Resolve TT-CONSTRUCTION Feedback (#23)

* Moving changes from json to inc_nlohmann_json

* Added checklist and evidence for TA-RELEASES

* Worked through TA-Iterations checklist and evidence

* added checklist and evidence for TA-TESTS

* fix smaller details

* Update TSF/trustable/assertions/TA-ITERATIONS_CONTEXT.md

Co-authored-by: Erik Hu <erik.hu@d-fine.com>
Signed-off-by: Luca Füger <luca.fueger@d-fine.com>

* Update TSF/trustable/assertions/TA-ITERATIONS_CONTEXT.md

Co-authored-by: Erik Hu <erik.hu@d-fine.com>
Signed-off-by: Luca Füger <luca.fueger@d-fine.com>

* Update TSF/trustable/assertions/TA-RELEASES_CONTEXT.md

Co-authored-by: Erik Hu <erik.hu@d-fine.com>
Signed-off-by: Luca Füger <luca.fueger@d-fine.com>

* resolved "binary" checklist points

* Added JLS-52

* added references for newly created JLS-52

* Update TSF/trustable/statements/JLS-52.md

Co-authored-by: Erik Hu <erik.hu@d-fine.com>
Signed-off-by: Luca Füger <luca.fueger@d-fine.com>

* added verbose file reference to JLS-51

* Update TSF/trustable/statements/JLS-51.md

Co-authored-by: Erik Hu <erik.hu@d-fine.com>
Signed-off-by: Luca Füger <luca.fueger@d-fine.com>

* deleted AOU-08 checklist references

* added JLS-51 link to TA-ITERATIONS, removed link to TA-RELEASES

* deleted JLS-21 including its links

* deleted JLS-21

* removed link TA-ITERATIONS -> JLS-51

* filled in JLS-53

* comments

* added TA-Releases checklist answer

* changed target to target_seconds

* Update TSF/trustable/assertions/TA-RELEASES_CONTEXT.md

Signed-off-by: Luca Füger <luca.fueger@d-fine.com>

* fixes for JLS-16

* adapted JLS-53 formulation

* fix for JLS-16

* Added item reference to JLS-53

* Update TA-RELEASES_CONTEXT.md

Signed-off-by: halnasri <hatem.alnasri@d-fine.com>

* created further statements

* Update TSF/trustable/statements/JLS-61.md

Co-authored-by: Erik Hu <erik.hu@d-fine.com>
Signed-off-by: LucaFue <luca.fueger@d-fine.de>

* Update TSF/trustable/statements/JLS-61.md

Co-authored-by: Erik Hu <erik.hu@d-fine.com>
Signed-off-by: LucaFue <luca.fueger@d-fine.de>

* Update TSF/trustable/statements/JLS-61.md

Co-authored-by: Erik Hu <erik.hu@d-fine.com>
Signed-off-by: LucaFue <luca.fueger@d-fine.de>

* Update TSF/trustable/statements/JLS-61.md

Co-authored-by: Erik Hu <erik.hu@d-fine.com>
Signed-off-by: LucaFue <luca.fueger@d-fine.de>

* added link from JLS-53 to JLS-14 and restructured JLS-52

* Provided evidence for JLS-63

* changed JLS-52, JLS-64 and JLS-65 formulation

* smaller changes

* Added references to JLS-65

* changed JLS-63 reference types

* ...

* completed JLS-64

* adding response time validator to JLS-64

* specifying remaining TODOs

* Specify remaining work #2

* deleted JLS-66

* reworked JLS-62 and deleted 46 and 66

* adapted TA-TESTS_CONTEXT

* fixed JLS-62

* Update TSF/trustable/assertions/TA-RELEASES_CONTEXT.md

Co-authored-by: Erik Hu <erik.hu@d-fine.com>
Signed-off-by: LucaFue <luca.fueger@d-fine.de>

* Update TSF/trustable/assertions/TA-RELEASES_CONTEXT.md

Co-authored-by: Erik Hu <erik.hu@d-fine.com>
Signed-off-by: LucaFue <luca.fueger@d-fine.de>

* Update TSF/trustable/statements/JLS-16.md

Co-authored-by: Erik Hu <erik.hu@d-fine.com>
Signed-off-by: LucaFue <luca.fueger@d-fine.de>

