ossf / s2c2f

The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.

Map threats to maturity level #47

Closed joshuagl closed 4 months ago

joshuagl commented 5 months ago

When thinking about S2C2F adoption I found myself wanting to easily understand at what level of maturity the different common OSS supply chain threats would be mitigated. I thought this information could be generally useful to other readers and potential adopters, so updated the specification text to include this as a column in the supply chain threats table.

joshuagl commented 5 months ago

I've just updated this PR to account for the removal of AUD-5 in #51

joshuagl commented 5 months ago

Any thoughts on this? It feels like a simple change which provides a readability win for new readers.

joshuagl commented 5 months ago

I just added a commit here which adds a threat entirely mitigated by maturity level 1, the node-ipc relicence to DBAD, to fix #49.

It felt appropriate to include it in this PR because both changes edit the same table (and were inspired by the same detailed readthrough).

tombedfordgit commented 4 months ago

I've started to review this