This repository has been archived by the owner on Nov 14, 2023. It is now read-only.

Use Case: Attestations of alignment to S2C2F and org overlays #14

Open
johnandersen777 opened this issue Sep 7, 2022 · 0 comments
Comments


johnandersen777 commented Sep 7, 2022

This issue is to track the creation of a use case example which also serves as the plan between members of the OpenSSF, IETF, DFFML, and other communities as they work on said use case.

Collection of metric data into shared database (crowdsourcable OpenSSF Metrics).
There are many repos to search, we want to enable self reporting and granularity
as applicable to ad-hoc formed policy as desired by end-user. We want this to
work across fully decentralized, federated, and central forges/factories.

  • Related: https://github.com/ossf/s2c2f/blob/main/specification/framework.md#appendix-relation-to-scitt
  • This use case will be mostly focused on the policy / gatekeeper component and federation components of SCITT.
    • 5.2.2: Registration Policies
    • 7: Federation
  • This use case is a specialization of (cross between) the following use cases from the Detailed Software Supply Chain Use Cases for SCITT doc.
    • 3.3: Security Analysis of a Software Product
      • We'll cover OpenSSF Scorecard and other analysis mechanisms including meta static analysis / aggregation (example: GUAC).
    • 3.4: Promotion of a Software Component by multiple entities
      • We'll cover how these entities can leverage analysis mechanisms to achieve feature and bugfix equilibrium across the diverged environment.
        • Future use cases could explore semantic patching to patch across functionally similar

Info can later be checked when others downstream build models based on the crowdsourced scraped data.

WIP DRAFT: https://github.com/pdxjohnny/use-cases/blob/openssf_metrics/openssf_metrics.md

References:
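The issue above sketches a policy / gatekeeper component that decides which analysis statements (Scorecard results, GUAC-style aggregations) get registered, with a base policy such as S2C2F alignment plus org-specific overlays layered on top. The following is an added illustration of that shape, not code from ietf-scitt/use-cases, DFFML, OpenSSF Scorecard or SCITT. The statement layout, the check names, the issuer names and every threshold are assumptions made for the example; real Scorecard output and SCITT registration policies are defined elsewhere.

```python
"""Hypothetical registration-policy gatekeeper with an org overlay.

Added illustration, not code from ietf-scitt/use-cases, DFFML or OpenSSF.
The statement layout, check names, issuer names and thresholds are
assumptions for this example; real Scorecard and SCITT formats differ.
"""
from copy import deepcopy

# Base policy (stand-in for a shared baseline): which issuers the
# transparency service accepts statements from, and the minimum
# Scorecard-style check scores (0-10) a subject must reach.
BASE_POLICY = {
    "trusted_issuers": {"scorecard.example"},
    "min_scores": {
        "Branch-Protection": 5,
        "Dangerous-Workflow": 10,
        "Signed-Releases": 5,
    },
}

# Org overlay: may add issuers and add or raise checks, but an overlay
# is never allowed to relax a baseline minimum.
ORG_OVERLAY = {
    "trusted_issuers": {"security-team.example"},
    "min_scores": {
        "Pinned-Dependencies": 7,
        "Signed-Releases": 3,  # attempt to relax; ignored, base value kept
    },
}


def merge_overlay(base, overlay):
    """Return base extended by overlay; thresholds only ever go up."""
    policy = deepcopy(base)
    policy["trusted_issuers"] = set(base["trusted_issuers"]) | set(
        overlay.get("trusted_issuers", ())
    )
    for check, minimum in overlay.get("min_scores", {}).items():
        current = policy["min_scores"].get(check, 0)
        policy["min_scores"][check] = max(current, minimum)
    return policy


def evaluate_registration(statement, policy):
    """Decide whether a statement may be registered; report every violation.

    Missing checks are violations, not silently skipped: a statement that
    omits a required check must not pass by omission.
    """
    violations = []
    issuer = statement.get("issuer")
    if issuer not in policy["trusted_issuers"]:
        violations.append(f"issuer {issuer!r} not trusted")
    checks = statement.get("checks", {})
    for check, minimum in sorted(policy["min_scores"].items()):
        score = checks.get(check)
        if score is None:
            violations.append(f"{check}: missing (policy requires >= {minimum})")
        elif score < minimum:
            violations.append(f"{check}: {score} < {minimum}")
    return {"accept": not violations, "violations": violations}


# Constructed sample statements for the example, not real Scorecard results.
GOOD_STATEMENT = {
    "subject": "pkg:github/example/good-repo",
    "issuer": "scorecard.example",
    "checks": {
        "Branch-Protection": 8,
        "Dangerous-Workflow": 10,
        "Signed-Releases": 6,
        "Pinned-Dependencies": 9,
    },
}

WEAK_STATEMENT = {
    "subject": "pkg:github/example/weak-repo",
    "issuer": "unknown.example",
    "checks": {
        "Branch-Protection": 8,
        "Dangerous-Workflow": 10,
        "Signed-Releases": 4,
    },
}

if __name__ == "__main__":
    policy = merge_overlay(BASE_POLICY, ORG_OVERLAY)
    for stmt in (GOOD_STATEMENT, WEAK_STATEMENT):
        print(stmt["subject"], evaluate_registration(stmt, policy))
```

The one design point worth carrying into a real gatekeeper is in `merge_overlay`: an overlay can only add issuers and add or raise thresholds. If overlays could lower a baseline, a downstream org could silently accept statements the shared baseline would reject, which defeats the purpose of attesting alignment to a common framework.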

johnandersen777 pushed a commit to johnandersen777/use-cases that referenced this issue Sep 27, 2022
johnandersen777 pushed a commit to intel/dffml that referenced this issue Mar 24, 2023
…ire: Update link to OpenSSF Metrics IETF SCITT use case to RFCv4.1

Related: ietf-scitt/use-cases#14
johnandersen777 pushed a commit to intel/dffml that referenced this issue Mar 30, 2023
@johnandersen777 johnandersen777 changed the title OpenSSF Metrics Use Case: Attestations of alignment to S2C2F and org specific overlays Apr 1, 2023
@johnandersen777 johnandersen777 changed the title Use Case: Attestations of alignment to S2C2F and org specific overlays Use Case: Attestations of alignment to S2C2F and Org Overlays Apr 1, 2023
@johnandersen777 johnandersen777 changed the title Use Case: Attestations of alignment to S2C2F and Org Overlays Use Case: Attestations of alignment to S2C2F and org overlays Apr 1, 2023