* added non_reproducible_tests and its reference to JLS-62

---------

Signed-off-by: Luca Füger <luca.fueger@d-fine.com>
Signed-off-by: halnasri <hatem.alnasri@d-fine.com>
Signed-off-by: LucaFue <luca.fueger@d-fine.de>
Co-authored-by: LucaFgr <luca.fueger@d-fine.com>
Co-authored-by: halnasri <hatem.alnasri@d-fine.com>
Co-authored-by: LucaFue <luca.fueger@d-fine.de>

Author: 4 people

.dotstop.dot

@@ -53,7 +53,6 @@ digraph G {
 "JLS-18" [sha="58788ef0ea0b9fba710e806de3f255da6c12fbbd12fa7edad07e65c2dbdedf94"];
 "JLS-19" [sha=ac20a2570ed1ca6c0d93ad40f6d93cbac24648b73c144fcb7c92e65ebd2ef411];
 "JLS-20" [sha="33dc0295a6524876c9b641b6ce685c1ddc90f01d780fb76d449c01b51fdc042a"];
-"JLS-21" [sha="742c39b2ba811494cd8cb40199c9a8a0c22c2b29650d6b2e546c21f7bce50ceb"];
 "JLS-22" [sha="252e58151a45b158bae379ceb08aadb6e587e505aac67f2ecc18e43040a1d1de"];
 "JLS-23" [sha=cfd7cb4aa93fbb758807ffe106f96e7b82327ab4d758e69e1f62196c3bc86bd2];
 "JLS-24" [sha=b16224d3ab676c00b313ae91760072d92aed9f20da99b363621effa3e033e012];
@@ -70,11 +69,20 @@ digraph G {
 "JLS-35" [sha="b11006d1d5708c3aba84d4f06834ad965d6aebde8619306389a4f8fa655b2dcf"];
 "JLS-36" [sha="1a9abf2ab101af32cc6490d9ed5218df96a06b31cc2aeaff07f769ebf4ba98bb"];
 "JLS-37" [sha="fb19166fd1d71acbe8a852fd1bfced3874efdc687cbf95b03f3201a722fdef8f"];
+"JLS-38" [sha="a7ab6cc546e4c9c02c6dc479b8fff29ef6f5be5459185daac4ad1117b2845115"];
 "JLS-40" [sha="8a6c2a7c6888f0c13fc4045535125d90a4866858e40ac11910f05eace9ff179a"];
 "JLS-41" [sha="f7cc07fd06ed4605d4207a5f59d60f8b7da48152c76b94132e4ad80a4512975a"];
 "JLS-42" [sha="d90e0a0d85a952868a794945a7ecfb0217202752ccb97bc0a6e4724700fd20b8"];
 "JLS-43" [sha="ab3f0247c96f064628d255d44c63be9a50cbee11ca64432b5f0181e55347e5a2"];
 "JLS-44" [sha="3cc7206ec555271d1f369cb1c7ebf3753d32e9fc9be2d0aead5bb5e0e5472375"];
+"JLS-51" [sha="190e17d59795c9ed3b25a0a8bf57497de1e0d06ab90b3f6ba47b543c95edea43"];
+"JLS-52" [sha="8539f924c31974a2722615d2410a25336a5d6a9f399f16dc485be83f7f87a5ff"];
+"JLS-53" [sha="d9f7e732e34b0ec79305dde4c5b3d60906559ef1d90bc3ce2906e28a90293844"];
+"JLS-61" [sha="151f1cda2384ae4935d29d300c3424bca710378fa3689bbcff69b06dc86bb692"];
+"JLS-62" [sha="60848232c2989d0282b64792d7da7a57c04ff368d2ac9deae09c3743251dfc79"];
+"JLS-63" [sha="2b50e79c3b43c6815b5dc15c7909ce5fb513e98fadb28ddfa40938f20f5d0427"];
