From c66634f865f1a2bc13c07ab2a1d6d187ab31e09a Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Tue, 31 Dec 2024 17:50:00 +0200 Subject: [PATCH 1/2] Resolve #2467 by splitting and clarifying the 3rd party vuln requirements --- 5.0/en/0x18-V10-Coding.md | 3 ++- 5.0/en/0x22-V14-Config.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/5.0/en/0x18-V10-Coding.md b/5.0/en/0x18-V10-Coding.md index 8fe54a2ad0..9aae004d7c 100644 --- a/5.0/en/0x18-V10-Coding.md +++ b/5.0/en/0x18-V10-Coding.md @@ -16,6 +16,7 @@ This chapter also contains requirements to prevent the introduction of malicious | **1.10.2** | [MODIFIED, MOVED FROM 14.2.5, MERGED FROM 14.2.4] Verify that an inventory catalog, such as software bill of materials (SBOM), is maintained of all third-party libraries in use, including verifying that components come from pre-defined, trusted, and continually maintained repositories. | | ✓ | ✓ | | | **1.10.3** | [ADDED, SPLIT FROM 14.2.6] Verify that application documentation highlights "risky" third party libraries which should include: libraries which perform operations which are dangerous from a security perspective, libraries which are poorly maintained, unsupported, or end of life, libraries which have historically had several significant vulnerabilities, etc. | | | ✓ | 1061 | | **1.10.4** | [ADDED, SPLIT FROM 1.14.5] Verify that application documentation highlights parts of the application where "risky" operations are being performed. "Risky" in this context means those with a high likelihood of being dangerously exploited such as: deserialization of untrusted data, raw file parsing, direct memory manipulation, etc. | | | ✓ | | +| **1.10.4** | [ADDED, SPLIT FROM 14.2.1] Verify that application documentation defines risk based remediation time frames for 3rd party component versions with vulnerabilities and for updating libraries in general, to minimize the risk from these components. | ✓ | ✓ | ✓ | | ## V10.1 Code Integrity 
@@ -75,7 +76,7 @@ Dependency management is critical to the safe operation of any application of an | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | -| **10.6.1** | [MODIFIED, MOVED FROM 14.2.1] Verify that all components are up to date. | ✓ | ✓ | ✓ | | +| **10.6.1** | [SPLIT FROM 14.2.1] Verify that the application only contains components which have not breached the documented update and remediation time frames. | ✓ | ✓ | ✓ | | | **10.6.2** | [MODIFIED, MOVED FROM 10.3.2] Verify that third-party components and all of their transitive dependencies are included from the expected repository, whether internally owned or an external source, and that there is no risk of a dependency confusion attack. | ✓ | ✓ | ✓ | 427 | ## V10.7 Concurrency diff --git a/5.0/en/0x22-V14-Config.md b/5.0/en/0x22-V14-Config.md index 01000b2062..2e9d46d8af 100644 --- a/5.0/en/0x22-V14-Config.md +++ b/5.0/en/0x22-V14-Config.md @@ -48,7 +48,7 @@ Compliance with this section requires an automated build system, and access to b | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | -| **14.2.1** | [MOVED TO 10.6.1] | | | | | +| **14.2.1** | [SPLIT TO 1.10.5, 10.6.1] | | | | | | **14.2.2** | [MOVED TO 14.1.6] | | | | | | **14.2.3** | [MOVED TO 50.7.1] | | | | | | **14.2.4** | [DELETED, MERGED TO 1.10.2] | | | | | From 65642ccd97a8db9d1d428bf4c242ec6a6b68f954 Mon Sep 17 00:00:00 2001 From: Elar Lang <47597707+elarlang@users.noreply.github.com> Date: Wed, 1 Jan 2025 11:43:25 +0200 Subject: [PATCH 2/2] tag fix --- 5.0/en/0x18-V10-Coding.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/5.0/en/0x18-V10-Coding.md b/5.0/en/0x18-V10-Coding.md index 9aae004d7c..cb1404f8e3 100644 --- a/5.0/en/0x18-V10-Coding.md +++ b/5.0/en/0x18-V10-Coding.md 
@@ -76,7 +76,7 @@ Dependency management is critical to the safe operation of any application of an | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | -| **10.6.1** | [SPLIT FROM 14.2.1] Verify that the application only contains components which have not breached the documented update and remediation time frames. | ✓ | ✓ | ✓ | | +| **10.6.1** | [ADDED, SPLIT FROM 14.2.1] Verify that the application only contains components which have not breached the documented update and remediation time frames. | ✓ | ✓ | ✓ | | | **10.6.2** | [MODIFIED, MOVED FROM 10.3.2] Verify that third-party components and all of their transitive dependencies are included from the expected repository, whether internally owned or an external source, and that there is no risk of a dependency confusion attack. | ✓ | ✓ | ✓ | 427 | ## V10.7 Concurrency
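Review bot: in the first hunk of 5.0/en/0x18-V10-Coding.md (PATCH 1/2, `@@ -16,6 +16,7 @@`), the added row reuses the identifier **1.10.4**, which the unchanged context line immediately above already assigns to the "risky operations" documentation requirement, so the table ends up with two 1.10.4 entries. The 14.2.1 row in 0x22-V14-Config.md points at 1.10.5, which is the number this new row should carry. Two smaller consistency points in the same row: "3rd party component" should be "third-party component" to match the wording of 1.10.2 and 1.10.3 in the surrounding rows, and "risk based" should be hyphenated as "risk-based".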
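Review bot: in the `@@ -75,7 +76,7 @@` hunk of 5.0/en/0x18-V10-Coding.md (PATCH 1/2), the rewritten 10.6.1 now depends on "the documented update and remediation time frames" without saying where those are documented; the only place the patch defines them is the new 1.10.x row, so the requirement text should reference that row (or at least say "the time frames documented per the requirement in V1.10") so a reader assessing 10.6.1 on its own knows which document is meant. The tag `[SPLIT FROM 14.2.1]` is also inconsistent with the `[ADDED, SPLIT FROM ...]` form used for the other new rows; PATCH 2/2 in this series corrects that.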
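Review bot: in the 5.0/en/0x22-V14-Config.md hunk (PATCH 1/2, `@@ -48,7 +48,7 @@`), the new 14.2.1 tag `[SPLIT TO 1.10.5, 10.6.1]` refers to a requirement 1.10.5 that this patch never creates: the row actually added to 0x18-V10-Coding.md is numbered 1.10.4. Either renumber the added V10 row to 1.10.5 or change this tag to match, otherwise the forward reference from 14.2.1 is dangling.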
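Review bot: PATCH 2/2 only changes the 10.6.1 tag to `[ADDED, SPLIT FROM 14.2.1]`, which is the right form, but the duplicate 1.10.4 identifier introduced in the `@@ -16,6 +16,7 @@` hunk of PATCH 1/2 is still present after this series; that numbering fix belongs in the same follow-up so the 14.2.1 reference to 1.10.5 resolves.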