II.1, VII.2 + SSDF: PS3, PW4 + CSF: ID.AM-02 + OC: 4.3.1 + OCRE: 486-813, 124-564, 863-521 + security_insights_value: # TODO + + - id: OSPS-QA-12 + maturity_level: 3 + criterion: | + The software bill of materials describing the release assets + should provide the following data elements for the components + used in the build: license, supplier name, filename of the component, + component name, component version, software identifiers, + relationship between the components, author of the + SBOM data and timestamp. + + Assitionally, for deployable and executable components + the SBOM should record their cryptgraphic hashes. + rationale: | + Provide the minimal data elements required to validate, + verify the integrity of software components and assess risk. + details: | + SBOM generation tools can specialize on one kind of data element. + Supplying the required data in multiple software bills of materials + can be done although, ideally, data should be combined into one. 
+ control_mappings: + BPB: Q-S-9 + CRA: 13.24, I.II.1, II.2 + SSDF: PS3, PW4 + CSF: ID.AM-02 + OC: 4.3.1 + OCRE: 486-813, 124-564, 863-521 + security_insights_value: # TODO From 38442a7c769c2343a5fa8d1a09a82e0b2ae1ef09 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Mon, 27 Jan 2025 09:50:25 -0500 Subject: [PATCH 2/7] Update baseline/OSPS-QA.yaml Co-authored-by: Ben Cotton Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- baseline/OSPS-QA.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/baseline/OSPS-QA.yaml b/baseline/OSPS-QA.yaml index 9b47b3c..12643d0 100644 --- a/baseline/OSPS-QA.yaml +++ b/baseline/OSPS-QA.yaml @@ -74,7 +74,7 @@ criteria: software's direct dependencies. details: | This may take the form a package manager or - language dependency lock file that ennumerates all + language dependency file that ennumerates all direct and, ideally, transitive build dependencies such as package.json, Gemfile.lock, or go.sum. control_mappings: From 3a1f91b10b59fecf88b61397e0b978cd5d5ec80a Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Mon, 27 Jan 2025 09:51:08 -0500 Subject: [PATCH 3/7] Update baseline/OSPS-QA.yaml Co-authored-by: Ben Cotton Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- baseline/OSPS-QA.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/baseline/OSPS-QA.yaml b/baseline/OSPS-QA.yaml index 12643d0..12006b3 100644 --- a/baseline/OSPS-QA.yaml +++ b/baseline/OSPS-QA.yaml @@ -69,7 +69,7 @@ criteria: when the package management system supports it. rationale: | Provide transparency and accountability for - the project's dependencies by fixing the desired versions + the project's dependencies while enabling users and contributors to understand the software's direct dependencies. details: | From 2ed4504b29cbf3edbbca77efafd3935f9884a64d Mon Sep 17 00:00:00 2001 
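Review bot: the new QA-11 drops transitive dependencies and no later level picks them up: the old QA-03 required "all direct and transitive" dependencies at level 2, the new QA-11 at level 2 requires an SBOM "accounting all direct software dependencies" (also missing "for": "accounting for all direct"), and QA-12 at level 3 only adds data elements, so transitive coverage is never required on the new ladder. Consider "direct and transitive" in QA-11 or QA-12. In QA-12, `Assitionally` and `cryptgraphic` are typos, and the criterion uses a lowercase "should" where every other criterion in the file uses MUST; if this is meant as a SHOULD, capitalise it. The hash sentence would also be more useful if it named the algorithm family expected (SPDX and CycloneDX both accept several), since the hash is what lets a consumer tie the SBOM entry to the actual release asset.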
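Review bot: the line edited in PATCH 2/7 still carries the `ennumerates` typo, and the context line just above it still reads `take the form a package manager`; since this commit touches that sentence anyway, fix both. Dropping "lock" also leaves the example list inconsistent: `Gemfile.lock` and `go.sum` are pinned artefacts while `package.json` is not, so the sentence now covers both kinds of file without saying which one satisfies the criterion.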
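Review bot: in PATCH 3/7, removing "by fixing the desired versions" leaves "while" with nothing to contrast; the rationale now reads "Provide transparency and accountability for the project's dependencies while enabling users and contributors to understand ...". "by enabling" (or "and enable") reads cleanly.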
From: Eddie Knight Date: Mon, 3 Feb 2025 13:27:04 -0800 Subject: [PATCH 4/7] Update baseline/OSPS-QA.yaml Co-authored-by: Eleftheria Stein-Kousathana Signed-off-by: Eddie Knight --- baseline/OSPS-QA.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/baseline/OSPS-QA.yaml b/baseline/OSPS-QA.yaml index 12006b3..8398d02 100644 --- a/baseline/OSPS-QA.yaml +++ b/baseline/OSPS-QA.yaml @@ -76,7 +76,7 @@ criteria: This may take the form a package manager or language dependency file that ennumerates all direct and, ideally, transitive build dependencies such as - package.json, Gemfile.lock, or go.sum. + package-lock.json, Gemfile.lock, or go.sum. control_mappings: BPB: Q-S-9 CRA: 1.2b, 2.1 From 87bebc8f830e7aac41ced569e969bf963e5d0da0 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Tue, 4 Feb 2025 09:35:34 -0500 Subject: [PATCH 5/7] Update OSPS-QA.yaml suggested update to QA-12 Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- baseline/OSPS-QA.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/baseline/OSPS-QA.yaml b/baseline/OSPS-QA.yaml index 8398d02..7cad3de 100644 --- a/baseline/OSPS-QA.yaml +++ b/baseline/OSPS-QA.yaml @@ -269,6 +269,20 @@ criteria: Assitionally, for deployable and executable components the SBOM should record their cryptgraphic hashes. + + Provide both source and build software bills of materials + the following data elements for the components used in the build: + - license + - supplier name + - filename of the component, + - component name + - component version + - software identifiers + - relationship between the components + - author of the SBOM data and timestamp. + + Additionally, for deployable and executable components + the SBOM should record their cryptographic hashes. rationale: | Provide the minimal data elements required to validate, verify the integrity of software components and assess risk. 
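Review bot: for the PATCH 4/7 hunk, `package-lock.json` is the right swap, but `go.sum` in the same list is a checksum database rather than a dependency list: it can carry hashes for modules that are not in the build and does not mark which modules are direct, whereas `go.mod` (whose `require` block flags indirect dependencies with `// indirect`) is the file that enumerates direct dependencies. Suggest `package-lock.json, Gemfile.lock, or go.mod`. The `ennumerates` typo on the context line above is still unfixed.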
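Review bot: in the PATCH 5/7 hunk, the paragraph above the inserted list is left in place, so the QA-12 criterion now states the same requirement twice (the old prose with `Assitionally` and `cryptgraphic`, then the new bullet list); the duplicate is only removed two commits later, so PATCH 5/7 through 7/7 should be squashed into one. The new text also introduces "both source and build software bills of materials" without the baseline defining the two types anywhere, and asks both to describe "the components used in the build", which is what a build SBOM does; say what a source SBOM is expected to list, or require only the build SBOM.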
From 13ba028c5a903d37196ff7c27714c1792513ce59 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Tue, 4 Feb 2025 09:36:25 -0500 Subject: [PATCH 6/7] Update OSPS-QA.yaml better update than the last one Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- baseline/OSPS-QA.yaml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/baseline/OSPS-QA.yaml b/baseline/OSPS-QA.yaml index 7cad3de..ded548c 100644 --- a/baseline/OSPS-QA.yaml +++ b/baseline/OSPS-QA.yaml @@ -260,16 +260,6 @@ criteria: - id: OSPS-QA-12 maturity_level: 3 criterion: | - The software bill of materials describing the release assets - should provide the following data elements for the components - used in the build: license, supplier name, filename of the component, - component name, component version, software identifiers, - relationship between the components, author of the - SBOM data and timestamp. - - Assitionally, for deployable and executable components - the SBOM should record their cryptgraphic hashes. - Provide both source and build software bills of materials the following data elements for the components used in the build: - license From 39584f27bf8662069082e8e185e8de12ba4caef3 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Tue, 4 Feb 2025 09:43:32 -0500 Subject: [PATCH 7/7] Update OSPS-QA.yaml an even better update than the last two Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- baseline/OSPS-QA.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/baseline/OSPS-QA.yaml b/baseline/OSPS-QA.yaml index ded548c..d57958b 100644 --- a/baseline/OSPS-QA.yaml +++ b/baseline/OSPS-QA.yaml 
@@ -260,16 +260,17 @@ criteria: - id: OSPS-QA-12 maturity_level: 3 criterion: | - Provide both source and build software bills of materials - the following data elements for the components used in the build: + The project will provide both source and build software bills + of materials the following data elements for the components + used in the build: - license - supplier name - - filename of the component, + - filename of the component - component name - component version - software identifiers - relationship between the components - - author of the SBOM data and timestamp. + - author of the SBOM data and timestamp Additionally, for deployable and executable components the SBOM should record their cryptographic hashes.
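Review bot: the reworded criterion still lacks an RFC 2119 keyword and a preposition: "The project will provide both source and build software bills of materials the following data elements" should read "The project MUST (or SHOULD) provide both source and build software bills of materials with the following data elements", matching the MUST used by QA-03 and QA-11. The closing sentence refers to "the SBOM" in the singular right after requiring two of them; say which one (the build SBOM is the one that describes deployable and executable components). "software identifiers" would also be more actionable with an example of an accepted scheme, such as purl or CPE.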