+"JLS-64" [sha="40f1382c156e308ee543c30df4dc7eb457ac14d472909c30eb6caae9a3bc1d68"];
+"JLS-65" [sha="e413de6c831c1c019c67c3e3477b9dc9302cc79433ec894beaee0c95e053b545"];
 "NJF-01" [sha="548dc86014e093974f68660942daa231271496a471885bbed092a375b3079bd8"];
 "NJF-02" [sha="6ea015646d696e3f014390ff41612eab66ac940f20cf27ce933cbadf8482d526"];
 "NJF-03" [sha="4bd1f8210b7bba9a248055a437f377d9da0b7576c5e3ed053606cf8b5b2febe3"];
@@ -280,6 +288,10 @@ digraph G {
 "JLS-24" -> "TIJ-04" [sha="13e8b6b8802b2caccdf3ce89dbb6fbb645688888e886eea3937643e7b0479a24"];
 "JLS-24" -> "TIJ-05" [sha="75980155c182dcaa3298cf2fd6cd8d328d31ae081c78e300cc75a51b0136ceff"];
 "JLS-24" -> "TIJ-06" [sha="9a1ac607f2051801a39ddab325cb6bbcbc178abebfa8e1e6397c12cec99d531b"];
+"JLS-52" -> "JLS-63" [sha="401dd468ee10f09243ca6ffea285cbc081f90c1fed07538e5c1751fd907d5642"];
+"JLS-52" -> "JLS-64" [sha="320157c79743b91d80a467bee3eaf7727f224a2d18443778f07c5b2e02f6e4e6"];
+"JLS-52" -> "JLS-65" [sha="3e2689fb2c8227a097d218eb36d593d05e3262a7e9249bf1e37a58d543cbf4cc"];
+"JLS-53" -> "JLS-14" [sha="5413119c3a940215ef3ea606df4e0d56340c4ae8c4753b4b681584c3eca871b3"];
 "NJF-05" -> "NJF-05.1" [sha="05348afa175a4660f04bc0ac52fb14753af07acc3f62bb6a5309bbf9114a2110"];
 "NJF-05" -> "NJF-05.2" [sha="a78527f08dba706b3ac22d9721f746f687ad81dfc9df5a7700625c7ff964b0f1"];
 "NJF-05" -> "NJF-05.3" [sha="79b6420d97afeaf3838359a84be73b6c9d21f1e8c78ef9ef2cc6619d35e198f3"];
@@ -383,10 +395,10 @@ digraph G {
 "TA-BEHAVIOURS" -> "JLEX-01" [sha="8cd931ef61b7012140344adf54469e943bfc690ee54f12db12777464880061db"];
 "TA-BEHAVIOURS" -> "JLEX-02" [sha=cb26451e31a56b1eb51a4d45283ba4a7c6e898efbd045b59cba10d3c6aa093de];
 "TA-BEHAVIOURS" -> "JLS-03" [sha=cf9211c07452914cb2d0b455f859b26cb2724423eae5187e8cbfdff06d1b5ba3];
+"TA-BEHAVIOURS" -> "JLS-27" [sha="880ec996ed026258b58299c356aab7d02652ae55cbf1f98494e2a7770fd96275"];
 "TA-CONFIDENCE" -> "JLS-08" [sha="506164051180023c8533ea1f6dedf1bad894c3ee6020ff16b002e33b109c2791"];
 "TA-CONFIDENCE" -> "JLS-09" [sha="80bbde95fc14f89acf3dad10b3831bc751943fe4a1d79d5cbf4702416c27530f"];
 "TA-CONFIDENCE" -> "JLS-20" [sha="1bfd214ab8186a3c095262ae503451b8d71ada8db5b13ecc7b906739a05bc102"];
-"TA-BEHAVIOURS" -> "JLS-27" [sha="880ec996ed026258b58299c356aab7d02652ae55cbf1f98494e2a7770fd96275"];
 "TA-CONFIDENCE" -> "JLS-37" [sha="b8294c05b686be5c608685b6077af39aabebda04acc465720695595582dcc041"];
