Adding Regulatory crosswalk mappings to DO category items (#143)

Adding Regulatory crosswalk mappings to DO category items Signed-off-by: CRob <[email protected]> Co-authored-by: Eddie Knight <[email protected]>
ossf · Jan 17, 2025 · 30c6535 · 30c6535
1 parent eec2ba4
commit 30c6535
Showing 1 changed file with 33 additions and 7 deletions.
diff --git a/baseline/OSPS-DO.yaml b/baseline/OSPS-DO.yaml
@@ -25,7 +25,13 @@ criteria:
       use the project's features. If there are any
       known dangerous or destructive actions
       available, include highly-visible warnings.
-    control_mappings: # TODO
+    control_mappings: 
+      BPB: B-B-1, B-B-9, B-S-7, B-S-9
+      CRA: 1.2b, 1.2j, 1.2k
+      SSDF: PW1.2
+      CSF: GV.OC-04, GV.OC-05
+      OC: 4.1.4
+      OCRE: 036-275
     security_insights_value: # TODO
 
   - id: OSPS-DO-05
@@ -51,7 +57,12 @@ criteria:
       It is recommended that project documentation
       also sets expectations for how defects will
       be triaged and resolved.
-    control_mappings: # TODO
+    control_mappings:
+      BPB: B-B-3, R-B-1+, R-B-1, R-B-2, R-S-2
+      CRA: 1.2c, 1.2l, 2.1, 2.2,2.5, 2.6
+      SSDF: PW1.2, RV1.1, RV2.1, RV1.2
+      CSF: RS.MA-02, GV.RM-05
+      OC: 4.2.1
     security_insights_value: # TODO
 
   - id: OSPS-DO-12
@@ -75,7 +86,11 @@ criteria:
       expected identity may be in the form of key
       IDs used to sign, issuer and identity from a
       sigstore certificate, or other similar forms.
-    control_mappings: # TODO
+    control_mappings:  
+      BPB: CC-B-8
+      CRA: 1.2d
+      SSDF: PO4.2, PS.2, PS2.1, PS3.1, RV1.3
+      OCRE: 171-222 
     security_insights_value: # TODO
 
   - id: OSPS-DO-13
@@ -87,7 +102,10 @@ criteria:
       duration of support.
     rationale: # TODO
     implementation: # TODO
-    control_mappings: # TODO
+    control_mappings: 
+      BPB: R-B-3
+      SSDF: PO4.2, PS3.1, RV1.3 
+      OC: 4.1, 4.3.1
     security_insights_value: # TODO
 
   - id: OSPS-DO-14
@@ -100,7 +118,10 @@ criteria:
       will no longer receive security updates.
     rationale: # TODO
     implementation: # TODO
-    control_mappings: # TODO
+    control_mappings: 
+      CRA: 1.2c, 2.6
+      OC: 4.1.1, 4.3.1
+      OCRE: 673-475, 053-751
     security_insights_value: # TODO
 
   - id: OSPS-DO-15
@@ -112,5 +133,10 @@ criteria:
       obtains, and tracks its dependencies.
     rationale: # TODO
     implementation: # TODO
-    control_mappings: # TODO
-    security_insights_value: # TODO
+    control_mappings: 
+      BPB: A-S-1
+      CRA: 2.1
+      OCRE: 613-286, 053-751
+    security_insights_value: 
+      Pinned-Dependencies
+