diff --git a/TSF/trustable/assertions/TA-INPUTS.md b/TSF/trustable/assertions/TA-INPUTS.md index c1a2339f53..031f56a982 100644 --- a/TSF/trustable/assertions/TA-INPUTS.md +++ b/TSF/trustable/assertions/TA-INPUTS.md @@ -7,3 +7,13 @@ references: --- All inputs to nlohmann/json library are assessed, to identify potential risks and issues. + +aschemmel-tech: I think it needs more verbose content to describe why the above statement is true. For example copy from the TA template: + +Evidence + +- List of components used in construction of nlohman/json +- Record of component assessment +- List of tools used in construction and verification +- Record of tool impact assessments +- Record of tool qualification reviews diff --git a/TSF/trustable/assertions/TA-SUPPLY_CHAIN.md b/TSF/trustable/assertions/TA-SUPPLY_CHAIN.md index 90f6b08f52..b213f87497 100644 --- a/TSF/trustable/assertions/TA-SUPPLY_CHAIN.md +++ b/TSF/trustable/assertions/TA-SUPPLY_CHAIN.md @@ -7,3 +7,13 @@ references: --- All sources for nlohmann/json library and tools are mirrored in our controlled environment. + +aschemmel-tech: I think it needs more verbose content to describe why the above statement is true. For example copy from the TA template: + +Evidence + +- list of all nlohmann/json (external) components +- successful build of nlohmann/json from source +- update logs for mirrored projects +- mirrors reject history rewrites +- mirroring is configured via infrastructure under direct control \ No newline at end of file diff --git a/TSF/trustable/assumptions-of-use/AOU-02.md b/TSF/trustable/assumptions-of-use/AOU-02.md index f7acefa284..5712368914 100644 --- a/TSF/trustable/assumptions-of-use/AOU-02.md +++ b/TSF/trustable/assumptions-of-use/AOU-02.md 
@@ -3,4 +3,6 @@ level: 1.1 normative: true --- -The integrator shall ensure that the build environment used for nlohmann/json is supplied with consistent dependencies in every integrating system. \ No newline at end of file +The integrator shall ensure that the build environment used for nlohmann/json is supplied with consistent dependencies in every integrating system. + +aschemmel-tech: AOUs are supposed to be linked to TA-CONSTRAINTS. I would not know what to do as a integrator based on this. \ No newline at end of file diff --git a/TSF/trustable/assumptions-of-use/AOU-03.md b/TSF/trustable/assumptions-of-use/AOU-03.md index f6f6e6b10a..a4c1a8b2bc 100644 --- a/TSF/trustable/assumptions-of-use/AOU-03.md +++ b/TSF/trustable/assumptions-of-use/AOU-03.md @@ -3,4 +3,6 @@ level: 1.1 normative: true --- -The integrator shall ensure that integrator-controlled mirrors of the dependencies are persistently and accessibly stored as long as the library nlohmann/json is used. \ No newline at end of file +The integrator shall ensure that integrator-controlled mirrors of the dependencies are persistently and accessibly stored as long as the library nlohmann/json is used. + +aschemmel-tech: AOUs are supposed to be linked to TA-CONSTRAINTS. \ No newline at end of file diff --git a/TSF/trustable/assumptions-of-use/AOU-10_COMBINED.md b/TSF/trustable/assumptions-of-use/AOU-10_COMBINED.md index 3ecf6802c9..deae20b7b7 100644 --- a/TSF/trustable/assumptions-of-use/AOU-10_COMBINED.md +++ b/TSF/trustable/assumptions-of-use/AOU-10_COMBINED.md 
@@ -3,4 +3,6 @@ level: 1.1 normative: true --- -The integrator shall evaluate the provided evidence and supplement it where necessary, whenever the trustability documentation of nlohmann/json is reviewed. \ No newline at end of file +The integrator shall evaluate the provided evidence and supplement it where necessary, whenever the trustability documentation of nlohmann/json is reviewed. + +aschemmel-tech: AOUs are supposed to be linked to TA-CONSTRAINTS \ No newline at end of file diff --git a/TSF/trustable/statements/JLS-04.md b/TSF/trustable/statements/JLS-04.md index b0524dbb3d..a100e9e45f 100644 --- a/TSF/trustable/statements/JLS-04.md +++ b/TSF/trustable/statements/JLS-04.md 
@@ -18,6 +18,15 @@ evidence: score: Jonas-Kirchhoff: 1.0 Erikhu1: 1.0 + aschemmel-tech: 0.0 --- External dependencies are checked for potential security vulnerabilities with each pull request to main. Merging is blocked until all warnings are resolved. + +aschemmel-tech: Evidences asked for are: + +- List of components used in construction of nlohman/json - this is not given by JLS-04: recommend to create this list of dependencies within another "statement" +- Record of component assessment - this is not given by JLS-04: recommend to check based on the above list whether the components have an ASIL certification +- List of tools used in construction and verification - this is not given by JLS-04: recommend to create this list of tools used by nlohman within another "statement" +- Record of tool impact assessments - this is not given by JLS-04 and also not by nlohman/json, need to create a tool evaluation of the tools used by nlohman/json and not also by S-CORE or consider how those can be replaced - needs another "statement" +- Record of tool qualification reviews - this is not given by JLS-04 and also not by nlohman/json, need to create a tool qualification of nlohman/json used tools as result of evaluation, can also refer to S-CORE if same tools are used - needs another "statement" \ No newline at end of file diff --git a/TSF/trustable/statements/JLS-23.md b/TSF/trustable/statements/JLS-23.md index 06388da9b0..d6c0725ea0 100644 --- a/TSF/trustable/statements/JLS-23.md +++ b/TSF/trustable/statements/JLS-23.md 
@@ -17,6 +17,16 @@ evidence: - "https://github.com/eclipse-score/inc_nlohmann_json" score: mishu-dev: 1.0 + aschemmel-tech: 1.0 --- -The Eclipse S-CORE organization mirrors the nlohmann/json project in a github fork. \ No newline at end of file +The Eclipse S-CORE organization mirrors the nlohmann/json project in a github fork. + +aschemmel-tech: Evidences asked for are: + +- list of all nlohmann/json components - list as asked for in TA-INPUTS plus the nlohman/json component sources, expect nlohman/json has no external libs it depends on +- successful build of nlohmann/json from source - needs "statement" and evidence that no external source and caching is used (need to find out about caching, we qualified bazel caching) +- update logs for mirrored projects - ??? +- mirrors reject history rewrites - ??? +- mirroring is configured via infrastructure under direct - control covered already??? +can you think about these last three and maybe add here \ No newline at end of file
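Review bot: in the TA-INPUTS hunk the Evidence list is pasted as an inline reviewer comment (`aschemmel-tech: I think it needs more verbose content ...`) rather than as content of the assertion, so it will render as part of the published assertion text; suggest either filling in a real Evidence section with those five items or moving the comment to the PR discussion. Also the project name is spelled `nlohman/json` in the first list item while the rest of the file uses `nlohmann/json`.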
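Review bot: the TA-SUPPLY_CHAIN hunk has the same inline-comment problem, and the five items it lists (component list, successful build from source, update logs, history-rewrite rejection, mirroring on directly controlled infrastructure) are exactly the evidence that would substantiate "All sources ... are mirrored in our controlled environment"; suggest attaching them to the statement that covers the fork (JLS-23, whose evidence points at `https://github.com/eclipse-score/inc_nlohmann_json`) instead of leaving them as a note. The added side also ends with `\ No newline at end of file`; add the trailing newline.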
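Review bot: the AOU-02, AOU-03 and AOU-10_COMBINED hunks append a reviewer comment to files marked `normative: true`, so "AOUs are supposed to be linked to TA-CONSTRAINTS" will read as part of the normative requirement; suggest adding the actual link to TA-CONSTRAINTS in this PR rather than a note saying it should exist, and keeping the "I would not know what to do as a integrator" remark in the PR conversation (and `a integrator` should be `an integrator`). All three files still lack a trailing newline on both sides of the hunk.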
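Review bot: in the JLS-04 hunk the frontmatter gains `aschemmel-tech: 0.0` while the body states that none of the five requested evidence items is provided by JLS-04 and that each needs another "statement" (dependency list, component assessment, tool list, tool impact assessment, tool qualification review); a 0.0 score with no placeholder statement or tracking reference leaves the other reviewers nothing to act on, so suggest creating those statement files (even as stubs) or referencing tracking issues next to the score. The same `nlohman` misspelling appears in several list items.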
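Review bot: in the JLS-23 hunk the score `aschemmel-tech: 1.0` is inconsistent with the body of the same hunk, where three of the five evidence items are marked `???` and the build-from-source item is flagged as needing a separate statement plus a check that no external source or caching is used; the score should stay open until those are resolved. The last list item is also garbled: `under direct - control covered already???` splits the phrase `under direct control` from TA-SUPPLY_CHAIN, and the closing line `can you think about these last three and maybe add here` is a request to a co-author that belongs in the PR conversation, not in the statement file.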