Add properties required by FDA certification #104
Comments
|
Is this not covered already? |
|
No, it's required to provide the level of support and justification both for level of support and the end of support date. Probably, we can extend cdx:lifecycle instead of declaring new fda:lifecycle like cdx:lifecycle:suportLevel |
|
Is there a definition of support level? See also: Common Lifecycle Enumeration. |
|
No, there is no formal definition or additional guidance from the FDA on this. That's why including a justification field alongside the support level is beneficial. It allows vendors to apply their own criteria (for example, using the OSSF Scorecard's 'Maintained' score). The Common Lifecycle Enumeration currently covers different use-cases and is not well-suited for describing the support levels of dependencies, especially OSS one. |
FDA requires (https://www.fda.gov/media/119933/download) suppliers to provide two additional attributes:
"
software component manufacturer (e.g., the software is actively maintained, no longer
maintained, abandoned); and
"
It would be beneficial to create taxonomy containing 4 additional attributes to meet this requirement:
fda:lifecycle:suport_level
fda:lifecycle:suport_level_comment
fda:lifecycle:end_of_support
fda:lifecycle:end_of_support_comment
The comment attributes are required to provide the justification for the provided attributes or the conducted effort description if those attributes were not detected
The text was updated successfully, but these errors were encountered: