
Proposal to add a packaging metadata license requirement

Open hyandell opened this issue 3 months ago • 1 comment

Addition Suggestion

CISA's new proposed minimal SBOM elements show they intend to require that SBOMs contain licensing elements. I would recommend adding a 1st- or 2nd-level Baseline along the lines of:

OSPOS-LE-04.01: When package formats support it, machine-readable licensing metadata (e.g. SPDX Expressions) must be present in package metadata files (e.g. pom.xml, package.json, setup.py).

hyandell avatar Oct 03 '25 21:10 hyandell
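An added example, not code from the issue or the baseline project, of what an automated check for the proposed control could look like for one of the formats named above (package.json, whose `license` field is expected to be an SPDX expression). The SPDX license and exception identifier sets are a constructed subset used for illustration; a real check would load the official SPDX list.

```python
import json
import re
# Constructed subset of SPDX identifiers (assumption); a real check loads the official SPDX list.
KNOWN_LICENSES = {"MIT", "Apache-2.0", "GPL-2.0-only", "GPL-2.0-or-later", "BSD-3-Clause"}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception"}
TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")

def spdx_expression_valid(expr: str) -> bool:
    """Recursive-descent check of an SPDX expression: id[+], WITH exception, AND, OR, parentheses."""
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        return False  # stray characters such as ',' or '/' are not SPDX syntax
    pos = 0
    def peek(*want):  # True when the next token is one of `want`
        return pos < len(tokens) and tokens[pos] in want
    def simple() -> bool:
        nonlocal pos
        if peek("("):
            pos += 1
            ok = compound() and peek(")")
            pos += 1
            return ok
        if pos >= len(tokens) or tokens[pos].removesuffix("+") not in KNOWN_LICENSES:
            return False
        pos += 1
        if peek("WITH"):  # "<license> WITH <exception>" must name a known exception
            pos += 1
            if not peek(*KNOWN_EXCEPTIONS):
                return False
            pos += 1
        return True
    def compound() -> bool:
        nonlocal pos
        ok = simple()
        while ok and peek("AND", "OR"):
            pos += 1
            ok = simple()
        return ok
    return compound() and pos == len(tokens)

def check_package_json(text: str) -> tuple[bool, str]:
    """Apply the proposed check to a package.json document: npm's 'license' field must be SPDX."""
    meta = json.loads(text)
    lic = meta.get("license")
    if not isinstance(lic, str) or not lic.strip():
        return False, "no machine-readable license field"
    if not spdx_expression_valid(lic):
        return False, f"license is not a valid SPDX expression: {lic!r}"
    return True, "ok"
```

The same shape of check would apply to the other formats in the proposal (pom.xml `<licenses>`, setup.py/pyproject `license` fields) once their values are extracted.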

I don't think this is in scope for a security baseline, but we need to resolve #403 and then we can come back to this discussion.

funnelfiasco avatar Oct 06 '25 13:10 funnelfiasco