Initial commit

2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions
--- a/skills/appsec/sca-blackduck/assets/policy_templates/security_policy.json
+++ b/skills/appsec/sca-blackduck/assets/policy_templates/security_policy.json
@@ -0,0 +1,182 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema#",
+  "title": "Black Duck Security Policy",
+  "description": "Default security policy for Black Duck SCA scanning",
+  "version": "1.0.0",
+
+  "vulnerability_thresholds": {
+    "description": "Maximum allowed vulnerabilities by severity",
+    "critical": {
+      "max_count": 0,
+      "action": "fail",
+      "description": "No critical vulnerabilities allowed"
+    },
+    "high": {
+      "max_count": 0,
+      "action": "fail",
+      "description": "No high severity vulnerabilities allowed"
+    },
+    "medium": {
+      "max_count": 10,
+      "action": "warn",
+      "description": "Up to 10 medium severity vulnerabilities allowed with warning"
+    },
+    "low": {
+      "max_count": 50,
+      "action": "info",
+      "description": "Up to 50 low severity vulnerabilities allowed"
+    }
+  },
+
+  "cvss_thresholds": {
+    "description": "CVSS score-based policy",
+    "max_cvss_score": 7.0,
+    "fail_on_exploitable": true,
+    "require_exploit_available": false
+  },
+
+  "license_policy": {
+    "description": "License compliance rules",
+    "blocklist": [
+      {
+        "license": "GPL-2.0",
+        "reason": "Strong copyleft incompatible with commercial software",
+        "action": "fail"
+      },
+      {
+        "license": "GPL-3.0",
+        "reason": "Strong copyleft incompatible with commercial software",
+        "action": "fail"
+      },
+      {
+        "license": "AGPL-3.0",
+        "reason": "Network copyleft triggers on SaaS usage",
+        "action": "fail"
+      }
+    ],
+    "warning_list": [
+      {
+        "license": "LGPL-2.1",
+        "reason": "Weak copyleft - verify dynamic linking",
+        "action": "warn"
+      },
+      {
+        "license": "LGPL-3.0",
+        "reason": "Weak copyleft - verify dynamic linking",
+        "action": "warn"
+      },
+      {
+        "license": "MPL-2.0",
+        "reason": "File-level copyleft - verify separation",
+        "action": "warn"
+      }
+    ],
+    "approved_list": [
+      "MIT",
+      "Apache-2.0",
+      "BSD-2-Clause",
+      "BSD-3-Clause",
+      "ISC",
+      "0BSD",
+      "CC0-1.0",
+      "Unlicense"
+    ],
+    "require_approval_for_new_licenses": true,
+    "fail_on_unknown_license": true
+  },
+
+  "component_policy": {
+    "description": "Component usage and quality rules",
+    "blocklist": [
+      {
+        "name": "event-stream",
+        "version": "3.3.6",
+        "reason": "Known malicious version with cryptocurrency stealer",
+        "action": "fail"
+      }
+    ],
+    "quality_requirements": {
+      "min_github_stars": 10,
+      "min_contributors": 2,
+      "max_age_days": 1095,
+      "require_active_maintenance": true,
+      "max_days_since_update": 730,
+      "fail_on_deprecated": true,
+      "fail_on_unmaintained": false
+    }
+  },
+
+  "operational_risk": {
+    "description": "Supply chain and operational risk policies",
+    "fail_on_unmaintained": false,
+    "max_days_inactive": 730,
+    "require_repository_url": true,
+    "warn_on_single_maintainer": true,
+    "fail_on_no_repository": false
+  },
+
+  "sbom_requirements": {
+    "description": "Software Bill of Materials requirements",
+    "require_sbom_generation": true,
+    "sbom_format": "CycloneDX",
+    "sbom_version": "1.4",
+    "include_transitive_dependencies": true,
+    "include_license_info": true
+  },
+
+  "compliance_requirements": {
+    "description": "Regulatory compliance mappings",
+    "frameworks": [
+      "SOC2",
+      "PCI-DSS",
+      "GDPR",
+      "HIPAA"
+    ],
+    "require_vulnerability_tracking": true,
+    "require_remediation_timeline": true,
+    "max_remediation_days": {
+      "critical": 7,
+      "high": 30,
+      "medium": 90,
+      "low": 180
+    }
+  },
+
+  "exclusions": {
+    "description": "Global exclusions and exceptions",
+    "paths": [
+      "test/**",
+      "tests/**",
+      "**/test/**",
+      "**/__tests__/**",
+      "**/*.test.js",
+      "**/*.spec.js",
+      "node_modules/**/.bin/**"
+    ],
+    "dev_dependencies": {
+      "exclude_from_production_scan": true,
+      "apply_relaxed_policy": true
+    }
+  },
+
+  "notification_settings": {
+    "description": "Alert and notification configuration",
+    "notify_on_new_vulnerabilities": true,
+    "notify_on_policy_violation": true,
+    "notify_on_license_violation": true,
+    "notification_channels": [
+      "email",
+      "slack",
+      "jira"
+    ]
+  },
+
+  "remediation_guidance": {
+    "description": "Remediation policy and guidance",
+    "auto_create_tickets": true,
+    "ticket_system": "jira",
+    "assign_to_component_owner": true,
+    "require_risk_acceptance_approval": true,
+    "max_risk_acceptance_duration_days": 90
+  }
+}