As a FedRAMP Automation Team developer, to have precise understanding and control of how my source code and data are processed, I would like the build tool, and the way it executes npx oscal ..., to use pinned versions and explicitly define which version CI/CD uses, rather than always the most recent version selected through the npx oscal use latest alias.
Goals
[ ] Clearer understanding of what tools with which features are used
[ ] Better security and stability guarantees for internal staff, contractors, and community members about what was built and how
[ ] Follow best practices with tools: even if slightly more work, prefer pinning over not pinning
Dependencies
N/A
Acceptance Criteria
[ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR. See the deep link to the current Makefile we need to change.
[ ] Ensure npx oscal use uses a specific oscal-cli version defined in the Makefile change
[ ] Additionally, choose to either 1) put the version explicitly after oscal@ with npx, or 2) use a package.json and a backing manifest file with npm install or npx (if supported), so that Dependabot can update it simply from upstream releases
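As an added example (not the project's own code), a small CI lint that enforces the pinning requested above by rejecting a Makefile that still invokes npx oscal without a version or selects oscal-cli with use latest; the two Makefiles, their version numbers and file names are constructed placeholders:

```shell
#!/bin/sh
# Added example, not code from the FedRAMP automation repo: a CI lint that
# rejects a Makefile which invokes "npx oscal" without a pinned package
# version or still selects oscal-cli through the floating "use latest" alias.

# Exit 0 when every "npx oscal" invocation in $1 is pinned, 1 otherwise.
check_pinned_oscal() {
  file="$1"
  # Wrapper not pinned: "npx oscal " or "npx oscal@latest " (no fixed version).
  unpinned=$(grep -nE 'npx +oscal(@latest)?( |$)' "$file" || true)
  # oscal-cli selection floats: "oscal[@x.y.z] use latest".
  floating=$(grep -nE 'oscal(@[^ ]+)? +use +latest' "$file" || true)
  if [ -n "$unpinned$floating" ]; then
    printf 'unpinned npx oscal usage in %s:\n%s\n%s\n' "$file" "$unpinned" "$floating" >&2
    return 1
  fi
  return 0
}

# Constructed sample Makefiles (version numbers are placeholders, not a
# recommendation; recipe lines are tab-indented as make requires).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
UNPINNED_MAKEFILE="$tmp/Makefile.unpinned"
PINNED_MAKEFILE="$tmp/Makefile.pinned"
cat > "$UNPINNED_MAKEFILE" <<'EOF'
validate:
	npx oscal use latest
	npx oscal validate ssp.xml
EOF
cat > "$PINNED_MAKEFILE" <<'EOF'
OSCAL_JS_VERSION := 0.0.0
OSCAL_CLI_VERSION := 0.0.0
validate:
	npx oscal@$(OSCAL_JS_VERSION) use $(OSCAL_CLI_VERSION)
	npx oscal@$(OSCAL_JS_VERSION) validate ssp.xml
EOF

# Demonstration: the floating Makefile is rejected, the pinned one accepted.
check_pinned_oscal "$UNPINNED_MAKEFILE" 2>/dev/null || echo "rejected: $UNPINNED_MAKEFILE"
check_pinned_oscal "$PINNED_MAKEFILE" && echo "accepted: $PINNED_MAKEFILE"
```

Wiring the function into the CI job before the validation target runs turns the pinning requirement into a failing build rather than a review comment.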
This is a ...
improvement - something could be better
This relates to ...
Other information
N/A