From a29501ba8eaffa006dbb08697f67206f6dc3e7bc Mon Sep 17 00:00:00 2001 From: Ben Cotton Date: Thu, 16 Jan 2025 19:35:08 -0500 Subject: [PATCH] Clarify OSPS-BR-01 (#140) Try to make it better match the original intent. Fixes #63 Signed-off-by: Ben Cotton Signed-off-by: Eddie Knight Co-authored-by: Eddie Knight --- baseline/OSPS-BR.yaml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/baseline/OSPS-BR.yaml b/baseline/OSPS-BR.yaml index 4d5d90d..53a078e 100644 --- a/baseline/OSPS-BR.yaml +++ b/baseline/OSPS-BR.yaml @@ -12,17 +12,19 @@ criteria: maturity_level: 1 criterion: | The project's build and release pipelines - MUST NOT execute arbitrary code that is - input from outside of the build script. + MUST NOT permit arbitrary input that allows + access to privileged resources. rationale: | Reduce the risk of code injection or other security vulnerabilities in the project's - build and release processes by restricting - the execution of external code. + build and release by preventing untrusted input + to access privileged resources (code execution, + secret exfiltration, etc.) details: | - Ensure that the project's build and release - pipelines do not execute arbitrary code - provided from external sources. + Ensure that any build and release pipeline actions + that accept externally-controlled input (e.g. git + branch names) do not use input in ways that could + provide unintended access to privileged resources. control_mappings: CRA: 1.2f SSDF: PO3.2, PS1
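Review bot: In the new rationale text, "build and release by preventing untrusted input to access privileged resources" drops the noun "processes" that the removed line carried and reads ungrammatically; suggest "build and release processes by preventing untrusted input from accessing privileged resources". The three fields in this hunk also name the input differently: "arbitrary input" in the criterion, "untrusted input" in the rationale, and "externally-controlled input" in details. The criterion is the MUST NOT statement an assessor tests against, so using one term throughout would make it easier to evaluate. It would also help to say in the criterion or details what counts as a privileged resource, since the only examples (code execution, secret exfiltration) appear in the rationale's parenthetical.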