OWASP / Software-Component-Verification-Standard

Software Component Verification Standard (SCVS)

Home Page:https://owasp.org/scvs


SCVS-CAN-14 uses "component type" but the standard does not define the term

garretfick opened this issue · comments

Problem:

As a user of the specification, I need to be able to determine whether I comply with the standard. The term "component type" leaves a lot of possibilities for interpretation. For example, this could mean "3rd party or open source", "development language", among other interpretations.

Recommendation:

Either add a list of definitions (probably the best) or clarify what this means here.

There's a paragraph about 'Component Type' here: https://www.owasp.org/index.php/Component_Analysis#Component_Type

Component type is also defined in CycloneDX which lists:

  • application
  • framework
  • library
  • operating-system
  • device
  • file

https://cyclonedx.org/docs/1.1/#type_classification

Currently the term used in SCVS is 'Component Type'.

Do we want to continue using that term?
Do we want to use 'Component Classification'?
Something else?
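A user asking "do I comply?" needs a mechanical check against whichever classification list the standard settles on. As an added example (not code from the SCVS or CycloneDX projects), this script walks a CycloneDX 1.1 XML BOM and flags every component whose `type` attribute is absent or not in the six-value list quoted above; the sample BOM and its component names and versions are constructed for the demonstration, and the allowed set is passed as a parameter so it can be swapped for a different vocabulary if SCVS defines its own.

```python
"""Flag components in a CycloneDX 1.1 XML BOM whose 'type' is missing or
not in the classification list. Added example, not SCVS or CycloneDX code."""
import xml.etree.ElementTree as ET

# The six component types listed for CycloneDX 1.1 in the discussion above.
CYCLONEDX_11_TYPES = frozenset({
    "application", "framework", "library", "operating-system", "device", "file",
})
# CycloneDX 1.1 XML namespace used for element lookups.
NS = {"bom": "http://cyclonedx.org/schema/bom/1.1"}

# Constructed sample BOM: one well-typed component, one with a type outside
# the list (the kind of ambiguity the issue describes), one with no type at all.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1">
  <components>
    <component type="library">
      <name>example-lib</name>
      <version>1.2.3</version>
    </component>
    <component type="opensource">
      <name>mystery-pkg</name>
      <version>0.1.0</version>
    </component>
    <component>
      <name>untyped-pkg</name>
      <version>2.0.0</version>
    </component>
  </components>
</bom>
"""


def check_component_types(bom_xml, allowed=CYCLONEDX_11_TYPES):
    """Return (name, version, problem) tuples for each component whose type
    attribute is missing or not in `allowed`. An empty list means every
    component carries a recognised classification."""
    root = ET.fromstring(bom_xml)
    findings = []
    for comp in root.iterfind(".//bom:component", NS):
        name = comp.findtext("bom:name", default="<unnamed>", namespaces=NS)
        version = comp.findtext("bom:version", default="<no version>", namespaces=NS)
        ctype = comp.get("type")
        if ctype is None:
            findings.append((name, version, "missing type attribute"))
        elif ctype not in allowed:
            findings.append((name, version, f"unknown type {ctype!r}"))
    return findings


if __name__ == "__main__":
    for name, version, problem in check_component_types(SAMPLE_BOM):
        print(f"{name}@{version}: {problem}")
```

Run against the constructed BOM it reports `mystery-pkg` (type outside the list) and `untyped-pkg` (no type), and nothing for `example-lib`; a real SBOM would be read from disk and passed to `check_component_types` in the same way.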

I'd suggest just giving a definition of what the term means, but not tying it to a particular standard. I'm ok with the overall term (unless I can find a different term in an existing standard elsewhere).

This has been added to the glossary and to the control itself.