
Add audit schema extension

Open stevespringett opened this issue 5 years ago • 4 comments

The ability to optionally supplement the BOM with results of human analysis and opinion is required for moderate to high assurance use cases.

Examples include:

  • Analysis of the accuracy of each component's data as well as the accuracy of the BOM in its entirety.
  • Analysis of the completeness of each component's data as well as the completeness of the BOM in its entirety.
  • Analysis and determination of the completeness and accuracy of each component's inclusions, dependencies, provenance and pedigree. Assertions, known unknowns, etc.
  • Analysis of the tools and methods used to create the BOM.

Each analysis should attribute decisions to the people, processes, or machines that made them, timestamps, and signatures, forming an audit trail.

stevespringett avatar Aug 02 '20 23:08 stevespringett

The proposed namespace (for XML) is: http://cyclonedx.org/schema/ext/audit/1.0

stevespringett avatar Aug 03 '20 15:08 stevespringett

Note to self: This prototype snippet may be useful when defining the spec.

<evidenceCollection>
    <evidence type="research types of digital evidence" confidence="0...10">
        <name></name>
        <value></value>
        <raw encoding="base64"></raw>
        <auditors>
            <auditor></auditor> <!-- reuse existing organizationalEntity and/or organizationalPerson support. Auditors are optional -->
        </auditors>
        <tools>
            <tool></tool> <!-- reuse existing tool(s) support. Tools are optional -->
        </tools>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:Signature>
    </evidence>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:Signature>
</evidenceCollection>

stevespringett avatar Aug 03 '20 15:08 stevespringett
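Added example (not code from the issue, from stevespringett, or from the CycloneDX project): a Go sketch of what the prototype snippet above would look like as signed, attributed evidence, built on the evidenceCollection/evidence/auditors/tools/raw shape and the proposed namespace from the thread. Everything else is assumed for illustration: the Auditor and Tool structs stand in for the existing organizationalEntity/organizationalPerson and tool types, a `timestamp` attribute is added because the issue asks for one, and a base64 Ed25519 signature over the element marshalled with its signature cleared stands in for the prototype's ds:Signature (real XMLDSig would use C14N canonicalisation and carry KeyInfo). The sample evidence entry is constructed data, not a real audit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// Auditor and Tool are assumed stand-ins for the existing CycloneDX
// organizationalEntity/organizationalPerson and tool types.
type Auditor struct {
	Name  string `xml:"name"`
	Email string `xml:"email,omitempty"`
}

type Tool struct {
	Name    string `xml:"name"`
	Version string `xml:"version,omitempty"`
}

// Raw mirrors <raw encoding="base64"> from the prototype.
type Raw struct {
	Encoding string `xml:"encoding,attr"`
	Data     string `xml:",chardata"`
}

// Evidence mirrors the prototype <evidence> element. Signature is a base64
// Ed25519 signature over the element marshalled with Signature cleared
// (assumed stand-in for ds:Signature).
type Evidence struct {
	XMLName    xml.Name  `xml:"evidence"`
	Type       string    `xml:"type,attr"`
	Confidence int       `xml:"confidence,attr"` // prototype says 0...10
	Timestamp  string    `xml:"timestamp,attr"`  // assumed attribute, RFC 3339
	Name       string    `xml:"name"`
	Value      string    `xml:"value"`
	Raw        *Raw      `xml:"raw,omitempty"`
	Auditors   []Auditor `xml:"auditors>auditor"`
	Tools      []Tool    `xml:"tools>tool"`
	Signature  string    `xml:"signature,omitempty"`
}

// EvidenceCollection mirrors the prototype root in the proposed namespace. Its
// seal covers the already-signed entries, so edited, added or dropped entries
// are all detectable.
type EvidenceCollection struct {
	XMLName   xml.Name   `xml:"http://cyclonedx.org/schema/ext/audit/1.0 evidenceCollection"`
	Evidence  []Evidence `xml:"evidence"`
	Signature string     `xml:"signature,omitempty"`
}

// Validate enforces the rules implied by the issue: a bounded confidence
// score, a timestamp, and attribution to at least one auditor or tool.
func (e Evidence) Validate() error {
	if e.Confidence < 0 || e.Confidence > 10 {
		return fmt.Errorf("confidence %d outside 0..10", e.Confidence)
	}
	if e.Timestamp == "" {
		return errors.New("evidence has no timestamp")
	}
	if len(e.Auditors) == 0 && len(e.Tools) == 0 {
		return errors.New("evidence is not attributed to any auditor or tool")
	}
	return nil
}

// signingBytes: encoding/xml emits fields in struct order, so marshalling the
// value with its signature cleared is deterministic and stands in for C14N.
func (e Evidence) signingBytes() ([]byte, error)           { e.Signature = ""; return xml.Marshal(e) }
func (c EvidenceCollection) signingBytes() ([]byte, error) { c.Signature = ""; return xml.Marshal(c) }

func verifySig(pub ed25519.PublicKey, b64 string, msg []byte) error {
	sig, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("missing or malformed signature")
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not match content")
	}
	return nil
}

func (e *Evidence) Sign(priv ed25519.PrivateKey) error {
	if err := e.Validate(); err != nil {
		return err
	}
	msg, err := e.signingBytes()
	if err != nil {
		return err
	}
	e.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, msg))
	return nil
}

func (e Evidence) Verify(pub ed25519.PublicKey) error {
	msg, err := e.signingBytes()
	if err != nil {
		return err
	}
	if err := verifySig(pub, e.Signature, msg); err != nil {
		return err
	}
	return e.Validate()
}

// Sign refuses to seal a collection that still contains unsigned entries.
func (c *EvidenceCollection) Sign(priv ed25519.PrivateKey) error {
	for i, e := range c.Evidence {
		if e.Signature == "" {
			return fmt.Errorf("evidence[%d] is unsigned", i)
		}
	}
	msg, err := c.signingBytes()
	if err != nil {
		return err
	}
	c.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, msg))
	return nil
}

// Verify checks every entry, then the seal. One key serves both levels here
// for brevity; in practice auditor and aggregator keys would differ.
func (c EvidenceCollection) Verify(pub ed25519.PublicKey) error {
	for i, e := range c.Evidence {
		if err := e.Verify(pub); err != nil {
			return fmt.Errorf("evidence[%d]: %w", i, err)
		}
	}
	msg, err := c.signingBytes()
	if err != nil {
		return err
	}
	return verifySig(pub, c.Signature, msg)
}

// SampleCollection builds one constructed entry, signs it, seals the
// collection, and round-trips it through XML as a downstream verifier would see it.
func SampleCollection(priv ed25519.PrivateKey) (EvidenceCollection, error) {
	e := Evidence{
		Type: "hash-verification", Confidence: 9, Timestamp: "2020-08-03T15:00:00Z",
		Name:     "sha256 of downloaded artifact matches vendor-published digest",
		Value:    "match",
		Auditors: []Auditor{{Name: "Example Auditor", Email: "auditor@example.com"}},
		Tools:    []Tool{{Name: "sha256sum", Version: "8.32"}},
	}
	if err := e.Sign(priv); err != nil {
		return EvidenceCollection{}, err
	}
	c := EvidenceCollection{Evidence: []Evidence{e}}
	if err := c.Sign(priv); err != nil {
		return EvidenceCollection{}, err
	}
	out, err := xml.MarshalIndent(c, "", "  ")
	if err != nil {
		return EvidenceCollection{}, err
	}
	var parsed EvidenceCollection
	return parsed, xml.Unmarshal(out, &parsed)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c, err := SampleCollection(priv)
	if err != nil {
		panic(err)
	}
	fmt.Println("original:", c.Verify(pub))
	c.Evidence[0].Confidence = 10 // after-the-fact edit to the score
	fmt.Println("edited entry:", c.Verify(pub))
	c.Evidence = nil // entries dropped, seal left in place
	fmt.Println("truncated:", c.Verify(pub))
}
```

The point of signing at both levels is that an entry-level signature alone says nothing about whether the collection is complete: a stripped or reordered set of individually valid entries still verifies entry by entry, which is why the collection seal is computed over the signed entries rather than over the raw content.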

I think a confidence score will be either hard to define or purely subjective.

And is the purpose solely for auditing the BOM itself vs the software? That's how this issue reads to me.

coderpatros avatar Aug 04 '20 10:08 coderpatros

The purpose is both. Audit the metadata that describes the software (everything in the BOM), the methods in which that metadata was obtained, and the BOM as a whole.

I'd like to remove as much of the subjectivity as possible. It may be impossible to avoid altogether, but eliminating as much as possible should be the goal.

stevespringett avatar Aug 04 '20 15:08 stevespringett