Closed shanecoughlan closed 1 year ago
This feedback has been accepted into the current draft of 2.0 with the following changes at each instance of "comprised" in the context above.
Section 3.3.1 Intro changed from:
A process shall exist for creating and maintaining a bill of materials that includes each Open Source Software component from which the Supplied Software is comprised.
To:
A process shall exist for creating and maintaining a bill of materials that includes each Open Source Software component incorporated in the Supplied Software.
Section 3.3.2 Rationale changed from:
To ensure the Program is sufficiently robust to handle the identified Known Vulnerabilities for the Open Source Software from which the Supplied Software is comprised. That a procedure exists to support this activity and that the procedure is followed.
To:
To ensure the Program is sufficiently robust to handle the identified Known Vulnerabilities for the Open Source Software included in the Supplied Software. That a procedure exists to support this activity and that the procedure is followed.
Commit to Spec here: https://github.com/OpenChain-Project/Security-Assurance-Specification/commit/b987255f2e64dcb79ffab0bb794a1296b5f5770c
SMK04: 1: in "comprised of Open Source Software", would "comprised of" be better as "incorporating", "including", etc.? (Not all the Supplied Software may be OSS, but the definition of OSS in this doc does merely say "subject to a license", so it does actually work.)