[{"id": "1.1", "text": "All direct and transitive components and their versions are known at completion of a build", "l1": true, "l2": true, "l3": true, "file": "0x10-V1-Inventory.md"}, {"id": "1.2", "text": "Package managers are used to manage all third-party binary components", "l1": true, "l2": true, "l3": true, "file": "0x10-V1-Inventory.md"}, {"id": "1.3", "text": "An accurate inventory of all third-party components is available in a machine-readable format", "l1": true, "l2": true, "l3": true, "file": "0x10-V1-Inventory.md"}, {"id": "1.4", "text": "Software bill of materials are generated for publicly or commercially available applications", "l1": true, "l2": true, "l3": true, "file": "0x10-V1-Inventory.md"}, {"id": "1.5", "text": "Software bill of materials are required for new procurements", "l1": false, "l2": true, "l3": true, "file": "0x10-V1-Inventory.md"}, {"id": "1.6", "text": "Software bill of materials continuously maintained and current for all systems", "l1": false, "l2": false, "l3": true, "file": "0x10-V1-Inventory.md"}, {"id": "1.7", "text": "Components are uniquely identified in a consistent, machine-readable format", "l1": true, "l2": true, "l3": true, "file": "0x10-V1-Inventory.md"}, {"id": "1.8", "text": "The component type is known throughout inventory", "l1": false, "l2": false, "l3": true, "file": "0x10-V1-Inventory.md"}, {"id": "1.9", "text": "The component function is known throughout inventory ", "l1": false, "l2": false, "l3": true, "file": "0x10-V1-Inventory.md"}, {"id": "1.10", "text": "Point of origin is known for all components", "l1": false, "l2": false, "l3": true, "file": "0x10-V1-Inventory.md"}, {"id": "2.1", "text": "A structured, machine readable software bill of materials (SBOM) format is present", "l1": true, "l2": true, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.2", "text": "SBOM creation is automated and reproducible", "l1": false, "l2": true, "l3": true, "file": 
"0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.3", "text": "Each SBOM has a unique identifier", "l1": true, "l2": true, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.4", "text": "SBOM has been signed by publisher, supplier, or certifying authority", "l1": false, "l2": true, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.5", "text": "SBOM signature verification exists", "l1": false, "l2": true, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.6", "text": "SBOM signature verification is performed", "l1": false, "l2": false, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.7", "text": "SBOM is timestamped", "l1": true, "l2": true, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.8", "text": "SBOM is analyzed for risk", "l1": true, "l2": true, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.9", "text": "SBOM contains a complete and accurate inventory of all components the SBOM describes", "l1": true, "l2": true, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.10", "text": "SBOM contains an accurate inventory of all test components for the asset or application it describes", "l1": false, "l2": true, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.11", "text": "SBOM contains metadata about the asset or software the SBOM describes", "l1": false, "l2": true, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.12", "text": "Component identifiers are derived from their native ecosystems (if applicable)", "l1": true, "l2": true, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.13", "text": "Component point of origin is identified in a consistent, machine readable format (e.g. 
