<?xml version="1.0" encoding="UTF-8"?>
<scvs>
<requirement id="1.1" l1="true" l2="true" l3="true">All direct and transitive components and their versions are known at completion of a build</requirement>
<requirement id="1.2" l1="true" l2="true" l3="true">Package managers are used to manage all third-party binary components</requirement>
<requirement id="1.3" l1="true" l2="true" l3="true">An accurate inventory of all third-party components is available in a machine-readable format</requirement>
<requirement id="1.4" l1="true" l2="true" l3="true">Software bills of materials are generated for publicly or commercially available applications</requirement>
<requirement id="1.5" l1="false" l2="true" l3="true">Software bills of materials are required for new procurements</requirement>
<requirement id="1.6" l1="false" l2="false" l3="true">Software bills of materials are continuously maintained and kept current for all systems</requirement>
<requirement id="1.7" l1="true" l2="true" l3="true">Components are uniquely identified in a consistent, machine-readable format</requirement>
<requirement id="1.8" l1="false" l2="false" l3="true">The component type is known throughout the inventory</requirement>
<requirement id="1.9" l1="false" l2="false" l3="true">The component function is known throughout the inventory</requirement>
<requirement id="1.10" l1="false" l2="false" l3="true">Point of origin is known for all components</requirement>
<requirement id="2.1" l1="true" l2="true" l3="true">A structured, machine-readable software bill of materials (SBOM) format is present</requirement>
<requirement id="2.2" l1="false" l2="true" l3="true">SBOM creation is automated and reproducible</requirement>
<requirement id="2.3" l1="true" l2="true" l3="true">Each SBOM has a unique identifier</requirement>
<requirement id="2.4" l1="false" l2="true" l3="true">SBOM has been signed by publisher, supplier, or certifying authority</requirement>
<requirement id="2.5" l1="false" l2="true" l3="true">SBOM signature verification exists</requirement>
<requirement id="2.6" l1="false" l2="false" l3="true">SBOM signature verification is performed</requirement>
<requirement id="2.7" l1="true" l2="true" l3="true">SBOM is timestamped</requirement>
<requirement id="2.8" l1="true" l2="true" l3="true">SBOM is analyzed for risk</requirement>
<requirement id="2.9" l1="true" l2="true" l3="true">SBOM contains a complete and accurate inventory of all components the SBOM describes</requirement>
<requirement id="2.10" l1="false" l2="true" l3="true">SBOM contains an accurate inventory of all test components for the asset or application it describes</requirement>
<requirement id="2.11" l1="false" l2="true" l3="true">SBOM contains metadata about the asset or software the SBOM describes</requirement>
<requirement id="2.12" l1="true" l2="true" l3="true">Component identifiers are derived from their native ecosystems (if applicable)</requirement>
<requirement id="2.13" l1="false" l2="false" l3="true">Component point of origin is identified in a consistent, machine-readable format (e.g. PURL)</requirement>
<requirement id="2.14" l1="true" l2="true" l3="true">Components defined in SBOM have accurate license information</requirement>
<requirement id="2.15" l1="false" l2="true" l3="true">Components defined in SBOM have valid SPDX license IDs or expressions (if applicable)</requirement>
<requirement id="2.16" l1="false" l2="false" l3="true">Components defined in SBOM have valid copyright statements</requirement>
<requirement id="2.17" l1="false" l2="false" l3="true">Components defined in SBOM that have been modified from the original have detailed provenance and pedigree information</requirement>
<requirement id="2.18" l1="false" l2="false" l3="true">Components defined in SBOM have one or more cryptographic file hashes (e.g. SHA-256, SHA-512)</requirement>
<requirement id="3.1" l1="true" l2="true" l3="true">Application uses a repeatable build</requirement>
<requirement id="3.2" l1="true" l2="true" l3="true">Documentation exists on how the application is built and instructions for repeating the build</requirement>
<requirement id="3.3" l1="true" l2="true" l3="true">Application uses a continuous integration build pipeline</requirement>
<requirement id="3.4" l1="false" l2="true" l3="true">Application build pipeline prohibits alteration of build outside of the job performing the build</requirement>
<requirement id="3.5" l1="false" l2="true" l3="true">Application build pipeline prohibits alteration of package management settings</requirement>
<requirement id="3.6" l1="false" l2="true" l3="true">Application build pipeline prohibits the execution of arbitrary code outside of the context of a job's build script</requirement>
<requirement id="3.7" l1="true" l2="true" l3="true">Application build pipeline may only perform builds of source code maintained in version control systems</requirement>
<requirement id="3.8" l1="false" l2="false" l3="true">Application build pipeline prohibits alteration of DNS and network settings during build</requirement>
<requirement id="3.9" l1="false" l2="false" l3="true">Application build pipeline prohibits alteration of certificate trust stores</requirement>
<requirement id="3.10" l1="false" l2="true" l3="true">Application build pipeline enforces authentication and defaults to deny</requirement>
<requirement id="3.11" l1="false" l2="true" l3="true">Application build pipeline enforces authorization and defaults to deny</requirement>
<requirement id="3.12" l1="false" l2="false" l3="true">Application build pipeline requires separation of concerns for the modification of system settings</requirement>
<requirement id="3.13" l1="false" l2="false" l3="true">Application build pipeline maintains a verifiable audit log of all system changes</requirement>
<requirement id="3.14" l1="false" l2="false" l3="true">Application build pipeline maintains a verifiable audit log of all build job changes</requirement>
<requirement id="3.15" l1="false" l2="true" l3="true">Application build pipeline has required maintenance cadence where the entire stack is updated, patched, and re-certified for use</requirement>
<requirement id="3.16" l1="false" l2="false" l3="true">Compilers, version control clients, development utilities, and software development kits are analyzed and monitored for tampering, trojans, or malicious code</requirement>
