Commit
1 parent 13d4a61, commit c4e5bc8. Showing 5 changed files with 181 additions and 0 deletions.
@@ -0,0 +1,89 @@ | ||
id,text,l1,l2,l3,file | ||
1.1,All direct and transitive components and their versions are known at completion of a build,True,True,True,0x10-V1-Inventory.md | ||
1.2,Package managers are used to manage all third-party binary components,True,True,True,0x10-V1-Inventory.md | ||
1.3,An accurate inventory of all third-party components is available in a machine-readable format,True,True,True,0x10-V1-Inventory.md | ||
1.4,Software bill of materials are generated for publicly or commercially available applications,True,True,True,0x10-V1-Inventory.md | ||
1.5,Software bill of materials are required for new procurements,False,True,True,0x10-V1-Inventory.md | ||
1.6,Software bill of materials continuously maintained and current for all systems,False,False,True,0x10-V1-Inventory.md | ||
1.7,"Components are uniquely identified in a consistent, machine-readable format",True,True,True,0x10-V1-Inventory.md | ||
1.8,The component type is known throughout inventory,False,False,True,0x10-V1-Inventory.md | ||
1.9,The component function is known throughout inventory ,False,False,True,0x10-V1-Inventory.md | ||
1.10,Point of origin is known for all components,False,False,True,0x10-V1-Inventory.md | ||
2.1,"A structured, machine readable software bill of materials (SBOM) format is present",True,True,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.2,SBOM creation is automated and reproducible,False,True,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.3,Each SBOM has a unique identifier,True,True,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.4,"SBOM has been signed by publisher, supplier, or certifying authority",False,True,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.5,SBOM signature verification exists,False,True,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.6,SBOM signature verification is performed,False,False,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.7,SBOM is timestamped,True,True,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.8,SBOM is analyzed for risk,True,True,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.9,SBOM contains a complete and accurate inventory of all components the SBOM describes,True,True,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.10,SBOM contains an accurate inventory of all test components for the asset or application it describes,False,True,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.11,SBOM contains metadata about the asset or software the SBOM describes,False,True,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.12,Component identifiers are derived from their native ecosystems (if applicable),True,True,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.13,"Component point of origin is identified in a consistent, machine readable format (e.g. PURL)",False,False,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.14,Components defined in SBOM have accurate license information,True,True,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.15,Components defined in SBOM have valid SPDX license ID's or expressions (if applicable),False,True,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.16,Components defined in SBOM have valid copyright statements,False,False,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.17,Components defined in SBOM which have been modified from the original have detailed provenance and pedigree information ,False,False,True,0x11-V2-Software_Bill_of_Materials.md | ||
2.18,"Components defined in SBOM have one or more file hashes (SHA-256, SHA-512, etc)",False,False,True,0x11-V2-Software_Bill_of_Materials.md | ||
3.1,Application uses a repeatable build,True,True,True,0x12-V3-Build_Environment.md | ||
3.2,Documentation exists on how the application is built and instructions for repeating the build,True,True,True,0x12-V3-Build_Environment.md | ||
3.3,Application uses a continuous integration build pipeline,True,True,True,0x12-V3-Build_Environment.md | ||
3.4,Application build pipeline prohibits alteration of build outside of the job performing the build,False,True,True,0x12-V3-Build_Environment.md | ||
3.5,Application build pipeline prohibits alteration of package management settings,False,True,True,0x12-V3-Build_Environment.md | ||
3.6,Application build pipeline prohibits the execution of arbitrary code outside of the context of a jobs build script,False,True,True,0x12-V3-Build_Environment.md | ||
3.7,Application build pipeline may only perform builds of source code maintained in version control systems,True,True,True,0x12-V3-Build_Environment.md | ||
3.8,Application build pipeline prohibits alteration of DNS and network settings during build,False,False,True,0x12-V3-Build_Environment.md | ||
3.9,Application build pipeline prohibits alteration of certificate trust stores,False,False,True,0x12-V3-Build_Environment.md | ||
3.10,Application build pipeline enforces authentication and defaults to deny,False,True,True,0x12-V3-Build_Environment.md | ||
3.11,Application build pipeline enforces authorization and defaults to deny,False,True,True,0x12-V3-Build_Environment.md | ||
3.12,Application build pipeline requires separation of concerns for the modification of system settings,False,False,True,0x12-V3-Build_Environment.md | ||
3.13,Application build pipeline maintains a verifiable audit log of all system changes,False,False,True,0x12-V3-Build_Environment.md | ||
3.14,Application build pipeline maintains a verifiable audit log of all build job changes,False,False,True,0x12-V3-Build_Environment.md | ||
3.15,"Application build pipeline has required maintenance cadence where the entire stack is updated, patched, and re-certified for use",False,True,True,0x12-V3-Build_Environment.md | ||
3.16,"Compilers, version control clients, development utilities, and software development kits are analyzed and monitored for tampering, trojans, or malicious code",False,False,True,0x12-V3-Build_Environment.md | ||
3.17,All build-time manipulations to source or binaries are known and well defined,True,True,True,0x12-V3-Build_Environment.md | ||
3.18,Checksums of all first-party and third-party components are documented for every build,True,True,True,0x12-V3-Build_Environment.md | ||
3.19,Checksums of all components are accessible and delivered out-of-band whenever those components are packaged or distributed,False,True,True,0x12-V3-Build_Environment.md | ||
3.20,Unused direct and transitive components have been identified,False,False,True,0x12-V3-Build_Environment.md | ||
3.21,Unused direct and transitive components have been removed from the application,False,False,True,0x12-V3-Build_Environment.md | ||
4.1,Binary components are retrieved from a package repository,True,True,True,0x13-V4-Package_Management.md | ||
4.2,Package repository contents are congruent to an authoritative point of origin for open source components,True,True,True,0x13-V4-Package_Management.md | ||
4.3,Package repository requires strong authentication,False,True,True,0x13-V4-Package_Management.md | ||
4.4,Package repository supports multi-factor authentication component publishing,False,True,True,0x13-V4-Package_Management.md | ||
4.5,Package repository components have been published with multi-factor authentication,False,False,True,0x13-V4-Package_Management.md | ||
4.6,Package repository supports security incident reporting,False,True,True,0x13-V4-Package_Management.md | ||
4.7,Package repository automates security incident reporting,False,False,True,0x13-V4-Package_Management.md | ||
4.8,Package repository notifies publishers of security issues,False,True,True,0x13-V4-Package_Management.md | ||
4.9,Package repository notifies users of security issues,False,False,True,0x13-V4-Package_Management.md | ||
4.10,Package repository provides a verifiable way of correlating component versions to specific source codes in version control,False,True,True,0x13-V4-Package_Management.md | ||
4.11,Package repository provides auditability when components are updated,True,True,True,0x13-V4-Package_Management.md | ||
4.12,Package repository requires code signing to publish packages to production repositories,False,True,True,0x13-V4-Package_Management.md | ||
4.13,Package manager verifies the integrity of packages when they are retrieved from remote repository,True,True,True,0x13-V4-Package_Management.md | ||
4.14,Package manager verifies the integrity of packages when they are retrieved from file system,True,True,True,0x13-V4-Package_Management.md | ||
4.15,Package repository enforces use of TLS for all interactions,True,True,True,0x13-V4-Package_Management.md | ||
4.16,Package manager validates TLS certificate chain to repository and fails securely when validation fails,True,True,True,0x13-V4-Package_Management.md | ||
4.17,Package repository requires and/or performs static code analysis prior to publishing a component and makes results available for others to consume,False,False,True,0x13-V4-Package_Management.md | ||
4.18,Package manager does not execute component code,True,True,True,0x13-V4-Package_Management.md | ||
4.19,Package manager documents package installation in machine-readable form,True,True,True,0x13-V4-Package_Management.md | ||
5.1,Component can be analyzed with linters and/or static analysis tools,True,True,True,0x14-V5-Component_Analysis.md | ||
5.2,Component is analyzed using linters and/or static analysis tools prior to use,False,True,True,0x14-V5-Component_Analysis.md | ||
5.3,Linting and/or static analysis is performed with every upgrade of a component,False,True,True,0x14-V5-Component_Analysis.md | ||
5.4,An automated process of identifying all publicly disclosed vulnerabilities in third-party and open source components is used,True,True,True,0x14-V5-Component_Analysis.md | ||
5.5,An automated process of identifying confirmed dataflow exploitability is used,False,False,True,0x14-V5-Component_Analysis.md | ||
5.6,An automated process of identifying non-specified component versions is used,True,True,True,0x14-V5-Component_Analysis.md | ||
5.7,An automated process of identifying out-of-date components is used,True,True,True,0x14-V5-Component_Analysis.md | ||
5.8,An automated process of identifying end-of-life / end-of-support components is used,False,False,True,0x14-V5-Component_Analysis.md | ||
5.9,An automated process of identifying component type is used,False,True,True,0x14-V5-Component_Analysis.md | ||
5.10,An automated process of identifying component function is used,False,False,True,0x14-V5-Component_Analysis.md | ||
5.11,An automated process of identifying component quantity is used,True,True,True,0x14-V5-Component_Analysis.md | ||
5.12,An automated process of identifying component license is used,True,True,True,0x14-V5-Component_Analysis.md | ||
6.1,Point of origin is verifiable for source code and binary components,False,True,True,0x15-V6-Pedigree_and_Provenance.md | ||
6.2,Chain of custody if auditable for source code and binary components,False,False,True,0x15-V6-Pedigree_and_Provenance.md | ||
6.3,Provenance of modified components is known and documented,True,True,True,0x15-V6-Pedigree_and_Provenance.md | ||
6.4,Pedigree of component modification is documented and verifiable,False,True,True,0x15-V6-Pedigree_and_Provenance.md | ||
6.5,Modified components are uniquely identified and distinct from origin component,False,True,True,0x15-V6-Pedigree_and_Provenance.md | ||
6.6,Modified components are analyzed with the same level of precision as unmodified components,True,True,True,0x15-V6-Pedigree_and_Provenance.md | ||
6.7,Risk unique to modified components can be analyzed and associated specifically to modified variant,True,True,True,0x15-V6-Pedigree_and_Provenance.md | ||
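Review bot: row 6.2 reads "Chain of custody if auditable for source code and binary components", which should be "is auditable"; since this text column is what consumers of the CSV will display, the typo ships with the data. In the same hunk, the text fields of rows 1.9 and 2.17 carry a trailing space before the closing comma, row 2.15 has "ID's" where "IDs" is meant, and "machine readable" (2.1, 2.13) is hyphenated differently from "machine-readable" (1.3, 1.7); suggest trimming whitespace and normalising the wording before merge. The l1/l2/l3 columns in every row shown here are monotonic (a requirement marked True at a lower level stays True at the higher levels), which is the property a consumer of this file will rely on; a small validation step in whatever generates or reads the CSV would keep later edits from breaking it.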