github.com/gemaraproj/gemara@v1.3.0

test/test-data/pvtr-baseline-scan.yaml

metadata:
  id: PVTR-BASELINE-SCAN
  type: EvaluationLog
  gemara-version: "1.1.0"
  version: 1.0.0
  description: PVTR baseline scan evaluation results
  author:
    id: pvtr
    name: PVTR
    type: Software
result: Failed
target:
  id: github-repo
  name: GitHub Repository
  type: Software
evaluations:
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-AC-01.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/access_control.orgRequiresMFA
    description: When a user attempts to access a sensitive resource in the project's
      version control system, the system MUST require the user to complete a multi-factor
      authentication process.
    result: Passed
    message: Two-factor authentication is configured as required by the parent organization
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000003708Z
    evidence:
    - id: EV-AC-01-01
      type: api-response
      collected-at: 2025-08-22T16:02:00.000003000Z
      payload:
        login: revanite-io
        two_factor_requirement_enabled: true
      description: Organization settings showing org-wide MFA enforcement
  control:
    reference-id: OSPS-B
    entry-id: OSPS-AC-01
  result: Passed
  message: Two-factor authentication is configured as required by the parent organization
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-AC-02.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.GithubBuiltIn
    description: When a new collaborator is added, the version control system MUST
      require manual permission assignment, or restrict the collaborator permissions
      to the lowest available privileges by default.
    result: Passed
    message: This control is enforced by GitHub for all projects
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000001208Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-AC-02
  result: Passed
  message: This control is enforced by GitHub for all projects
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-AC-03.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/access_control.branchProtectionRestrictsPushes
    description: When a direct commit is attempted on the project's primary branch,
      an enforcement mechanism MUST prevent the change from being applied.
    result: Passed
    message: Branch protection rule requires approving reviews
    steps-executed: 2
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000002750Z
  - requirement:
      entry-id: OSPS-AC-03.02
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/access_control.branchProtectionPreventsDeletion
    description: When an attempt is made to delete the project's primary branch, the
      version control system MUST treat this as a sensitive activity and require explicit
      confirmation of intent.
    result: Passed
    message: Branch protection rule prevents deletions
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000001167Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-AC-03
  result: Passed
  message: Branch protection rule prevents deletions
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-AC-04.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/access_control.workflowDefaultReadPermissions
    description: When a CI/CD task is executed with no permissions specified, the
      project's version control system MUST default to the lowest available permissions
      for all activities in the pipeline.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-AC-04
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-01.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.cicdSanitizedInputParameters
    description: When a CI/CD pipeline accepts an input parameter, that parameter
      MUST be sanitized and validated prior to use in the pipeline.
    result: Passed
    message: GitHub Workflows variables do not contain untrusted inputs
    steps-executed: 2
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:01.711621250Z
  - requirement:
      entry-id: OSPS-BR-01.02
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When a CI/CD pipeline uses a branch name in its functionality, that
      name value MUST be sanitized and validated prior to use in the pipeline.
    result: Needs Review
    message: Not implemented
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000708Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-01
  result: Needs Review
  message: Not implemented
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-02.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.releaseHasUniqueIdentifier
    description: When an official release is created, that release MUST be assigned
      a unique version identifier.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-02
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-03.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.ensureInsightsLinksUseHTTPS
    description: When the project lists a URI as an official project channel, that
      URI MUST be exclusively delivered using encrypted channels.
    result: Needs Review
    message: All links use HTTPS
    steps-executed: 2
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000003417Z
  - requirement:
      entry-id: OSPS-BR-03.02
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.distributionPointsUseHTTPS
    description: When the project lists a URI as an official distribution channel,
      that URI MUST be exclusively delivered using encrypted channels.
    result: Passed
    message: No official distribution points found in Security Insights data
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000584Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-03
  result: Needs Review
  message: No official distribution points found in Security Insights data
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-04.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.ensureLatestReleaseHasChangelog
    description: When an official release is created, that release MUST contain a
      descriptive log of functional and security modifications.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-04
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-05.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When a build and release pipeline ingests dependencies, it MUST use
      standardized tooling where available.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-05
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-06.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.insightsHasSlsaAttestation
    description: When an official release is created, that release MUST be signed
      or accounted for in a signed manifest including each asset's cryptographic hashes.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-06
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-01.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.hasUserGuides
    description: When the project has made a release, the project documentation MUST
      include user guides for all basic functionality.
    result: Failed
    message: User guide was NOT specified in Security Insights data
    steps-executed: 3
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-01
  result: Failed
  message: User guide was NOT specified in Security Insights data
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-02.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasIssuesOrDiscussionsEnabled
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.acceptsVulnReports
    description: When the project has made a release, the project documentation MUST
      include a guide for reporting defects.