<requirement id="3.17" l1="true" l2="true" l3="true">All build-time manipulations to source or binaries are known and well defined</requirement>
<requirement id="3.18" l1="true" l2="true" l3="true">Checksums of all first-party and third-party components are documented for every build</requirement>
<requirement id="3.19" l1="false" l2="true" l3="true">Checksums of all components are accessible and delivered out-of-band whenever those components are packaged or distributed</requirement>
<requirement id="3.20" l1="false" l2="false" l3="true">Unused direct and transitive components have been identified</requirement>
<requirement id="3.21" l1="false" l2="false" l3="true">Unused direct and transitive components have been removed from the application</requirement>
<requirement id="4.1" l1="true" l2="true" l3="true">Binary components are retrieved from a package repository</requirement>
<requirement id="4.2" l1="true" l2="true" l3="true">Package repository contents are congruent to an authoritative point of origin for open source components</requirement>
<requirement id="4.3" l1="false" l2="true" l3="true">Package repository requires strong authentication</requirement>
<requirement id="4.4" l1="false" l2="true" l3="true">Package repository supports multi-factor authentication component publishing</requirement>
<requirement id="4.5" l1="false" l2="false" l3="true">Package repository components have been published with multi-factor authentication</requirement>
<requirement id="4.6" l1="false" l2="true" l3="true">Package repository supports security incident reporting</requirement>
<requirement id="4.7" l1="false" l2="false" l3="true">Package repository automates security incident reporting</requirement>
<requirement id="4.8" l1="false" l2="true" l3="true">Package repository notifies publishers of security issues</requirement>
<requirement id="4.9" l1="false" l2="false" l3="true">Package repository notifies users of security issues</requirement>
<requirement id="4.10" l1="false" l2="true" l3="true">Package repository provides a verifiable way of correlating component versions to specific source code in version control</requirement>
<requirement id="4.11" l1="true" l2="true" l3="true">Package repository provides auditability when components are updated</requirement>
<requirement id="4.12" l1="false" l2="true" l3="true">Package repository requires code signing to publish packages to production repositories</requirement>
<requirement id="4.13" l1="true" l2="true" l3="true">Package manager verifies the integrity of packages when they are retrieved from a remote repository</requirement>
<requirement id="4.14" l1="true" l2="true" l3="true">Package manager verifies the integrity of packages when they are retrieved from the file system</requirement>
<requirement id="4.15" l1="true" l2="true" l3="true">Package repository enforces use of TLS for all interactions</requirement>
<requirement id="4.16" l1="true" l2="true" l3="true">Package manager validates TLS certificate chain to repository and fails securely when validation fails</requirement>
<requirement id="4.17" l1="false" l2="false" l3="true">Package repository requires and/or performs static code analysis prior to publishing a component and makes results available for others to consume</requirement>
<requirement id="4.18" l1="true" l2="true" l3="true">Package manager does not execute component code</requirement>
<requirement id="4.19" l1="true" l2="true" l3="true">Package manager documents package installation in machine-readable form</requirement>
<requirement id="5.1" l1="true" l2="true" l3="true">Component can be analyzed with linters and/or static analysis tools</requirement>
<requirement id="5.2" l1="false" l2="true" l3="true">Component is analyzed using linters and/or static analysis tools prior to use</requirement>
<requirement id="5.3" l1="false" l2="true" l3="true">Linting and/or static analysis is performed with every upgrade of a component</requirement>
<requirement id="5.4" l1="true" l2="true" l3="true">An automated process of identifying all publicly disclosed vulnerabilities in third-party and open source components is used</requirement>
<requirement id="5.5" l1="false" l2="false" l3="true">An automated process of identifying confirmed dataflow exploitability is used</requirement>
<requirement id="5.6" l1="true" l2="true" l3="true">An automated process of identifying non-specified component versions is used</requirement>
<requirement id="5.7" l1="true" l2="true" l3="true">An automated process of identifying out-of-date components is used</requirement>
<requirement id="5.8" l1="false" l2="false" l3="true">An automated process of identifying end-of-life / end-of-support components is used</requirement>
<requirement id="5.9" l1="false" l2="true" l3="true">An automated process of identifying component type is used</requirement>
<requirement id="5.10" l1="false" l2="false" l3="true">An automated process of identifying component function is used</requirement>
<requirement id="5.11" l1="true" l2="true" l3="true">An automated process of identifying component quantity is used</requirement>
<requirement id="5.12" l1="true" l2="true" l3="true">An automated process of identifying component license is used</requirement>
<requirement id="6.1" l1="false" l2="true" l3="true">Point of origin is verifiable for source code and binary components</requirement>
<requirement id="6.2" l1="false" l2="false" l3="true">Chain of custody is auditable for source code and binary components</requirement>
<requirement id="6.3" l1="true" l2="true" l3="true">Provenance of modified components is known and documented</requirement>
<requirement id="6.4" l1="false" l2="true" l3="true">Pedigree of component modification is documented and verifiable</requirement>
<requirement id="6.5" l1="false" l2="true" l3="true">Modified components are uniquely identified and distinct from origin component</requirement>
<requirement id="6.6" l1="true" l2="true" l3="true">Modified components are analyzed with the same level of precision as unmodified components</requirement>
<requirement id="6.7" l1="true" l2="true" l3="true">Risk unique to modified components can be analyzed and associated specifically to modified variant</requirement>
</scvs>