Commit a13359d7 authored by Santeri Toikka's avatar Santeri Toikka

Removed freely-usable scanner from the requirements

Closes #163
parent 10e06986
+7 −6
@@ -108,15 +108,16 @@ If the deliverable contains or requires an operating system the operating system
Depending on the chosen delivery method, the maintenance of the operating system can be provided by the customer of the product.
Note that a container has always an operating system.

If automateable and freely-usable vulnerability scanners are available the product shall satisfy the following with respect to the most comprehensive of such scanners.
If automateable vulnerability scanners are available the product shall satisfy the following with respect to the most comprehensive of such scanners.

- **[REQ-EXPLOIT-0a]** The product shall have no vulnerabilities discovered by scans.
- **[REQ-EXPLOIT-0b]** The product shall have only discoverable vulnerabilities whose age is consistent with how long vulnerabilities may go unfixed after public disclosure.
- **[REQ-EXPLOIT-0c]** For each detected exploitable vulnerability, the product shall have the risk mitigated.
- **[REQ-EXPLOIT-0d]** The used vulnerability scanner shall be fit for the purpose in detail, method and depth.

Recognising that there may be vulnerabilities discovered between the time that a product is placed on the market and the time of that product's first use, and that the product should be free from known exploitable vulnerabilities both when first made available and when first used by the system user.
<mark>[REQ-EXPLOIT-0d] assesment: document the type, version, etc. in the assesment. Let the MSA decide. Tangled with the SBOM immaturity.</mark>

<mark>Turn this into product specific requirement without the docs</mark>
Recognising that there may be vulnerabilities discovered between the time that a product is placed on the market and the time of that product's first use, and that the product should be free from known exploitable vulnerabilities both when first made available and when first used by the system user.

-   **[REQ-EXPLOIT-1a]** The product shall be securely updated.
-   **[REQ-EXPLOIT-1b]** The product shall be securely updated as part of first use.
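Review bot: the new [REQ-EXPLOIT-0d] line states no criterion for deciding that a scanner is "fit for the purpose in detail, method and depth", and the `<mark>` note directly below it concedes that the decision is left to the MSA; state in the requirement what the assessment must record (the note itself names scanner type and version) so that 0d can be checked, and fix "assesment" in that note before merging. Dropping "freely-usable" from the condition line also widens it to any automateable scanner, commercial ones included, so the text should say who is expected to have access to the "most comprehensive of such scanners"; without that, 0a to 0c cannot be verified against a scanner the assessor cannot run. Finally, the two `<mark>` notes and the relocated "Recognising that ..." sentence (still a subordinate clause with no main clause) read as open editorial TODOs inside normative text; either resolve them in this change or track them in a follow-up issue rather than merging them into the requirements.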