    result: Failed
    message: Repository does not accept vulnerability reports
    steps-executed: 3
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-02
  result: Failed
  message: Repository does not accept vulnerability reports
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-03.01
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.hasSignatureVerificationGuide
    description: When the project has made a release, the project documentation MUST
      contain instructions to verify the integrity and authenticity of the release
      assets.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-03
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-04.01
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.hasSupportDocs
    description: When the project has made a release, the project documentation MUST
      include a descriptive statement about the scope and duration of support for
      each release.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-04
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-05.01
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.hasSupportDocs
    description: When the project has made a release, the project documentation MUST
      provide a descriptive statement when releases or versions will no longer receive
      security updates.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-05
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-06.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.hasDependencyManagementPolicy
    description: When the project has made a release, the project documentation MUST
      include a description of how the project selects, obtains, and tracks its dependencies.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-06
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-GV-01.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsActive
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/governance.coreTeamIsListed
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/governance.projectAdminsListed
    description: While active, the project documentation MUST include a list of project
      members with access to sensitive resources.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  - requirement:
      entry-id: OSPS-GV-01.02
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/governance.hasRolesAndResponsibilities
    description: While active, the project documentation MUST include descriptions
      of the roles and responsibilities for members of the project.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-GV-01
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-GV-02.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasIssuesOrDiscussionsEnabled
    description: While active, the project MUST have one or more mechanisms for public
      discussions about proposed changes and usage obstacles.
    result: Passed
    message: Issues are enabled for the repository
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000292Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-GV-02
  result: Passed
  message: Issues are enabled for the repository
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-GV-03.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/governance.hasContributionGuide
    description: While active, the project documentation MUST include an explanation
      of the contribution process.
    result: Needs Review
    message: '"Contributing guide was found via GitHub API (Recommendation: Add code
      of conduct location to Security Insights data)"'
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000792Z
  - requirement:
      entry-id: OSPS-GV-03.02
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsActive
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/governance.hasContributionReviewPolicy
    description: While active, the project documentation MUST include a guide for
      code contributors that includes requirements for acceptable contributions.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-GV-03
  result: Needs Review
  message: '"Contributing guide was found via GitHub API (Recommendation: Add code
    of conduct location to Security Insights data)"'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-GV-04.01
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: While active, the project documentation MUST have a policy that code
      contributors are reviewed prior to granting escalated permissions to sensitive
      resources.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-GV-04
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-LE-01.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.GithubTermsOfService
    description: While active, the version control system MUST require all code contributors
      to assert that they are legally authorized to make the associated contributions
      on every commit.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-LE-01
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-LE-02.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/legal.foundLicense
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/legal.goodLicense
    description: While active, the license for the source code MUST meet the OSI Open
      Source Definition or the FSF Free Software Definition.
    result: Needs Review
    message: All license found are OSI or FSF approved
    steps-executed: 2
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.269504834Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-LE-02
  result: Needs Review
  message: All license found are OSI or FSF approved
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-LE-03.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/legal.foundLicense
    description: While active, the license for the source code MUST be maintained
      in the corresponding repository's LICENSE file, COPYING file, or LICENSE/ directory.
    result: Passed
    message: License was found in a well known location via the GitHub API
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000875Z
  - requirement:
      entry-id: OSPS-LE-03.02
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/legal.releasesLicensed
    description: While active, the license for the released software assets MUST be
      included in the released source code, or in a LICENSE file, COPYING file, or
      LICENSE/ directory alongside the corresponding release assets.
    result: Passed
    message: GitHub releases include the license(s) in the released source code.
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000375Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-LE-03
  result: Passed
  message: GitHub releases include the license(s) in the released source code.
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-01.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.repoIsPublic
    description: While active, the project's source code repository MUST be publicly
      readable at a static URL.
    result: Passed
    message: Repository is public
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000958Z
  - requirement:
      entry-id: OSPS-QA-01.02
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.GithubBuiltIn
    description: The version control system MUST contain a publicly readable record
      of all changes made, who made the changes, and when the changes were made.
    result: Passed
    message: This control is enforced by GitHub for all projects
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000375Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-01
  result: Passed
  message: This control is enforced by GitHub for all projects
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-02.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.verifyDependencyManagement
    description: When the package management system supports it, the source code repository
      MUST contain a dependency list that accounts for the direct language dependencies.
