
Implement Security Baseline criterion OSPS-QA-03 #289

Open
mesembria opened this issue Jan 27, 2025 · 1 comment · May be fixed by #307
Comments

@mesembria
Contributor

Criterion: All released software assets MUST be delivered with a machine-readable list of all direct and transitive internal software dependencies with their associated version identifiers.

Maturity Level: 2

Rationale: Provide transparency and accountability for the project’s dependencies, enabling users and contributors to understand the software’s dependencies and versions.

Details: This may take the form of a software bill of materials (SBOM) or a dependency file that lists all direct and transitive dependencies such as package.json, Gemfile.lock, or go.sum.

It is recommended to use a CycloneDX or SPDX file that is auto-generated at build time by a tool that has been vetted for accuracy. This enables users to ingest this data in a standardized approach alongside other projects in their environment.
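A check a project could run in CI over an auto-generated CycloneDX JSON SBOM to confirm what OSPS-QA-03 asks for: every listed component carries a version identifier, the dependency graph references only declared components, and every component is reachable from the root (so transitive dependencies are really represented, not just the direct ones). This is an added example, not code from the issue or the Baseline project; it assumes the standard CycloneDX JSON layout (`components`, `bom-ref`, `dependencies`/`dependsOn`), and the SBOM it parses is a small hand-constructed document with made-up versions, not the output of any real tool.

```python
"""Added example: verify that a CycloneDX JSON SBOM meets the OSPS-QA-03
expectation of a complete, versioned dependency list. Not project code."""
import json

# Constructed CycloneDX 1.5-style SBOM for illustration only; one component
# (certifi) deliberately lacks a version so the check has something to report.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "example-app",
                               "version": "1.0.0", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "bom-ref": "pkg:pypi/requests@2.32.3"},
        {"type": "library", "name": "urllib3", "version": "2.2.2",
         "bom-ref": "pkg:pypi/urllib3@2.2.2"},
        {"type": "library", "name": "certifi", "bom-ref": "pkg:pypi/certifi"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.32.3"]},
        {"ref": "pkg:pypi/requests@2.32.3",
         "dependsOn": ["pkg:pypi/urllib3@2.2.2", "pkg:pypi/certifi"]},
    ],
})


def check_sbom(sbom_text: str) -> list[str]:
    """Return a list of findings; an empty list means the SBOM passes."""
    bom = json.loads(sbom_text)
    findings: list[str] = []
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        return ["not a CycloneDX document"]

    root = bom.get("metadata", {}).get("component", {})
    components = {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}
    known_refs = set(components) | ({root["bom-ref"]} if "bom-ref" in root else set())

    # 1. Every component must carry a version identifier (the criterion's core demand).
    for ref, comp in components.items():
        if not comp.get("version"):
            findings.append(f"component {comp.get('name', ref)} has no version")

    # 2. The dependency graph may only reference declared components.
    edges: dict[str, list[str]] = {}
    for dep in bom.get("dependencies", []):
        ref = dep.get("ref")
        if ref not in known_refs:
            findings.append(f"dependency entry for undeclared ref {ref}")
            continue
        edges[ref] = list(dep.get("dependsOn", []))
        for target in edges[ref]:
            if target not in known_refs:
                findings.append(f"{ref} depends on undeclared ref {target}")

    # 3. Every component must be reachable from the root component; an unreachable
    #    one means either an unused entry or a missing transitive edge.
    if "bom-ref" in root:
        seen, stack = set(), [root["bom-ref"]]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            stack.extend(edges.get(node, []))
        for ref in components:
            if ref not in seen:
                findings.append(f"component {ref} is not reachable from the root component")
    else:
        findings.append("metadata.component has no bom-ref; cannot verify graph completeness")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM) or ["SBOM passes"]:
        print(finding)
```

Run against the constructed document it reports the single missing version; with that fixed it passes. In a real pipeline the SBOM would come from the build-time generator the issue recommends, and a non-empty findings list would fail the release job.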

@mesembria mesembria added the P1 Fix Soon: High priority items that should be considered in the next Sprint planning cycle label Jan 27, 2025
@mesembria
Contributor Author

Note, this is still Level 2 at the moment. A PR has been opened to move it to Level 1 and tweak the definition.

@mesembria mesembria added P0 Fix Now: These are urgent issues that preempt other work in the current sprint and removed P1 Fix Soon: High priority items that should be considered in the next Sprint planning cycle labels Jan 28, 2025
@mesembria mesembria moved this to Ready in Planned Work Jan 28, 2025
@eleftherias eleftherias self-assigned this Jan 30, 2025
@eleftherias eleftherias moved this from Ready to In Progress in Planned Work Jan 30, 2025
eleftherias added a commit that referenced this issue Jan 31, 2025
@eleftherias eleftherias linked a pull request Jan 31, 2025 that will close this issue
@eleftherias eleftherias moved this from In Progress to Review in Planned Work Jan 31, 2025