github.com/gemaraproj/gemara@v0.23.0

test/test-data/pvtr-baseline-scan.yaml

metadata:
  id: PVTR-BASELINE-SCAN
  type: EvaluationLog
  gemara-version: 0.20.0
  version: 1.0.0
  description: PVTR baseline scan evaluation results
  author:
    id: pvtr
    name: PVTR
    type: Software
result: Failed
target:
  id: github-repo
  name: GitHub Repository
  type: Software
evaluations:
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-AC-01.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/access_control.orgRequiresMFA
    description: When a user attempts to access a sensitive resource in the project's
      version control system, the system MUST require the user to complete a multi-factor
      authentication process.
    result: Passed
    message: Two-factor authentication is configured as required by the parent organization
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000003708Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-AC-01
  result: Passed
  message: Two-factor authentication is configured as required by the parent organization
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-AC-02.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.GithubBuiltIn
    description: When a new collaborator is added, the version control system MUST
      require manual permission assignment, or restrict the collaborator permissions
      to the lowest available privileges by default.
    result: Passed
    message: This control is enforced by GitHub for all projects
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000001208Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-AC-02
  result: Passed
  message: This control is enforced by GitHub for all projects
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-AC-03.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/access_control.branchProtectionRestrictsPushes
    description: When a direct commit is attempted on the project's primary branch,
      an enforcement mechanism MUST prevent the change from being applied.
    result: Passed
    message: Branch protection rule requires approving reviews
    steps-executed: 2
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000002750Z
  - requirement:
      entry-id: OSPS-AC-03.02
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/access_control.branchProtectionPreventsDeletion
    description: When an attempt is made to delete the project's primary branch, the
      version control system MUST treat this as a sensitive activity and require explicit
      confirmation of intent.
    result: Passed
    message: Branch protection rule prevents deletions
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000001167Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-AC-03
  result: Passed
  message: Branch protection rule prevents deletions
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-AC-04.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/access_control.workflowDefaultReadPermissions
    description: When a CI/CD task is executed with no permissions specified, the
      project's version control system MUST default to the lowest available permissions
      for all activities in the pipeline.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-AC-04
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-01.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.cicdSanitizedInputParameters
    description: When a CI/CD pipeline accepts an input parameter, that parameter
      MUST be sanitized and validated prior to use in the pipeline.
    result: Passed
    message: GitHub Workflows variables do not contain untrusted inputs
    steps-executed: 2
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:01.711621250Z
  - requirement:
      entry-id: OSPS-BR-01.02
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When a CI/CD pipeline uses a branch name in its functionality, that
      name value MUST be sanitized and validated prior to use in the pipeline.
    result: Needs Review
    message: Not implemented
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000708Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-01
  result: Needs Review
  message: Not implemented
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-02.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.releaseHasUniqueIdentifier
    description: When an official release is created, that release MUST be assigned
      a unique version identifier.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-02
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-03.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.ensureInsightsLinksUseHTTPS
    description: When the project lists a URI as an official project channel, that
      URI MUST be exclusively delivered using encrypted channels.
    result: Needs Review
    message: All links use HTTPS
    steps-executed: 2
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000003417Z
  - requirement:
      entry-id: OSPS-BR-03.02
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.distributionPointsUseHTTPS
    description: When the project lists a URI as an official distribution channel,
      that URI MUST be exclusively delivered using encrypted channels.
    result: Passed
    message: No official distribution points found in Security Insights data
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000584Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-03
  result: Needs Review
  message: No official distribution points found in Security Insights data
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-04.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.ensureLatestReleaseHasChangelog
    description: When an official release is created, that release MUST contain a
      descriptive log of functional and security modifications.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-04
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-05.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When a build and release pipeline ingests dependencies, it MUST use
      standardized tooling where available.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-05
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-06.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.insightsHasSlsaAttestation
    description: When an official release is created, that release MUST be signed
      or accounted for in a signed manifest including each asset's cryptographic hashes.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-06
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-01.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.hasUserGuides
    description: When the project has made a release, the project documentation MUST
      include user guides for all basic functionality.
    result: Failed
    message: User guide was NOT specified in Security Insights data
    steps-executed: 3
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-01
  result: Failed
  message: User guide was NOT specified in Security Insights data
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-02.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasIssuesOrDiscussionsEnabled
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.acceptsVulnReports
    description: When the project has made a release, the project documentation MUST
      include a guide for reporting defects.
