| Mapped IDs | Practice |
| --- | --- |
| SCA-2 | G.1.2 Software license conflict |
| REB-3, REB-4 | G.1.5 Deliver SBOM |
| INV-1 | G.2.5 Asset inventory |
| ING-1 | G.3.1 Security-related contract terms |
| REB-2 | P.1.2 Software release integrity |
| ING-3 | P.3.1 Component and container choice |
| ING-1 | P.3.2 Trusted repositories |
| SCA-1, SCA-4, SCA-5, ING-2, ING-4, ENF-2 | P.3.4 Vetted third-party component and container repositories |
| AUD-2 | P.3.5 Prevent component vetting bypass |
| SCA-1, SCA-3 | P.4.5 Regular third-party compliance |
| UPD-1, UPD-2, UPD-3 | P.5.2 Dependency update |
| AUD-1, AUD-3, AUD-4 | E.2.2 Verify dependencies and environment |
| REB-1 | E.2.3 Defensive compilation and build |
| REB-1 | E.2.6 Reproducible builds |
| SCA-5 | D.1.1 Vulnerability analysis |
| INV-2 | D.1.3 Vulnerability disclosure |
| FIX-1 | D.1.5 Emergency artifact fix |