This repository was archived by the owner on Nov 14, 2023. It is now read-only.
Use Case: Attestations of alignment to S2C2F and org overlays #14
Open
Description
This issue is to track the creation of a use case example which also serves as the plan between members of the OpenSSF, IETF, DFFML, and other communities as they work on said use case.
Collection of metric data into shared database (crowdsourcable OpenSSF Metrics).
There are many repos to search, we want to enable self reporting and granularity as applicable to ad-hoc formed policy as desired by end-user. We want this to work across fully decentralized, federated, and central forges/factories.
- Related: https://github.com/ossf/s2c2f/blob/main/specification/framework.md#appendix-relation-to-scitt
- This use case will be mostly focused on the policy / gatekeeper component and federation components of SCITT.
- 5.2.2: Registration Policies
- 7: Federation
- This use case is a specialization of (cross between) the following use cases from the Detailed Software Supply Chain Use Cases for SCITT doc.
- 3.3: Security Analysis of a Software Product
- We'll cover OpenSSF Scorecard and other analysis mechanisms including meta static analysis / aggregation (example: GUAC).
- 3.4: Promotion of a Software Component by multiple entities
- We'll cover how these entities can leverage analysis mechanisms to achieve feature and bugfix equilibrium across the diverged environment.
- Future use cases could explore semantic patching to patch across functionally similar
Info can later be checked when others downstream build models based on the crowdsourced scraped data.
WIP DRAFT: https://github.com/pdxjohnny/use-cases/blob/openssf_metrics/openssf_metrics.md
References:
- https://github.com/ossf/s2c2f/blob/main/specification/framework.md#appendix-relation-to-scitt
- Alice Engineering Comms: 2022-07-20 Identifying Security Threats WG
- CI/CD Event Federation codeberg.org/forgejo-contrib#12
- VOTE - Adopt OpenVEX as project within the OpenSSF under Vuln Disclosure Working Group (WG) ossf/wg-vulnerability-disclosures#125 (comment)
- https://github.com/intel/dffml/blob/alice/docs/arch/0009-Open-Architecture.rst
- https://github.com/intel/dffml/blob/alice/docs/arch/0008-Manifest.md
- https://forum.forgefriends.org/t/about-the-friendly-forge-format-f3/681
- Considering the impact of claim semantics on policy layer ietf-wg-scitt/draft-ietf-scitt-architecture#12
- Refine Definition of Feed ietf-wg-scitt/draft-ietf-scitt-architecture#11
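As an added illustration of the policy / gatekeeper side of this use case (this is example code, not code from this issue, DFFML, or the SCITT drafts): a small registration policy that decides whether a self-reported S2C2F alignment statement is accepted into a shared metrics database, with an org overlay layered on a base policy. The statement format, practice identifiers, issuer identities and the `Overlay` structure are all assumptions made for the example.

```python
"""Hypothetical SCITT-style registration policy for self-reported S2C2F statements.
Base policy plus org overlays decide what gets registered; reasons are kept for audit."""
from dataclasses import dataclass, field

# Constructed sample values: practice IDs and issuer identities are placeholders,
# not an org's real policy.
BASE_POLICY = {
    "required": {"ING-1", "SCA-1", "INV-1", "UPD-1"},
    "trusted_issuers": {"did:web:forge.example"},
}


@dataclass
class Overlay:
    """Org overlay (format assumed here): adds requirements, waives practices the org
    has accepted risk for, or trusts issuers from federated forges."""
    require: set = field(default_factory=set)
    waive: set = field(default_factory=set)
    trusted_issuers: set = field(default_factory=set)


def effective_policy(overlays):
    """Apply overlays in order on top of the base policy; later overlays win."""
    required = set(BASE_POLICY["required"])
    issuers = set(BASE_POLICY["trusted_issuers"])
    for ov in overlays:
        required |= ov.require
        required -= ov.waive
        issuers |= ov.trusted_issuers
    return required, issuers


def evaluate_registration(statement, overlays=()):
    """Gate a statement: untrusted issuers are refused before claims are examined,
    then every required practice must be attested. Returns a decision with reasons."""
    required, issuers = effective_policy(overlays)
    if statement.get("issuer") not in issuers:
        return {"accepted": False, "missing": [], "reason": "untrusted issuer"}
    claimed = set(statement.get("s2c2f_practices", []))
    missing = sorted(required - claimed)
    if missing:
        return {"accepted": False, "missing": missing,
                "reason": "required practices not attested"}
    return {"accepted": True, "missing": [], "reason": "ok"}


if __name__ == "__main__":
    stmt = {"issuer": "did:web:forge.example", "subject": "pkg:example/lib@1.0",
            "s2c2f_practices": ["ING-1", "SCA-1", "INV-1"]}
    print(evaluate_registration(stmt))                              # rejected, UPD-1 missing
    print(evaluate_registration(stmt, [Overlay(waive={"UPD-1"})]))  # accepted via overlay
```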