@cyclonedx/cdxgen
Creates CycloneDX Software Bill of Materials (SBOM) from source or container image
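The JSON file below declares a CycloneDX 1.6 `definitions.standards` block: a standard (`bsimm-v13`) whose `requirements` are linked into a hierarchy by `bom-ref` and `parent`. Two properties make that block usable by downstream tooling and neither is enforced by JSON itself: every `bom-ref` must be unique within the BOM, and every `parent` must name another requirement of the same standard. The following check is an added example, not cdxgen's own code or the CycloneDX reference tooling. The file name `check-standards.js` and the constructed sample BOM (trimmed from the BSIMM entries below, with a duplicate `bom-ref` and a dangling `parent` left in on purpose) are assumptions made for the example.

```javascript
"use strict";
// Added example, not cdxgen's own code: consistency check for the
// `definitions.standards` block of a CycloneDX 1.6 JSON BOM. It reports
// duplicate bom-refs, parents that do not resolve inside the same standard,
// and parent chains that loop, and warns when the BOM predates 1.6 (the
// release that introduced `definitions`).

// Constructed sample, trimmed from the BSIMM standard on this page. The
// duplicate "intelligence-sfd" is kept on purpose, and the top-level
// "ssdl-touchpoints" requirement is deliberately omitted so the
// dangling-parent check has something to report.
const SAMPLE_BOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.6",
  definitions: {
    standards: [
      {
        "bom-ref": "bsimm-v13",
        name: "Build Security In Maturity Model (BSIMM)",
        version: "13",
        requirements: [
          { "bom-ref": "governance", title: "Governance" },
          { "bom-ref": "intelligence", title: "Intelligence" },
          { "bom-ref": "governance-sm", title: "Governance: Strategy & Metrics", parent: "governance" },
          { "bom-ref": "intelligence-sfd", title: "Intelligence: Security Features & Design", parent: "intelligence" },
          { "bom-ref": "intelligence-sfd", title: "Intelligence: Standards & Requirements", parent: "intelligence" },
          { "bom-ref": "ssdl-touchpoints-aa", title: "SSDL Touchpoints: Architecture Analysis", parent: "ssdl-touchpoints" },
        ],
      },
    ],
  },
};

// Returns an array of { level, ref, msg } findings; an empty array means the
// standards block is internally consistent.
function validateStandards(bom) {
  const findings = [];
  const [major, minor] = String(bom.specVersion || "0.0").split(".").map(Number);
  if (bom.bomFormat !== "CycloneDX" || !(major > 1 || (major === 1 && minor >= 6))) {
    findings.push({ level: "warn", ref: "<bom>", msg: "definitions.standards requires CycloneDX specVersion 1.6 or later" });
  }
  const standards = (bom.definitions && bom.definitions.standards) || [];
  const standardRefs = new Set();
  for (const std of standards) {
    const stdRef = std["bom-ref"] || "<standard without bom-ref>";
    if (standardRefs.has(stdRef)) findings.push({ level: "error", ref: stdRef, msg: "duplicate standard bom-ref" });
    standardRefs.add(stdRef);

    // First pass: index requirements by bom-ref, flagging duplicates.
    const byRef = new Map();
    const reqs = std.requirements || [];
    for (const req of reqs) {
      const ref = req["bom-ref"];
      if (!ref) { findings.push({ level: "error", ref: req.title || "<untitled>", msg: "requirement without bom-ref" }); continue; }
      if (byRef.has(ref)) {
        findings.push({ level: "error", ref, msg: `duplicate bom-ref (first used by "${byRef.get(ref).title}")` });
      } else {
        byRef.set(ref, req);
      }
    }
    // Second pass: every parent must resolve inside the same standard.
    for (const req of reqs) {
      if (req.parent !== undefined && !byRef.has(req.parent)) {
        findings.push({ level: "error", ref: req["bom-ref"], msg: `parent "${req.parent}" not found in standard ${stdRef}` });
      }
    }
    // Third pass: parent chains must terminate, each loop reported once.
    const inLoop = new Set();
    for (const req of reqs) {
      const start = req["bom-ref"];
      if (!start || inLoop.has(start)) continue;
      const path = [];
      let cur = req;
      while (cur && cur.parent !== undefined) {
        const ref = cur["bom-ref"];
        if (path.includes(ref)) {
          findings.push({ level: "error", ref, msg: `parent chain loops: ${path.join(" -> ")} -> ${ref}` });
          path.forEach((p) => inLoop.add(p));
          break;
        }
        path.push(ref);
        cur = byRef.get(cur.parent);
      }
    }
  }
  return findings;
}

// Usage: node check-standards.js path/to/bom.json
// Without a path the constructed sample is checked and the exit code is left alone.
if (typeof require === "function" && require.main === module) {
  const fs = require("fs");
  const path = process.argv[2];
  const target = path && fs.existsSync(path) ? JSON.parse(fs.readFileSync(path, "utf8")) : SAMPLE_BOM;
  const findings = validateStandards(target);
  for (const f of findings) console.log(`${f.level}: ${f.ref}: ${f.msg}`);
  if (path) process.exitCode = findings.some((f) => f.level === "error") ? 1 : 0;
}
```

Run against a real file the check exits non-zero on any error-level finding, which makes it usable as a CI gate before the BOM is signed or published; a warning alone (an older `specVersion`) does not block. Duplicate `bom-ref`s matter beyond tidiness: `bom-ref` is the key that `dependencies`, `vulnerabilities.affects`, and attestation claims use to point at an element, so an ambiguous one lets two consumers read the same BOM differently.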
{
"metadata": {
"licenses": [
{
"license": {
"id": "CC-BY-SA-3.0",
"text": {
"contentType": "text/plain",
"encoding": "base64",
"content": "Q3JlYXRpdmUgQ29tbW9ucyBMZWdhbCBDb2RlCgpBdHRyaWJ1dGlvbi1TaGFyZUFsaWtlIDMuMCBVbnBvcnRlZAoKICAgIENSRUFUSVZFIENPTU1PTlMgQ09SUE9SQVRJT04gSVMgTk9UIEEgTEFXIEZJUk0gQU5EIERPRVMgTk9UIFBST1ZJREUKICAgIExFR0FMIFNFUlZJQ0VTLiBESVNUUklCVVRJT04gT0YgVEhJUyBMSUNFTlNFIERPRVMgTk9UIENSRUFURSBBTgogICAgQVRUT1JORVktQ0xJRU5UIFJFTEFUSU9OU0hJUC4gQ1JFQVRJVkUgQ09NTU9OUyBQUk9WSURFUyBUSElTCiAgICBJTkZPUk1BVElPTiBPTiBBTiAiQVMtSVMiIEJBU0lTLiBDUkVBVElWRSBDT01NT05TIE1BS0VTIE5PIFdBUlJBTlRJRVMKICAgIFJFR0FSRElORyBUSEUgSU5GT1JNQVRJT04gUFJPVklERUQsIEFORCBESVNDTEFJTVMgTElBQklMSVRZIEZPUgogICAgREFNQUdFUyBSRVNVTFRJTkcgRlJPTSBJVFMgVVNFLgoKTGljZW5zZQoKVEhFIFdPUksgKEFTIERFRklORUQgQkVMT1cpIElTIFBST1ZJREVEIFVOREVSIFRIRSBURVJNUyBPRiBUSElTIENSRUFUSVZFCkNPTU1PTlMgUFVCTElDIExJQ0VOU0UgKCJDQ1BMIiBPUiAiTElDRU5TRSIpLiBUSEUgV09SSyBJUyBQUk9URUNURUQgQlkKQ09QWVJJR0hUIEFORC9PUiBPVEhFUiBBUFBMSUNBQkxFIExBVy4gQU5ZIFVTRSBPRiBUSEUgV09SSyBPVEhFUiBUSEFOIEFTCkFVVEhPUklaRUQgVU5ERVIgVEhJUyBMSUNFTlNFIE9SIENPUFlSSUdIVCBMQVcgSVMgUFJPSElCSVRFRC4KCkJZIEVYRVJDSVNJTkcgQU5ZIFJJR0hUUyBUTyBUSEUgV09SSyBQUk9WSURFRCBIRVJFLCBZT1UgQUNDRVBUIEFORCBBR1JFRQpUTyBCRSBCT1VORCBCWSBUSEUgVEVSTVMgT0YgVEhJUyBMSUNFTlNFLiBUTyBUSEUgRVhURU5UIFRISVMgTElDRU5TRSBNQVkKQkUgQ09OU0lERVJFRCBUTyBCRSBBIENPTlRSQUNULCBUSEUgTElDRU5TT1IgR1JBTlRTIFlPVSBUSEUgUklHSFRTCkNPTlRBSU5FRCBIRVJFIElOIENPTlNJREVSQVRJT04gT0YgWU9VUiBBQ0NFUFRBTkNFIE9GIFNVQ0ggVEVSTVMgQU5ECkNPTkRJVElPTlMuCgoxLiBEZWZpbml0aW9ucwoKIGEuICJBZGFwdGF0aW9uIiBtZWFucyBhIHdvcmsgYmFzZWQgdXBvbiB0aGUgV29yaywgb3IgdXBvbiB0aGUgV29yayBhbmQKICAgIG90aGVyIHByZS1leGlzdGluZyB3b3Jrcywgc3VjaCBhcyBhIHRyYW5zbGF0aW9uLCBhZGFwdGF0aW9uLAogICAgZGVyaXZhdGl2ZSB3b3JrLCBhcnJhbmdlbWVudCBvZiBtdXNpYyBvciBvdGhlciBhbHRlcmF0aW9ucyBvZiBhCiAgICBsaXRlcmFyeSBvciBhcnRpc3RpYyB3b3JrLCBvciBwaG9ub2dyYW0gb3IgcGVyZm9ybWFuY2UgYW5kIGluY2x1ZGVzCiAgICBjaW5lbWF0b2dyYXBoaWMgYWRhcHRhdGlvbnMgb3IgYW55IG90aGVyIGZvcm0gaW4gd2hpY2ggdGhlIFdvcmsgbWF5IGJlCiAgICByZWNhc3QsIHRyYW5zZm9ybWVkLCBvciBhZGFwdGVkIGluY2x1ZGluZyBpbiBhbnkgZm9ybSByZWNvZ25pemFibHkKICAgIGRlcml2ZWQgZnJvbSB0
aGUgb3JpZ2luYWwsIGV4Y2VwdCB0aGF0IGEgd29yayB0aGF0IGNvbnN0aXR1dGVzIGEKICAgIENvbGxlY3Rpb24gd2lsbCBub3QgYmUgY29uc2lkZXJlZCBhbiBBZGFwdGF0aW9uIGZvciB0aGUgcHVycG9zZSBvZgogICAgdGhpcyBMaWNlbnNlLiBGb3IgdGhlIGF2b2lkYW5jZSBvZiBkb3VidCwgd2hlcmUgdGhlIFdvcmsgaXMgYSBtdXNpY2FsCiAgICB3b3JrLCBwZXJmb3JtYW5jZSBvciBwaG9ub2dyYW0sIHRoZSBzeW5jaHJvbml6YXRpb24gb2YgdGhlIFdvcmsgaW4KICAgIHRpbWVkLXJlbGF0aW9uIHdpdGggYSBtb3ZpbmcgaW1hZ2UgKCJzeW5jaGluZyIpIHdpbGwgYmUgY29uc2lkZXJlZCBhbgogICAgQWRhcHRhdGlvbiBmb3IgdGhlIHB1cnBvc2Ugb2YgdGhpcyBMaWNlbnNlLgogYi4gIkNvbGxlY3Rpb24iIG1lYW5zIGEgY29sbGVjdGlvbiBvZiBsaXRlcmFyeSBvciBhcnRpc3RpYyB3b3Jrcywgc3VjaCBhcwogICAgZW5jeWNsb3BlZGlhcyBhbmQgYW50aG9sb2dpZXMsIG9yIHBlcmZvcm1hbmNlcywgcGhvbm9ncmFtcyBvcgogICAgYnJvYWRjYXN0cywgb3Igb3RoZXIgd29ya3Mgb3Igc3ViamVjdCBtYXR0ZXIgb3RoZXIgdGhhbiB3b3JrcyBsaXN0ZWQKICAgIGluIFNlY3Rpb24gMShmKSBiZWxvdywgd2hpY2gsIGJ5IHJlYXNvbiBvZiB0aGUgc2VsZWN0aW9uIGFuZAogICAgYXJyYW5nZW1lbnQgb2YgdGhlaXIgY29udGVudHMsIGNvbnN0aXR1dGUgaW50ZWxsZWN0dWFsIGNyZWF0aW9ucywgaW4KICAgIHdoaWNoIHRoZSBXb3JrIGlzIGluY2x1ZGVkIGluIGl0cyBlbnRpcmV0eSBpbiB1bm1vZGlmaWVkIGZvcm0gYWxvbmcKICAgIHdpdGggb25lIG9yIG1vcmUgb3RoZXIgY29udHJpYnV0aW9ucywgZWFjaCBjb25zdGl0dXRpbmcgc2VwYXJhdGUgYW5kCiAgICBpbmRlcGVuZGVudCB3b3JrcyBpbiB0aGVtc2VsdmVzLCB3aGljaCB0b2dldGhlciBhcmUgYXNzZW1ibGVkIGludG8gYQogICAgY29sbGVjdGl2ZSB3aG9sZS4gQSB3b3JrIHRoYXQgY29uc3RpdHV0ZXMgYSBDb2xsZWN0aW9uIHdpbGwgbm90IGJlCiAgICBjb25zaWRlcmVkIGFuIEFkYXB0YXRpb24gKGFzIGRlZmluZWQgYmVsb3cpIGZvciB0aGUgcHVycG9zZXMgb2YgdGhpcwogICAgTGljZW5zZS4KIGMuICJDcmVhdGl2ZSBDb21tb25zIENvbXBhdGlibGUgTGljZW5zZSIgbWVhbnMgYSBsaWNlbnNlIHRoYXQgaXMgbGlzdGVkCiAgICBhdCBodHRwczovL2NyZWF0aXZlY29tbW9ucy5vcmcvY29tcGF0aWJsZWxpY2Vuc2VzIHRoYXQgaGFzIGJlZW4KICAgIGFwcHJvdmVkIGJ5IENyZWF0aXZlIENvbW1vbnMgYXMgYmVpbmcgZXNzZW50aWFsbHkgZXF1aXZhbGVudCB0byB0aGlzCiAgICBMaWNlbnNlLCBpbmNsdWRpbmcsIGF0IGEgbWluaW11bSwgYmVjYXVzZSB0aGF0IGxpY2Vuc2U6IChpKSBjb250YWlucwogICAgdGVybXMgdGhhdCBoYXZlIHRoZSBzYW1lIHB1cnBvc2UsIG1lYW5pbmcgYW5kIGVmZmVjdCBhcyB0aGUgTGljZW5zZQogICAgRWxlbWVudHMgb2YgdGhpcyBMaWNl
bnNlOyBhbmQsIChpaSkgZXhwbGljaXRseSBwZXJtaXRzIHRoZSByZWxpY2Vuc2luZwogICAgb2YgYWRhcHRhdGlvbnMgb2Ygd29ya3MgbWFkZSBhdmFpbGFibGUgdW5kZXIgdGhhdCBsaWNlbnNlIHVuZGVyIHRoaXMKICAgIExpY2Vuc2Ugb3IgYSBDcmVhdGl2ZSBDb21tb25zIGp1cmlzZGljdGlvbiBsaWNlbnNlIHdpdGggdGhlIHNhbWUKICAgIExpY2Vuc2UgRWxlbWVudHMgYXMgdGhpcyBMaWNlbnNlLgogZC4gIkRpc3RyaWJ1dGUiIG1lYW5zIHRvIG1ha2UgYXZhaWxhYmxlIHRvIHRoZSBwdWJsaWMgdGhlIG9yaWdpbmFsIGFuZAogICAgY29waWVzIG9mIHRoZSBXb3JrIG9yIEFkYXB0YXRpb24sIGFzIGFwcHJvcHJpYXRlLCB0aHJvdWdoIHNhbGUgb3IKICAgIG90aGVyIHRyYW5zZmVyIG9mIG93bmVyc2hpcC4KIGUuICJMaWNlbnNlIEVsZW1lbnRzIiBtZWFucyB0aGUgZm9sbG93aW5nIGhpZ2gtbGV2ZWwgbGljZW5zZSBhdHRyaWJ1dGVzCiAgICBhcyBzZWxlY3RlZCBieSBMaWNlbnNvciBhbmQgaW5kaWNhdGVkIGluIHRoZSB0aXRsZSBvZiB0aGlzIExpY2Vuc2U6CiAgICBBdHRyaWJ1dGlvbiwgU2hhcmVBbGlrZS4KIGYuICJMaWNlbnNvciIgbWVhbnMgdGhlIGluZGl2aWR1YWwsIGluZGl2aWR1YWxzLCBlbnRpdHkgb3IgZW50aXRpZXMgdGhhdAogICAgb2ZmZXIocykgdGhlIFdvcmsgdW5kZXIgdGhlIHRlcm1zIG9mIHRoaXMgTGljZW5zZS4KIGcuICJPcmlnaW5hbCBBdXRob3IiIG1lYW5zLCBpbiB0aGUgY2FzZSBvZiBhIGxpdGVyYXJ5IG9yIGFydGlzdGljIHdvcmssCiAgICB0aGUgaW5kaXZpZHVhbCwgaW5kaXZpZHVhbHMsIGVudGl0eSBvciBlbnRpdGllcyB3aG8gY3JlYXRlZCB0aGUgV29yawogICAgb3IgaWYgbm8gaW5kaXZpZHVhbCBvciBlbnRpdHkgY2FuIGJlIGlkZW50aWZpZWQsIHRoZSBwdWJsaXNoZXI7IGFuZCBpbgogICAgYWRkaXRpb24gKGkpIGluIHRoZSBjYXNlIG9mIGEgcGVyZm9ybWFuY2UgdGhlIGFjdG9ycywgc2luZ2VycywKICAgIG11c2ljaWFucywgZGFuY2VycywgYW5kIG90aGVyIHBlcnNvbnMgd2hvIGFjdCwgc2luZywgZGVsaXZlciwgZGVjbGFpbSwKICAgIHBsYXkgaW4sIGludGVycHJldCBvciBvdGhlcndpc2UgcGVyZm9ybSBsaXRlcmFyeSBvciBhcnRpc3RpYyB3b3JrcyBvcgogICAgZXhwcmVzc2lvbnMgb2YgZm9sa2xvcmU7IChpaSkgaW4gdGhlIGNhc2Ugb2YgYSBwaG9ub2dyYW0gdGhlIHByb2R1Y2VyCiAgICBiZWluZyB0aGUgcGVyc29uIG9yIGxlZ2FsIGVudGl0eSB3aG8gZmlyc3QgZml4ZXMgdGhlIHNvdW5kcyBvZiBhCiAgICBwZXJmb3JtYW5jZSBvciBvdGhlciBzb3VuZHM7IGFuZCwgKGlpaSkgaW4gdGhlIGNhc2Ugb2YgYnJvYWRjYXN0cywgdGhlCiAgICBvcmdhbml6YXRpb24gdGhhdCB0cmFuc21pdHMgdGhlIGJyb2FkY2FzdC4KIGguICJXb3JrIiBtZWFucyB0aGUgbGl0ZXJhcnkgYW5kL29yIGFydGlzdGljIHdvcmsgb2ZmZXJlZCB1bmRlciB0aGUgdGVybXMKICAgIG9mIHRoaXMgTGlj
ZW5zZSBpbmNsdWRpbmcgd2l0aG91dCBsaW1pdGF0aW9uIGFueSBwcm9kdWN0aW9uIGluIHRoZQogICAgbGl0ZXJhcnksIHNjaWVudGlmaWMgYW5kIGFydGlzdGljIGRvbWFpbiwgd2hhdGV2ZXIgbWF5IGJlIHRoZSBtb2RlIG9yCiAgICBmb3JtIG9mIGl0cyBleHByZXNzaW9uIGluY2x1ZGluZyBkaWdpdGFsIGZvcm0sIHN1Y2ggYXMgYSBib29rLAogICAgcGFtcGhsZXQgYW5kIG90aGVyIHdyaXRpbmc7IGEgbGVjdHVyZSwgYWRkcmVzcywgc2VybW9uIG9yIG90aGVyIHdvcmsKICAgIG9mIHRoZSBzYW1lIG5hdHVyZTsgYSBkcmFtYXRpYyBvciBkcmFtYXRpY28tbXVzaWNhbCB3b3JrOyBhCiAgICBjaG9yZW9ncmFwaGljIHdvcmsgb3IgZW50ZXJ0YWlubWVudCBpbiBkdW1iIHNob3c7IGEgbXVzaWNhbAogICAgY29tcG9zaXRpb24gd2l0aCBvciB3aXRob3V0IHdvcmRzOyBhIGNpbmVtYXRvZ3JhcGhpYyB3b3JrIHRvIHdoaWNoIGFyZQogICAgYXNzaW1pbGF0ZWQgd29ya3MgZXhwcmVzc2VkIGJ5IGEgcHJvY2VzcyBhbmFsb2dvdXMgdG8gY2luZW1hdG9ncmFwaHk7CiAgICBhIHdvcmsgb2YgZHJhd2luZywgcGFpbnRpbmcsIGFyY2hpdGVjdHVyZSwgc2N1bHB0dXJlLCBlbmdyYXZpbmcgb3IKICAgIGxpdGhvZ3JhcGh5OyBhIHBob3RvZ3JhcGhpYyB3b3JrIHRvIHdoaWNoIGFyZSBhc3NpbWlsYXRlZCB3b3JrcwogICAgZXhwcmVzc2VkIGJ5IGEgcHJvY2VzcyBhbmFsb2dvdXMgdG8gcGhvdG9ncmFwaHk7IGEgd29yayBvZiBhcHBsaWVkCiAgICBhcnQ7IGFuIGlsbHVzdHJhdGlvbiwgbWFwLCBwbGFuLCBza2V0Y2ggb3IgdGhyZWUtZGltZW5zaW9uYWwgd29yawogICAgcmVsYXRpdmUgdG8gZ2VvZ3JhcGh5LCB0b3BvZ3JhcGh5LCBhcmNoaXRlY3R1cmUgb3Igc2NpZW5jZTsgYQogICAgcGVyZm9ybWFuY2U7IGEgYnJvYWRjYXN0OyBhIHBob25vZ3JhbTsgYSBjb21waWxhdGlvbiBvZiBkYXRhIHRvIHRoZQogICAgZXh0ZW50IGl0IGlzIHByb3RlY3RlZCBhcyBhIGNvcHlyaWdodGFibGUgd29yazsgb3IgYSB3b3JrIHBlcmZvcm1lZCBieQogICAgYSB2YXJpZXR5IG9yIGNpcmN1cyBwZXJmb3JtZXIgdG8gdGhlIGV4dGVudCBpdCBpcyBub3Qgb3RoZXJ3aXNlCiAgICBjb25zaWRlcmVkIGEgbGl0ZXJhcnkgb3IgYXJ0aXN0aWMgd29yay4KIGkuICJZb3UiIG1lYW5zIGFuIGluZGl2aWR1YWwgb3IgZW50aXR5IGV4ZXJjaXNpbmcgcmlnaHRzIHVuZGVyIHRoaXMKICAgIExpY2Vuc2Ugd2hvIGhhcyBub3QgcHJldmlvdXNseSB2aW9sYXRlZCB0aGUgdGVybXMgb2YgdGhpcyBMaWNlbnNlIHdpdGgKICAgIHJlc3BlY3QgdG8gdGhlIFdvcmssIG9yIHdobyBoYXMgcmVjZWl2ZWQgZXhwcmVzcyBwZXJtaXNzaW9uIGZyb20gdGhlCiAgICBMaWNlbnNvciB0byBleGVyY2lzZSByaWdodHMgdW5kZXIgdGhpcyBMaWNlbnNlIGRlc3BpdGUgYSBwcmV2aW91cwogICAgdmlvbGF0aW9uLgogai4gIlB1YmxpY2x5IFBlcmZvcm0iIG1lYW5zIHRvIHBlcmZvcm0gcHVibGlj
IHJlY2l0YXRpb25zIG9mIHRoZSBXb3JrIGFuZAogICAgdG8gY29tbXVuaWNhdGUgdG8gdGhlIHB1YmxpYyB0aG9zZSBwdWJsaWMgcmVjaXRhdGlvbnMsIGJ5IGFueSBtZWFucyBvcgogICAgcHJvY2VzcywgaW5jbHVkaW5nIGJ5IHdpcmUgb3Igd2lyZWxlc3MgbWVhbnMgb3IgcHVibGljIGRpZ2l0YWwKICAgIHBlcmZvcm1hbmNlczsgdG8gbWFrZSBhdmFpbGFibGUgdG8gdGhlIHB1YmxpYyBXb3JrcyBpbiBzdWNoIGEgd2F5IHRoYXQKICAgIG1lbWJlcnMgb2YgdGhlIHB1YmxpYyBtYXkgYWNjZXNzIHRoZXNlIFdvcmtzIGZyb20gYSBwbGFjZSBhbmQgYXQgYQogICAgcGxhY2UgaW5kaXZpZHVhbGx5IGNob3NlbiBieSB0aGVtOyB0byBwZXJmb3JtIHRoZSBXb3JrIHRvIHRoZSBwdWJsaWMKICAgIGJ5IGFueSBtZWFucyBvciBwcm9jZXNzIGFuZCB0aGUgY29tbXVuaWNhdGlvbiB0byB0aGUgcHVibGljIG9mIHRoZQogICAgcGVyZm9ybWFuY2VzIG9mIHRoZSBXb3JrLCBpbmNsdWRpbmcgYnkgcHVibGljIGRpZ2l0YWwgcGVyZm9ybWFuY2U7IHRvCiAgICBicm9hZGNhc3QgYW5kIHJlYnJvYWRjYXN0IHRoZSBXb3JrIGJ5IGFueSBtZWFucyBpbmNsdWRpbmcgc2lnbnMsCiAgICBzb3VuZHMgb3IgaW1hZ2VzLgogay4gIlJlcHJvZHVjZSIgbWVhbnMgdG8gbWFrZSBjb3BpZXMgb2YgdGhlIFdvcmsgYnkgYW55IG1lYW5zIGluY2x1ZGluZwogICAgd2l0aG91dCBsaW1pdGF0aW9uIGJ5IHNvdW5kIG9yIHZpc3VhbCByZWNvcmRpbmdzIGFuZCB0aGUgcmlnaHQgb2YKICAgIGZpeGF0aW9uIGFuZCByZXByb2R1Y2luZyBmaXhhdGlvbnMgb2YgdGhlIFdvcmssIGluY2x1ZGluZyBzdG9yYWdlIG9mIGEKICAgIHByb3RlY3RlZCBwZXJmb3JtYW5jZSBvciBwaG9ub2dyYW0gaW4gZGlnaXRhbCBmb3JtIG9yIG90aGVyIGVsZWN0cm9uaWMKICAgIG1lZGl1bS4KCjIuIEZhaXIgRGVhbGluZyBSaWdodHMuIE5vdGhpbmcgaW4gdGhpcyBMaWNlbnNlIGlzIGludGVuZGVkIHRvIHJlZHVjZSwKbGltaXQsIG9yIHJlc3RyaWN0IGFueSB1c2VzIGZyZWUgZnJvbSBjb3B5cmlnaHQgb3IgcmlnaHRzIGFyaXNpbmcgZnJvbQpsaW1pdGF0aW9ucyBvciBleGNlcHRpb25zIHRoYXQgYXJlIHByb3ZpZGVkIGZvciBpbiBjb25uZWN0aW9uIHdpdGggdGhlCmNvcHlyaWdodCBwcm90ZWN0aW9uIHVuZGVyIGNvcHlyaWdodCBsYXcgb3Igb3RoZXIgYXBwbGljYWJsZSBsYXdzLgoKMy4gTGljZW5zZSBHcmFudC4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YgdGhpcyBMaWNlbnNlLApMaWNlbnNvciBoZXJlYnkgZ3JhbnRzIFlvdSBhIHdvcmxkd2lkZSwgcm95YWx0eS1mcmVlLCBub24tZXhjbHVzaXZlLApwZXJwZXR1YWwgKGZvciB0aGUgZHVyYXRpb24gb2YgdGhlIGFwcGxpY2FibGUgY29weXJpZ2h0KSBsaWNlbnNlIHRvCmV4ZXJjaXNlIHRoZSByaWdodHMgaW4gdGhlIFdvcmsgYXMgc3RhdGVkIGJlbG93OgoKIGEuIHRvIFJlcHJvZHVjZSB0aGUgV29yaywgdG8g
aW5jb3Jwb3JhdGUgdGhlIFdvcmsgaW50byBvbmUgb3IgbW9yZQogICAgQ29sbGVjdGlvbnMsIGFuZCB0byBSZXByb2R1Y2UgdGhlIFdvcmsgYXMgaW5jb3Jwb3JhdGVkIGluIHRoZQogICAgQ29sbGVjdGlvbnM7CiBiLiB0byBjcmVhdGUgYW5kIFJlcHJvZHVjZSBBZGFwdGF0aW9ucyBwcm92aWRlZCB0aGF0IGFueSBzdWNoIEFkYXB0YXRpb24sCiAgICBpbmNsdWRpbmcgYW55IHRyYW5zbGF0aW9uIGluIGFueSBtZWRpdW0sIHRha2VzIHJlYXNvbmFibGUgc3RlcHMgdG8KICAgIGNsZWFybHkgbGFiZWwsIGRlbWFyY2F0ZSBvciBvdGhlcndpc2UgaWRlbnRpZnkgdGhhdCBjaGFuZ2VzIHdlcmUgbWFkZQogICAgdG8gdGhlIG9yaWdpbmFsIFdvcmsuIEZvciBleGFtcGxlLCBhIHRyYW5zbGF0aW9uIGNvdWxkIGJlIG1hcmtlZCAiVGhlCiAgICBvcmlnaW5hbCB3b3JrIHdhcyB0cmFuc2xhdGVkIGZyb20gRW5nbGlzaCB0byBTcGFuaXNoLCIgb3IgYQogICAgbW9kaWZpY2F0aW9uIGNvdWxkIGluZGljYXRlICJUaGUgb3JpZ2luYWwgd29yayBoYXMgYmVlbiBtb2RpZmllZC4iOwogYy4gdG8gRGlzdHJpYnV0ZSBhbmQgUHVibGljbHkgUGVyZm9ybSB0aGUgV29yayBpbmNsdWRpbmcgYXMgaW5jb3Jwb3JhdGVkCiAgICBpbiBDb2xsZWN0aW9uczsgYW5kLAogZC4gdG8gRGlzdHJpYnV0ZSBhbmQgUHVibGljbHkgUGVyZm9ybSBBZGFwdGF0aW9ucy4KIGUuIEZvciB0aGUgYXZvaWRhbmNlIG9mIGRvdWJ0OgoKICAgICBpLiBOb24td2FpdmFibGUgQ29tcHVsc29yeSBMaWNlbnNlIFNjaGVtZXMuIEluIHRob3NlIGp1cmlzZGljdGlvbnMgaW4KICAgICAgICB3aGljaCB0aGUgcmlnaHQgdG8gY29sbGVjdCByb3lhbHRpZXMgdGhyb3VnaCBhbnkgc3RhdHV0b3J5IG9yCiAgICAgICAgY29tcHVsc29yeSBsaWNlbnNpbmcgc2NoZW1lIGNhbm5vdCBiZSB3YWl2ZWQsIHRoZSBMaWNlbnNvcgogICAgICAgIHJlc2VydmVzIHRoZSBleGNsdXNpdmUgcmlnaHQgdG8gY29sbGVjdCBzdWNoIHJveWFsdGllcyBmb3IgYW55CiAgICAgICAgZXhlcmNpc2UgYnkgWW91IG9mIHRoZSByaWdodHMgZ3JhbnRlZCB1bmRlciB0aGlzIExpY2Vuc2U7CiAgICBpaS4gV2FpdmFibGUgQ29tcHVsc29yeSBMaWNlbnNlIFNjaGVtZXMuIEluIHRob3NlIGp1cmlzZGljdGlvbnMgaW4KICAgICAgICB3aGljaCB0aGUgcmlnaHQgdG8gY29sbGVjdCByb3lhbHRpZXMgdGhyb3VnaCBhbnkgc3RhdHV0b3J5IG9yCiAgICAgICAgY29tcHVsc29yeSBsaWNlbnNpbmcgc2NoZW1lIGNhbiBiZSB3YWl2ZWQsIHRoZSBMaWNlbnNvciB3YWl2ZXMgdGhlCiAgICAgICAgZXhjbHVzaXZlIHJpZ2h0IHRvIGNvbGxlY3Qgc3VjaCByb3lhbHRpZXMgZm9yIGFueSBleGVyY2lzZSBieSBZb3UKICAgICAgICBvZiB0aGUgcmlnaHRzIGdyYW50ZWQgdW5kZXIgdGhpcyBMaWNlbnNlOyBhbmQsCiAgIGlpaS4gVm9sdW50YXJ5IExpY2Vuc2UgU2NoZW1lcy4gVGhlIExpY2Vuc29yIHdhaXZlcyB0aGUgcmlnaHQgdG8KICAg
ICAgICBjb2xsZWN0IHJveWFsdGllcywgd2hldGhlciBpbmRpdmlkdWFsbHkgb3IsIGluIHRoZSBldmVudCB0aGF0IHRoZQogICAgICAgIExpY2Vuc29yIGlzIGEgbWVtYmVyIG9mIGEgY29sbGVjdGluZyBzb2NpZXR5IHRoYXQgYWRtaW5pc3RlcnMKICAgICAgICB2b2x1bnRhcnkgbGljZW5zaW5nIHNjaGVtZXMsIHZpYSB0aGF0IHNvY2lldHksIGZyb20gYW55IGV4ZXJjaXNlCiAgICAgICAgYnkgWW91IG9mIHRoZSByaWdodHMgZ3JhbnRlZCB1bmRlciB0aGlzIExpY2Vuc2UuCgpUaGUgYWJvdmUgcmlnaHRzIG1heSBiZSBleGVyY2lzZWQgaW4gYWxsIG1lZGlhIGFuZCBmb3JtYXRzIHdoZXRoZXIgbm93Cmtub3duIG9yIGhlcmVhZnRlciBkZXZpc2VkLiBUaGUgYWJvdmUgcmlnaHRzIGluY2x1ZGUgdGhlIHJpZ2h0IHRvIG1ha2UKc3VjaCBtb2RpZmljYXRpb25zIGFzIGFyZSB0ZWNobmljYWxseSBuZWNlc3NhcnkgdG8gZXhlcmNpc2UgdGhlIHJpZ2h0cyBpbgpvdGhlciBtZWRpYSBhbmQgZm9ybWF0cy4gU3ViamVjdCB0byBTZWN0aW9uIDgoZiksIGFsbCByaWdodHMgbm90IGV4cHJlc3NseQpncmFudGVkIGJ5IExpY2Vuc29yIGFyZSBoZXJlYnkgcmVzZXJ2ZWQuCgo0LiBSZXN0cmljdGlvbnMuIFRoZSBsaWNlbnNlIGdyYW50ZWQgaW4gU2VjdGlvbiAzIGFib3ZlIGlzIGV4cHJlc3NseSBtYWRlCnN1YmplY3QgdG8gYW5kIGxpbWl0ZWQgYnkgdGhlIGZvbGxvd2luZyByZXN0cmljdGlvbnM6CgogYS4gWW91IG1heSBEaXN0cmlidXRlIG9yIFB1YmxpY2x5IFBlcmZvcm0gdGhlIFdvcmsgb25seSB1bmRlciB0aGUgdGVybXMKICAgIG9mIHRoaXMgTGljZW5zZS4gWW91IG11c3QgaW5jbHVkZSBhIGNvcHkgb2YsIG9yIHRoZSBVbmlmb3JtIFJlc291cmNlCiAgICBJZGVudGlmaWVyIChVUkkpIGZvciwgdGhpcyBMaWNlbnNlIHdpdGggZXZlcnkgY29weSBvZiB0aGUgV29yayBZb3UKICAgIERpc3RyaWJ1dGUgb3IgUHVibGljbHkgUGVyZm9ybS4gWW91IG1heSBub3Qgb2ZmZXIgb3IgaW1wb3NlIGFueSB0ZXJtcwogICAgb24gdGhlIFdvcmsgdGhhdCByZXN0cmljdCB0aGUgdGVybXMgb2YgdGhpcyBMaWNlbnNlIG9yIHRoZSBhYmlsaXR5IG9mCiAgICB0aGUgcmVjaXBpZW50IG9mIHRoZSBXb3JrIHRvIGV4ZXJjaXNlIHRoZSByaWdodHMgZ3JhbnRlZCB0byB0aGF0CiAgICByZWNpcGllbnQgdW5kZXIgdGhlIHRlcm1zIG9mIHRoZSBMaWNlbnNlLiBZb3UgbWF5IG5vdCBzdWJsaWNlbnNlIHRoZQogICAgV29yay4gWW91IG11c3Qga2VlcCBpbnRhY3QgYWxsIG5vdGljZXMgdGhhdCByZWZlciB0byB0aGlzIExpY2Vuc2UgYW5kCiAgICB0byB0aGUgZGlzY2xhaW1lciBvZiB3YXJyYW50aWVzIHdpdGggZXZlcnkgY29weSBvZiB0aGUgV29yayBZb3UKICAgIERpc3RyaWJ1dGUgb3IgUHVibGljbHkgUGVyZm9ybS4gV2hlbiBZb3UgRGlzdHJpYnV0ZSBvciBQdWJsaWNseQogICAgUGVyZm9ybSB0aGUgV29yaywgWW91IG1heSBub3QgaW1wb3NlIGFueSBlZmZl
Y3RpdmUgdGVjaG5vbG9naWNhbAogICAgbWVhc3VyZXMgb24gdGhlIFdvcmsgdGhhdCByZXN0cmljdCB0aGUgYWJpbGl0eSBvZiBhIHJlY2lwaWVudCBvZiB0aGUKICAgIFdvcmsgZnJvbSBZb3UgdG8gZXhlcmNpc2UgdGhlIHJpZ2h0cyBncmFudGVkIHRvIHRoYXQgcmVjaXBpZW50IHVuZGVyCiAgICB0aGUgdGVybXMgb2YgdGhlIExpY2Vuc2UuIFRoaXMgU2VjdGlvbiA0KGEpIGFwcGxpZXMgdG8gdGhlIFdvcmsgYXMKICAgIGluY29ycG9yYXRlZCBpbiBhIENvbGxlY3Rpb24sIGJ1dCB0aGlzIGRvZXMgbm90IHJlcXVpcmUgdGhlIENvbGxlY3Rpb24KICAgIGFwYXJ0IGZyb20gdGhlIFdvcmsgaXRzZWxmIHRvIGJlIG1hZGUgc3ViamVjdCB0byB0aGUgdGVybXMgb2YgdGhpcwogICAgTGljZW5zZS4gSWYgWW91IGNyZWF0ZSBhIENvbGxlY3Rpb24sIHVwb24gbm90aWNlIGZyb20gYW55IExpY2Vuc29yIFlvdQogICAgbXVzdCwgdG8gdGhlIGV4dGVudCBwcmFjdGljYWJsZSwgcmVtb3ZlIGZyb20gdGhlIENvbGxlY3Rpb24gYW55IGNyZWRpdAogICAgYXMgcmVxdWlyZWQgYnkgU2VjdGlvbiA0KGMpLCBhcyByZXF1ZXN0ZWQuIElmIFlvdSBjcmVhdGUgYW4KICAgIEFkYXB0YXRpb24sIHVwb24gbm90aWNlIGZyb20gYW55IExpY2Vuc29yIFlvdSBtdXN0LCB0byB0aGUgZXh0ZW50CiAgICBwcmFjdGljYWJsZSwgcmVtb3ZlIGZyb20gdGhlIEFkYXB0YXRpb24gYW55IGNyZWRpdCBhcyByZXF1aXJlZCBieQogICAgU2VjdGlvbiA0KGMpLCBhcyByZXF1ZXN0ZWQuCiBiLiBZb3UgbWF5IERpc3RyaWJ1dGUgb3IgUHVibGljbHkgUGVyZm9ybSBhbiBBZGFwdGF0aW9uIG9ubHkgdW5kZXIgdGhlCiAgICB0ZXJtcyBvZjogKGkpIHRoaXMgTGljZW5zZTsgKGlpKSBhIGxhdGVyIHZlcnNpb24gb2YgdGhpcyBMaWNlbnNlIHdpdGgKICAgIHRoZSBzYW1lIExpY2Vuc2UgRWxlbWVudHMgYXMgdGhpcyBMaWNlbnNlOyAoaWlpKSBhIENyZWF0aXZlIENvbW1vbnMKICAgIGp1cmlzZGljdGlvbiBsaWNlbnNlIChlaXRoZXIgdGhpcyBvciBhIGxhdGVyIGxpY2Vuc2UgdmVyc2lvbikgdGhhdAogICAgY29udGFpbnMgdGhlIHNhbWUgTGljZW5zZSBFbGVtZW50cyBhcyB0aGlzIExpY2Vuc2UgKGUuZy4sCiAgICBBdHRyaWJ1dGlvbi1TaGFyZUFsaWtlIDMuMCBVUykpOyAoaXYpIGEgQ3JlYXRpdmUgQ29tbW9ucyBDb21wYXRpYmxlCiAgICBMaWNlbnNlLiBJZiB5b3UgbGljZW5zZSB0aGUgQWRhcHRhdGlvbiB1bmRlciBvbmUgb2YgdGhlIGxpY2Vuc2VzCiAgICBtZW50aW9uZWQgaW4gKGl2KSwgeW91IG11c3QgY29tcGx5IHdpdGggdGhlIHRlcm1zIG9mIHRoYXQgbGljZW5zZS4gSWYKICAgIHlvdSBsaWNlbnNlIHRoZSBBZGFwdGF0aW9uIHVuZGVyIHRoZSB0ZXJtcyBvZiBhbnkgb2YgdGhlIGxpY2Vuc2VzCiAgICBtZW50aW9uZWQgaW4gKGkpLCAoaWkpIG9yIChpaWkpICh0aGUgIkFwcGxpY2FibGUgTGljZW5zZSIpLCB5b3UgbXVzdAogICAgY29tcGx5IHdpdGggdGhlIHRl
cm1zIG9mIHRoZSBBcHBsaWNhYmxlIExpY2Vuc2UgZ2VuZXJhbGx5IGFuZCB0aGUKICAgIGZvbGxvd2luZyBwcm92aXNpb25zOiAoSSkgWW91IG11c3QgaW5jbHVkZSBhIGNvcHkgb2YsIG9yIHRoZSBVUkkgZm9yLAogICAgdGhlIEFwcGxpY2FibGUgTGljZW5zZSB3aXRoIGV2ZXJ5IGNvcHkgb2YgZWFjaCBBZGFwdGF0aW9uIFlvdQogICAgRGlzdHJpYnV0ZSBvciBQdWJsaWNseSBQZXJmb3JtOyAoSUkpIFlvdSBtYXkgbm90IG9mZmVyIG9yIGltcG9zZSBhbnkKICAgIHRlcm1zIG9uIHRoZSBBZGFwdGF0aW9uIHRoYXQgcmVzdHJpY3QgdGhlIHRlcm1zIG9mIHRoZSBBcHBsaWNhYmxlCiAgICBMaWNlbnNlIG9yIHRoZSBhYmlsaXR5IG9mIHRoZSByZWNpcGllbnQgb2YgdGhlIEFkYXB0YXRpb24gdG8gZXhlcmNpc2UKICAgIHRoZSByaWdodHMgZ3JhbnRlZCB0byB0aGF0IHJlY2lwaWVudCB1bmRlciB0aGUgdGVybXMgb2YgdGhlIEFwcGxpY2FibGUKICAgIExpY2Vuc2U7IChJSUkpIFlvdSBtdXN0IGtlZXAgaW50YWN0IGFsbCBub3RpY2VzIHRoYXQgcmVmZXIgdG8gdGhlCiAgICBBcHBsaWNhYmxlIExpY2Vuc2UgYW5kIHRvIHRoZSBkaXNjbGFpbWVyIG9mIHdhcnJhbnRpZXMgd2l0aCBldmVyeSBjb3B5CiAgICBvZiB0aGUgV29yayBhcyBpbmNsdWRlZCBpbiB0aGUgQWRhcHRhdGlvbiBZb3UgRGlzdHJpYnV0ZSBvciBQdWJsaWNseQogICAgUGVyZm9ybTsgKElWKSB3aGVuIFlvdSBEaXN0cmlidXRlIG9yIFB1YmxpY2x5IFBlcmZvcm0gdGhlIEFkYXB0YXRpb24sCiAgICBZb3UgbWF5IG5vdCBpbXBvc2UgYW55IGVmZmVjdGl2ZSB0ZWNobm9sb2dpY2FsIG1lYXN1cmVzIG9uIHRoZQogICAgQWRhcHRhdGlvbiB0aGF0IHJlc3RyaWN0IHRoZSBhYmlsaXR5IG9mIGEgcmVjaXBpZW50IG9mIHRoZSBBZGFwdGF0aW9uCiAgICBmcm9tIFlvdSB0byBleGVyY2lzZSB0aGUgcmlnaHRzIGdyYW50ZWQgdG8gdGhhdCByZWNpcGllbnQgdW5kZXIgdGhlCiAgICB0ZXJtcyBvZiB0aGUgQXBwbGljYWJsZSBMaWNlbnNlLiBUaGlzIFNlY3Rpb24gNChiKSBhcHBsaWVzIHRvIHRoZQogICAgQWRhcHRhdGlvbiBhcyBpbmNvcnBvcmF0ZWQgaW4gYSBDb2xsZWN0aW9uLCBidXQgdGhpcyBkb2VzIG5vdCByZXF1aXJlCiAgICB0aGUgQ29sbGVjdGlvbiBhcGFydCBmcm9tIHRoZSBBZGFwdGF0aW9uIGl0c2VsZiB0byBiZSBtYWRlIHN1YmplY3QgdG8KICAgIHRoZSB0ZXJtcyBvZiB0aGUgQXBwbGljYWJsZSBMaWNlbnNlLgogYy4gSWYgWW91IERpc3RyaWJ1dGUsIG9yIFB1YmxpY2x5IFBlcmZvcm0gdGhlIFdvcmsgb3IgYW55IEFkYXB0YXRpb25zIG9yCiAgICBDb2xsZWN0aW9ucywgWW91IG11c3QsIHVubGVzcyBhIHJlcXVlc3QgaGFzIGJlZW4gbWFkZSBwdXJzdWFudCB0bwogICAgU2VjdGlvbiA0KGEpLCBrZWVwIGludGFjdCBhbGwgY29weXJpZ2h0IG5vdGljZXMgZm9yIHRoZSBXb3JrIGFuZAogICAgcHJvdmlkZSwgcmVhc29uYWJsZSB0byB0aGUgbWVkaXVtIG9yIG1l
YW5zIFlvdSBhcmUgdXRpbGl6aW5nOiAoaSkgdGhlCiAgICBuYW1lIG9mIHRoZSBPcmlnaW5hbCBBdXRob3IgKG9yIHBzZXVkb255bSwgaWYgYXBwbGljYWJsZSkgaWYgc3VwcGxpZWQsCiAgICBhbmQvb3IgaWYgdGhlIE9yaWdpbmFsIEF1dGhvciBhbmQvb3IgTGljZW5zb3IgZGVzaWduYXRlIGFub3RoZXIgcGFydHkKICAgIG9yIHBhcnRpZXMgKGUuZy4sIGEgc3BvbnNvciBpbnN0aXR1dGUsIHB1Ymxpc2hpbmcgZW50aXR5LCBqb3VybmFsKSBmb3IKICAgIGF0dHJpYnV0aW9uICgiQXR0cmlidXRpb24gUGFydGllcyIpIGluIExpY2Vuc29yJ3MgY29weXJpZ2h0IG5vdGljZSwKICAgIHRlcm1zIG9mIHNlcnZpY2Ugb3IgYnkgb3RoZXIgcmVhc29uYWJsZSBtZWFucywgdGhlIG5hbWUgb2Ygc3VjaCBwYXJ0eQogICAgb3IgcGFydGllczsgKGlpKSB0aGUgdGl0bGUgb2YgdGhlIFdvcmsgaWYgc3VwcGxpZWQ7IChpaWkpIHRvIHRoZQogICAgZXh0ZW50IHJlYXNvbmFibHkgcHJhY3RpY2FibGUsIHRoZSBVUkksIGlmIGFueSwgdGhhdCBMaWNlbnNvcgogICAgc3BlY2lmaWVzIHRvIGJlIGFzc29jaWF0ZWQgd2l0aCB0aGUgV29yaywgdW5sZXNzIHN1Y2ggVVJJIGRvZXMgbm90CiAgICByZWZlciB0byB0aGUgY29weXJpZ2h0IG5vdGljZSBvciBsaWNlbnNpbmcgaW5mb3JtYXRpb24gZm9yIHRoZSBXb3JrOwogICAgYW5kIChpdikgLCBjb25zaXN0ZW50IHdpdGggU3NlY3Rpb24gMyhiKSwgaW4gdGhlIGNhc2Ugb2YgYW4KICAgIEFkYXB0YXRpb24sIGEgY3JlZGl0IGlkZW50aWZ5aW5nIHRoZSB1c2Ugb2YgdGhlIFdvcmsgaW4gdGhlIEFkYXB0YXRpb24KICAgIChlLmcuLCAiRnJlbmNoIHRyYW5zbGF0aW9uIG9mIHRoZSBXb3JrIGJ5IE9yaWdpbmFsIEF1dGhvciwiIG9yCiAgICAiU2NyZWVucGxheSBiYXNlZCBvbiBvcmlnaW5hbCBXb3JrIGJ5IE9yaWdpbmFsIEF1dGhvciIpLiBUaGUgY3JlZGl0CiAgICByZXF1aXJlZCBieSB0aGlzIFNlY3Rpb24gNChjKSBtYXkgYmUgaW1wbGVtZW50ZWQgaW4gYW55IHJlYXNvbmFibGUKICAgIG1hbm5lcjsgcHJvdmlkZWQsIGhvd2V2ZXIsIHRoYXQgaW4gdGhlIGNhc2Ugb2YgYSBBZGFwdGF0aW9uIG9yCiAgICBDb2xsZWN0aW9uLCBhdCBhIG1pbmltdW0gc3VjaCBjcmVkaXQgd2lsbCBhcHBlYXIsIGlmIGEgY3JlZGl0IGZvciBhbGwKICAgIGNvbnRyaWJ1dGluZyBhdXRob3JzIG9mIHRoZSBBZGFwdGF0aW9uIG9yIENvbGxlY3Rpb24gYXBwZWFycywgdGhlbiBhcwogICAgcGFydCBvZiB0aGVzZSBjcmVkaXRzIGFuZCBpbiBhIG1hbm5lciBhdCBsZWFzdCBhcyBwcm9taW5lbnQgYXMgdGhlCiAgICBjcmVkaXRzIGZvciB0aGUgb3RoZXIgY29udHJpYnV0aW5nIGF1dGhvcnMuIEZvciB0aGUgYXZvaWRhbmNlIG9mCiAgICBkb3VidCwgWW91IG1heSBvbmx5IHVzZSB0aGUgY3JlZGl0IHJlcXVpcmVkIGJ5IHRoaXMgU2VjdGlvbiBmb3IgdGhlCiAgICBwdXJwb3NlIG9mIGF0dHJpYnV0aW9uIGluIHRoZSBtYW5uZXIgc2V0
IG91dCBhYm92ZSBhbmQsIGJ5IGV4ZXJjaXNpbmcKICAgIFlvdXIgcmlnaHRzIHVuZGVyIHRoaXMgTGljZW5zZSwgWW91IG1heSBub3QgaW1wbGljaXRseSBvciBleHBsaWNpdGx5CiAgICBhc3NlcnQgb3IgaW1wbHkgYW55IGNvbm5lY3Rpb24gd2l0aCwgc3BvbnNvcnNoaXAgb3IgZW5kb3JzZW1lbnQgYnkgdGhlCiAgICBPcmlnaW5hbCBBdXRob3IsIExpY2Vuc29yIGFuZC9vciBBdHRyaWJ1dGlvbiBQYXJ0aWVzLCBhcyBhcHByb3ByaWF0ZSwKICAgIG9mIFlvdSBvciBZb3VyIHVzZSBvZiB0aGUgV29yaywgd2l0aG91dCB0aGUgc2VwYXJhdGUsIGV4cHJlc3MgcHJpb3IKICAgIHdyaXR0ZW4gcGVybWlzc2lvbiBvZiB0aGUgT3JpZ2luYWwgQXV0aG9yLCBMaWNlbnNvciBhbmQvb3IgQXR0cmlidXRpb24KICAgIFBhcnRpZXMuCiBkLiBFeGNlcHQgYXMgb3RoZXJ3aXNlIGFncmVlZCBpbiB3cml0aW5nIGJ5IHRoZSBMaWNlbnNvciBvciBhcyBtYXkgYmUKICAgIG90aGVyd2lzZSBwZXJtaXR0ZWQgYnkgYXBwbGljYWJsZSBsYXcsIGlmIFlvdSBSZXByb2R1Y2UsIERpc3RyaWJ1dGUgb3IKICAgIFB1YmxpY2x5IFBlcmZvcm0gdGhlIFdvcmsgZWl0aGVyIGJ5IGl0c2VsZiBvciBhcyBwYXJ0IG9mIGFueQogICAgQWRhcHRhdGlvbnMgb3IgQ29sbGVjdGlvbnMsIFlvdSBtdXN0IG5vdCBkaXN0b3J0LCBtdXRpbGF0ZSwgbW9kaWZ5IG9yCiAgICB0YWtlIG90aGVyIGRlcm9nYXRvcnkgYWN0aW9uIGluIHJlbGF0aW9uIHRvIHRoZSBXb3JrIHdoaWNoIHdvdWxkIGJlCiAgICBwcmVqdWRpY2lhbCB0byB0aGUgT3JpZ2luYWwgQXV0aG9yJ3MgaG9ub3Igb3IgcmVwdXRhdGlvbi4gTGljZW5zb3IKICAgIGFncmVlcyB0aGF0IGluIHRob3NlIGp1cmlzZGljdGlvbnMgKGUuZy4gSmFwYW4pLCBpbiB3aGljaCBhbnkgZXhlcmNpc2UKICAgIG9mIHRoZSByaWdodCBncmFudGVkIGluIFNlY3Rpb24gMyhiKSBvZiB0aGlzIExpY2Vuc2UgKHRoZSByaWdodCB0bwogICAgbWFrZSBBZGFwdGF0aW9ucykgd291bGQgYmUgZGVlbWVkIHRvIGJlIGEgZGlzdG9ydGlvbiwgbXV0aWxhdGlvbiwKICAgIG1vZGlmaWNhdGlvbiBvciBvdGhlciBkZXJvZ2F0b3J5IGFjdGlvbiBwcmVqdWRpY2lhbCB0byB0aGUgT3JpZ2luYWwKICAgIEF1dGhvcidzIGhvbm9yIGFuZCByZXB1dGF0aW9uLCB0aGUgTGljZW5zb3Igd2lsbCB3YWl2ZSBvciBub3QgYXNzZXJ0LAogICAgYXMgYXBwcm9wcmlhdGUsIHRoaXMgU2VjdGlvbiwgdG8gdGhlIGZ1bGxlc3QgZXh0ZW50IHBlcm1pdHRlZCBieSB0aGUKICAgIGFwcGxpY2FibGUgbmF0aW9uYWwgbGF3LCB0byBlbmFibGUgWW91IHRvIHJlYXNvbmFibHkgZXhlcmNpc2UgWW91cgogICAgcmlnaHQgdW5kZXIgU2VjdGlvbiAzKGIpIG9mIHRoaXMgTGljZW5zZSAocmlnaHQgdG8gbWFrZSBBZGFwdGF0aW9ucykKICAgIGJ1dCBub3Qgb3RoZXJ3aXNlLgoKNS4gUmVwcmVzZW50YXRpb25zLCBXYXJyYW50aWVzIGFuZCBEaXNjbGFpbWVyCgpVTkxFU1MgT1RI
RVJXSVNFIE1VVFVBTExZIEFHUkVFRCBUTyBCWSBUSEUgUEFSVElFUyBJTiBXUklUSU5HLCBMSUNFTlNPUgpPRkZFUlMgVEhFIFdPUksgQVMtSVMgQU5EIE1BS0VTIE5PIFJFUFJFU0VOVEFUSU9OUyBPUiBXQVJSQU5USUVTIE9GIEFOWQpLSU5EIENPTkNFUk5JTkcgVEhFIFdPUkssIEVYUFJFU1MsIElNUExJRUQsIFNUQVRVVE9SWSBPUiBPVEhFUldJU0UsCklOQ0xVRElORywgV0lUSE9VVCBMSU1JVEFUSU9OLCBXQVJSQU5USUVTIE9GIFRJVExFLCBNRVJDSEFOVElCSUxJVFksCkZJVE5FU1MgRk9SIEEgUEFSVElDVUxBUiBQVVJQT1NFLCBOT05JTkZSSU5HRU1FTlQsIE9SIFRIRSBBQlNFTkNFIE9GCkxBVEVOVCBPUiBPVEhFUiBERUZFQ1RTLCBBQ0NVUkFDWSwgT1IgVEhFIFBSRVNFTkNFIE9GIEFCU0VOQ0UgT0YgRVJST1JTLApXSEVUSEVSIE9SIE5PVCBESVNDT1ZFUkFCTEUuIFNPTUUgSlVSSVNESUNUSU9OUyBETyBOT1QgQUxMT1cgVEhFIEVYQ0xVU0lPTgpPRiBJTVBMSUVEIFdBUlJBTlRJRVMsIFNPIFNVQ0ggRVhDTFVTSU9OIE1BWSBOT1QgQVBQTFkgVE8gWU9VLgoKNi4gTGltaXRhdGlvbiBvbiBMaWFiaWxpdHkuIEVYQ0VQVCBUTyBUSEUgRVhURU5UIFJFUVVJUkVEIEJZIEFQUExJQ0FCTEUKTEFXLCBJTiBOTyBFVkVOVCBXSUxMIExJQ0VOU09SIEJFIExJQUJMRSBUTyBZT1UgT04gQU5ZIExFR0FMIFRIRU9SWSBGT1IKQU5ZIFNQRUNJQUwsIElOQ0lERU5UQUwsIENPTlNFUVVFTlRJQUwsIFBVTklUSVZFIE9SIEVYRU1QTEFSWSBEQU1BR0VTCkFSSVNJTkcgT1VUIE9GIFRISVMgTElDRU5TRSBPUiBUSEUgVVNFIE9GIFRIRSBXT1JLLCBFVkVOIElGIExJQ0VOU09SIEhBUwpCRUVOIEFEVklTRUQgT0YgVEhFIFBPU1NJQklMSVRZIE9GIFNVQ0ggREFNQUdFUy4KCjcuIFRlcm1pbmF0aW9uCgogYS4gVGhpcyBMaWNlbnNlIGFuZCB0aGUgcmlnaHRzIGdyYW50ZWQgaGVyZXVuZGVyIHdpbGwgdGVybWluYXRlCiAgICBhdXRvbWF0aWNhbGx5IHVwb24gYW55IGJyZWFjaCBieSBZb3Ugb2YgdGhlIHRlcm1zIG9mIHRoaXMgTGljZW5zZS4KICAgIEluZGl2aWR1YWxzIG9yIGVudGl0aWVzIHdobyBoYXZlIHJlY2VpdmVkIEFkYXB0YXRpb25zIG9yIENvbGxlY3Rpb25zCiAgICBmcm9tIFlvdSB1bmRlciB0aGlzIExpY2Vuc2UsIGhvd2V2ZXIsIHdpbGwgbm90IGhhdmUgdGhlaXIgbGljZW5zZXMKICAgIHRlcm1pbmF0ZWQgcHJvdmlkZWQgc3VjaCBpbmRpdmlkdWFscyBvciBlbnRpdGllcyByZW1haW4gaW4gZnVsbAogICAgY29tcGxpYW5jZSB3aXRoIHRob3NlIGxpY2Vuc2VzLiBTZWN0aW9ucyAxLCAyLCA1LCA2LCA3LCBhbmQgOCB3aWxsCiAgICBzdXJ2aXZlIGFueSB0ZXJtaW5hdGlvbiBvZiB0aGlzIExpY2Vuc2UuCiBiLiBTdWJqZWN0IHRvIHRoZSBhYm92ZSB0ZXJtcyBhbmQgY29uZGl0aW9ucywgdGhlIGxpY2Vuc2UgZ3JhbnRlZCBoZXJlIGlzCiAgICBwZXJwZXR1YWwgKGZvciB0aGUgZHVyYXRpb24gb2YgdGhlIGFwcGxpY2FibGUgY29weXJp
Z2h0IGluIHRoZSBXb3JrKS4KICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIExpY2Vuc29yIHJlc2VydmVzIHRoZSByaWdodCB0byByZWxlYXNlIHRoZQogICAgV29yayB1bmRlciBkaWZmZXJlbnQgbGljZW5zZSB0ZXJtcyBvciB0byBzdG9wIGRpc3RyaWJ1dGluZyB0aGUgV29yayBhdAogICAgYW55IHRpbWU7IHByb3ZpZGVkLCBob3dldmVyIHRoYXQgYW55IHN1Y2ggZWxlY3Rpb24gd2lsbCBub3Qgc2VydmUgdG8KICAgIHdpdGhkcmF3IHRoaXMgTGljZW5zZSAob3IgYW55IG90aGVyIGxpY2Vuc2UgdGhhdCBoYXMgYmVlbiwgb3IgaXMKICAgIHJlcXVpcmVkIHRvIGJlLCBncmFudGVkIHVuZGVyIHRoZSB0ZXJtcyBvZiB0aGlzIExpY2Vuc2UpLCBhbmQgdGhpcwogICAgTGljZW5zZSB3aWxsIGNvbnRpbnVlIGluIGZ1bGwgZm9yY2UgYW5kIGVmZmVjdCB1bmxlc3MgdGVybWluYXRlZCBhcwogICAgc3RhdGVkIGFib3ZlLgoKOC4gTWlzY2VsbGFuZW91cwoKIGEuIEVhY2ggdGltZSBZb3UgRGlzdHJpYnV0ZSBvciBQdWJsaWNseSBQZXJmb3JtIHRoZSBXb3JrIG9yIGEgQ29sbGVjdGlvbiwKICAgIHRoZSBMaWNlbnNvciBvZmZlcnMgdG8gdGhlIHJlY2lwaWVudCBhIGxpY2Vuc2UgdG8gdGhlIFdvcmsgb24gdGhlIHNhbWUKICAgIHRlcm1zIGFuZCBjb25kaXRpb25zIGFzIHRoZSBsaWNlbnNlIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZS4KIGIuIEVhY2ggdGltZSBZb3UgRGlzdHJpYnV0ZSBvciBQdWJsaWNseSBQZXJmb3JtIGFuIEFkYXB0YXRpb24sIExpY2Vuc29yCiAgICBvZmZlcnMgdG8gdGhlIHJlY2lwaWVudCBhIGxpY2Vuc2UgdG8gdGhlIG9yaWdpbmFsIFdvcmsgb24gdGhlIHNhbWUKICAgIHRlcm1zIGFuZCBjb25kaXRpb25zIGFzIHRoZSBsaWNlbnNlIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZS4KIGMuIElmIGFueSBwcm92aXNpb24gb2YgdGhpcyBMaWNlbnNlIGlzIGludmFsaWQgb3IgdW5lbmZvcmNlYWJsZSB1bmRlcgogICAgYXBwbGljYWJsZSBsYXcsIGl0IHNoYWxsIG5vdCBhZmZlY3QgdGhlIHZhbGlkaXR5IG9yIGVuZm9yY2VhYmlsaXR5IG9mCiAgICB0aGUgcmVtYWluZGVyIG9mIHRoZSB0ZXJtcyBvZiB0aGlzIExpY2Vuc2UsIGFuZCB3aXRob3V0IGZ1cnRoZXIgYWN0aW9uCiAgICBieSB0aGUgcGFydGllcyB0byB0aGlzIGFncmVlbWVudCwgc3VjaCBwcm92aXNpb24gc2hhbGwgYmUgcmVmb3JtZWQgdG8KICAgIHRoZSBtaW5pbXVtIGV4dGVudCBuZWNlc3NhcnkgdG8gbWFrZSBzdWNoIHByb3Zpc2lvbiB2YWxpZCBhbmQKICAgIGVuZm9yY2VhYmxlLgogZC4gTm8gdGVybSBvciBwcm92aXNpb24gb2YgdGhpcyBMaWNlbnNlIHNoYWxsIGJlIGRlZW1lZCB3YWl2ZWQgYW5kIG5vCiAgICBicmVhY2ggY29uc2VudGVkIHRvIHVubGVzcyBzdWNoIHdhaXZlciBvciBjb25zZW50IHNoYWxsIGJlIGluIHdyaXRpbmcKICAgIGFuZCBzaWduZWQgYnkgdGhlIHBhcnR5IHRvIGJlIGNoYXJnZWQgd2l0
aCBzdWNoIHdhaXZlciBvciBjb25zZW50LgogZS4gVGhpcyBMaWNlbnNlIGNvbnN0aXR1dGVzIHRoZSBlbnRpcmUgYWdyZWVtZW50IGJldHdlZW4gdGhlIHBhcnRpZXMgd2l0aAogICAgcmVzcGVjdCB0byB0aGUgV29yayBsaWNlbnNlZCBoZXJlLiBUaGVyZSBhcmUgbm8gdW5kZXJzdGFuZGluZ3MsCiAgICBhZ3JlZW1lbnRzIG9yIHJlcHJlc2VudGF0aW9ucyB3aXRoIHJlc3BlY3QgdG8gdGhlIFdvcmsgbm90IHNwZWNpZmllZAogICAgaGVyZS4gTGljZW5zb3Igc2hhbGwgbm90IGJlIGJvdW5kIGJ5IGFueSBhZGRpdGlvbmFsIHByb3Zpc2lvbnMgdGhhdAogICAgbWF5IGFwcGVhciBpbiBhbnkgY29tbXVuaWNhdGlvbiBmcm9tIFlvdS4gVGhpcyBMaWNlbnNlIG1heSBub3QgYmUKICAgIG1vZGlmaWVkIHdpdGhvdXQgdGhlIG11dHVhbCB3cml0dGVuIGFncmVlbWVudCBvZiB0aGUgTGljZW5zb3IgYW5kIFlvdS4KIGYuIFRoZSByaWdodHMgZ3JhbnRlZCB1bmRlciwgYW5kIHRoZSBzdWJqZWN0IG1hdHRlciByZWZlcmVuY2VkLCBpbiB0aGlzCiAgICBMaWNlbnNlIHdlcmUgZHJhZnRlZCB1dGlsaXppbmcgdGhlIHRlcm1pbm9sb2d5IG9mIHRoZSBCZXJuZSBDb252ZW50aW9uCiAgICBmb3IgdGhlIFByb3RlY3Rpb24gb2YgTGl0ZXJhcnkgYW5kIEFydGlzdGljIFdvcmtzIChhcyBhbWVuZGVkIG9uCiAgICBTZXB0ZW1iZXIgMjgsIDE5NzkpLCB0aGUgUm9tZSBDb252ZW50aW9uIG9mIDE5NjEsIHRoZSBXSVBPIENvcHlyaWdodAogICAgVHJlYXR5IG9mIDE5OTYsIHRoZSBXSVBPIFBlcmZvcm1hbmNlcyBhbmQgUGhvbm9ncmFtcyBUcmVhdHkgb2YgMTk5NgogICAgYW5kIHRoZSBVbml2ZXJzYWwgQ29weXJpZ2h0IENvbnZlbnRpb24gKGFzIHJldmlzZWQgb24gSnVseSAyNCwgMTk3MSkuCiAgICBUaGVzZSByaWdodHMgYW5kIHN1YmplY3QgbWF0dGVyIHRha2UgZWZmZWN0IGluIHRoZSByZWxldmFudAogICAganVyaXNkaWN0aW9uIGluIHdoaWNoIHRoZSBMaWNlbnNlIHRlcm1zIGFyZSBzb3VnaHQgdG8gYmUgZW5mb3JjZWQKICAgIGFjY29yZGluZyB0byB0aGUgY29ycmVzcG9uZGluZyBwcm92aXNpb25zIG9mIHRoZSBpbXBsZW1lbnRhdGlvbiBvZgogICAgdGhvc2UgdHJlYXR5IHByb3Zpc2lvbnMgaW4gdGhlIGFwcGxpY2FibGUgbmF0aW9uYWwgbGF3LiBJZiB0aGUKICAgIHN0YW5kYXJkIHN1aXRlIG9mIHJpZ2h0cyBncmFudGVkIHVuZGVyIGFwcGxpY2FibGUgY29weXJpZ2h0IGxhdwogICAgaW5jbHVkZXMgYWRkaXRpb25hbCByaWdodHMgbm90IGdyYW50ZWQgdW5kZXIgdGhpcyBMaWNlbnNlLCBzdWNoCiAgICBhZGRpdGlvbmFsIHJpZ2h0cyBhcmUgZGVlbWVkIHRvIGJlIGluY2x1ZGVkIGluIHRoZSBMaWNlbnNlOyB0aGlzCiAgICBMaWNlbnNlIGlzIG5vdCBpbnRlbmRlZCB0byByZXN0cmljdCB0aGUgbGljZW5zZSBvZiBhbnkgcmlnaHRzIHVuZGVyCiAgICBhcHBsaWNhYmxlIGxhdy4KCgpDcmVhdGl2ZSBDb21tb25zIE5vdGljZQoKICAgIENyZWF0
aXZlIENvbW1vbnMgaXMgbm90IGEgcGFydHkgdG8gdGhpcyBMaWNlbnNlLCBhbmQgbWFrZXMgbm8gd2FycmFudHkKICAgIHdoYXRzb2V2ZXIgaW4gY29ubmVjdGlvbiB3aXRoIHRoZSBXb3JrLiBDcmVhdGl2ZSBDb21tb25zIHdpbGwgbm90IGJlCiAgICBsaWFibGUgdG8gWW91IG9yIGFueSBwYXJ0eSBvbiBhbnkgbGVnYWwgdGhlb3J5IGZvciBhbnkgZGFtYWdlcwogICAgd2hhdHNvZXZlciwgaW5jbHVkaW5nIHdpdGhvdXQgbGltaXRhdGlvbiBhbnkgZ2VuZXJhbCwgc3BlY2lhbCwKICAgIGluY2lkZW50YWwgb3IgY29uc2VxdWVudGlhbCBkYW1hZ2VzIGFyaXNpbmcgaW4gY29ubmVjdGlvbiB0byB0aGlzCiAgICBsaWNlbnNlLiBOb3R3aXRoc3RhbmRpbmcgdGhlIGZvcmVnb2luZyB0d28gKDIpIHNlbnRlbmNlcywgaWYgQ3JlYXRpdmUKICAgIENvbW1vbnMgaGFzIGV4cHJlc3NseSBpZGVudGlmaWVkIGl0c2VsZiBhcyB0aGUgTGljZW5zb3IgaGVyZXVuZGVyLCBpdAogICAgc2hhbGwgaGF2ZSBhbGwgcmlnaHRzIGFuZCBvYmxpZ2F0aW9ucyBvZiBMaWNlbnNvci4KCiAgICBFeGNlcHQgZm9yIHRoZSBsaW1pdGVkIHB1cnBvc2Ugb2YgaW5kaWNhdGluZyB0byB0aGUgcHVibGljIHRoYXQgdGhlCiAgICBXb3JrIGlzIGxpY2Vuc2VkIHVuZGVyIHRoZSBDQ1BMLCBDcmVhdGl2ZSBDb21tb25zIGRvZXMgbm90IGF1dGhvcml6ZQogICAgdGhlIHVzZSBieSBlaXRoZXIgcGFydHkgb2YgdGhlIHRyYWRlbWFyayAiQ3JlYXRpdmUgQ29tbW9ucyIgb3IgYW55CiAgICByZWxhdGVkIHRyYWRlbWFyayBvciBsb2dvIG9mIENyZWF0aXZlIENvbW1vbnMgd2l0aG91dCB0aGUgcHJpb3IKICAgIHdyaXR0ZW4gY29uc2VudCBvZiBDcmVhdGl2ZSBDb21tb25zLiBBbnkgcGVybWl0dGVkIHVzZSB3aWxsIGJlIGluCiAgICBjb21wbGlhbmNlIHdpdGggQ3JlYXRpdmUgQ29tbW9ucycgdGhlbi1jdXJyZW50IHRyYWRlbWFyayB1c2FnZQogICAgZ3VpZGVsaW5lcywgYXMgbWF5IGJlIHB1Ymxpc2hlZCBvbiBpdHMgd2Vic2l0ZSBvciBvdGhlcndpc2UgbWFkZQogICAgYXZhaWxhYmxlIHVwb24gcmVxdWVzdCBmcm9tIHRpbWUgdG8gdGltZS4gRm9yIHRoZSBhdm9pZGFuY2Ugb2YgZG91YnQsCiAgICB0aGlzIHRyYWRlbWFyayByZXN0cmljdGlvbiBkb2VzIG5vdCBmb3JtIHBhcnQgb2YgdGhlIExpY2Vuc2UuCgogICAgQ3JlYXRpdmUgQ29tbW9ucyBtYXkgYmUgY29udGFjdGVkIGF0IGh0dHBzOi8vY3JlYXRpdmVjb21tb25zLm9yZy8u"
},
"url": "https://creativecommons.org/licenses/by-sa/3.0/legalcode"
}
}
]
},
"definitions": {
"standards": [
{
"bom-ref": "bsimm-v13",
"name": "Build Security In Maturity Model (BSIMM)",
"description": "The BSIMM activities are the individual controls used to construct or improve an SSI. They range through people, process, technology, and culture. You can use this information to choose which controls to apply within your initiative, then align your implementation strategy and metrics with your desired outcomes.",
"version": "13",
"owner": "Synopsys, Inc.",
"requirements": [
{
"bom-ref": "governance",
"title": "Governance",
"text": "Practices that help organize, manage, and measure a software security initiative. Staff development is also a central governance practice."
},
{
"bom-ref": "intelligence",
"title": "Intelligence",
"text": "Practices that result in collections of corporate knowledge used in carrying out software security activities throughout the organization. Collections include both proactive security guidance and organizational threat modeling."
},
{
"bom-ref": "ssdl-touchpoints",
"title": "SSDL Touchpoints",
"text": "Practices associated with analysis and assurance of particular software development artifacts and processes. All software security methodologies include these practices."
},
{
"bom-ref": "deployment",
"title": "Deployment",
"text": "Practices that interface with traditional network security and software maintenance organizations. Software configuration, maintenance, and other environment issues have direct impact on software security."
},
{
"bom-ref": "governance-sm",
"title": "Governance: Strategy & Metrics",
"text": "The Strategy & Metrics practice encompasses planning, assigning roles and responsibilities, identifying software security goals, determining budgets, and identifying metrics and software release conditions.",
"parent": "governance"
},
{
"bom-ref": "governance-cp",
"title": "Governance: Compliance & Policy",
"text": "The Compliance & Policy practice is focused on identifying controls for compliance regimens such as PCI DSS and GDPR, developing contractual controls such as SLAs to help manage COTS software risk, setting organizational software security policy, and auditing against that policy.",
"parent": "governance"
},
{
"bom-ref": "governance-t",
"title": "Governance: Training",
"text": "Training has always played a critical role in software security because organizational stakeholders across GRC, legal, engineering, operations, and other groups often start with little security knowledge.",
"parent": "governance"
},
{
"bom-ref": "intelligence-am",
"title": "Intelligence: Attack Models",
"text": "Attack Models capture information used to think like an attacker, including threat modeling inputs, abuse cases, data classification, and technology-specific attack patterns.",
"parent": "intelligence"
},
{
"bom-ref": "intelligence-sfd",
"title": "Intelligence: Security Features & Design",
"text": "The Security Features & Design practice is charged with creating usable security patterns for major security controls (meeting the standards defined in the Standards & Requirements practice), building components and services for those controls, and establishing collaboration during security design efforts.",
"parent": "intelligence"
},
{
"bom-ref": "intelligence-sfd",
"title": "Intelligence: Standards & Requirements",
"text": "The Standards & Requirements practice involves eliciting explicit software security requirements from the organization, determining which COTS tools to recommend, building standards for major security controls (such as authentication, input validation, and so on), creating security standards for technologies in use, and creating a standards review process.",
"parent": "intelligence"
},
{
"bom-ref": "ssdl-touchpoints-aa",
"title": "SSDL Touchpoints: Architecture Analysis",
"text": "Architecture analysis encompasses capturing software architecture in concise diagrams, applying lists of risks and threats, adopting a process for review (such as Microsoft Threat Modeling [STRIDE] or Architecture Risk Analysis [ARA]), building an assessment and remediation plan for the organization, and using a risk methodology to rank applications.",
"parent": "ssdl-touchpoints"
},
{
"bom-ref": "ssdl-touchpoints-cr",
"title": "SSDL Touchpoints: Code Review",
"text": "The Code Review practice includes use of code review tools (e.g., static analysis), development of tailored rules, customized profiles for tool use by different roles (for example, developers vs. auditors), manual analysis, and tracking and measuring results.",
"parent": "ssdl-touchpoints"
},
{
"bom-ref": "ssdl-touchpoints-st",
"title": "SSDL Touchpoints: Security Testing",
"text": "The Security Testing practice is concerned with prerelease defect discovery, including integrating security into standard QA processes. The practice includes the use of opaque-box application security testing (AST) tools (including fuzz testing) as a smoke test in QA, risk-driven crystal-box test suites, application of the attack model, and code coverage analysis. Security testing focuses on vulnerabilities in construction.",
"parent": "ssdl-touchpoints"
},
{
"bom-ref": "deployment-pt",
"title": "Deployment: Penetration Testing",
"text": "The Penetration Testing practice involves standard outside-in testing of the sort carried out by security specialists. Penetration testing focuses on vulnerabilities in preproduction and production code, providing direct feeds to defect management and mitigation.",
"parent": "deployment"
},
{
"bom-ref": "deployment-se",
"title": "Deployment: Software Environment",
"text": "The Software Environment practice deals with OS and platform patching (including in the cloud), WAFs (web application firewalls), installation and configuration documentation, containerization, orchestration, application monitoring, change management, and code signing.",
"parent": "deployment"
},
{
"bom-ref": "deployment-cmvm",
"title": "Deployment: Configuration Management & Vulnerability Management",
"text": "The Configuration Management & Vulnerability Management practice concerns itself with operations processes, patching and updating applications, version control, defect tracking and remediation, and incident handling.",
"parent": "deployment"
},
{
"bom-ref": "SM1.1",
"identifier": "SM1.1",
"title": "Publish process and evolve as necessary.",
"text": "The process for addressing software security is defined, published internally, and broadcast to all stakeholders so that everyone knows the plan. Goals, roles, responsibilities, and activities are explicitly defined. Most organizations examine existing methodologies, such as the NIST SSDF, Microsoft SDL, or Synopsys Touchpoints, then tailor them to meet their needs. Security activities will be adapted to software lifecycle processes (e.g., waterfall, Agile, CI/CD, DevOps), so activities will evolve with both the organization and the security landscape. The process doesn't need to be publicly promoted outside the firm to have the desired impact (see [SM3.2]). In addition to publishing the written process, some firms also automate parts (e.g., a testing strategy) as governance-as-code (see [SM3.4]).",
"parent": "governance-sm"
},
{
"bom-ref": "SM1.3",
"identifier": "SM1.3",
"title": "Educate executives on software security.",
"text": "Executives are regularly shown the ways malicious actors attack software and the negative business impacts those attacks can have on the organization. Go beyond reporting of open and closed defects to educate executives on the business risks, including risks of adopting emerging engineering technologies and methodologies without security oversight. Demonstrate a worst-case scenario in a controlled environment with the permission of all involved (e.g., by showing attacks and their business impact). Presentation to the Board can help garner resources for new or ongoing SSI efforts. Demonstrating the need for new skill-building training in evolving areas, such as DevOps groups using cloud-native technologies, can help convince leadership to accept SSG recommendations when they might otherwise be ignored in favor of faster release dates or other priorities. Bring in an outside expert when necessary to bolster executive attention.",
"parent": "governance-sm"
},
{
"bom-ref": "SM1.4",
"identifier": "SM1.4",
"title": "Implement security checkpoints and associated governance.",
"text": "The software security process includes checkpoints (such as gates, release conditions, guardrails, milestones, etc.) at one or more points in a software lifecycle. The first two steps toward establishing security-specific checkpoint conditions are to identify process locations that are compatible with existing development practices and to then begin gathering the information necessary to make a go/no-go decision, such as risk-ranking thresholds or defect data. Importantly, the conditions need not be enforced at this stage--for example, the SSG can collect security testing results for each project prior to release, then provide their informed opinion on what constitutes sufficient testing or acceptable test results without trying to stop a project from moving forward (see [SM2.2]). Shorter release cycles might require creative approaches to collecting the right evidence and rely heavily on automation. Socializing the conditions and then enforcing them once most project teams already know how to succeed is a gradual approach that motivates good behavior without introducing unnecessary friction.",
"parent": "governance-sm"
},
{
"bom-ref": "SM2.1",
"identifier": "SM2.1",
"title": "Publish data about software security internally and use it to drive change.",
"text": "To facilitate improvement, data is published internally about the state of software security within the organization. Produce security or development dashboards with metrics for executives and software development management. Dashboards can be part of pipeline toolchains to enable developer self-improvement. Sometimes, this published data won't be shared with everyone in the firm but only with the stakeholders who are tasked to drive change. In other cases, open book management and data published to all stakeholders helps everyone know what's going on. If the organization's culture promotes internal competition between groups, use this information to add a security dimension. Integrate automated security telemetry to gather measurements quickly and accurately to increase timeliness of security data in areas such as speed (e.g., time to fix) and quality (e.g., defect density). Publishing data about new technologies (e.g., security and risk in cloud-native architectures) is important for identifying needed improvements.",
"parent": "governance-sm"
},
{
"bom-ref": "SM2.2",
"identifier": "SM2.2",
"title": "Enforce security checkpoints and track exceptions.",
"text": "Enforce security release conditions at each checkpoint (gate, guardrail, milestone, etc.) for every project, so that each project must either meet an established measure or follow a defined process for obtaining an exception to move forward. Use internal policies and standards, regulations, contractual agreements, and other obligations to define release conditions, then track all exceptions. Verifying conditions yields data that informs the KRIs and any other metrics used to govern the process. Automatically giving software a passing grade or granting exceptions without due consideration defeats the purpose of verifying conditions. Even seemingly innocuous software projects (e.g., small code changes, infrastructure access control changes, deployment blueprints) must successfully satisfy the prescribed security conditions as they progress through the software lifecycle. Similarly, APIs, frameworks, libraries, bespoke code, microservices, container configurations, and so on are all software that must satisfy security release conditions. It's possible, and often very useful, to have verified the conditions both before and after the development process itself. In modern development environments, the verification process will increasingly become automated (see [SM3.4]).",
"parent": "governance-sm"
},
{
"bom-ref": "SM2.3",
"identifier": "SM2.3",
"title": "Create or grow a satellite (security champions).",
"text": "Form a collection of people scattered across the organization--a satellite--who show an above-average level of security interest or skill and who contribute software security expertise to development, QA, and operations teams. Forming this social network of advocates, sometimes referred to as champions, is a good step toward scaling security into software engineering. One way to build the initial group is to track the people who stand out during introductory training courses (see [T3.6]). Another way is to ask for volunteers. In a more top-down approach, initial satellite membership is assigned to ensure good coverage of development groups, but ongoing membership is based on actual performance. The satellite can act as a sounding board for new projects and, in new or fast-moving technology areas, help combine software security skills with domain knowledge that might be under-represented in the SSG or engineering teams. Agile coaches, scrum masters, and DevOps engineers can make particularly useful satellite members, especially for detecting and removing process friction. In some environments, satellite-led efforts are being delivered via automation.",
"parent": "governance-sm"
},
{
"bom-ref": "SM2.6",
"identifier": "SM2.6",
"title": "Require security sign-off prior to software release.",
"text": "The organization has an initiative-wide process for documenting accountability and accepting security risk by having a risk owner sign off on the state of all software prior to release based on SSG-approved criteria. The sign-off policy might, for example, also require the accountable person to acknowledge critical vulnerabilities that have not been mitigated or SSDL steps that have been skipped. Informal or uninformed risk acceptance alone isn't a security sign-off because the act of accepting risk is more effective when it's formalized (e.g., with a signature, a form submission, or something similar) and captured for future reference. Similarly, simply stating that certain projects don't need sign-off at all won't achieve the desired risk management results. In some cases, however, the risk owner can provide the sign-off on a particular set of software project acceptance criteria, which are then implemented in automation to provide governance-as-code (see [SM3.4]), but there must be an ongoing verification that the criteria remain accurate, and the automation is working.",
"parent": "governance-sm"
},
{
"bom-ref": "SM2.7",
"identifier": "SM2.7",
"title": "Create evangelism role and perform internal marketing.",
"text": "Build support for software security throughout the organization via ongoing evangelism. This internal marketing function, often performed by a variety of stakeholder roles, keeps executives and others up to date on the magnitude of the software security problem and the elements of its solution. A scrum master familiar with security, for example, could help teams adopt better software security practices as they transform to Agile and DevOps methods. Similarly, a cloud expert could demonstrate the changes needed in security architecture and testing for serverless applications. Evangelists can increase understanding and build credibility by giving talks to internal groups (including executives), publishing roadmaps, authoring technical papers for internal consumption, or creating a collection of papers, books, and other resources on an internal website (see [SR1.2]) and promoting its use. In turn, organizational feedback becomes a useful source of improvement ideas.",
"parent": "governance-sm"
},
{
"bom-ref": "SM3.1",
"identifier": "SM3.1",
"title": "Use a software asset tracking application with portfolio view.",
"text": "The SSG uses centralized tracking automation to chart the progress of every piece of software and deployable artifact from creation to decommissioning, regardless of development methodology. The automation records the security activities scheduled, in progress, and completed, incorporating results from SSDL activities even when they happen in a tight loop or during deployment. The combined inventory and security posture view enables timely decision-making. The SSG uses the automation to generate portfolio reports for multiple metrics and, in many cases, publishes this data at least among executives. As an initiative matures and activities become more distributed, the SSG uses the centralized reporting system to keep track of all the moving parts.",
"parent": "governance-sm"
},
{
"bom-ref": "SM3.2",
"identifier": "SM3.2",
"title": "Make SSI efforts part of external marketing.",
"text": "To build external awareness, the SSG helps market the SSI beyond internal teams. In this way, software security can grow its risk reduction exercises into a competitive advantage or market differentiator. The SSG might publish papers or books about its software security capabilities or have a public blog. It might provide details at external conferences or trade shows. In some cases, a complete SSDL methodology can be published and promoted outside the firm, and governance-as-code concepts can make interesting case studies. Regardless of method, the process of sharing details externally and inviting critique is used to bring new perspectives into the firm.",
"parent": "governance-sm"
},
{
"bom-ref": "SM3.3",
"identifier": "SM3.3",
"title": "Identify metrics and use them to drive resourcing.",
"text": "The SSG and its management identify metrics that define and measure SSI progress in quantitative terms. These metrics are reviewed on a regular basis and drive the initiative's budgeting and resource allocations, so simple counts and out-of-context measurements won't suffice here. On the technical side, one such metric could be