OWASP / Software-Component-Verification-Standard

Software Component Verification Standard (SCVS)

Home Page:https://owasp.org/scvs


SCVS-INV-03 may want to specify machine readable (or add additional requirement)

garretfick opened this issue · comments

Problem:

It is relatively common that build logs contain information that can be extracted to generate an accurate inventory. However, this is normally difficult to audit.

Recommendation:

Add a new requirement that specifies that the inventory is available in a format that is readily machine readable (I'm hesitant to specify a particular format).

Wouldn't this be covered by SBOM or should there be a specific call out to being machine readable so that someone doesn't confuse SBOM with spreadsheet (or whatever)?

My thinking was more in ensuring that the inventory is centralized, but perhaps having it centralized is what "inventory" means.

I believe the requirement is done.

v1.3 - An accurate inventory of all third-party components is available in a machine-readable format
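The thread above is about turning build-log information into an inventory that is machine readable and therefore auditable. The block below is an added example, not code from the SCVS project or from any commenter: it extracts component names and versions from a constructed pip build log (the "Successfully installed ..." summary line), emits them as a structured inventory whose fields (`name`, `version`, `purl`) are an assumption of this example rather than a format SCVS prescribes, and then runs the kind of mechanical check an auditor can apply to such a document but not to a spreadsheet or to raw log text.

```python
"""Added example (not SCVS project code): build log -> machine-readable inventory -> audit check."""
import re
from typing import Dict, List

# Constructed sample build log; not captured from a real build. pip prints one
# "Successfully installed <name>-<version> ..." line at the end of an install.
BUILD_LOG = """\
Collecting requests==2.31.0
  Downloading requests-2.31.0-py3-none-any.whl (62 kB)
Collecting urllib3<3,>=1.21.1
Successfully installed certifi-2023.7.22 charset-normalizer-3.3.2 idna-3.4 requests-2.31.0 urllib3-2.0.7
"""

_INSTALLED_RE = re.compile(r"^Successfully installed (.+)$", re.MULTILINE)
# name may itself contain '-', so the version is the trailing "-<digit>..." segment.
_PKG_RE = re.compile(r"^(?P<name>.+)-(?P<version>\d[^-]*)$")

# Assumed inventory fields for this example; SCVS does not mandate a format.
REQUIRED_FIELDS = ("name", "version", "purl")


def parse_pip_log(log: str) -> List[Dict[str, str]]:
    """Extract installed components from pip's summary line(s) in a build log."""
    components: List[Dict[str, str]] = []
    for summary in _INSTALLED_RE.findall(log):
        for token in summary.split():
            m = _PKG_RE.match(token)
            if not m:
                # Fail closed: an inventory that silently drops a token is not accurate.
                raise ValueError(f"unparseable package token: {token!r}")
            name = m.group("name").lower().replace("_", "-")  # PEP 503 style normalisation
            version = m.group("version")
            components.append({
                "type": "library",
                "name": name,
                "version": version,
                "purl": f"pkg:pypi/{name}@{version}",  # package URL for unambiguous identity
            })
    return components


def build_inventory(log: str) -> dict:
    """Wrap the parsed components in a structured document (example schema, not a standard)."""
    return {"inventoryFormat": "example-inventory/1", "components": parse_pip_log(log)}


def check_inventory(doc: object) -> List[str]:
    """Mechanical audit of an inventory. Returns findings; an empty list means it passes."""
    if not isinstance(doc, dict):
        return ["inventory is not a structured document"]
    comps = doc.get("components")
    if not isinstance(comps, list) or not comps:
        return ["inventory has no 'components' list"]
    findings: List[str] = []
    seen = set()
    for i, c in enumerate(comps):
        for field in REQUIRED_FIELDS:
            if not c.get(field):
                findings.append(f"component {i}: missing {field}")
        key = (c.get("name"), c.get("version"))
        if key in seen:
            findings.append(f"component {i}: duplicate {key}")
        seen.add(key)
    return findings


if __name__ == "__main__":
    import json
    inventory = build_inventory(BUILD_LOG)
    print(json.dumps(inventory, indent=2, sort_keys=True))
    print("findings:", check_inventory(inventory) or "none")
```

The point of the check is the contrast the thread draws: once the inventory is a structured document, "every component has a name, a version and an unambiguous identifier, and nothing is listed twice" becomes a test a CI job can run, whereas the same question against raw build output or a hand-maintained spreadsheet needs a human.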