microsoft / oss-ssc-framework

Open Source Software Secure Supply Chain Framework

Home Page: https://www.microsoft.com/en-us/securityengineering/opensource

License: Other

oss-ssc-framework's Introduction

Open Source Software (OSS) Secure Supply Chain (SSC) Framework

THIS REPO HAS BEEN CONTRIBUTED TO THE OPENSSF. THE NEW REPO IS HERE https://github.com/ossf/s2c2f/.


Overview

This guide outlines and defines how to securely consume Open Source Software (OSS) dependencies in the developer's workflow. The paper is split into two parts: a solution-agnostic set of practices and a maturity model-based implementation guide. The Framework is targeted at organizations that develop software, that take dependencies on open source software, and that seek to improve the security of their software supply chain.

The OSS SSC Framework is complete with:

  • A high-level solution-agnostic set of practices
  • A detailed list of requirements
  • A list of real-world supply chain threats specific to OSS, and how the Framework requirements mitigate them
  • A maturity model-based implementation guide, with links to tools from across the industry
  • A process for assessing your organization’s maturity
  • A mapping of the Framework requirements to 6 other supply chain specifications

View or Download the OSS SSC Framework Specification

  • Click here for the PDF of the specification

  • Click here to view the specification in markdown

Contributing

The general Community Specification Contributing Policy is captured in the Contributing section. Specific guidelines, based on that policy, for how best to contribute to the OSS SSC Framework specification are here. The living OSS SSC Framework is captured in markdown, and that is where all updates take place.

SLA to Triage Issues:

  • The OSS SSC Framework working group will review, triage, and respond to issues during each Community Meeting.

Meeting Times

Community and Technical Meetings:

  • iCal Subscription Link

  • OSS SSC Framework community meetings are held the 3rd Tuesday of every month @ 12:00 PM Pacific. Please click the iCal Subscription link above or email [email protected] to be added to the meeting invitation.

Technical Meetings:

  • OSS SSC Framework technical meetings are held the last Monday of every month @ 2:00 PM Pacific. Please click the iCal Subscription link above or email [email protected] to be added to the meeting invitation.

Meeting minutes and agenda

Chat channels:

  • We have a Slack channel on the OpenSSF Slack instance (Slack Channel, Slack Invite).

oss-ssc-framework's People

Contributors

  • adriandiglio
  • camaleon2016
  • jasminewang0
  • microsoftopensource

oss-ssc-framework's Issues

Need to change definition of open source software (or use different term)

The definition of "open source software" in this document isn't a standard definition. I suggest just using a standard definition. I often use the Free Software Definition (because it's short) and then refer to the Open Source Definition for more details (because that provides more detail/clarity).

Make it clear projects don't all have to be at the top level

Proposal: Ensure that it’s clear that not all projects will want to be the top level & you may want a mix of levels (e.g., level 2 for some criteria, 3 for others). Potentially add more clarification around Level 4 being aspirational in most cases

OSCAL Support

Howdy, club manager from oscal.club. I am obviously a biased fan of OSCAL. Do you have plans to support it as a publication format for the OSS SSC Framework controls? Would you consider a user-contributed addition if it could be developed as part of automation implemented with GitHub Actions?

Thanks for contributing this framework as open source to the community.
