Skip to content

Add UKSSCOP reference-ids and claims to OSPS-BR.yaml #428

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Add UKSSCOP reference-ids and claims to OSPS-BR.yaml #428

wants to merge 6 commits into from

Conversation

@SecurityCRob
Copy link
Contributor

@SecurityCRob SecurityCRob commented Nov 18, 2025
edited
Loading

Added UKSSCOP reference IDs and claims to multiple sections.

Dependent upon merge of #426

BR mappings to UKSSCOP framework

@SecurityCRob SecurityCRob changed the title Add UKSSCOP reference IDs and claims Add UKSSCOP reference-ids and claims to OSPS-BR.yaml Nov 18, 2025
This was referenced Nov 18, 2025
Open
Merged
Open
Merged
Merged
@SecurityCRob
Copy link
Contributor Author

SecurityCRob commented Nov 18, 2025

Related to:
#427
#428
#429
#430
#431
#432
#433

@SecurityCRob SecurityCRob mentioned this pull request Nov 18, 2025
Open
funnelfiasco
funnelfiasco reviewed Nov 21, 2025
View reviewed changes
baseline/OSPS-BR.yaml
- reference-id: CM-7
- reference-id: SI-7
- reference-id: UKSSCOP
entries:
Copy link
Contributor

@funnelfiasco funnelfiasco Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This feels a little tenuous, especially 2.1.2. I can certainly see an argument though, so I'll just leave this comment for now and see if anyone else weighs in. If not, I think we proceed as-is.

Copy link
Contributor Author

@SecurityCRob SecurityCRob Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claim 2.1.2 "Users of the build environment are required to authenticate on a regular basis." Is Partial coverage at best. A means of ensuring that actors & inputs are trusted to to periodically authenticate them.

Copy link
Contributor

@evankanderson evankanderson Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this may be a distinction between commercial and OSS software -- in OSS, we expect that attackers can do a lot more in the build system than you would expect for commercial software. So this hardening is roughly because OSS doesn't enforce 2.1.6 "Users with access to the build environment are regularly reviewed to ensure they still have a legitimate need".

baseline/OSPS-BR.yaml
entries:
- reference-id: Claim 1.1.4
- reference-id: Claim 2.2.3
- reference-id: Claim 3.1.1
Copy link
Contributor

@funnelfiasco funnelfiasco Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see the connection here. I read 3.1.1 as being about cryptographic hash validation.

baseline/OSPS-BR.yaml
- reference-id: SI-7(14)
- reference-id: UKSSCOP
entries:
- reference-id: Claim 1.2.2
Copy link
Contributor

@funnelfiasco funnelfiasco Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This control is more about output than input. 1.2.2 is about input, and 3.1.1 is output, so we should drop 1.2.2 here imo.

funnelfiasco
funnelfiasco reviewed Nov 21, 2025
View reviewed changes
@SecurityCRob @trumant
Add UKSSCOP reference IDs and claims
a46e661 
Added UKSSCOP reference IDs and claims to multiple sections.

Dependent upon merge of #426

BR mapping sot UKSSCOP framework

Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
@trumant trumant force-pushed the SecurityCRob-patch-4 branch from 838a9cb to a46e661 Compare November 23, 2025 20:10
SecurityCRob and others added 5 commits November 25, 2025 08:29
@SecurityCRob
Remove reference-id 'Claim 2.1.2' from entries
2137bd6 
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
@SecurityCRob
Update OSPS-BR.yaml
8bd9626 
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
@SecurityCRob @funnelfiasco
Update baseline/OSPS-BR.yaml
99b1f21 
Co-authored-by: Ben Cotton <ben@kusari.dev>
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
@SecurityCRob
Merge branch 'main' into SecurityCRob-patch-4
7d89dd8
@SecurityCRob
Add reference-id for Claim 3.4.2 in OSPS-BR.yaml
8d80db5 
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@funnelfiasco funnelfiasco funnelfiasco left review comments

@puerco puerco Awaiting requested review from puerco

@evankanderson evankanderson Awaiting requested review from evankanderson

@eddie-knight eddie-knight Awaiting requested review from eddie-knight

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

criteria

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@SecurityCRob @funnelfiasco @evankanderson