stevespringett opened this issue 4 years ago (status: Open)
The proposed namespace (for XML) is: http://cyclonedx.org/schema/ext/audit/1.0
Note to self: This prototype snippet may be useful when defining the spec.
```xml
<evidenceCollection>
  <evidence type="research types of digital evidence" confidence="0...10">
    <name></name>
    <value></value>
    <raw encoding="base64"></raw>
    <auditors>
      <auditor></auditor> <!-- reuse existing organizationalEntity and/or organizationalPerson support. Auditors are optional -->
    </auditors>
    <tools>
      <tool></tool> <!-- reuse existing tool(s) support. Tools are optional -->
    </tools>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:Signature>
  </evidence>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:Signature>
</evidenceCollection>
```
I think a confidence score will be either hard to define or purely subjective.
And is the purpose solely for auditing the BOM itself vs the software? That's how this issue reads to me.
The purpose is both. Audit the metadata that describes the software (everything in the BOM), the methods in which that metadata was obtained, and the BOM as a whole.
I'd like to remove as much of the subjectivity as possible. It may be impossible to avoid altogether, but eliminating as much as possible should be the goal.
The ability to optionally supplement the BOM with results of human analysis and opinion is required for moderate to high assurance use cases.
Examples include:
Each analysis should attribute decisions to the people, processes, or machines that made them, timestamps, and signatures, forming an audit trail.
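Putting the prototype from the opening post together with the audit-trail requirement (attribution, timestamps, signatures), here is an added example; it is not code from this issue or from the CycloneDX project. It builds the `evidenceCollection` structure, then attaches an integrity tag to each `evidence` element and to the collection as a whole, in the two positions where the prototype places `ds:Signature`. The tag is an HMAC-SHA256 over the canonical form of the element (C14N 2.0 as implemented by Python's `xml.etree.ElementTree.canonicalize`), which stands in for a real XMLDSig enveloped signature (asymmetric key, C14N 1.x, `ds:Reference`/`ds:SignedInfo`). The `audit`/`ds` prefixes, the `timestamp` attribute on `evidence`, the key, and the two findings are constructed assumptions, not part of the proposal.

```python
"""Added example (not code from the CycloneDX issue or project): build the
<evidenceCollection> prototype and attach an integrity tag to each <evidence>
element and to the collection, where the prototype places ds:Signature.
The tag is an HMAC-SHA256 over the canonical (C14N 2.0) form of the element,
a stand-in for XMLDSig, not an XMLDSig implementation.  Namespace prefixes,
the timestamp attribute, the key and the findings are constructed assumptions."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from copy import deepcopy

NS = "http://cyclonedx.org/schema/ext/audit/1.0"   # namespace proposed in the issue
DS = "http://www.w3.org/2000/09/xmldsig#"          # namespace of the ds:Signature elements
ET.register_namespace("audit", NS)                 # prefix choice is an assumption
ET.register_namespace("ds", DS)


def q(tag, ns=NS):
    """Clark-notation qualified name as ElementTree expects it."""
    return f"{{{ns}}}{tag}"


def canonical_bytes(elem):
    """Canonical form of `elem` minus its own direct ds:Signature children.

    An enveloped signature must not cover itself, so the element's own
    Signature is excluded.  Signatures nested deeper (the per-evidence ones
    inside the collection) stay in scope, so the collection tag covers them too.
    Canonicalization makes attribute order and prefix spelling irrelevant."""
    copy = deepcopy(elem)
    for sig in copy.findall(q("Signature", DS)):
        copy.remove(sig)
    return ET.canonicalize(ET.tostring(copy, encoding="unicode")).encode()


def sign(elem, key):
    """Append the HMAC tag as a ds:Signature child (stand-in for XMLDSig)."""
    mac = hmac.new(key, canonical_bytes(elem), hashlib.sha256).digest()
    ET.SubElement(elem, q("Signature", DS)).text = base64.b64encode(mac).decode()


def verify(elem, key):
    """True iff the element carries a tag matching its current canonical form."""
    sig = elem.find(q("Signature", DS))
    if sig is None or not sig.text:
        return False  # a stripped signature is a failure, not "unsigned"
    expected = hmac.new(key, canonical_bytes(elem), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(sig.text), expected)


def build_collection(findings, key):
    """Build the prototype structure from constructed findings and sign it.

    Each <evidence> records who/what produced it (auditor, tool) and when
    (timestamp attribute, an assumption beyond the issue's snippet): the
    per-decision attribution the thread asks for."""
    root = ET.Element(q("evidenceCollection"))
    for f in findings:
        ev = ET.SubElement(root, q("evidence"), {
            "type": f["type"], "confidence": str(f["confidence"]), "timestamp": f["timestamp"],
        })
        ET.SubElement(ev, q("name")).text = f["name"]
        ET.SubElement(ev, q("value")).text = f["value"]
        ET.SubElement(ev, q("raw"), {"encoding": "base64"}).text = base64.b64encode(f["raw"]).decode()
        ET.SubElement(ET.SubElement(ev, q("auditors")), q("auditor")).text = f["auditor"]
        ET.SubElement(ET.SubElement(ev, q("tools")), q("tool")).text = f["tool"]
        sign(ev, key)   # per-evidence signature, as in the prototype
    sign(root, key)     # collection-level signature covering everything above
    return root


def verify_all(root, key):
    """(collection_ok, [evidence_ok, ...]) for an in-memory or re-parsed collection."""
    return verify(root, key), [verify(ev, key) for ev in root.findall(q("evidence"))]


def roundtrip(root):
    """Serialize and re-parse, as a consumer of the BOM would see it."""
    return ET.fromstring(ET.tostring(root))


# Constructed sample input and key; neither comes from the issue.
KEY = b"constructed-demo-key-do-not-reuse"
FINDINGS = [
    {"type": "file-hash", "confidence": 10, "timestamp": "2021-03-01T12:00:00Z",
     "name": "sha256", "value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
     "raw": b"test", "auditor": "alice (constructed)", "tool": "sha256sum"},
    {"type": "manual-review", "confidence": 6, "timestamp": "2021-03-01T12:30:00Z",
     "name": "license", "value": "Apache-2.0",
     "raw": b"LICENSE header inspected", "auditor": "bob (constructed)", "tool": "none"},
]

if __name__ == "__main__":
    coll = build_collection(FINDINGS, KEY)
    print(verify_all(coll, KEY))            # (True, [True, True])
    reparsed = roundtrip(coll)
    print(verify_all(reparsed, KEY))        # (True, [True, True]) after serialization
    reparsed.findall(q("evidence"))[0].find(q("value")).text = "tampered"
    print(verify_all(reparsed, KEY))        # (False, [False, True])
```

Two points the prototype leaves implicit are visible here: the collection-level signature has to cover the per-evidence signatures (otherwise an attacker can swap a signed evidence item for another validly signed one), and a missing `ds:Signature` must be treated as a verification failure rather than as "unsigned". With a real XMLDSig implementation the auditor would sign with a private key so that a BOM consumer who does not hold the signer's secret can still verify, which an HMAC cannot provide.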