 "TA-CONSTRAINTS" -> "AOU-04" [sha="9466008edc5257d5d6ad6cae05eadbd7e6c63ed10f45f9bbe9166dc5af5db294"];
 "TA-CONSTRAINTS" -> "AOU-05" [sha="ead38077bd84ce52bc7ce9ab1be36ef6d1b62aa7bd30b2a5d5eea3aedfe9da3c"];
@@ -427,6 +439,7 @@ digraph G {
 "TA-INPUTS" -> "JLS-04" [sha="262db6d430e99ef3a23645c93a1cc5bda1270ceba90b4d8cccb40b1eb85e9860"];
 "TA-ITERATIONS" -> "JLS-10" [sha="6e77b132d4159d65e261e90466537dbf44edc643b44c0671b8c40b994ef08590"];
 "TA-ITERATIONS" -> "JLS-19" [sha="9bc13b823f8b49d742b92a8aaf18b8aeb2bb9b0749f4b6dead241af85aea876c"];
+"TA-ITERATIONS" -> "JLS-52" [sha="dfaf17f274e79e1653479ac2e7663c2bf45fbe56ba43fd71fa435b2d6c004790"];
 "TA-METHODOLOGIES" -> "JLS-13" [sha="4e2fb7871a608c98d11b10f4ca4391d69b360419c6a9e1baf7cb40b980fc9e94"];
 "TA-METHODOLOGIES" -> "JLS-36" [sha="bb56d3a2aa32b55d9158cd606172b8c4a5b7605acc703f5aca1ecdd37fc6a65a"];
 "TA-METHODOLOGIES" -> "JLS-40" [sha="af896a265a2ef24e341ff11d722aaf863ccc7c789bf90ebeb9a4e33ddabfd727"];
@@ -439,9 +452,12 @@ digraph G {
 "TA-MISBEHAVIOURS" -> "JLS-25" [sha="56ba396580f90e5a10fd5adfe33864921537d47e21b215a8faf531855af40ecd"];
 "TA-MISBEHAVIOURS" -> "JLS-31" [sha="ff3352e20146a81904da6d8d94b003b4e0acbc2a8a63a73ea017ea0535e45e79"];
 "TA-RELEASES" -> "JLS-14" [sha="1202b9934353436fba927de6762cf62a8fc23ab0815a3c06f9d0a77b55830720"];
-"TA-RELEASES" -> "JLS-21" [sha="5d57d2b547a841bb31f29034b785d9bec1ffb0e495d80e0e356a54391aa22e1b"];
+"TA-RELEASES" -> "JLS-38" [sha="ed0d250c8c191ac4fc03712a321bf399d26e932edabb13067fbcffae1640cb90"];
+"TA-RELEASES" -> "JLS-10" [sha="33c316a9040c7d27c830ca453e39d3bb423acf42e14d1d561c952291ba66078b"];
+"TA-RELEASES" -> "JLS-19" [sha="8a27c1bc1f723c0973236c41a6fe6067791477919375be09c64df77808e3af97"];
 "TA-SUPPLY_CHAIN" -> "JLS-23" [sha=fe2b810e22c4da9911266183bc8679a56d8dd2d5a76624cd1f3ee329d9b93a08];
 "TA-TESTS" -> "JLS-16" [sha=a4143b13d9ae2553534457603bdca9beb6cca0ee5b8b9bae50cefa97d2519702];
+"TA-TESTS" -> "JLS-02" [sha="e99cf5b009b3cdc149edc81b3454dddfaf69ab10f80e70ce698bcfb823b5fbd1"];
 "TA-UPDATES" -> "JLS-06" [sha="7386ba4dfdca14a2b0c73b6b759ddeee66e0196f164322d552c2867e5c7a4b96"];
 "TA-UPDATES" -> "JLS-07" [sha="9256bec79e828b44dd12d4298483bbab7ab24a1eb542c133ee5392ee5829cb7f"];
 "TA-UPDATES" -> "JLS-12" [sha="45b7cf8eebee7a35ba39b3f990cefe3cbfd79c5f74415c5321026d64d89f5703"];

