ossf / s2c2f

The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.

Could we add an example threat for maturity level 1? #49

Closed joshuagl closed 1 month ago

joshuagl commented 3 months ago

None of the example threats in the Common OSS Supply Chain Threats section of the document are mitigated by maturity level 1, which might lead people to think that the initial maturity level is not worthwhile. Is it? Can we add an example threat that would have been mitigated by maturity level 1 to demonstrate the kind of threat the first set of practices help defend against?

If nothing else, the local copy of an artifact would have mitigated against the left-pad incident. Are there better or more recent examples?

adriandiglio commented 2 months ago

Hi Josh, I do think that left-pad is a good example (and is already called out as being mitigated by ING-2, which is part of maturity level 1). Additionally, we could suggest node-ipc v9.2.2 when it switched from MIT over to DBAD license. While this isn't security-related, it is a license risk. This is mitigated by SCA-2, which is part of maturity level 1. The risk is having licenses change from one version to the next, and then not meeting your obligations of the new license.

Since UPD-1 is about manually updating OSS, we could add that to the list of S2C2F requirements that mitigate against the saltstack threat. We can add that to the list.

Please let me know your thoughts.

david-a-wheeler commented 2 months ago

It can become a security risk, because an incompatible license change sometimes means you can't upgrade AND there's no useful alternative. As a result, when (not if) a vulnerability is found, there's no practical upgrade path to fix it.

joshuagl commented 2 months ago

Thanks for the feedback both. I've added a commit to my PR to map threats to maturity levels (#47) to include the node-ipc relicence.