OWASP/Software-Component-Verification-Standard

Inventory: Ambiguity in 3rd party vs open source components

Closed this issue · 2 comments

The inventory section leaves ambiguity in the definitions of 3rd party and open source components. In the preamble, it lists:

"all first-party, third-party, and open source components"

implying that open source is not third party.

In controls 1.2 and 1.3, it lists only third party, but not open source:

"An accurate inventory of all third-party components is available in a machine-readable format"

This implies that you do not need an accurate inventory of all open source components. I think the preamble should be changed, but I'm leaving that open for discussion here.

Agree. We will use 'third-party' and when we define it (or mention it for the first time), we will state that third-party includes open source.

Resolved
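As an added illustration of the resolved definition (this is example code written for this page, not part of the SCVS project or its tooling): a small check over a machine-readable inventory that treats every component not supplied by the organisation itself as third-party, so open source components fall under third-party, and flags third-party entries that lack the identifiers an accurate inventory needs. The SBOM below is constructed for the example in CycloneDX-style JSON; the supplier name "Example Corp", the component names and the "licenses means open source" heuristic are assumptions, not anything from the issue.

```python
import json

# Constructed CycloneDX-style SBOM for the example; not a real project's inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {"name": "payments-api", "version": "2.3.0",
                      "supplier": {"name": "Example Corp"}}
    },
    "components": [
        # Built in-house: first-party.
        {"type": "library", "name": "billing-core", "version": "1.8.2",
         "supplier": {"name": "Example Corp"},
         "purl": "pkg:maven/com.example/billing-core@1.8.2"},
        # Open source: counted as third-party under the resolved definition.
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # Commercial vendor: also third-party.
        {"type": "library", "name": "acme-sdk", "version": "4.0.0",
         "supplier": {"name": "Acme Vendor Inc."},
         "purl": "pkg:maven/com.acme/sdk@4.0.0"},
        # No purl and no supplier: an inventory gap the check should surface.
        {"type": "library", "name": "mystery-lib", "version": "0.1"},
    ],
})

# Assumed list of supplier names that count as "us"; everything else is third-party.
FIRST_PARTY_SUPPLIERS = {"Example Corp"}


def classify(component, first_party_suppliers):
    """Return 'first-party' if the declared supplier is our own organisation,
    otherwise 'third-party' (which deliberately includes open source)."""
    supplier = (component.get("supplier") or {}).get("name")
    return "first-party" if supplier in first_party_suppliers else "third-party"


def is_open_source(component):
    """Heuristic assumption for the example: a declared SPDX licence id marks
    the component as open source. Real inventories need a better signal."""
    for entry in component.get("licenses", []):
        if (entry.get("license") or {}).get("id"):
            return True
    return False


def inventory_report(sbom_json, first_party_suppliers):
    """Bucket every component by origin and list third-party components that
    lack a package URL or version, i.e. entries the inventory cannot be
    considered accurate for."""
    bom = json.loads(sbom_json)
    report = {"first-party": [], "third-party": [], "open-source": [], "incomplete": []}
    for comp in bom.get("components", []):
        origin = classify(comp, first_party_suppliers)
        report[origin].append(comp["name"])
        if origin == "third-party":
            if is_open_source(comp):
                report["open-source"].append(comp["name"])
            # Accuracy check: a third-party entry needs an identity (purl) and a version.
            if not (comp.get("purl") and comp.get("version")):
                report["incomplete"].append(comp["name"])
    return report


if __name__ == "__main__":
    for bucket, names in inventory_report(SAMPLE_SBOM, FIRST_PARTY_SUPPLIERS).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The point of the split is that "open-source" is a subset of "third-party", never a sibling bucket: a component is either built by the organisation or it is not, and the open source question only changes how a third-party component is assessed, not whether it belongs in the inventory.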