
Clarify that SCA-5 is about tool-based analysis

Open joshuagl opened this issue 10 months ago • 3 comments

SCA-5 "Identify zero-day vulnerabilities and confidentially contribute fixes back to the upstream maintainer" is a very proactive measure requiring a high level of infrastructure, knowledge and upstream engagement. My interpretation of the requirement is that it's similar to, and builds upon, the practices in maturity level 4. Especially FIX-1, as SCA-5 states "confidentially contribute fixes back to the upstream maintainer".

The other requirements in maturity level 3 are readily automatable controls and I fear that SCA-5 makes this level a lot harder for organisations to reach.

OR perhaps I have misinterpreted the requirement and instead we need to update the text in the specification. Is SCA-5 about manually performing security review (code audit) of the upstream source code, or is it trying to encourage the more easily automatable task of using source code analysis tools (i.e., static analysis tools) on the source mirrored per ING-4?

(Note: I have a similar concern about AUD-5 increasing the difficulty of attaining maturity level 3, but I'm currently less clear on how to achieve that requirement.)

joshuagl, Apr 09 '24 12:04

Looking further at the recommended free tools for SCA-5, I'm leaning towards the expectation that the requirement is for automated security scanning tools. If that's the case, I'd be happy to open a PR with alternative phrasing.

joshuagl, Apr 09 '24 15:04

Thanks for this feedback! After discussion from the group today, we do believe that SCA-5 is only about running tools to search for yet-to-be-discovered security issues. However, I can see how the text in the Benefit column next to the requirement title does make it seem like a fix should be contributed upstream as part of that requirement (when in reality, the requirement of contributing fixes is part of FIX-1, which is Maturity Level 4). This is an area where we are happy to bring more clarity. Please let us know your alternative phrasing.

adriandiglio, Apr 23 '24 22:04

Thanks Adrian. I'll open a PR to propose alternative phrasing; it's likely easier to discuss through the PR interface.

joshuagl, May 01 '24 10:05