assessedElement to target SoftwareArtifact instead of Element

Question

assessedElement to target SoftwareArtifact instead of Element

Closed this issue a month ago · 5 comments

ilans commented 2 months ago

From /Security/assessedElement:
"Specifies subpackages, files or snippets ..."

If it's limited to only packages, files and snippets then why its target is Element and not SoftwareArtifact?

Package, File and Snippet are the only subclasses of SoftwareArtifact.

Answer 1 · 2024-11-14T17:46:48.000Z

I think the target should be /Core/Artifact.

Since in the future we might have security info for other, non-software artifacts.

Answer 2 · 2024-11-14T19:42:54.000Z

Note - that if we make this more restrictive, it will be a breaking change, so this will have to be in either 3.0.1 or 4.0.

Answer 3 · 2024-11-14T19:44:43.000Z

Having it as Element is going to provide more flexibility for future profiles. Ok to discuss further but at this point it's going to 4.0 related change.

For instance, we could have an assessedElement on a Role or Relationship type which are not artifacts.

Answer 4 · 2024-11-14T19:46:20.000Z

Removing the milestone until this is discussed.

Answer 5 · 2024-12-03T17:55:28.000Z

Discussed on tech call 2024-12-03:

We want to allow the future relationship to hardware - propose Artifact rather than SoftwareArtifact
Going from more restrictive to less restrictive would not be a breaking change, so we could restrict to SoftwareArtifact today and add HardwareArtifact in 3.1 without it being a breaking change
Requirement don't block the hardware profile
Requirement that we don't block functional safety
In general, don't block any other future profiles
Propose: Go with more restrictive now, relax the restrictions with the new profiles - this won't be breaking changes, so we meet the requirements
Specific change is to change range from "Element" to "SoftwareArtifact"