TSF/docs/non_reproducible_tests.md

@@ -0,0 +1,120 @@
+# Non-Reproducible Tests in nlohmann/json
+
+## Overview
+
+The nlohmann/json test suite includes 8 CMake integration tests (comprising 10 individual test executions) that are labeled as `not_reproducible`. These tests verify different methods of consuming the library in CMake-based projects but create build artifacts with timestamps and cached state that prevent bit-for-bit reproducible builds.
+
+The non-reproducibility of all these tests is reasonable and justified.
+
+These can be identified and found by searching for "LABELS not_reproducible" in the project.
+
+## The 8 Non-Reproducible CMake Integration Tests
+
+### 1. cmake_import (2 tests)
+
+**Location:** `tests/cmake_import/`
+
+**Test Names:**
+- `cmake_import_configure`
+- `cmake_import_build`
+
+**What it tests:**
+Verifies that the library can be found and used via CMake's `find_package(nlohmann_json)` mechanism after installation. This simulates how end users would consume an installed version of the library.
+
+**Why non-reproducible:**
+- Requires `JSON_Install=ON` to generate CMake config files (`nlohmann_jsonConfig.cmake`)
+- Uses `find_package()` which searches for and reads installed CMake configuration files
+- Generates CMakeCache.txt with absolute paths and timestamps in the test build directory
+- Creates compiled executables (`with_namespace_target`, `without_namespace_target`) with timestamps
+- Multiple runs produce different timestamps on all generated artifacts
+
+---
+
+### 2. cmake_import_minver (2 tests)
+
+**Location:** `tests/cmake_import_minver/`
+
+**Test Names:**
+- `cmake_import_minver_configure`
+- `cmake_import_minver_build`
+
+**What it tests:**
+Similar to `cmake_import`, but specifically tests that CMake's version constraint mechanism works correctly with `find_package(nlohmann_json 3.2.0 REQUIRED)`. Ensures the library properly declares its version in the CMake config files.
+
+**Why non-reproducible:**
+- Same reasons as `cmake_import`
+- Additionally verifies version metadata in generated config files
+- Creates timestamped build artifacts and CMake cache files
+
+---
+
+### 3. cmake_add_subdirectory (2 tests)
+
+**Location:** `tests/cmake_add_subdirectory/`
+
+**Test Names:**
+- `cmake_add_subdirectory_configure`
+- `cmake_add_subdirectory_build`
+
+**What it tests:**
+Verifies that the library can be embedded directly into a CMake project using `add_subdirectory()`. This is the most common integration method for projects that vendor their dependencies.
+
+**Why non-reproducible:**
+- Runs a nested CMake configuration in an isolated test directory
+- Generates CMakeCache.txt with absolute source/binary paths and timestamps
+- Builds multiple executables (`with_namespace_target`, `without_namespace_target`, `without_exceptions`)
+- Each build creates object files, executables with embedded timestamps
+- Subsequent runs create new artifacts with different timestamps
+- CMake's incremental build cache persists between runs, causing different behavior
+
+---
+
+### 4. cmake_target_include_directories (2 tests)
+
+**Location:** `tests/cmake_target_include_directories/`
+
+**Test Names:**
+- `cmake_target_include_directories_configure`
+- `cmake_target_include_directories_build`
+
+**What it tests:**
+Verifies that the library headers can be used via direct `target_include_directories()` calls with both `PRIVATE` and `SYSTEM` variants. Also tests a specific regression from [discussion #2281](https://github.com/nlohmann/json/discussions/2281) regarding transitive include directories.
+
+**Why non-reproducible:**
+- Creates a full CMake build with libraries (Foo, Bar) and executables
+- Generates CMakeCache.txt with absolute paths to source includes
+- All compiled artifacts have timestamps
+- Static libraries and executables accumulate with different modification times on each run
+
+---
+
+## Assertions and Reproducibility
+
+Additionally, the nlohmann/json README notes that **assertions must be disabled** for fully reproducible builds (see [discussion #4494](https://github.com/nlohmann/json/discussions/4494)). This is because:
+
+- Assertions often use `__FILE__` which embeds absolute source paths
+- Different build machines have different paths
+- This embeds environment-specific information into binaries
+
+To ensure reproducible builds, compile with:
+```bash
+cmake -DCMAKE_BUILD_TYPE=Release  # Typically defines NDEBUG
+# or explicitly:
+cmake -DCMAKE_CXX_FLAGS="-DNDEBUG"
+```
+
+## Running Reproducible Tests Only
+
+To run only reproducible tests:
+```bash
+# Exclude non-reproducible tests
+ctest -LE not_reproducible
+
+# Exclude both non-reproducible and git-required tests
+ctest -LE "not_reproducible|git_required"
+```
+
+The project has a dedicated CI target that automatically excludes these tests:
+```bash
+cmake --build build --target ci_reproducible_tests
+```

TSF/trustable/assertions/TA-ITERATIONS_CONTEXT.md

@@ -35,21 +35,21 @@ For releases, additional documentation should summarise all changes across the i
 
 - list of components with source
   - source code
-    - **Answer**: 
+    - **Answer**: Provided by JLS-10.
   - build instructions
-    - **Answer**: 
+    - **Answer**: Provided by JLS-10.
   - test code
-    - **Answer**: 
+    - **Answer**: Provided by JLS-10.
   - test results summary
-    - **Answer**: 
+    - **Answer**: Provided by JLS-10.
   - attestations
-    - **Answer**: 
+    - **Answer**: Provided by JLS-52.
 
