# V6 Pedigree and Provenance ## Control Objective Identify point of origin and chain of custody in order to manage system risk if either point of origin or chain of custody is compromised. For internal package managers and repositories it is important to maintain pedigree and provenance data for imported components. ## Verification Requirements | # | Description | L1 | L2 | L3 | | :-----: | -------------------------------------------------------------------------------------------------- | :-: | :-: | :-: | | **6.1** | Point of origin is verifiable for source code and binary components | | ✓ | ✓ | | **6.2** | Chain of custody if auditable for source code and binary components | | | ✓ | | **6.3** | Provenance of modified components is known and documented | ✓ | ✓ | ✓ | | **6.4** | Pedigree of component modification is documented and verifiable | | ✓ | ✓ | | **6.5** | Modified components are uniquely identified and distinct from origin component | | ✓ | ✓ | | **6.6** | Modified components are analyzed with the same level of precision as unmodified components | ✓ | ✓ | ✓ | | **6.7** | Risk unique to modified components can be analyzed and associated specifically to modified variant | ✓ | ✓ | ✓ | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://owasp-scvs.gitbook.io/scvs/v6-pedigree-and-provenance.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.