OSAR and the attestation feature design

[harimohanr]

Design discussion for attestation and verification of OSAR (Open Source Assessment Report)

• The OSAR for each OSS project will be maintained inside the "project > version > osar" directory within besecure-assessment-datastore repository.
• OSAR schema should have a criteria defined for the completion status. This flag is required to initiate the attestation of the OSAR file.
  "completionCriteria":[
  {"sbom":true},
  {"licenseCompliance":true},
  {"criticalityScore":true},
  {"scorecard":true},
  {"sast":true}
  ],
  "completionStatus":true
• Each assessment playbook checks the criteria and update the boolean flags and completionStatus accordingly.
• Attestation should be triggered using a CI pipeline once the value of completionStatus is set to true during the PR merge. (Technical feasibility to be validated)

[sudhirverma]

can we create second point JSON to

"completionCriteria":{
"sbom":true,
"licenseCompliance":true,
"criticalityScore":true,
"scorecard":true,
"sast":true
},
"completionStatus":true

[harimohanr]

@sudhirverma This looks okay to me. @panickervinod Could you please take a look at this approach?

[asa1997]

Process to trigger OSAR attestation

The process is designed to ensure a structured approach to conducting assessments through a series of predefined steps (playbooks). Upon completion of these steps, an attestation is triggered to certify the completion and accuracy of the assessments.

Process Steps

1. Creation of an Overarching Playbook:

The analyst initiates the process by creating an overarching playbook. This playbook serves as a master guide that outlines the sequence of assessment steps to be executed.

2. Selection and Execution of Individual Playbooks:

• The overarching playbook comprises several individual playbooks, each corresponding to a specific assessment step.
• The analyst has the discretion to select which playbooks to execute. For instance, if there are four available playbooks, the analyst may choose to execute only three based on the project's requirements.
• The execution of the selected playbooks constitutes the completion criteria for the assessment process.

3. Steps in the Overarching Playbook:

Step 1: Execute the first selected playbook.
Step 2: Execute the second selected playbook.
...
Step 4: Mark the attestation as complete. This involves setting the completion status flag in the OSAR (Operational Security Assessment Report) to true, indicating that the assessment has been successfully completed.
Step 5: Trigger the attestation process using a besman command.

4. Attestation Command:

The attestation is triggered through a specific command (besman command), designed to formalize the completion of the assessment process.

5. Documentation and Pull Request:

Upon completion of the attestation, the analyst is responsible for documenting the executed playbooks and the attestation information.
This documentation is then submitted through a pull request (PR) for review and integration into the project's repository.

6. Post-Execution Information

Following the completion of the playbooks and the attestation process, the project information within the BeSLighthouse dashboard will be updated to include details of the executed playbooks and the attestation information.

7. Additional Considerations

• Multiple Submissions: Different analysts may submit various OSARs and attestation reports for the same project. This allows the lab consumers to choose the most appropriate report based on their criteria.
• Accessibility: The consumers can access the OSARs and attestation reports through the Lighthouse system, enabling informed decision-making.

[asa1997]

@panickervinod @harimohanr @anilsingla Please let me know your thoughts.