    result: Failed
    message: Repository does not accept vulnerability reports
    steps-executed: 3
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-02
  result: Failed
  message: Repository does not accept vulnerability reports
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-03.01
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.hasSignatureVerificationGuide
    description: When the project has made a release, the project documentation MUST
      contain instructions to verify the integrity and authenticity of the release
      assets.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-03
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-04.01
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.hasSupportDocs
    description: When the project has made a release, the project documentation MUST
      include a descriptive statement about the scope and duration of support for
      each release.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-04
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-05.01
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.hasSupportDocs
    description: When the project has made a release, the project documentation MUST
      provide a descriptive statement when releases or versions will no longer receive
      security updates.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-05
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-06.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.hasDependencyManagementPolicy
    description: When the project has made a release, the project documentation MUST
      include a description of how the project selects, obtains, and tracks its dependencies.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-06
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-GV-01.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsActive
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/governance.coreTeamIsListed
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/governance.projectAdminsListed
    description: While active, the project documentation MUST include a list of project
      members with access to sensitive resources.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  - requirement:
      entry-id: OSPS-GV-01.02
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/governance.hasRolesAndResponsibilities
    description: While active, the project documentation MUST include descriptions
      of the roles and responsibilities for members of the project.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-GV-01
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-GV-02.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasIssuesOrDiscussionsEnabled
    description: While active, the project MUST have one or more mechanisms for public
      discussions about proposed changes and usage obstacles.
    result: Passed
    message: Issues are enabled for the repository
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000292Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-GV-02
  result: Passed
  message: Issues are enabled for the repository
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-GV-03.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/governance.hasContributionGuide
    description: While active, the project documentation MUST include an explanation
      of the contribution process.
    result: Needs Review
    message: '"Contributing guide was found via GitHub API (Recommendation: Add code
      of conduct location to Security Insights data)"'
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000792Z
  - requirement:
      entry-id: OSPS-GV-03.02
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsActive
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/governance.hasContributionReviewPolicy
    description: While active, the project documentation MUST include a guide for
      code contributors that includes requirements for acceptable contributions.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-GV-03
  result: Needs Review
  message: '"Contributing guide was found via GitHub API (Recommendation: Add code
    of conduct location to Security Insights data)"'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-GV-04.01
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: While active, the project documentation MUST have a policy that code
      contributors are reviewed prior to granting escalated permissions to sensitive
      resources.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-GV-04
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-LE-01.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.GithubTermsOfService
    description: While active, the version control system MUST require all code contributors
      to assert that they are legally authorized to make the associated contributions
      on every commit.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-LE-01
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-LE-02.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/legal.foundLicense
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/legal.goodLicense
    description: While active, the license for the source code MUST meet the OSI Open
      Source Definition or the FSF Free Software Definition.
    result: Needs Review
    message: All license found are OSI or FSF approved
    steps-executed: 2
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.269504834Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-LE-02
  result: Needs Review
  message: All license found are OSI or FSF approved
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-LE-03.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/legal.foundLicense
    description: While active, the license for the source code MUST be maintained
      in the corresponding repository's LICENSE file, COPYING file, or LICENSE/ directory.
    result: Passed
    message: License was found in a well known location via the GitHub API
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000875Z
  - requirement:
      entry-id: OSPS-LE-03.02
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/legal.releasesLicensed
    description: While active, the license for the released software assets MUST be
      included in the released source code, or in a LICENSE file, COPYING file, or
      LICENSE/ directory alongside the corresponding release assets.
    result: Passed
    message: GitHub releases include the license(s) in the released source code.
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000375Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-LE-03
  result: Passed
  message: GitHub releases include the license(s) in the released source code.
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-01.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.repoIsPublic
    description: While active, the project's source code repository MUST be publicly
      readable at a static URL.
    result: Passed
    message: Repository is public
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000958Z
  - requirement:
      entry-id: OSPS-QA-01.02
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.GithubBuiltIn
    description: The version control system MUST contain a publicly readable record
      of all changes made, who made the changes, and when the changes were made.
    result: Passed
    message: This control is enforced by GitHub for all projects
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000375Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-01
  result: Passed
  message: This control is enforced by GitHub for all projects
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-02.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.verifyDependencyManagement
    description: When the package management system supports it, the source code repository
      MUST contain a dependency list that accounts for the direct language dependencies.
