1616# Hyphens in key names are allowed (e.g. "vulnerability-reporting").
1717#
1818# si_condition: how to evaluate the value at si_path:
19- # "true" - boolean field equals true
20- # "false" - boolean field equals false
21- # " present" - field exists with a non-nil/non-empty value
22- # " equals" - string field equals si_value
23- # "in" - string field value is listed in si_values
24- # " has_tool_type" - security.tools[] contains type == si_value
25- # " has_tool_type_in_ci" - security.tools[] contains type == si_value
19+ # is_true - boolean field equals true
20+ # is_false - boolean field equals false
21+ # present - field exists with a non-nil/non-empty value
22+ # equals - string field equals si_value
23+ # in - string field value is listed in si_values
24+ # has_tool_type - security.tools[] contains type == si_value
25+ # has_tool_type_in_ci - security.tools[] contains type == si_value
2626# AND integration.ci == true
27- # " has_attestation_predicate" - release.attestations[] has predicate-uri
27+ # has_attestation_predicate - release.attestations[] has predicate-uri
2828# containing si_value as a substring
2929#
3030# si_value: string value for equals / has_* conditions
@@ -147,7 +147,7 @@ mappings:
147147 # URL of the project's coordinated vulnerability disclosure (CVD) policy.
148148
149149 - si_path : project.vulnerability-reporting.policy
150- si_condition : " present"
150+ si_condition : present
151151 target_criterion : vulnerability_report_process
152152 # Target:
153153 # description: "The project MUST publish the process for reporting
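Review bot: `si_condition: present` on `project.vulnerability-reporting.policy` credits `vulnerability_report_process` from a non-empty value alone, since the header defines `present` as "field exists with a non-nil/non-empty value". A placeholder string or an unreachable URL in a project's self-published file would therefore satisfy the mapping. The same applies to the other `present` mappings touched in this commit, most notably `project.vulnerability-reporting.pgp-key` → `vulnerability_report_private`, where the comment accepts a key, a fingerprint or a URL. I would state the limit next to the condition list, e.g. `# present does not validate the value (URL reachability, key format); treat the result as self-asserted`, and confirm that the `confidence` set on these entries reflects it. The mapping entry continues past the end of this hunk, so its `confidence` line is not visible here.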
@@ -164,7 +164,7 @@ mappings:
164164 confidence : 2
165165
166166 - si_path : project.vulnerability-reporting.policy
167- si_condition : " present"
167+ si_condition : present
168168 target_criterion : osps_vm_01_01
169169 # Target:
170170 # description: "While active, the project documentation MUST include a
@@ -183,7 +183,7 @@ mappings:
183183 # PGP key (or fingerprint/URL) for encrypted vulnerability report submission.
184184
185185 - si_path : project.vulnerability-reporting.pgp-key
186- si_condition : " present"
186+ si_condition : present
187187 target_criterion : vulnerability_report_private
188188 # Target:
189189 # description: "If private vulnerability reports are supported, the
@@ -205,7 +205,7 @@ mappings:
205205 # URL of a guide explaining how to contribute to the project.
206206
207207 - si_path : repository.documentation.contributing-guide
208- si_condition : " present"
208+ si_condition : present
209209 target_criterion : contribution
210210 # Target:
211211 # description: "The information on how to contribute MUST explain the
@@ -218,7 +218,7 @@ mappings:
218218 confidence : 2
219219
220220 - si_path : repository.documentation.contributing-guide
221- si_condition : " present"
221+ si_condition : present
222222 target_criterion : osps_gv_03_01
223223 # Target:
224224 # description: "While active, the project documentation MUST include an
@@ -234,7 +234,7 @@ mappings:
234234 # URL of the project's security policy document (e.g. SECURITY.md).
235235
236236 - si_path : repository.documentation.security-policy
237- si_condition : " present"
237+ si_condition : present
238238 target_criterion : osps_vm_01_01
239239 # Target:
240240 # description: "While active, the project documentation MUST include a
@@ -249,7 +249,7 @@ mappings:
249249 confidence : 2
250250
251251 - si_path : repository.documentation.security-policy
252- si_condition : " present"
252+ si_condition : present
253253 target_criterion : osps_vm_02_01
254254 # Target:
255255 # description: "While active, the project documentation MUST contain
@@ -271,7 +271,7 @@ mappings:
271271 # URL of a governance document describing project roles and responsibilities.
272272
273273 - si_path : repository.documentation.governance
274- si_condition : " present"
274+ si_condition : present
275275 target_criterion : osps_gv_01_01
276276 # Target:
277277 # description: "While active, the project documentation MUST include a
@@ -285,7 +285,7 @@ mappings:
285285 confidence : 1
286286
287287 - si_path : repository.documentation.governance
288- si_condition : " present"
288+ si_condition : present
289289 target_criterion : osps_gv_01_02
290290 # Target:
291291 # description: "While active, the project documentation MUST include
@@ -302,7 +302,7 @@ mappings:
302302 # URL of a documented code review policy for the repository.
303303
304304 - si_path : repository.documentation.review-policy
305- si_condition : " present"
305+ si_condition : present
306306 target_criterion : osps_qa_07_01
307307 # Target:
308308 # description: "When a commit is made to the primary branch, the
@@ -323,7 +323,7 @@ mappings:
323323 # URL of a policy describing how dependencies are selected, obtained, and tracked.
324324
325325 - si_path : repository.documentation.dependency-management-policy
326- si_condition : " present"
326+ si_condition : present
327327 target_criterion : osps_do_06_01
328328 # Target:
329329 # description: "When the project has made a release, the project
@@ -337,7 +337,7 @@ mappings:
337337 confidence : 2
338338
339339 - si_path : repository.documentation.dependency-management-policy
340- si_condition : " present"
340+ si_condition : present
341341 target_criterion : osps_vm_05_01
342342 # Target:
343343 # description: "While active, the project documentation MUST include a
@@ -355,7 +355,7 @@ mappings:
355355 # URL of the project's code of conduct document.
356356
357357 - si_path : repository.documentation.code-of-conduct
358- si_condition : " present"
358+ si_condition : present
359359 target_criterion : code_of_conduct
360360 # Target:
361361 # description: "The project MUST adopt a code of conduct and post it in a