PURL)", "l1": false, "l2": false, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.14", "text": "Components defined in SBOM have accurate license information", "l1": true, "l2": true, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.15", "text": "Components defined in SBOM have valid SPDX license ID's or expressions (if applicable)", "l1": false, "l2": true, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.16", "text": "Components defined in SBOM have valid copyright statements", "l1": false, "l2": false, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.17", "text": "Components defined in SBOM which have been modified from the original have detailed provenance and pedigree information ", "l1": false, "l2": false, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "2.18", "text": "Components defined in SBOM have one or more file hashes (SHA-256, SHA-512, etc)", "l1": false, "l2": false, "l3": true, "file": "0x11-V2-Software_Bill_of_Materials.md"}, {"id": "3.1", "text": "Application uses a repeatable build", "l1": true, "l2": true, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.2", "text": "Documentation exists on how the application is built and instructions for repeating the build", "l1": true, "l2": true, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.3", "text": "Application uses a continuous integration build pipeline", "l1": true, "l2": true, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.4", "text": "Application build pipeline prohibits alteration of build outside of the job performing the build", "l1": false, "l2": true, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.5", "text": "Application build pipeline prohibits alteration of package management settings", "l1": false, "l2": true, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.6", "text": "Application build pipeline 
prohibits the execution of arbitrary code outside of the context of a jobs build script", "l1": false, "l2": true, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.7", "text": "Application build pipeline may only perform builds of source code maintained in version control systems", "l1": true, "l2": true, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.8", "text": "Application build pipeline prohibits alteration of DNS and network settings during build", "l1": false, "l2": false, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.9", "text": "Application build pipeline prohibits alteration of certificate trust stores", "l1": false, "l2": false, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.10", "text": "Application build pipeline enforces authentication and defaults to deny", "l1": false, "l2": true, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.11", "text": "Application build pipeline enforces authorization and defaults to deny", "l1": false, "l2": true, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.12", "text": "Application build pipeline requires separation of concerns for the modification of system settings", "l1": false, "l2": false, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.13", "text": "Application build pipeline maintains a verifiable audit log of all system changes", "l1": false, "l2": false, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.14", "text": "Application build pipeline maintains a verifiable audit log of all build job changes", "l1": false, "l2": false, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.15", "text": "Application build pipeline has required maintenance cadence where the entire stack is updated, patched, and re-certified for use", "l1": false, "l2": true, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.16", "text": "Compilers, version control clients, development utilities, and 
software development kits are analyzed and monitored for tampering, trojans, or malicious code", "l1": false, "l2": false, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.17", "text": "All build-time manipulations to source or binaries are known and well defined", "l1": true, "l2": true, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.18", "text": "Checksums of all first-party and third-party components are documented for every build", "l1": true, "l2": true, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.19", "text": "Checksums of all components are accessible and delivered out-of-band whenever those components are packaged or distributed", "l1": false, "l2": true, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.20", "text": "Unused direct and transitive components have been identified", "l1": false, "l2": false, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "3.21", "text": "Unused direct and transitive components have been removed from the application", "l1": false, "l2": false, "l3": true, "file": "0x12-V3-Build_Environment.md"}, {"id": "4.1", "text": "Binary components are retrieved from a package repository", "l1": true, "l2": true, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "4.2", "text": "Package repository contents are congruent to an authoritative point of origin for open source components", "l1": true, "l2": true, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "4.3", "text": "Package repository requires strong authentication", "l1": false, "l2": true, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "4.4", "text": "Package repository supports multi-factor authentication component publishing", "l1": false, "l2": true, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "4.5", "text": "Package repository components have been published with multi-factor authentication", "l1": false, "l2": false, "l3": true, "file": 
