
Revising Vuln Management controls based on feedback#205

Merged
eddie-knight merged 7 commits into ossf:main from eddie-knight:feat/merge-sca
Feb 24, 2025

Conversation


@eddie-knight eddie-knight commented Feb 22, 2025

  • merged SCA requirements into one control
  • added requirements so that SAST and SCA are handled similarly
  • renumbered the resulting SCA control to the bottom, a stylistic pre-release choice since all of these requirements are level
  • added an explicit requirement for VEX at level 3
  • also I'm pretty sure the impacted controls mappings are irreparably jankified, I'm sorry @SecurityCRob

@eddie-knight eddie-knight changed the title from "merged SCA requirements into one control" to "Revising Vuln Management controls based on feedback" on Feb 22, 2025
Signed-off-by: Eddie Knight <knight@linux.com>

@TheFoxAtWork TheFoxAtWork left a comment


1 spelling correction. LGTM

Co-authored-by: Emily Fox <33327273+TheFoxAtWork@users.noreply.github.com>
Signed-off-by: Eddie Knight <knight@linux.com>

@funnelfiasco funnelfiasco left a comment


Seems reasonable to me.


@puerco puerco left a comment


The goal with VEX should be to provide a stream of machine-readable data of non-exploitability while, at the same time, discouraging human content (PDFs, blog posts) as the only messaging channel for false positive data. But we should only require it when it needs to exist.

I suggested some changes below, feel free to english them good 👇

eddie-knight and others added 3 commits February 24, 2025 10:28
Co-authored-by: Puerco <puerco@users.noreply.github.com>
Signed-off-by: Eddie Knight <knight@linux.com>
@eddie-knight eddie-knight merged commit fcc7d01 into ossf:main Feb 24, 2025
3 checks passed
@eddie-knight eddie-knight deleted the feat/merge-sca branch February 24, 2025 23:41