    result: Passed
    message: Found 8 dependency manifests from GitHub API
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000002667Z
  - requirement:
      entry-id: OSPS-QA-02.02
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When the project has made a release, all compiled released software
      assets MUST be delivered with a software bill of materials.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-02
  result: Passed
  message: Found 8 dependency manifests from GitHub API
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-03.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.statusChecksAreRequiredByRulesets
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.statusChecksAreRequiredByBranchProtection
    description: When a commit is made to the primary branch, any automated status
      checks for commits MUST pass or be manually bypassed.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-03
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-04.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsActive
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.insightsListsRepositories
    description: While active, the project documentation MUST contain a list of any
      codebases that are considered subprojects or additional repositories.
    result: Failed
    message: Insights does NOT contains a list of repositories
    steps-executed: 4
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-04
  result: Failed
  message: Insights does NOT contains a list of repositories
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-05.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.noBinariesInRepo
    description: While active, the version control system MUST NOT contain generated
      executable artifacts.
    result: Passed
    message: No common binary file extensions were found in the repository
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.729000709Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-05
  result: Passed
  message: No common binary file extensions were found in the repository
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-06.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.hasOneOrMoreStatusChecks
    description: Prior to a commit being accepted, the project's CI/CD pipelines MUST
      run at least one automated test suite to ensure the changes meet expectations.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  - requirement:
      entry-id: OSPS-QA-06.02
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.documentsTestExecution
    description: While active, project's documentation MUST clearly document when
      and how tests are run.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  - requirement:
      entry-id: OSPS-QA-06.03
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.documentsTestMaintenancePolicy
    description: While active, the project's documentation MUST include a policy that
      all major changes to the software produced by the project should add or update
      tests of the functionality in an automated test suite.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-06
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-07.01
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.requiresNonAuthorApproval
    description: When a commit is made to the primary branch, the project's version
      control system MUST require at least one non-author approval of the changes
      before merging.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-07
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-SA-01.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When the project has made a release, the project documentation MUST
      include design documentation demonstrating all actions and actors within the
      system.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-SA-01
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-SA-02.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When the project has made a release, the project documentation MUST
      include descriptions of all external software interfaces of the released software
      assets.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-SA-02
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-SA-03.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
 868    steps:
 869    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
 870    description: When the project has made a release, the project MUST perform a security
 871      assessment to understand the most likely and impactful potential security problems
 872      that could occur within the software.
 873    result: Not Run
 874    message: '""'
 875    steps-executed: 0
 876    start: 2025-08-22T16:02:00.000000000Z
 877  - requirement:
 878      entry-id: OSPS-SA-03.02
 879    applicability:
 880    - Maturity Level 3
 881    steps:
 882    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
 883    description: When the project has made a release, the project MUST perform a threat
 884      modeling and attack surface analysis to understand and protect against attacks
 885      on critical code paths, functions, and interactions within the system.
 886    result: Not Run
 887    message: '""'
 888    steps-executed: 0
 889    start: 2025-08-22T16:02:00.000000000Z
 890  control:
 891    reference-id: OSPS-B
 892    entry-id: OSPS-SA-03
 893  result: Not Run
 894  message: '""'
 895- name: ''
 896  assessment-logs:
 897  - requirement:
 898      entry-id: OSPS-VM-01.01
 899    applicability:
 900    - Maturity Level 2
 901    - Maturity Level 3
 902    steps:
 903    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
 904    description: While active, the project documentation MUST include a policy for
 905      coordinated vulnerability reporting, with a clear timeframe for response.
 906    result: Not Run
 907    message: '""'
 908    steps-executed: 0
 909    start: 2025-08-22T16:02:00.000000000Z
 910  control:
 911    reference-id: OSPS-B
 912    entry-id: OSPS-VM-01
 913  result: Not Run
 914  message: '""'
 915- name: ''
 916  assessment-logs:
 917  - requirement:
 918      entry-id: OSPS-VM-02.01
 919    applicability:
 920    - Maturity Level 1
 921    steps:
 922    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
 923    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/vuln_management.hasSecContact
 924    description: While active, the project documentation MUST contain security contacts.
 925    result: Failed
 926    message: Security contacts were not specified in Security Insights data
 927    steps-executed: 2
 928    start: 2025-08-22T16:02:00.000000000Z
 929  control:
 930    reference-id: OSPS-B
 931    entry-id: OSPS-VM-02
 932  result: Failed
 933  message: Security contacts were not specified in Security Insights data
 934- name: ''
 935  assessment-logs:
 936  - requirement:
 937      entry-id: OSPS-VM-03.01
 938    applicability:
 939    - Maturity Level 2
 940    - Maturity Level 3
 941    steps:
 942    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
 943    description: While active, the project documentation MUST provide a means for
 944      reporting security vulnerabilities privately to the security contacts within
 945      the project.
