score-json · aschemmel-tech · Nov 10, 2025 · Erikhu1 · Nov 11, 2025 · Erikhu1
diff --git a/TSF/trustable/assertions/TA-INPUTS.md b/TSF/trustable/assertions/TA-INPUTS.md
@@ -7,3 +7,13 @@ references:
 ---
 
 All inputs to nlohmann/json library are assessed, to identify potential risks and issues.
+
+aschemmel-tech: I think it needs more verbose content to describe why the above statement is true. For example copy from the TA template:
+
+Evidence
+
+- List of components used in construction of nlohman/json
+- Record of component assessment
+- List of tools used in construction and verification
+- Record of tool impact assessments
+- Record of tool qualification reviews
diff --git a/TSF/trustable/assertions/TA-SUPPLY_CHAIN.md b/TSF/trustable/assertions/TA-SUPPLY_CHAIN.md
@@ -7,3 +7,13 @@ references:
 ---
 
 All sources for nlohmann/json library and tools are mirrored in our controlled environment.
+
+aschemmel-tech: I think it needs more verbose content to describe why the above statement is true. For example copy from the TA template:
+
+Evidence
+
+- list of all nlohmann/json (external) components
+- successful build of nlohmann/json from source
+- update logs for mirrored projects
+- mirrors reject history rewrites
+- mirroring is configured via infrastructure under direct control
diff --git a/TSF/trustable/assumptions-of-use/AOU-02.md b/TSF/trustable/assumptions-of-use/AOU-02.md
@@ -3,4 +3,6 @@ level: 1.1
 normative: true
 ---
 
-The integrator shall ensure that the build environment used for nlohmann/json is supplied with consistent dependencies in every integrating system.
+The integrator shall ensure that the build environment used for nlohmann/json is supplied with consistent dependencies in every integrating system.
+
+aschemmel-tech: AOUs are supposed to be linked to TA-CONSTRAINTS. I would not know what to do as a integrator based on this.
diff --git a/TSF/trustable/assumptions-of-use/AOU-03.md b/TSF/trustable/assumptions-of-use/AOU-03.md
@@ -3,4 +3,6 @@ level: 1.1
 normative: true
 ---
 
-The integrator shall ensure that integrator-controlled mirrors of the dependencies are persistently and accessibly stored as long as the library nlohmann/json is used.
+The integrator shall ensure that integrator-controlled mirrors of the dependencies are persistently and accessibly stored as long as the library nlohmann/json is used.
+
+aschemmel-tech: AOUs are supposed to be linked to TA-CONSTRAINTS.
diff --git a/TSF/trustable/assumptions-of-use/AOU-10_COMBINED.md b/TSF/trustable/assumptions-of-use/AOU-10_COMBINED.md
@@ -3,4 +3,6 @@ level: 1.1
 normative: true
 ---
 
-The integrator shall evaluate the provided evidence and supplement it where necessary, whenever the trustability documentation of nlohmann/json is reviewed.
+The integrator shall evaluate the provided evidence and supplement it where necessary, whenever the trustability documentation of nlohmann/json is reviewed.
+
+aschemmel-tech: AOUs are supposed to be linked to TA-CONSTRAINTS
diff --git a/TSF/trustable/statements/JLS-04.md b/TSF/trustable/statements/JLS-04.md
@@ -18,6 +18,15 @@ evidence:
 score:
     Jonas-Kirchhoff: 1.0
     Erikhu1: 1.0
+    aschemmel-tech: 0.0
 ---
 
 External dependencies are checked for potential security vulnerabilities with each pull request to main. Merging is blocked until all warnings are resolved.
+
+aschemmel-tech: Evidences asked for are:
+
+- List of components used in construction of nlohman/json - this is not given by JLS-04: recommend to create this list of dependencies within another "statement"
+- Record of component assessment - this is not given by JLS-04: recommend to check based on the above list whether the components have an ASIL certification
+- List of tools used in construction and verification - this is not given by JLS-04: recommend to create this list of tools used by nlohman within another "statement"
+- Record of tool impact assessments - this is not given by JLS-04 and also not by nlohman/json, need to create a tool evaluation of the tools used by nlohman/json and not also by S-CORE or consider how those can be replaced - needs another "statement"
+- Record of tool qualification reviews - this is not given by JLS-04 and also not by nlohman/json, need to create a tool qualification of nlohman/json used tools as result of evaluation, can also refer to S-CORE if same tools are used - needs another "statement"
diff --git a/TSF/trustable/statements/JLS-23.md b/TSF/trustable/statements/JLS-23.md
@@ -17,6 +17,16 @@ evidence:
                     - "https://github.com/eclipse-score/inc_nlohmann_json"
 score:
     mishu-dev: 1.0
+    aschemmel-tech: 1.0
 ---
 
-The Eclipse S-CORE organization mirrors the nlohmann/json project in a github fork.
+The Eclipse S-CORE organization mirrors the nlohmann/json project in a github fork.
+
+aschemmel-tech: Evidences asked for are:
+
+- list of all nlohmann/json components - list as asked for in TA-INPUTS plus the nlohman/json component sources, expect nlohman/json has no external libs it depends on
+- successful build of nlohmann/json from source - needs "statement" and evidence that no external source and caching is used (need to find out about caching, we qualified bazel caching)
+- update logs for mirrored projects - ???
+- mirrors reject history rewrites - ???
+- mirroring is configured via infrastructure under direct - control covered already???
+can you think about these last three and maybe add here