diff --git a/docs/baseline-requirements.md b/docs/baseline-requirements.md index 3f9c557c..adf20a73 100644 --- a/docs/baseline-requirements.md +++ b/docs/baseline-requirements.md @@ -32,9 +32,7 @@ SPDX-License-Identifier: Apache-2.0 # Preamble / Scope -This document lays out the requirements for open-source products that should become part of openDesk (called "component" in the following). - -As this is a comprehensive set of requirements, most new components will not adhere to all of them. +This document lays out the requirements for all components of the openDesk (called "component" in the following). This document can be used to assess the status and possible gaps for a component, which might itself be the basis for a decision if the component should be integrated into openDesk by working on closing the identified gaps. 
@@ -47,16 +45,17 @@ This document can be used to assess the status and possible gaps for a component > NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and > "OPTIONAL" in this document are to be interpreted as described in > [RFC 2119](https://datatracker.ietf.org/doc/html/rfc2119). +> - MUST(NOT): These requirements are hard requirements and must be fulfilled. If technically possible they can be considered hard-blocking qualitygates that could prevent a new components artifact/container from being deployed. +> - SHOULD(NOT): These requirements don't need to be fulfilled but might be the future. Any given MUST-Requirement was a SHOULD-Requirement for at minimum 90 days and can only be bumped as an openDesk RFC. # Software bill of materials (SBOMs) +openDesk pürovides in-depth SBOM for container images. Those SBOMs are Scoped on a per-container basis. SBOMs SHOULD contain all software components present in the final image, even when obfuscated through static linking. False-Positive-Components are expected. -[ToDo: align this with ironDesk requirements] +Components MUST provide artifact and source code SBOMs in a standardized manner, ideally in the current [CycloneDX](https://cyclonedx.org/tool-center/) format ( 1.7 at time of writing ). This is explicitly supported by openCode's [DevGuard](https://devguard.opencode.de/) toolchain. -openDesk is looking into options for in-depth SBOM creation first for container images and later for source code. Components MUST provide artifact and source code SBOMs in a standardized manner, ideally in the openCode preferred [SPDX 2.2.1](https://spdx.org/rdf/ontology/spdx-2-2-1/) format. -**Reference:** https://gitlab.opencode.de/bmi/opendesk/deployment/SBOM/-/tree/main/sboms/0.5.74 ## Artifact SBOMs
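Review bot: In the first hunk (Preamble / Scope), the new scope sentence "the requirements for all components of the openDesk" conflicts with the unchanged sentence that follows, which still talks about deciding "if the component should be integrated into openDesk"; if the document now covers components that are already part of openDesk, that sentence needs rewording, and if candidate components are still in scope, the dropped line "most new components will not adhere to all of them" carried expectation-setting that is now lost. Minor: "of the openDesk" should read "of openDesk".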
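Review bot: In the second hunk (SBOM section), the added line "openDesk pürovides in-depth SBOM for container images" has a typo ("pürovides" for "provides") and inconsistent capitalisation ("Scoped"); please fix before merge. The new SHOULD(NOT) definition "don't need to be fulfilled but might be the future" is ambiguous as a normative rule; suggest stating it as "may become MUST requirements in the future" and spelling out the 90-day and RFC promotion rule as a separate sentence so that it is clear whether the 90 days are a minimum notice period. Also, the hunk removes the "**Reference:** https://gitlab.opencode.de/bmi/opendesk/deployment/SBOM/-/tree/main/sboms/0.5.74" link without replacing it, so readers no longer have an example of the SBOMs the text says openDesk provides; either keep the reference or point to the DevGuard toolchain as the source. Finally, "format ( 1.7 at time of writing )" has stray spaces inside the parentheses.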