 - list of components where source code is not available
   - risk analysis
-    - **Answer**: 
+    - **Answer**: There are no components without source code within this project.
   - attestations
-    - **Answer**: 
+    - **Answer**: There are no components without source code within this project.
 
 **Confidence scoring**
 
@@ -63,16 +63,16 @@ Confidence scoring for TA-ITERATIONS based on
 
 - How much of the software is provided as binary only, expressed as a
   fraction of the BoM list?
-  - **Answer**: 
+  - **Answer**: 0% is provided as binary only. The entire library consists of source code in the form of a single C++ header file.
 - How much is binary, expressed as a fraction of the total storage footprint?
-  - **Answer**: 
+  - **Answer**: 0% is provided as binary. The entire library consists of source code in the form of a single C++ header file.
 - For binaries, what claims are being made and how confident are we in the
   people/organisations making the claims?
-  - **Answer**: 
+  - **Answer**: 0% is provided as binary. The entire library consists of source code in the form of a single C++ header file.
 - For third-party source code, what claims are we making, and how confident
   are we about these claims?
-  - **Answer**: 
+  - **Answer**: The nlohmann/json library has no external dependencies/accesses to third party source code, as stated in JLS-34.
 - For software developed by us, what claims are we making, and how confident
   are we about these claims?
-  - **Answer**:
+  - **Answer**: There is no software developed by us, as we just use the original nlohmann/json library within eclipse_score/inc_nlohmann_json. For the code developed in nlohmann/json, all claims and confidence are provided in the statements. See e.g., all the no-json-faults (NJF) items.
 

TSF/trustable/assertions/TA-RELEASES_CONTEXT.md

@@ -39,16 +39,16 @@ to TT-RESULTS analysis.
 **Evidence**
 
 - list of reproducible SHAs
-  - **Answer**: 
+  - **Answer**: JLS-14 ensures that the SHA value of the nlohmann/json library used within eclipse-score/inc_nlohmann_json coincides with the SHA value provided by Niels Lohmann (for the same version).
 - list of non-reproducible elements with:
   - explanation and justification
-    - **Answer**: 
+    - **Answer**: The only elements which are not reproducible are 8 CMake integration tests. The list of these, together with explanation and justification, is provided in TSF/docs/non_reproducible_tests.md.
   - details of what is not reproducible
-    - **Answer**: 
+    - **Answer**: The only elements which are not reproducible are 8 CMake integration tests. The list of these, together with explanation and justification, is provided in TSF/docs/non_reproducible_tests.md.
 - evidence of configuration management for build instructions and infrastructure
-  - **Answer**: 
+  - **Answer**: Provided by JLS-10 and JLS-19.
 - evidence of repeatable builds
-  - **Answer**: 
+  - **Answer**: Provided by JLS-53.
 
 **Confidence scoring**
 
@@ -67,15 +67,17 @@ R / (R + N + B + M / (M + X))
 
 - How confident are we that all components are taken from within our
   controlled environment?
-  - **Answer**: 
+  - **Answer**: We are very confident that all components are taken from within our controlled environment, as there are currently no external components used within the nlohmann/json library (as documented in JLS-34).
 - How confident are we that all of the tools we are using are also under our
   control?
-  - **Answer**: 
+  - **Answer**: All tools used by nlohmann/json are mirrored within our controlled environment eclipse-score/inc_nlohmann_json. Therefore, these tools are under full control of the Eclipse S-Core organisation.
 - Are our builds repeatable on a different server, or in a different context?
-  - **Answer**: 
+  - **Answer**: Since there is no "build" of the header-only library, yes.
 - How sure are we that our builds don't access the internet?
-  - **Answer**: 
+  - **Answer**: We are confident that our builds don't access the internet, since there is no "build" of the header-only library.
 - How many of our components are non-reproducible?
-  - **Answer**: 
+  - **Answer**:  All of our components are reproducible, since we only use a single component, the nlohmann/json library.
 - How confident are we that our reproducibility check is correct?
-  - **Answer**: 
+  - **Answer**: We are very confident that our reproducibility check is correct.
+ 
+    

