OWASP / Software-Component-Verification-Standard

Software Component Verification Standard (SCVS)
https://owasp.org/scvs
Creative Commons Attribution Share Alike 4.0 International

SCVS-CAN-14 uses "component type" but the standard does not define the term #1

Closed garretfick closed 4 years ago

garretfick commented 5 years ago

Problem:

As a user of the specification, I need to be able to determine whether I comply with the standard. The term "component type" leaves a lot of possibilities for interpretation. For example, this could mean "3rd party or open source", "development language", among other interpretations.

Recommendation:

Either add a list of definitions (probably the best) or clarify what this means here.

stevespringett commented 5 years ago

There's a paragraph about 'Component Type' here: https://www.owasp.org/index.php/Component_Analysis#Component_Type

Component type is also defined in CycloneDX which lists:

https://cyclonedx.org/docs/1.1/#type_classification

Currently the term used in SCVS is 'Component Type'.

Do we want to continue using that term? Do we want to use 'Component Classification'? Something else?
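To make the compliance question concrete, here is an added example (not part of the original issue thread, and not SCVS or CycloneDX project code) that checks whether every component in a CycloneDX BOM carries a component type from the schema's classification. The set of type values, the JSON BOM layout, the sample BOM and the function names are all assumptions of this example: the sample BOM is constructed for illustration, and the type list should be confirmed against the CycloneDX spec version being targeted.

```python
import json

# Assumed set of CycloneDX component classification values (based on the
# enumeration as it stood around spec 1.2). Confirm against the spec version
# you target; this list is an assumption of this example, not the standard's text.
KNOWN_TYPES = {
    "application", "framework", "library", "container",
    "operating-system", "device", "firmware", "file",
}

# Constructed sample BOM in the JSON layout of a CycloneDX 1.2+ document.
# It is not a real project's SBOM; the names and versions are illustrative.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.2",
    "components": [
        {"type": "library", "name": "jackson-databind", "version": "2.9.8"},
        {"type": "framework", "name": "spring-boot", "version": "2.1.0"},
        # No type at all: an inventory consumer cannot tell what this is.
        {"name": "mystery-blob", "version": "0.1"},
        # A value that reads like the "3rd party vs open source" interpretation
        # from the issue, which is not a classification the schema defines.
        {"type": "3rd-party", "name": "vendor-sdk", "version": "4.2"},
        # Nested components are allowed; the walker must descend into them.
        {"type": "library", "name": "nested-parent", "version": "1.0",
         "components": [{"type": "os", "name": "alpine", "version": "3.10"}]},
    ],
})


def iter_components(components, path=()):
    """Walk the component tree depth-first, yielding (index path, component)."""
    for idx, comp in enumerate(components):
        here = path + (idx,)
        yield here, comp
        yield from iter_components(comp.get("components", []), here)


def check_component_types(bom_json, known_types=KNOWN_TYPES):
    """Return findings for components whose type is missing or not a known value.

    Each finding is (label, problem, value) where problem is "missing" or
    "unknown" and value is the offending type string (None when missing).
    """
    bom = json.loads(bom_json)
    findings = []
    for _path, comp in iter_components(bom.get("components", [])):
        ctype = comp.get("type")
        label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        if ctype is None:
            findings.append((label, "missing", None))
        elif ctype not in known_types:
            findings.append((label, "unknown", ctype))
    return findings


def complies(bom_json, known_types=KNOWN_TYPES):
    """True when every component, nested ones included, has a known type."""
    return not check_component_types(bom_json, known_types)


if __name__ == "__main__":
    for label, problem, value in check_component_types(SAMPLE_BOM):
        detail = f" ({value!r})" if value is not None else ""
        print(f"{label}: type {problem}{detail}")
    print("complies:", complies(SAMPLE_BOM))
```

The check is deliberately strict about the vocabulary: a BOM that tags a component "3rd-party" or "os" is flagged rather than accepted, which is exactly the ambiguity the issue raises. If a glossary definition is adopted that differs from the schema's list, `KNOWN_TYPES` is the one place to change.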

garretfick commented 5 years ago

I'd suggest to just give a definition of what the term means, but not make it tied to a particular standard. I'm ok with the overall term (unless I can find a different term in an existing standard elsewhere).

stevespringett commented 4 years ago

This has been added to the glossary and to the control itself.