    result: Passed
    message: Found 8 dependency manifests from GitHub API
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000002667Z
  - requirement:
      entry-id: OSPS-QA-02.02
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When the project has made a release, all compiled released software
      assets MUST be delivered with a software bill of materials.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-02
  result: Passed
  message: Found 8 dependency manifests from GitHub API
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-03.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.statusChecksAreRequiredByRulesets
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.statusChecksAreRequiredByBranchProtection
    description: When a commit is made to the primary branch, any automated status
      checks for commits MUST pass or be manually bypassed.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-03
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-04.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsActive
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.insightsListsRepositories
    description: While active, the project documentation MUST contain a list of any
      codebases that are considered subprojects or additional repositories.
    result: Failed
    message: Insights does NOT contains a list of repositories
    steps-executed: 4
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-04
  result: Failed
  message: Insights does NOT contains a list of repositories
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-05.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.noBinariesInRepo
    description: While active, the version control system MUST NOT contain generated
      executable artifacts.
    result: Passed
    message: No common binary file extensions were found in the repository
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.729000709Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-05
  result: Passed
  message: No common binary file extensions were found in the repository
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-06.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.hasOneOrMoreStatusChecks
    description: Prior to a commit being accepted, the project's CI/CD pipelines MUST
      run at least one automated test suite to ensure the changes meet expectations.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  - requirement:
      entry-id: OSPS-QA-06.02
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.documentsTestExecution
    description: While active, project's documentation MUST clearly document when
      and how tests are run.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  - requirement:
      entry-id: OSPS-QA-06.03
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.documentsTestMaintenancePolicy
    description: While active, the project's documentation MUST include a policy that
      all major changes to the software produced by the project should add or update
      tests of the functionality in an automated test suite.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-06
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-07.01
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.requiresNonAuthorApproval
    description: When a commit is made to the primary branch, the project's version
      control system MUST require at least one non-author approval of the changes
      before merging.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-07
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-SA-01.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When the project has made a release, the project documentation MUST
      include design documentation demonstrating all actions and actors within the
      system.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-SA-01
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-SA-02.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When the project has made a release, the project documentation MUST
      include descriptions of all external software interfaces of the released software
      assets.
    result: Not Run
    message: '""'
 862    steps-executed: 0
 863    start: 2025-08-22T16:02:00.000000000Z
 864  control:
 865    reference-id: OSPS-B
 866    entry-id: OSPS-SA-02
 867  result: Not Run
 868  message: '""'
 869- name: ''
 870  assessment-logs:
 871  - requirement:
 872      entry-id: OSPS-SA-03.01
 873    applicability:
 874    - Maturity Level 2
 875    - Maturity Level 3
 876    steps:
 877    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
 878    description: When the project has made a release, the project MUST perform a security
 879      assessment to understand the most likely and impactful potential security problems
 880      that could occur within the software.
 881    result: Not Run
 882    message: '""'
 883    steps-executed: 0
 884    start: 2025-08-22T16:02:00.000000000Z
 885  - requirement:
 886      entry-id: OSPS-SA-03.02
 887    applicability:
 888    - Maturity Level 3
 889    steps:
 890    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
 891    description: When the project has made a release, the project MUST perform a threat
 892      modeling and attack surface analysis to understand and protect against attacks
 893      on critical code paths, functions, and interactions within the system.
 894    result: Not Run
 895    message: '""'
 896    steps-executed: 0
 897    start: 2025-08-22T16:02:00.000000000Z
 898  control:
 899    reference-id: OSPS-B
 900    entry-id: OSPS-SA-03
 901  result: Not Run
 902  message: '""'
 903- name: ''
 904  assessment-logs:
 905  - requirement:
 906      entry-id: OSPS-VM-01.01
 907    applicability:
 908    - Maturity Level 2
 909    - Maturity Level 3
 910    steps:
 911    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
 912    description: While active, the project documentation MUST include a policy for
 913      coordinated vulnerability reporting, with a clear timeframe for response.
 914    result: Not Run
 915    message: '""'
 916    steps-executed: 0
 917    start: 2025-08-22T16:02:00.000000000Z
 918  control:
 919    reference-id: OSPS-B
 920    entry-id: OSPS-VM-01
 921  result: Not Run
 922  message: '""'
 923- name: ''
 924  assessment-logs:
 925  - requirement:
 926      entry-id: OSPS-VM-02.01
 927    applicability:
 928    - Maturity Level 1
 929    steps:
 930    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
 931    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/vuln_management.hasSecContact
 932    description: While active, the project documentation MUST contain security contacts.
