Open AlexanderYukhanov opened 2 weeks ago
Is this not covered already? see https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/lifecycle.md
No, it's required to provide the level of support and a justification both for the level of support and for the end-of-support date. Probably we can extend cdx:lifecycle instead of declaring a new fda:lifecycle, like:
cdx:lifecycle:supportLevel
cdx:lifecycle:supportLevelComment or cdx:lifecycle:supportLevelJustification
cdx:lifecycle:endOfSupportComment or cdx:lifecycle:endOfSupportJustification
Is there a definition of support level?
See also: Common Lifecycle Enumeration.
No, there is no formal definition or additional guidance from the FDA on this. That's why including a justification field alongside the support level is beneficial. It allows vendors to apply their own criteria (for example, using the OSSF Scorecard's 'Maintained' score).
The Common Lifecycle Enumeration currently covers different use cases and is not well suited for describing the support levels of dependencies, especially OSS ones.
FDA requires (https://www.fda.gov/media/119933/download) suppliers to provide two additional attributes: "
It would be beneficial to create a taxonomy containing 4 additional attributes to meet this requirement:
fda:lifecycle:support_level
fda:lifecycle:support_level_comment
fda:lifecycle:end_of_support
fda:lifecycle:end_of_support_comment
The comment attributes are required to provide the justification for the provided attributes, or a description of the effort conducted if those attributes were not detected.
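To make the proposal concrete from the SBOM consumer's side, here is an added example (not code from this issue, the CycloneDX project, or the FDA) that checks a CycloneDX JSON component list for the four proposed attributes. The property names are taken from the proposal above with the spelling normalized to "support"; they are an assumption about how the taxonomy would be adopted and are not part of the published cdx: taxonomy. The BOM contents, the ISO-8601 date format for end_of_support and the reference date are all constructed for the demo.

```python
from datetime import date

# Property names as proposed in this issue (spelling normalized to "support").
# Assumption: the proposal is adopted with these exact names; they are NOT in
# the published CycloneDX property taxonomy.
SUPPORT_LEVEL = "fda:lifecycle:support_level"
SUPPORT_LEVEL_COMMENT = "fda:lifecycle:support_level_comment"
END_OF_SUPPORT = "fda:lifecycle:end_of_support"
END_OF_SUPPORT_COMMENT = "fda:lifecycle:end_of_support_comment"

# Constructed reference date so the demo output is reproducible.
AS_OF = date(2025, 1, 1)

# Constructed sample BOM in CycloneDX JSON shape: each component carries a
# "properties" array of name/value pairs. All names, versions and values are
# made up for this example.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library", "bom-ref": "pkg:example/libfoo@1.2.3",
            "name": "libfoo", "version": "1.2.3",
            "properties": [
                {"name": SUPPORT_LEVEL, "value": "maintained"},
                {"name": SUPPORT_LEVEL_COMMENT,
                 "value": "OSSF Scorecard 'Maintained' check scored 9/10 on 2024-05-01"},
                {"name": END_OF_SUPPORT, "value": "2027-12-31"},
                {"name": END_OF_SUPPORT_COMMENT,
                 "value": "Upstream LTS policy: 3 years after the 1.2 release"},
            ],
        },
        {
            "type": "library", "bom-ref": "pkg:example/libold@0.9.0",
            "name": "libold", "version": "0.9.0",
            "properties": [
                {"name": SUPPORT_LEVEL, "value": "unmaintained"},
                {"name": END_OF_SUPPORT, "value": "2020-01-01"},
                {"name": END_OF_SUPPORT_COMMENT, "value": "Last upstream commit in 2019-12"},
            ],
        },
        {
            "type": "library", "bom-ref": "pkg:example/libmystery@2.0.0",
            "name": "libmystery", "version": "2.0.0",
            "properties": [
                {"name": SUPPORT_LEVEL_COMMENT,
                 "value": "No project page or release notes found; checked repo and package index"},
            ],
        },
    ],
}


def properties_of(component):
    """Flatten a component's CycloneDX properties array into a name -> value dict."""
    return {p["name"]: p["value"] for p in component.get("properties", [])}


def check_component(component, today):
    """Return the list of findings for one component (an empty list means compliant)."""
    props = properties_of(component)
    findings = []
    # A comment is always required: it either justifies the value that was
    # provided, or documents the effort made when the value was not detected.
    for attr, comment in ((SUPPORT_LEVEL, SUPPORT_LEVEL_COMMENT),
                          (END_OF_SUPPORT, END_OF_SUPPORT_COMMENT)):
        if attr not in props and comment not in props:
            findings.append(f"missing {attr} and no {comment} describing the effort to determine it")
        elif attr in props and comment not in props:
            findings.append(f"{attr} given without justification in {comment}")
    eos = props.get(END_OF_SUPPORT)
    if eos is not None:
        try:
            eos_date = date.fromisoformat(eos)  # assumption: ISO-8601 calendar date
        except ValueError:
            findings.append(f"{END_OF_SUPPORT} is not an ISO-8601 date: {eos!r}")
        else:
            if eos_date < today:
                findings.append(f"end of support already passed on {eos}")
    return findings


def check_bom(bom, today=None):
    """Map each component's bom-ref to its findings so a consumer can gate on them."""
    today = today or date.today()
    return {c["bom-ref"]: check_component(c, today) for c in bom.get("components", [])}


if __name__ == "__main__":
    for ref, findings in check_bom(SAMPLE_BOM, AS_OF).items():
        print(f"{ref}: {'OK' if not findings else '; '.join(findings)}")
```

Run as a script it reports libfoo as compliant, libold with two findings (support level without justification, end of support already passed) and libmystery with one (no end-of-support value and no comment describing the effort to find one), which is the kind of gate a device manufacturer would apply before accepting a supplier's SBOM.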