OWASP / Software-Component-Verification-Standard

Software Component Verification Standard (SCVS)
https://owasp.org/scvs
Creative Commons Attribution Share Alike 4.0 International

SCVS-INV-03 may way to specify machine readable (or add additional requirement) #2

Closed garretfick closed 4 years ago

garretfick commented 5 years ago

Problem:

It is relatively common that build logs contain information that can be extracted to generate an accurate inventory. However, this is normally difficult to audit.

Recommendation:

Add a new requirement that specifies that the inventory is available in a readily machine-readable format (I'm hesitant to specify a particular format).

stevespringett commented 5 years ago

Wouldn't this be covered by SBOM or should there be a specific call out to being machine readable so that someone doesn't confuse SBOM with spreadsheet (or whatever)?

garretfick commented 5 years ago

My thinking was more in ensuring that the inventory is centralized, but perhaps having it centralized is what "inventory" means.

stevespringett commented 4 years ago

I believe the requirement is done.

v1.3 - An accurate inventory of all third-party components is available in a machine-readable format