 933    result: Failed
 934    message: Security contacts were not specified in Security Insights data
 935    steps-executed: 2
 936    start: 2025-08-22T16:02:00.000000000Z
 937  control:
 938    reference-id: OSPS-B
 939    entry-id: OSPS-VM-02
 940  result: Failed
 941  message: Security contacts were not specified in Security Insights data
 942- name: ''
 943  assessment-logs:
 944  - requirement:
 945      entry-id: OSPS-VM-03.01
 946    applicability:
 947    - Maturity Level 2
 948    - Maturity Level 3
 949    steps:
 950    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
 951    description: While active, the project documentation MUST provide a means for
 952      reporting security vulnerabilities privately to the security contacts within
 953      the project.
 954    result: Not Run
 955    message: '""'
 956    steps-executed: 0
 957    start: 2025-08-22T16:02:00.000000000Z
 958  control:
 959    reference-id: OSPS-B
 960    entry-id: OSPS-VM-03
 961  result: Not Run
 962  message: '""'
 963- name: ''
 964  assessment-logs:
 965  - requirement:
 966      entry-id: OSPS-VM-04.01
 967    applicability:
 968    - Maturity Level 2
 969    - Maturity Level 3
 970    steps:
 971    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
 972    description: While active, the project documentation MUST publicly publish data
 973      about discovered vulnerabilities.
 974    result: Not Run
 975    message: '""'
 976    steps-executed: 0
 977    start: 2025-08-22T16:02:00.000000000Z
 978  - requirement:
 979      entry-id: OSPS-VM-04.02
 980    applicability:
 981    - Maturity Level 3
 982    steps:
 983    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
 984    description: While active, any vulnerabilities in the software components not
 985      affecting the project MUST be accounted for in a VEX document, augmenting the
 986      vulnerability report with non-exploitability details.
 987    result: Not Run
 988    message: '""'
 989    steps-executed: 0
 990    start: 2025-08-22T16:02:00.000000000Z
 991  control:
 992    reference-id: OSPS-B
 993    entry-id: OSPS-VM-04
 994  result: Not Run
 995  message: '""'
 996- name: ''
 997  assessment-logs:
 998  - requirement:
 999      entry-id: OSPS-VM-05.01
1000    applicability:
1001    - Maturity Level 3
1002    steps:
1003    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
1004    description: While active, the project documentation MUST include a policy that
1005      defines a threshold for remediation of SCA findings related to vulnerabilities
1006      and licenses.
1007    result: Not Run
1008    message: '""'
1009    steps-executed: 0
1010    start: 2025-08-22T16:02:00.000000000Z
1011  - requirement:
1012      entry-id: OSPS-VM-05.02
1013    applicability:
1014    - Maturity Level 3
1015    steps:
1016    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
1017    description: While active, the project documentation MUST include a policy to
1018      address SCA violations prior to any release.
1019    result: Not Run
1020    message: '""'
1021    steps-executed: 0
1022    start: 2025-08-22T16:02:00.000000000Z
1023  - requirement:
1024      entry-id: OSPS-VM-05.03
1025    applicability:
1026    - Maturity Level 3
1027    steps:
1028    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
1029    description: While active, all changes to the project's codebase MUST be automatically
1030      evaluated against a documented policy for malicious dependencies and known vulnerabilities
1031      in dependencies, then blocked in the event of violations, except when declared
1032      and suppressed as non-exploitable.
1033    result: Not Run
1034    message: '""'
1035    steps-executed: 0
1036    start: 2025-08-22T16:02:00.000000000Z
1037  control:
1038    reference-id: OSPS-B
1039    entry-id: OSPS-VM-05
1040  result: Not Run
1041  message: '""'
1042- name: ''
1043  assessment-logs:
1044  - requirement:
1045      entry-id: OSPS-VM-06.01
1046    applicability:
1047    - Maturity Level 3
1048    steps:
1049    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasDependencyManagementPolicy
1050    description: While active, the project documentation MUST include a policy that
1051      defines a threshold for remediation of SAST findings.
1052    result: Not Run
1053    message: '""'
1054    steps-executed: 0
1055    start: 2025-08-22T16:02:00.000000000Z
1056  - requirement:
1057      entry-id: OSPS-VM-06.02
1058    applicability:
1059    - Maturity Level 3
1060    steps:
1061    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
1062    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
1063    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/vuln_management.sastToolDefined
1064    description: While active, all changes to the project's codebase MUST be automatically
1065      evaluated against a documented policy for security weaknesses and blocked in
1066      the event of violations except when declared and suppressed as non-exploitable.
1067    result: Not Run
1068    message: '""'
1069    steps-executed: 0
1070    start: 2025-08-22T16:02:00.000000000Z
1071  control:
1072    reference-id: OSPS-B
1073    entry-id: OSPS-VM-06
1074  result: Not Run
1075  message: '""'