ossf / s2c2f

The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.

Clarify that SCA-5 is about tool-based analysis #48

Closed joshuagl closed 1 month ago

joshuagl commented 3 months ago

SCA-5 "Identify zero-day vulnerabilities and confidentially contribute fixes back to the upstream maintainer" is a very proactive measure requiring a high level of infrastructure, knowledge and upstream engagement. My interpretation of the requirement is that it's similar to, and builds upon, the practices in maturity level 4. Especially FIX-1, as SCA-5 states "confidentially contribute fixes back to the upstream maintainer".

The other requirements in maturity level 3 are readily automatable controls and I fear that SCA-5 makes this level a lot harder for organisations to reach.

OR perhaps I have misinterpreted the requirement and instead we need to update the text in the specification. Is SCA-5 about manually performing security review (code audit) of the upstream source code, or is it trying to encourage the more easily automatable task of using source code analysis tools (i.e., static analysis tools) on the source mirrored per ING-4?

(Note: I have a similar concern about AUD-5 increasing the difficulty of attaining maturity level 3, but I'm currently less clear on how to achieve that requirement.)

joshuagl commented 3 months ago

Looking further at the recommended free tools for SCA-5, I'm leaning towards the expectation that the requirement is for automated security scanning tools. If that's the case, I'd be happy to open a PR with alternative phrasing.

adriandiglio commented 2 months ago

Thanks for this feedback! After discussion from the group today, we do believe that SCA-5 is only about running tools to search for yet-to-be-discovered security issues. However, I can see how the text in the Benefit column next to the requirement title does make it seem like a fix should be contributed upstream as part of that requirement (when in reality, the requirement of contributing fixes is part of FIX-1, which is Maturity Level 4). This is an area where we are happy to bring more clarity. Please let us know your alternative phrasing.

joshuagl commented 2 months ago

Thanks Adrian. I'll open a PR to propose alternative phrasing; it's likely easier to discuss through the PR interface.