{ "$schema": "https://json-schema.org/draft-07/schema#", "title": "Black Duck Security Policy", "description": "Default security policy for Black Duck SCA scanning", "version": "1.0.0", "vulnerability_thresholds": { "description": "Maximum allowed vulnerabilities by severity", "critical": { "max_count": 0, "action": "fail", "description": "No critical vulnerabilities allowed" }, "high": { "max_count": 0, "action": "fail", "description": "No high severity vulnerabilities allowed" }, "medium": { "max_count": 10, "action": "warn", "description": "Up to 10 medium severity vulnerabilities allowed with warning" }, "low": { "max_count": 50, "action": "info", "description": "Up to 50 low severity vulnerabilities allowed" } }, "cvss_thresholds": { "description": "CVSS score-based policy", "max_cvss_score": 7.0, "fail_on_exploitable": true, "require_exploit_available": false }, "license_policy": { "description": "License compliance rules", "blocklist": [ { "license": "GPL-2.0", "reason": "Strong copyleft incompatible with commercial software", "action": "fail" }, { "license": "GPL-3.0", "reason": "Strong copyleft incompatible with commercial software", "action": "fail" }, { "license": "AGPL-3.0", "reason": "Network copyleft triggers on SaaS usage", "action": "fail" } ], "warning_list": [ { "license": "LGPL-2.1", "reason": "Weak copyleft - verify the library is only dynamically linked", "action": "warn" }, { "license": "LGPL-3.0", "reason": "Weak copyleft - verify the library is only dynamically linked", "action": "warn" }, { "license": "MPL-2.0", "reason": "File-level copyleft - verify MPL-covered files are kept separate from proprietary code", "action": "warn" } ], "approved_list": [ "MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "0BSD", "CC0-1.0", "Unlicense" ], "require_approval_for_new_licenses": true, "fail_on_unknown_license": true }, "component_policy": { "description": "Component usage and quality rules", "blocklist": [ { "name": "event-stream", "version": "3.3.6", "reason": "Known malicious version containing a cryptocurrency stealer", "action": "fail" 
} ], "quality_requirements": { "min_github_stars": 10, "min_contributors": 2, "max_age_days": 1095, "require_active_maintenance": true, "max_days_since_update": 730, "fail_on_deprecated": true, "fail_on_unmaintained": false } }, "operational_risk": { "description": "Supply chain and operational risk policies", "fail_on_unmaintained": false, "max_days_inactive": 730, "require_repository_url": true, "warn_on_single_maintainer": true, "fail_on_no_repository": false }, "sbom_requirements": { "description": "Software Bill of Materials requirements", "require_sbom_generation": true, "sbom_format": "CycloneDX", "sbom_version": "1.4", "include_transitive_dependencies": true, "include_license_info": true }, "compliance_requirements": { "description": "Regulatory compliance mappings", "frameworks": [ "SOC2", "PCI-DSS", "GDPR", "HIPAA" ], "require_vulnerability_tracking": true, "require_remediation_timeline": true, "max_remediation_days": { "critical": 7, "high": 30, "medium": 90, "low": 180 } }, "exclusions": { "description": "Global exclusions and exceptions", "paths": [ "test/**", "tests/**", "**/test/**", "**/__tests__/**", "**/*.test.js", "**/*.spec.js", "node_modules/**/.bin/**" ], "dev_dependencies": { "exclude_from_production_scan": true, "apply_relaxed_policy": true } }, "notification_settings": { "description": "Alert and notification configuration", "notify_on_new_vulnerabilities": true, "notify_on_policy_violation": true, "notify_on_license_violation": true, "notification_channels": [ "email", "slack", "jira" ] }, "remediation_guidance": { "description": "Remediation policy and guidance", "auto_create_tickets": true, "ticket_system": "jira", "assign_to_component_owner": true, "require_risk_acceptance_approval": true, "max_risk_acceptance_duration_days": 90 } }