P.3.4 Vetted third-party component and container repositories
Control Details
Objective
Engineers can choose from organization-approved components
Definition
Components, binaries, containers, and AI models chosen from public ecosystems undergo a vetting process that includes reviewing component metadata and provenance data, software composition analysis (SCA), binary composition analysis, and other security scanning. Rebuild software dependencies from source code when possible, to remove additional software that may be contained in a compiled version. Establish repositories to host organization-approved components and containers.
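As an added illustration (not part of the control text or of any named tool), the following Python gate applies the vetting steps above to one candidate component: it checks that SLSA provenance exists, that the provenance subject digest matches the downloaded artifact, that the builder is on an approved list and that no scan findings are outstanding, and only then places the artifact in the organization-approved repository. The statement layout follows the in-toto Statement / SLSA v1 schema, but the builder identifier, artifact bytes and findings are constructed, and verification of the attestation envelope's signature is assumed to have happened before this gate runs.

```python
import hashlib

SLSA_PREDICATE_TYPE = "https://slsa.dev/provenance/v1"
# Builders whose provenance the organization trusts (hypothetical identifier).
APPROVED_BUILDERS = {"https://builder.example.org/hosted"}


def vet_component(artifact: bytes, statement: dict, scan_findings: list) -> list:
    """Return reasons to reject; an empty list means the component passed vetting.
    Assumes the attestation envelope's signature was already verified (not modelled
    here): an unsigned or unverified statement proves nothing about the artifact."""
    reasons = []
    # Build L1: provenance must exist and must be SLSA provenance.
    if statement.get("predicateType") != SLSA_PREDICATE_TYPE:
        reasons.append("no SLSA provenance attached")
    # The provenance must describe *this* artifact: compare digests, not names.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if digest not in subjects:
        reasons.append("artifact digest does not match any provenance subject")
    # SLSA v1 places the builder under predicate.runDetails.builder.id.
    builder = statement.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder not in APPROVED_BUILDERS:
        reasons.append(f"builder {builder!r} is not approved")
    # SCA / binary-analysis results are passed in; a real gate would invoke the scanners.
    reasons.extend(f"scan finding: {f}" for f in scan_findings)
    return reasons


def admit(repo: dict, name: str, artifact: bytes, statement: dict, findings: list) -> bool:
    """Store the artifact in the organization-approved repository only if vetting passes."""
    if vet_component(artifact, statement, findings):
        return False
    repo[name] = {"sha256": hashlib.sha256(artifact).hexdigest(), "content": artifact}
    return True


# Constructed sample: a candidate artifact and a made-up in-toto/SLSA statement for it.
SAMPLE_ARTIFACT = b"constructed contents of example-lib-1.2.3.whl"
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example-lib-1.2.3.whl",
                 "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}}],
    "predicateType": SLSA_PREDICATE_TYPE,
    "predicate": {"runDetails": {"builder": {"id": "https://builder.example.org/hosted"}}},
}
```

Engineers then resolve dependencies only from `repo`, never directly from the public ecosystem, so a component that failed any check is simply absent from the approved source.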
Assessment Questions
- Describe the vetting and scanning process you use when you choose components, containers, binaries and AI models from public ecosystems or from third parties.
- How do you arrange for a local component repository in which binaries and source code of third-party components are stored?
- What are your policies for rebuilding components from source?
Reference sources
- EO 4e(iii) 4e(vi) 4e(x)
- SSDF PW.4.1
- SSDF-AI PW.4.1
- BSIMM SFD2.1 SFD3.2 SR2.4 SR2.7
- SLSA Verifying artifacts Build L1: Provenance exists
- 800-161 SI-3 SR-3 SR-4 SR-11
- OWASP-SCVS 5
- S2C2F SCA-1 SCA-4 SCA-5 ING-2 ING-4 ENF-2
- CNCF-SSC A-CE: Use a container registry that supports OCI image-spec images; M-V: Verify third party artifacts and open source libraries; SM M-V: Build libraries from source code; M-A: Run software composition analysis on ingested software
- Self-attestation 2 3
- SAMM I-SB-3-B
- OSPS OSPS-DO-06