"0x13-V4-Package_Management.md"}, {"id": "4.6", "text": "Package repository supports security incident reporting", "l1": false, "l2": true, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "4.7", "text": "Package repository automates security incident reporting", "l1": false, "l2": false, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "4.8", "text": "Package repository notifies publishers of security issues", "l1": false, "l2": true, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "4.9", "text": "Package repository notifies users of security issues", "l1": false, "l2": false, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "4.10", "text": "Package repository provides a verifiable way of correlating component versions to specific source codes in version control", "l1": false, "l2": true, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "4.11", "text": "Package repository provides auditability when components are updated", "l1": true, "l2": true, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "4.12", "text": "Package repository requires code signing to publish packages to production repositories", "l1": false, "l2": true, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "4.13", "text": "Package manager verifies the integrity of packages when they are retrieved from remote repository", "l1": true, "l2": true, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "4.14", "text": "Package manager verifies the integrity of packages when they are retrieved from file system", "l1": true, "l2": true, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "4.15", "text": "Package repository enforces use of TLS for all interactions", "l1": true, "l2": true, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "4.16", "text": "Package manager validates TLS certificate chain to repository and fails securely when validation fails", "l1": true, "l2": true, "l3": true, 
"file": "0x13-V4-Package_Management.md"}, {"id": "4.17", "text": "Package repository requires and/or performs static code analysis prior to publishing a component and makes results available for others to consume", "l1": false, "l2": false, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "4.18", "text": "Package manager does not execute component code", "l1": true, "l2": true, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "4.19", "text": "Package manager documents package installation in machine-readable form", "l1": true, "l2": true, "l3": true, "file": "0x13-V4-Package_Management.md"}, {"id": "5.1", "text": "Component can be analyzed with linters and/or static analysis tools", "l1": true, "l2": true, "l3": true, "file": "0x14-V5-Component_Analysis.md"}, {"id": "5.2", "text": "Component is analyzed using linters and/or static analysis tools prior to use", "l1": false, "l2": true, "l3": true, "file": "0x14-V5-Component_Analysis.md"}, {"id": "5.3", "text": "Linting and/or static analysis is performed with every upgrade of a component", "l1": false, "l2": true, "l3": true, "file": "0x14-V5-Component_Analysis.md"}, {"id": "5.4", "text": "An automated process of identifying all publicly disclosed vulnerabilities in third-party and open source components is used", "l1": true, "l2": true, "l3": true, "file": "0x14-V5-Component_Analysis.md"}, {"id": "5.5", "text": "An automated process of identifying confirmed dataflow exploitability is used", "l1": false, "l2": false, "l3": true, "file": "0x14-V5-Component_Analysis.md"}, {"id": "5.6", "text": "An automated process of identifying non-specified component versions is used", "l1": true, "l2": true, "l3": true, "file": "0x14-V5-Component_Analysis.md"}, {"id": "5.7", "text": "An automated process of identifying out-of-date components is used", "l1": true, "l2": true, "l3": true, "file": "0x14-V5-Component_Analysis.md"}, {"id": "5.8", "text": "An automated process of identifying end-of-life / 
end-of-support components is used", "l1": false, "l2": false, "l3": true, "file": "0x14-V5-Component_Analysis.md"}, {"id": "5.9", "text": "An automated process of identifying component type is used", "l1": false, "l2": true, "l3": true, "file": "0x14-V5-Component_Analysis.md"}, {"id": "5.10", "text": "An automated process of identifying component function is used", "l1": false, "l2": false, "l3": true, "file": "0x14-V5-Component_Analysis.md"}, {"id": "5.11", "text": "An automated process of identifying component quantity is used", "l1": true, "l2": true, "l3": true, "file": "0x14-V5-Component_Analysis.md"}, {"id": "5.12", "text": "An automated process of identifying component license is used", "l1": true, "l2": true, "l3": true, "file": "0x14-V5-Component_Analysis.md"}, {"id": "6.1", "text": "Point of origin is verifiable for source code and binary components", "l1": false, "l2": true, "l3": true, "file": "0x15-V6-Pedigree_and_Provenance.md"}, {"id": "6.2", "text": "Chain of custody is auditable for source code and binary components", "l1": false, "l2": false, "l3": true, "file": "0x15-V6-Pedigree_and_Provenance.md"}, {"id": "6.3", "text": "Provenance of modified components is known and documented", "l1": true, "l2": true, "l3": true, "file": "0x15-V6-Pedigree_and_Provenance.md"}, {"id": "6.4", "text": "Pedigree of component modification is documented and verifiable", "l1": false, "l2": true, "l3": true, "file": "0x15-V6-Pedigree_and_Provenance.md"}, {"id": "6.5", "text": "Modified components are uniquely identified and distinct from origin component", "l1": false, "l2": true, "l3": true, "file": "0x15-V6-Pedigree_and_Provenance.md"}, {"id": "6.6", "text": "Modified components are analyzed with the same level of precision as unmodified components", "l1": true, "l2": true, "l3": true, "file": "0x15-V6-Pedigree_and_Provenance.md"}, {"id": "6.7", "text": "Risk unique to modified components can be analyzed and associated specifically to modified variant", "l1": true, 
"l2": true, "l3": true, "file": "0x15-V6-Pedigree_and_Provenance.md"}]