TSF/trustable/assertions/TA-TESTS_CONTEXT.md

@@ -26,13 +26,13 @@ TA-ITERATIONS.
 **Evidence**
 
 - Test build environment reproducibility
-  - **Answer**: 
+  - **Answer**: Provided by JLS-62.
 - Test build configuration
-  - **Answer**: 
+  - **Answer**: Provided by JLS-16.
 - Test build reproducibility
-  - **Answer**: 
+  - **Answer**: Provided by JLS-62.
 - Test environment configuration
-  - **Answer**: 
+  - **Answer**: Provided by JLS-16.
 
 **Confidence scoring**
 
@@ -42,13 +42,14 @@ tooling and their build environments are repeatable and reproducible.
 **CHECKLIST**
 
 - How confident are we that our test tooling and environment setups used for tests, fault inductions, and analyses are reproducible?
+  - **Answer**:  The test can be reproduced any time on any machine running the versions of the operating systems and compilers as provided, as described in AOU-14.
   - Are any exceptions identified, documented and justified?
-    - **Answer**: 
+    - **Answer**: To the best of our knowledge, there are no exceptions identified.
 - How confident are we that all test components are taken from within our controlled environment?
-  - **Answer**: 
+  - **Answer**: All tests are either self-contained or download test data from [within Eclipse S-CORE](https://github.com/eclipse-score/inc_nlohmann_json/tree/json_test_data_version_3_1_0_mirror).
 - How confident are we that all of the test environments we are using are also under our control?
-  - **Answer**: 
+  - **Answer**: Very confident, as the environments are standard docker images of ubuntu and standard versions of compilers that are executed in our CI pipeline.
 - Do we record all test environment components, including hardware and infrastructure used for exercising tests and processing input/output data?
-  - **Answer**: 
+  - **Answer**: No, since the tests are independent from hardware, there is no record of hardware or infrastructure.
 - How confident are we that all tests scenarios are repeatable?
-  - **Answer**: 
+  - **Answer**: All test scenarios are repeated daily in the CI pipeline.

TSF/trustable/statements/JLS-02.md

@@ -25,4 +25,4 @@ score:
     Erikhu1: 1.0
 ---
 
-Fuzz testing is used in the original nlohmann/json repository (https://github.com/nlohmann/json) to uncover edge cases and failure modes throughout development. (https://github.com/nlohmann/json/blob/develop/tests/fuzzing.md)
+Fuzz testing is used in the nlohmann/json repository to uncover edge cases and failure modes throughout development.

TSF/trustable/statements/JLS-10.md

@@ -1,6 +1,11 @@
 ---
 level: 1.1
 normative: true
+references:
+        - type: project_website
+          url: "https://github.com/nlohmann/json/releases"
+          description: "List of nlohmann/json releases consisting of source code, build instructions, test code and test result summaries."
+
 ---
 
-Every release of nlohmann/json includes source code, build instructions, tests and attestations. (TODO: Test result summary)
+Every release of the nlohmann/json library includes source code, build instructions, test code and test results summaries.

TSF/trustable/statements/JLS-16.md

@@ -1,16 +1,24 @@
 ---
+level: 1.1
+normative: true
 references:
     - type: verbose_file
       path: "./TSF/docs/list_of_test_environments.md"
       comment: "The list of all test-cases together with their execution environments"
+    - type: website
+      url: "https://github.com/eclipse-score/inc_nlohmann_json/actions"
+      description: "Github actions page showing that eclipse-score/inc_nlohmann_json is using Github host environment."
 evidence:
     type: check_list_of_tests
     configuration: 
         sources:
             - "./tests/src"
             - "./TSF/tests"
-level: 1.1
-normative: true
+    type: https_response_time
+    configuration:
+        target_seconds: 2.0
+        urls:
+            - https://github.com/eclipse-score/inc_nlohmann_json/actions
 ---
 
 A list of tests, which is extracted from the test execution, is provided, along with a list of test environments.