 946    result: Not Run
 947    message: '""'
 948    steps-executed: 0
 949    start: 2025-08-22T16:02:00.000000000Z
 950  control:
 951    reference-id: OSPS-B
 952    entry-id: OSPS-VM-03
 953  result: Not Run
 954  message: '""'
 955- name: ''
 956  assessment-logs:
 957  - requirement:
 958      entry-id: OSPS-VM-04.01
 959    applicability:
 960    - Maturity Level 2
 961    - Maturity Level 3
 962    steps:
 963    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
 964    description: While active, the project documentation MUST publicly publish data
 965      about discovered vulnerabilities.
 966    result: Not Run
 967    message: '""'
 968    steps-executed: 0
 969    start: 2025-08-22T16:02:00.000000000Z
 970  - requirement:
 971      entry-id: OSPS-VM-04.02
 972    applicability:
 973    - Maturity Level 3
 974    steps:
 975    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
 976    description: While active, any vulnerabilities in the software components not
 977      affecting the project MUST be accounted for in a VEX document, augmenting the
 978      vulnerability report with non-exploitability details.
 979    result: Not Run
 980    message: '""'
 981    steps-executed: 0
 982    start: 2025-08-22T16:02:00.000000000Z
 983  control:
 984    reference-id: OSPS-B
 985    entry-id: OSPS-VM-04
 986  result: Not Run
 987  message: '""'
 988- name: ''
 989  assessment-logs:
 990  - requirement:
 991      entry-id: OSPS-VM-05.01
 992    applicability:
 993    - Maturity Level 3
 994    steps:
 995    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
 996    description: While active, the project documentation MUST include a policy that
 997      defines a threshold for remediation of SCA findings related to vulnerabilities
 998      and licenses.
 999    result: Not Run
1000    message: '""'
1001    steps-executed: 0
1002    start: 2025-08-22T16:02:00.000000000Z
1003  - requirement:
1004      entry-id: OSPS-VM-05.02
1005    applicability:
1006    - Maturity Level 3
1007    steps:
1008    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
1009    description: While active, the project documentation MUST include a policy to
1010      address SCA violations prior to any release.
1011    result: Not Run
1012    message: '""'
1013    steps-executed: 0
1014    start: 2025-08-22T16:02:00.000000000Z
1015  - requirement:
1016      entry-id: OSPS-VM-05.03
1017    applicability:
1018    - Maturity Level 3
1019    steps:
1020    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
1021    description: While active, all changes to the project's codebase MUST be automatically
1022      evaluated against a documented policy for malicious dependencies and known vulnerabilities
1023      in dependencies, then blocked in the event of violations, except when declared
1024      and suppressed as non-exploitable.
1025    result: Not Run
1026    message: '""'
1027    steps-executed: 0
1028    start: 2025-08-22T16:02:00.000000000Z
1029  control:
1030    reference-id: OSPS-B
1031    entry-id: OSPS-VM-05
1032  result: Not Run
1033  message: '""'
1034- name: ''
1035  assessment-logs:
1036  - requirement:
1037      entry-id: OSPS-VM-06.01
1038    applicability:
1039    - Maturity Level 3
1040    steps:
1041    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasDependencyManagementPolicy
1042    description: While active, the project documentation MUST include a policy that
1043      defines a threshold for remediation of SAST findings.
1044    result: Not Run
1045    message: '""'
1046    steps-executed: 0
1047    start: 2025-08-22T16:02:00.000000000Z
1048  - requirement:
1049      entry-id: OSPS-VM-06.02
1050    applicability:
1051    - Maturity Level 3
1052    steps:
1053    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
1054    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
1055    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/vuln_management.sastToolDefined
1056    description: While active, all changes to the project's codebase MUST be automatically
1057      evaluated against a documented policy for security weaknesses and blocked in
1058      the event of violations except when declared and suppressed as non-exploitable.
1059    result: Not Run
1060    message: '""'
1061    steps-executed: 0
1062    start: 2025-08-22T16:02:00.000000000Z
1063  control:
1064    reference-id: OSPS-B
1065    entry-id: OSPS-VM-06
1066  result: Not Run
1067  message: '""'