Evidence
Collecting evidence is one of the key aspects of the DevSecOps reference architecture. Compliance evidence creates the audit trail that auditors look for during a compliance audit. One of the goals of DevSecOps is to generate evidence automatically and store it in an auditable evidence locker.
The way the DevSecOps pipeline handles evidence (file format and locker structure) exists in two distinct versions:
- v2 evidence (asset-based evidence)
- v1 evidence (legacy)
Evidence creation
Evidence differs from the artifacts that a pipeline stage step creates, such as unit test results or XML or JSON files. Each task must report to several tools that handle evidence, for example by creating, formatting, and storing it.
Any generic test, check, or scan can generate evidence in a pipeline stage by using the DevSecOps tools or pipeline steps shown in the following diagram. The DevSecOps tools must be able to receive the result of a task, create the evidence, and then store it in the evidence locker.

The evidence format contains the result of the task (pass or fail), links to the artifacts that were created, and links to any incident issues that were created based on the task result.
These tools focus only on evidence collection and do not change the behavior of the build process. The DevSecOps reference pipeline does not break because of a failed task result. An image can be built and deployed with failing tests and vulnerabilities if evidence of the checks and failures exists, the team is notified, the change request that is created during deployment shows the evidence of these issues, and the change request is approved manually.
Evidence flow
The following diagram shows how evidence is handled and how it flows through the continuous integration and continuous deployment stages.

Every piece of evidence that is collected in the stages of the DevOps architecture is stored in the auditable evidence locker. During deployment, this evidence is gathered to create an evidence summary, which is saved to the evidence locker at the end of the deployment run.
The evidence summary is attached to the change request that is published to the change request repository. During manual change request approval, the approver learns about any issues that were found during the build. The summary is also submitted to Security and Compliance Center.
v2 evidence (current format)
v2 evidence locker
Compared to v1, evidence is stored in a flat hierarchy in which each piece of evidence is identified by its own SHA256 hash. This provides a layer of integrity protection: any modification of the evidence content changes the hash and can therefore be detected. Because each piece of evidence relates to one or more assets, the evidence summary algorithm discovers related evidence by asset (rather than by pipeline run ID, as in the v1 evidence locker).
The only hierarchy is a separation by type and some hash grouping similar to the Git hash object structure.
Example
.
└── raw/
    ├── assets/
    │   └── xx/
    │       └── abcdef123456789/
    │           ├── evidences/
    │           │   ├── 00abcdef123456789
    │           │   └── 01abcdef123456789
    │           └── index.json
    ├── attachments/
    │   ├── aa/
    │   │   └── abcdef123456789/
    │   │       └── content
    │   └── ab/
    │       └── abcdef123456789/
    │           └── content
    ├── cd/
    │   └── c9b77749-fd59-4d32-bbdb-18e55db1615d/
    │       ├── summary.json
    │       └── evidence-checks.json
    ├── cc/
    │   └── absd7749-fd59-4d32-bbdb-18e55db1615d/
    │       ├── summary.json
    │       └── evidence-checks.json
    └── evidences/
        ├── 00/
        │   └── abcdef123456789/
        │       └── index.json
        └── 01/
            └── abcdef123456789/
                └── index.json
v2 evidence collection
v2 evidence must be collected as close as possible to the process that produces the result for the evidence, for example after each scan run or after each test.
To collect evidence, you can use the collect-evidence script in the DevSecOps pipeline.
v2 evidence format
A piece of evidence represents the result of a scan, a test, or a similar check. Evidence is always connected to at least one asset. Multiple assets are allowed, for example for a single end-to-end test suite that might test several assets together.
An asset represents something that can be tested, scanned, and so on, for example a Git commit in a repository, a Docker image, or any generic asset that has a URI.
The Evidence and Asset types represent the schema of the v2 locker elements (evidence and assets). Although the schema uses TypeScript syntax, you can convert it to JSON Schema.
type SHA1 = string; // 40 character string representing a SHA-1 hash in hexadecimal format
type SHA256 = string; // 64 character string representing a SHA256 hash in hexadecimal format
type IssueURL = string; // Link to issues on a git service provider like GitHub or GitLab
type RepositoryURL = string; // Link to a git repository
type AssetURI = string; // URI of an Asset, like an image or a repository link and git hash
type FileName = string; // file basename of the attachment

interface Evidence {
  version: 2;
  id: SHA256;
  date: string;
  evidence_type_id: string;
  evidence_type_version: string;
  origin: {
    // scope defines a contextual set for multiple evidence, usually a SHA256 identifier or a CI/CD run ID
    scope: SHA256;
    // any further IDs can be used to determine evidence origin, see example
    [index: string]: string;
  };
  details: {
    result: 'success' | 'failure' | 'pending';
    tool: string;
    // field "details" can have any arbitrary key-value pairs to provide metadata
    [index: string]: string;
  };
  attachments: Record<string, string> | EvidenceAssetAttachment[];
  assets: string[] | EvidenceAssetAttachment[];
  issues: IssueURL[];
  findings?: IncidentFinding[];
}

export interface IncidentFinding {
  id: string;
  url: string;
  due_date: string;
  first_found?: string;
  severity: 'high' | 'medium' | 'low' | 'critical' | 'informational';
  has_exempt: boolean;
  found_status: 'new' | 'existing' | 'autoclosed' | 'readonly';
}

export interface EvidenceAssetAttachment {
  url: string; // complete url of the asset or attachment
  hash: string; // hash of the asset or attachment
  uri?: string; // name (URI) of the asset
}

interface Asset {
  version: 1;
  id: SHA256;
  uri: AssetURI;
  date: string;
  type: 'commit' | 'image' | 'generic';
  origin: {
    // any IDs can be used to determine asset origin, see example
    [index: string]: string;
  };
  details: Record<string, string>;
  // Assets can relate to each other, for example
  // an Image Asset can relate to the Git Commit Asset
  // it was built from on code level
  related: SHA256[];
}
Examples
Example v2 asset
{
  "version": "1",
  "id": "cdd3ee20188d2f5bfb7f14bdb9c7fa99b22184ca195d9fa0a953dfbe9b1769cb",
  "uri": "https://github.ibm.com/cocoa-test/e2e-hello-compliance-app-20220412084808399.git#8c2a65373cb4fd27bccff646e8bdf63d02cae856",
  "origin": {
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/40111714589c4f7099032529b26a7a63:fd3f2bf6-00f1-417f-b1a2-7df894223115::",
    "pipeline_run_id": "a5e89ecc-a413-4dcb-b129-ff870ef3be85",
    "pipeline_id": "66b583d9-3d1b-4b34-9e3a-cb807bf0c5ab"
  },
  "details": {
    "sha": "8c2a65373cb4fd27bccff646e8bdf63d02cae856",
    "repository": "https://github.ibm.com/cocoa-test/e2e-hello-compliance-app-20220412084808399.git"
  },
  "date": "2022-04-20T09:26:46.226Z",
  "type": "commit",
  "related": [
    "26a0f02126461e6505d5001d50ac71e585c280479a01cc70e36397a784440bf8"
  ]
}
Example v2 evidence
{
  "version": "2",
  "id": "3fd209270fbaf46137ec3966affac2a431a835e750301c7c44d583e0e426e29e",
  "date": "2022-04-20T09:33:43.782Z",
  "evidence_type_id": "com.ibm.code_vulnerability_scan",
  "evidence_type_version": "1.0.0",
  "details": {
    "result": "failure",
    "tool": "cra"
  },
  "origin": {
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/779c0808c946b9e15cc2e63013fded8c:68213c68-4794-4d5e-ab50-f33d0d6190e4::",
    "pipeline_id": "c17f18a6-24dd-4949-abb7-2b374f4691b6",
    "pipeline_run_id": "d7a88836-72a1-402b-bb28-701439a543ae",
    "pipeline_run_url": "https://cloud.ibm.com/devops/pipelines/tekton/c17f18a6-24dd-4949-abb7-2b374f4691b6/runs/d7a88836-72a1-402b-bb28-701439a543ae/code-compliance-checks/run-stage/?env_id=ibm:yp:us-south",
    "scope": "117458e26512b0308d93cf6852958e5e875294a982d2b4ea2e9f463b4551a846"
  },
  "assets": [
    {
      "hash": "cdd3ee20188d2f5bfb7f14bdb9c7fa99b22184ca195d9fa0a953dfbe9b1769cb",
      "uri": "https://github.ibm.com/cocoa-test/e2e-hello-compliance-app-20220412084808399.git#8c2a65373cb4fd27bccff646e8bdf63d02cae856",
      "url": "https://s3.private.us-south.cloud-object-storage.appdomain.cloud/test/assets/cdd3ee20188d2f5bfb7f14bdb9c7fa99b22184ca195d9fa0a953dfbe9b1769cb/index.json"
    }
  ],
  "issues": [
    "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220412084808401/issues/1",
    "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220412084808401/issues/2",
    "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220412084808401/issues/3"
  ],
  "findings": [
    {
      "id": "CVE-2022-42011",
      "due_date": "2024-04-20",
      "severity": "medium",
      "first_found": "2024-03-06",
      "url": "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220412084808401/issues/3",
      "found_status": "new",
      "has_exempt": true
    },
    {
      "id": "CVE-2022-42010",
      "due_date": "2024-04-20",
      "severity": "medium",
      "first_found": "2024-03-06",
      "url": "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220412084808401/issues/1",
      "found_status": "existing",
      "has_exempt": false
    },
    {
      "id": "CVE-2023-34969",
      "due_date": "2024-04-20",
      "severity": "medium",
      "first_found": "2024-03-06",
      "url": "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220412084808401/issues/2",
      "found_status": "existing",
      "has_exempt": true
    }
  ],
  "attachments": [
    {
      "hash": "9a841ef856a5de813dbe440b102b9bff3ca1831630292cff7323c557704f386b",
      "url": "https://s3.private.us-south.cloud-object-storage.appdomain.cloud/test/assets/9a841ef856a5de813dbe440b102b9bff3ca1831630292cff7323c557704f386b/index.json"
    }
  ]
}
v2 evidence summary
The DevSecOps pipeline creates an evidence summary document. This document contains all the latest evidence that was created during each continuous integration build of the deployed images, plus the evidence that was created during the deployment itself. The summary is created for the change request that is required to deploy to any stage. The Security and Compliance Center integration does not yet support this evidence format.
interface Summary {
  version: '2.0'; // schema version
  date: string; // ISO-8601, UTC, ie. YYYY-MM-DDThh:mm:ssZ
  toolchain_crn: string; // CRN of the toolchain that generated the summary
  pipeline_id: string; // ID of the pipeline that generated the summary
  pipeline_run_id: string; // ID of the pipeline run that generated the summary
  evidences: Evidence[];
}
This summary does not aggregate results in any way. It is the raw data of the collected v2 evidence, which is included because it relates to the assets that belong to the change request.
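As an added example (not the pipeline's or the collect-evidence script's own code), the following Python models the v2 locker layout from the tree above and the asset-based discovery this section describes: records are filed under raw/<type>/<first two hex characters>/<rest>/index.json, an asset directory lists the ids of the evidence that covers it, and the summary is built by following those links and re-verifying each record's hash, with no aggregation. The hashing rule (SHA256 over canonical JSON of the record without its id), the in-memory dict standing in for object storage or Git, and every URL, id and finding name are assumptions or constructed placeholders.

```python
import hashlib
import json


def canonical_bytes(record):
    """Canonical JSON of a record without its "id". Assumption: the v2 id is the SHA256
    over exactly these bytes, so any edit to the stored content changes the id."""
    body = {k: v for k, v in record.items() if k != "id"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def content_id(record):
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def locker_path(kind, digest):
    """raw/<kind>/<first 2 hex chars>/<remaining hex>/index.json, as in the tree above."""
    return f"raw/{kind}/{digest[:2]}/{digest[2:]}/index.json"


class Locker:
    """Flat, content-addressed store; a dict stands in for object storage or a Git repo."""

    def __init__(self):
        self.objects = {}

    def put(self, kind, record):
        """Store an asset or evidence under its content id; for evidence also create the
        raw/assets/xx/<asset id>/evidences/<evidence id> link for every asset it covers."""
        record = dict(record, id=content_id(record))
        self.objects[locker_path(kind, record["id"])] = json.dumps(record).encode()
        for asset in record.get("assets", []) if kind == "evidences" else []:
            aid = asset["hash"] if isinstance(asset, dict) else asset
            self.objects[f"raw/assets/{aid[:2]}/{aid[2:]}/evidences/{record['id']}"] = b""
        return record["id"]

    def load(self, kind, digest):
        """Load and verify: the id recomputed from the content must equal the id the
        record is filed under; a mismatch means the stored content was altered."""
        record = json.loads(self.objects[locker_path(kind, digest)])
        if record.get("id") != digest or content_id(record) != digest:
            raise ValueError(f"integrity check failed for {kind}/{digest}")
        return record

    def is_intact(self, kind, digest):
        try:
            self.load(kind, digest)
            return True
        except ValueError:
            return False

    def tamper(self, kind, digest, field, value):
        """Simulate an after-the-fact edit of a stored record, the case the hash must catch."""
        path = locker_path(kind, digest)
        record = json.loads(self.objects[path])
        record[field] = value
        self.objects[path] = json.dumps(record).encode()

    def evidence_ids_for_asset(self, asset_id):
        prefix = f"raw/assets/{asset_id[:2]}/{asset_id[2:]}/evidences/"
        return sorted(p[len(prefix):] for p in self.objects if p.startswith(prefix))


def build_summary(locker, asset_ids, run_info, when):
    """v2 Summary: discover evidence per asset (not per pipeline run), verify each record
    on load, and return it raw, with no aggregation of results."""
    evidences = {}
    for aid in asset_ids:
        for eid in locker.evidence_ids_for_asset(aid):
            evidences.setdefault(eid, locker.load("evidences", eid))
    return {"version": "2.0", "date": when, **run_info, "evidences": list(evidences.values())}


def approval_report(summary, today):
    """What a change-request approver reviews: failed evidence with its issue links, and
    findings past due_date that carry no exemption. Nothing here stops the pipeline.
    Dates are ISO YYYY-MM-DD strings, which compare correctly as plain strings."""
    failed = [(e["evidence_type_id"], e["issues"]) for e in summary["evidences"]
              if e["details"]["result"] == "failure"]
    overdue = [f["id"] for e in summary["evidences"] for f in e.get("findings", [])
               if not f["has_exempt"] and f["due_date"] < today]
    return {"failed": failed, "overdue_findings": overdue}


def demo():
    """Constructed data (not from a real pipeline): one commit asset, one failing scan."""
    locker = Locker()
    uri = "https://example.invalid/team/app.git#8c2a65373cb4fd27bccff646e8bdf63d02cae856"
    asset_id = locker.put("assets", {
        "version": 1, "uri": uri, "date": "2022-04-20T09:26:46.226Z", "type": "commit",
        "origin": {"pipeline_run_id": "ci-run-placeholder"},
        "details": {"sha": uri.split("#")[1]}, "related": []})
    evidence_id = locker.put("evidences", {  # finding ids are placeholders, not real CVEs
        "version": 2, "date": "2022-04-20T09:33:43.782Z",
        "evidence_type_id": "com.ibm.code_vulnerability_scan", "evidence_type_version": "1.0.0",
        "origin": {"scope": "0" * 64, "pipeline_run_id": "ci-run-placeholder"},
        "details": {"result": "failure", "tool": "cra"}, "attachments": [],
        "assets": [{"hash": asset_id, "uri": uri, "url": ""}],
        "issues": ["https://example.invalid/issues/1"],
        "findings": [
            {"id": "FINDING-PLACEHOLDER-1", "url": "https://example.invalid/issues/1",
             "due_date": "2024-04-20", "severity": "medium", "has_exempt": False, "found_status": "new"},
            {"id": "FINDING-PLACEHOLDER-2", "url": "https://example.invalid/issues/1",
             "due_date": "2024-04-20", "severity": "low", "has_exempt": True, "found_status": "existing"}]})
    run_info = {"toolchain_crn": "crn:placeholder", "pipeline_id": "cd-placeholder", "pipeline_run_id": "cd-run-placeholder"}
    return locker, asset_id, evidence_id, build_summary(locker, [asset_id], run_info, "2024-05-01T00:00:00Z")
```

Calling demo() and then locker.tamper(...) on the stored evidence shows the property the section relies on: the modified record no longer loads, because its recomputed SHA256 no longer matches the path it is filed under.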
v1 evidence (legacy format)
v1 evidence locker
Evidence and related artifacts, such as logs and test results, are stored in the evidence locker. Because pipeline runs can be deleted easily, the pipeline is considered non-persistent. To establish a retention policy and an audit log, compliance-related evidence data is stored in the locker.
Git Repos and Issue Tracking
Although it lacks the data retention features of Cloud Object Storage, Git is a simple implementation of an evidence locker.
The folder and file structure of the Git evidence locker is similar to the Cloud Object Storage implementation:
/raw
├── ci
│   ├── _PIPELINE_RUN_ID_A1
│   ├── _PIPELINE_RUN_ID_A2
│   ├── ..
│   └── _PIPELINE_RUN_ID_An
│       ├── artifacts
│       └── evidences
└── cd
    ├── _PIPELINE_RUN_ID_B1
    ├── _PIPELINE_RUN_ID_B2
    ├── ..
    └── _PIPELINE_RUN_ID_Bn
        ├── artifacts
        └── evidences
IBM Cloud Object Storage
For more information about Object Storage buckets, see IBM Cloud Object Storage bucket as an evidence locker.
v1 evidence collection
v1 evidence collection is the legacy evidence collection. To opt out of v1 evidence collection, see Turning off legacy v1 evidence collection.
Following the DevOps lifecycle, the continuous integration and continuous deployment flows can be divided into three stages: code, build, and deploy.
The DevOps architecture divides these flows into four stages by distinguishing between pre-production and production deployment. The DevSecOps reference architecture currently includes pre-production and production deployment in the same stage.
Evidence is collected from the steps in the collect-evidence script of each stage. The following diagram shows the current steps in the reference pipeline that generate evidence.

Code stage
In the Code stage, evidence is collected for the following steps:
- Detect secrets
- Unit test results
- Code vulnerability scan, CIS checks, and bill of materials check by Code Risk Analyzer
Build stage
In the Build stage, evidence is collected for the following steps:
- Vulnerability Advisor scan
- Image signing
Deploy stage
In the Deploy stage, evidence is collected for the following steps:
- Create change request
- Approve change request
- Service-specific tests
- Acceptance tests
- Close change request
v1 evidence format
The Evidence type represents the schema of the evidence. Although the schema uses TypeScript syntax, you can convert it to JSON Schema.
interface Evidence {
  evidence_type_id: string; // name of the evidence
  evidence_type_version: string; // version of the evidence schema
  date: string; // ISO-8601, UTC
  toolchain_crn: string;
  pipeline_id: string;
  pipeline_run_id: string;
  result: 'success' | 'failure';
  issues: string[]; // list of issues that were opened to track 'failed' state
  log: Artifact[]; // logs related to the evidence
  subject: string; // asset url for the evidence
  subjects: string[]; // a piece of evidence can be relevant for multiple assets in v2
  artifacts: Artifact[]; // additional artifacts related to the evidence
  tool?: string; // the tool related to the evidence (optional)
  origin?: {
    url: string; // origin of the evidence, e.g. path on GitHub where the task resides
    version: string; // version of the task, e.g. git commit representing the code level used for that task
  };
  [key: string]: any; // additional fields, described by `evidence_type_id` and `evidence_type_version`
}

interface Artifact {
  url: string;
  hash: string;
}
Some fields in the schema are specific to toolchains and Tekton pipelines:
  toolchain_crn: string;
  pipeline_id: string;
  pipeline_run_id: string;
These fields identify the specific continuous integration or continuous deployment job that generated the evidence. They can also carry information from any other continuous integration or continuous deployment job that serves the same purpose. The fields identify scopes from widest to narrowest in this order: toolchain_crn -> pipeline_id -> pipeline_run_id.
This schema is saved to the evidence locker in JSON format. There is no difference in the format of evidence collected at different pipeline stages. Currently, the path where the evidence is saved indicates the pipeline stage, for example continuous integration or continuous deployment.
Example
{
  "evidence_type_id": "com.ibm.dynamic_scan",
  "evidence_type_version": "1.0.0",
  "date": "2022-04-01T09:00:59.703Z",
  "result": "failure",
  "pipeline_id": "f9ab90d6-31a8-4b02-99b7-d2055ef0ee3c",
  "pipeline_run_id": "9f93b02d-dbb3-4249-96e3-0739c6201779",
  "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/40111714589c4f7099032529b26a7a63:2618d2b8-0531-4778-9b13-9ef1a40afe29::",
  "log": [
    {
      "hash": null,
      "url": "https://cloud.ibm.com/devops/pipelines/tekton/f9ab90d6-31a8-4b02-99b7-d2055ef0ee3c/runs/9f93b02d-dbb3-4249-96e3-0739c6201779?env_id=ibm:yp:us-south"
    }
  ],
  "subject": "docker://us.icr.io/cocoa-e2e/hello-compliance-app-test:20220401083914-master-76c13d7e9fe67379f04319c8e8095b1cc623acae@sha256:090ab641c5371e48cf263119162140e3c925b8041e0220f1397528da2828a30d",
  "subjects": [
    "docker://us.icr.io/cocoa-e2e/hello-compliance-app-test:20220401083914-master-76c13d7e9fe67379f04319c8e8095b1cc623acae@sha256:090ab641c5371e48cf263119162140e3c925b8041e0220f1397528da2828a30d"
  ],
  "artifacts": [
    {
      "hash": "4e2cf12ffdf5438666be334106302f3e40cd0152ee1f26002cbc8bbcb5470796",
      "url": "https://github.ibm.com/cocoa-test/e2e-compliance-evidence-locker-20220331113709516/blob/master/raw/attachments/4e/2cf12ffdf5438666be334106302f3e40cd0152ee1f26002cbc8bbcb5470796/content"
    }
  ],
  "issues": [
    "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220331113709516/issues/6",
    "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220331113709516/issues/7",
    "https://github.ibm.com/cocoa-test/e2e-compliance-incident-issues-20220331113709516/issues/8"
  ],
  "tool": "owasp-zap-ui"
}
Here the evidence collection subject is the repository_url for repository scans and the artifactory_url for image scans.
v1 evidence summary
The DevSecOps pipeline creates an evidence summary document. This document is based on the evidence that was created during each continuous integration build of the deployed images and on the evidence that was created during the deployment itself. The summary is created for the change request that is required to deploy to any stage; it is also used by the Security and Compliance Center integration.
The format and fields of the evidence summary document are specified in TypeScript syntax:
interface Summary {
  version: '1.0'; // schema version
  date: string; // ISO-8601, UTC, ie. YYYY-MM-DDThh:mm:ssZ
  toolchain_crn: string; // CRN of the toolchain that generated the summary
  pipeline_id: string; // ID of the pipeline that generated the summary
  pipeline_run_id: string; // ID of the pipeline run that generated the summary
  evidences: Evidence[];
}
示例
{
"date": "23-43-2020 UTC",
"version": "1.0",
"pipeline_run_id": 12345, // this is the id of the CD pipeline that deploys in prod, not all data below may come from this pipeline
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
// In each subsection result and evidence_type_id are MANDATORY
"evidences": [{
// com.ibm is needed to identify evidence collected with IBM code and not by someone else;
// Partial: CM-3(6) CONFIGURATION CHANGE CONTROL | CRYPTOGRAPHY MANAGEMENT
// The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards]
// are under configuration management.
// Control result is "passed" if:
// 1- the script is one of the blessed ones AND
// 2- the status is enabled OR
// 3- the status is disabled
// if the status is not the expected one, then it's a FAIL no matter what. Later on, lack of issues may prevent CR approval though.
"evidence_type_id": "com.ibm.detect_secret",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
}
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed" | "failed"], // status of the check
"status": ["enabled"|"disabled"], // status of the configuration
"issues": [ // link(s) to the issue(s) created to fix the github configuration (should be populated if result is failed)
"https://acme.org/foo/123",
"https://acme.org/foo/124",
"https://acme.org/foo/125",
],
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"repository_url": "https://git.acme.org/acme-repo",
"repository_revision": "asz33dkejkkjdkkl34",
"repository_branch": master,"
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, { // there could be multiple repos
"evidence_type_id": "com.ibm.detect_secret",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
}
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed" | "failed"], // status of the check
"status": ["enabled"|"disabled"], // status of the configuration
"issues": [ // link(s) to the issue(s) created to fix the github configuration (should be populated only if result is failed)
"https://acme.org/foo/123",
"https://acme.org/foo/124",
"https://acme.org/foo/125",
],
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
// SA-11(4) DEVELOPER SECURITY TESTING AND EVALUATION | MANUAL CODE REVIEWS
// The organization requires the developer of the information system, system component, or information system service to perform a
// manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques].
// Partial: CM-3(b) Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration
// for security impact analyses;
// Control passed if:
// 1- the script is one of the blessed ones AND
// 2- the status is enabled OR
// 3- the status is disabled AND issues have been opened AND prod CR approved manually
"evidence_type_id": "com.ibm.code_review",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
}
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed" | "failed"], // status of the check
"status": ["enabled"|"disabled"], // status of the configuration
"issue": [ // link(s) to the issue(s) created to fix the github configuration (should be populated only if result is failed)
"https://acme.org/foo/123",
"https://acme.org/foo/124",
"https://acme.org/foo/125",
],
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, { // multiple repos
"evidence_type_id": "com.ibm.code_review",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
}
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed" | "failed"], // status of the check
"status": ["enabled"|"disabled"], // status of the configuration
"issues": [ // link(s) to the issue(s) created to fix the github configuration (should be populated only if result is failed)
"https://acme.org/foo/123",
"https://acme.org/foo/124",
"https://acme.org/foo/125",
],
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
// Partial: CM-10(1) SOFTWARE USAGE RESTRICTIONS | OPEN SOURCE SOFTWARE
//The organization establishes the following restrictions on the use of open source software:
// [Assignment: organization-defined restrictions].
// Control passed if:
// 1- the script is one of the blessed ones AND
// 2- the status is enabled OR
// 3- the status is disabled AND issues have been opened and there are no issues expired AND prod CR approved manually
"evidence_type_id": "com.ibm.ossc_scan",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
}
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed" | "failed"], // status of the check
"status": ["enabled"|"disabled"], // status of the configuration
"issues": [ // link(s) to the issue(s) created to fix the github configuration (should be populated only if result is failed)
"https://acme.org/foo/123",
"https://acme.org/foo/124",
"https://acme.org/foo/125",
],
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, { // multiple repos
"evidence_type_id": "com.ibm.ossc_scan",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
}
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed" | "failed"], // status of the check
"status": ["enabled"|"disabled"], // status of the configuration
"issues": [ // link(s) to the issue(s) created to fix the github configuration (should be populated only if result is failed)
"https://acme.org/foo/123",
"https://acme.org/foo/124",
"https://acme.org/foo/125",
],
"expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
// Partial: CM-3(2) CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES
// The organization tests, validates, and documents changes to the information system
// before implementing the changes on the operational system.
// Partial: SA-11(b). Perform [Selection (one or more): unit; integration; system; regression]
// testing/evaluation at [Assignment: organization-defined depth and coverage];
// Control passed if:
// 1- the script is one of the blessed ones AND
// 2- the status is enabled OR
// 3- the status is disabled AND issues have been opened AND prod CR approved manually
"evidence_type_id": "com.ibm.unit_test_config",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
}nce
"script_control_hash": "jhfkdusd", // this is the hash of the script used to run the control
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed" | "failed"], // status of the check
"status": ["enabled"|"disabled"], // status of the configuration
"issues": [ // link(s) to the issue(s) created to fix the github configuration (should be populated only if result is failed)
"https://acme.org/foo/123",
"https://acme.org/foo/124",
"https://acme.org/foo/125",
],
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, { // multiple repos
"evidence_type_id": "com.ibm.unit_test_config",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
}
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed" | "failed"], // status of the check
"status": ["enabled"|"disabled"], // status of the configuration
"issues": [ // link(s) to the issue(s) created to fix the github configuration (should be populated only if result is failed)
"https://acme.org/foo/123",
"https://acme.org/foo/124",
"https://acme.org/foo/125",
],
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
// Partial: CM-3(2) CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES
// The organization tests, validates, and documents changes to the information system
// before implementing the changes on the operational system.
// Partial: SA-11(b). Perform [Selection (one or more): unit; integration; system; regression]
// testing/evaluation at [Assignment: organization-defined depth and coverage];
// SI-7(9) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | VERIFY BOOT PROCESS
// The information system verifies the integrity of the boot process of [Assignment: organization-defined devices].
// Control passed if:
// 1- the script is one of the blessed ones AND
// 2- the status is passed OR
// 3- the status is failed AND issues have been opened AND prod CR approved manually
"evidence_type_id": "com.ibm.unit_test",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
}
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed"|"failed"], // the result of the test
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"issues": [134,132,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the test failed
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.unit_test",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
}
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed"|"failed"], // the result of the test
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"issues": [334,152,542], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the test failed
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.functional_test",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
}
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed"|"failed"], // the result of the test
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"issues": [134,132,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the test failed
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.functional_test",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
}
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed"|"failed"], // the result of the test
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"issues": [134,132,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the test failed
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.integration_tests",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
}
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::" // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed"|"failed"], // the result of the test
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"issues": [134,132,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the test failed
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.integration_tests",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed"|"failed"], // the result of the test
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"issues": [134,132,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the test failed
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.acceptance_tests",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed"|"failed"], // the result of the test
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"issues": [134,132,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the test failed
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.acceptance_tests",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed"|"failed"], // the result of the test
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"issues": [134,132,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the test failed
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
// Partial: CM-10(1) SOFTWARE USAGE RESTRICTIONS | OPEN SOURCE SOFTWARE
// The organization establishes the following restrictions on the use of open source software:
// [Assignment: organization-defined restrictions].
// Control passed if:
// 1- the script is one of the blessed ones AND
// 2- (the status is passed OR
// 3- the status is failed AND issues have been opened AND there are no expired issues AND prod CR approved manually)
"evidence_type_id": "com.ibm.ossc",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"last_scan_date": "24-03-2020 UTC", // the last time the scan was run
"result": ["passed"|"failed"], // the result of the scan
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
"issues": [234,343,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the scan failed
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.ossc",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"last_scan_date": "24-03-2020 UTC", // the last time the scan was run
"result": ["passed"|"failed"], // the result of the scan
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
"issues": [234,343,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the scan failed
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
// Partial: RA-5(a) Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined
// frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting
// the system/applications are identified and reported;
// Partial: RA-5(b). Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts
// of the vulnerability management process by using standards for:..*
// SA-11(1) DEVELOPER SECURITY TESTING AND EVALUATION | STATIC CODE ANALYSIS
// The organization requires the developer of the information system, system component, or information system service to employ static code
// analysis tools to identify common flaws and document the results of the analysis.
// Control passed if:
// 1- the script is one of the blessed ones AND
// 2- (the status is passed OR
// 3- the status is failed AND issues have been opened AND there are no expired issues AND prod CR approved manually)
"evidence_type_id": "com.ibm.static_scan",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"last_scan_date": "24-03-2020 UTC", // the last time the scan was run
"result": ["passed"|"failed"], // the result of the scan
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
"issues": [234,343,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the scan failed
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.static_scan",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"last_scan_date": "24-03-2020 UTC", // the last time the scan was run
"result": ["passed"|"failed"], // the result of the scan
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
"issues": [234,343,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the scan failed
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
// Partial CM-4(1) SECURITY IMPACT ANALYSIS | SEPARATE TEST ENVIRONMENTS
// The organization analyzes changes to the information system in a separate test environment before implementation in an operational
// environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
// Partial: RA-5(a) Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined
// frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting
// the system/applications are identified and reported;
// Partial: RA-5(b). Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts
// of the vulnerability management process by using standards for:..*
// SA-11 DEVELOPER SECURITY TESTING AND EVALUATION | DYNAMIC CODE ANALYSIS
// The organization requires the developer of the information system, system component, or information system service to employ dynamic code
// analysis tools to identify common flaws and document the results of the analysis.
// Control passed if:
// 1- the script is one of the blessed ones AND
// 2- (the status is passed OR
// 3- the status is failed AND issues have been opened AND there are no expired issues AND prod CR approved manually)
"evidence_type_id": "com.ibm.dynamic",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"last_scan_date": "24-03-2020 UTC", // the last time the scan was run
"result": ["passed"|"failed"], // the result of the scan
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
"issues": [234,343,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the scan failed
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.dynamic",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"last_scan_date": "24-03-2020 UTC", // the last time the scan was run
"result": ["passed"|"failed"], // the result of the scan
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
"issues": [234,343,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the scan failed
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
// Partial: RA-5(a) Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined
// frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting
// the system/applications are identified and reported;
// Partial: RA-5(b). Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts
// of the vulnerability management process by using standards for:..*
// Control passed if:
// 1- the script is one of the blessed ones AND
// 2- (the status is passed OR
// 3- the status is failed AND issues have been opened AND there are no expired issues AND prod CR approved manually)
"evidence_type_id": "com.ibm.vulnerability_scan",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed"|"failed"], // the result of the scan
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
"issues": [234,343,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the scan failed
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.vulnerability_scan",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"result": ["passed"|"failed"], // the result of the scan
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"expired_issues": [134,132,342], // link(s) to the issues for which the grace period expired
"issues": [234,343,342], // link(s) to the issue(s) created to track the bugs found during the test run. Should be populated only if the scan failed
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
// build input
// Partial: SI-7(12) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY VERIFICATION
// The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior
// to execution.
// Control passed if:
// 1- the script is one of the blessed ones AND
// 2- (the checksum is verified OR
// 3- the checksum is not verified AND issues have been opened AND prod CR approved manually)
// Partial: RA-5(a) Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined
// frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting
// the system/applications are identified and reported;
// Partial: RA-5(b). Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts
// of the vulnerability management process by using standards for:..*
// Partial: SI-7(12) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY VERIFICATION
// The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior
// to execution.
// Control passed if:
// 1- the script is one of the blessed ones AND
// 2- (the status is passed OR
// 3- the status is failed AND issues have been opened AND there are no expired issues AND prod CR approved manually)
"evidence_type_id": "com.ibm.container_images",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"artifact_name": "mybaseimage", //name of the dependent artifact
"checksum": "324334", // checksum or digital signature
"verified": ["yes"|"no"], // checksum verified or not
"scan_status": ["passed"|"failed"], // the status of the scan
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"checksum_issues": [134, 132, 342 ], // link(s) to the issues representing missing or not matching checksums
"scan_issues": [123, 342, 453], // link(s) to the issues found by the scan (X-Ray)
"expired_issues": [134, 132, 342], // link(s) to the issues for which the grace period expired
"required": [ "yes"|"no"] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.container_images",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of the scan
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"artifact_name": "mybaseimage", //name of the dependent artifact
"checksum": "324334", // checksum or digital signature
"verified": ["yes"|"no"], // checksum verified or not
"scan_status": ["passed"|"failed"], // the status of the scan
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"checksum_issues": [134, 132, 342 ], // link(s) to the issues representing missing or not matching checksums
"scan_issues": [123, 342, 453], // link(s) to the issues found by the scan (X-Ray)
"expired_issues": [134, 132, 342], // link(s) to the issues for which the grace period expired
"required": [ "yes"|"no"] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.packages",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"artifact_name": "mydependentpackage", //name of the dependent artifact
"checksum": "324334", // checksum or digital signature
"verified": ["yes"|"no"], // checksum verified or not
"scan_status": ["passed"|"failed"], // the status of the scan
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"checksum_issues": [134, 132, 342], // link(s) to the issues representing missing or not matching checksums
"scan_issues": [123, 342, 453], // link(s) to the issues found by the scan (X-Ray)
"expired_issues": [134, 132, 342], // link(s) to the issues for which the grace period expired
"required": ["yes"|"no"] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.packages",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"artifact_name": "mydependentpackage", //name of the dependent artifact
"checksum": "324334", // checksum or digital signature
"verified": ["yes"|"no"], // checksum verified or not
"scan_status": ["passed"|"failed"], // the status of the scan
"log": {
"url": "https://acme.org/log.txt", // the link to where the actual log of the test is
"hash": "abc123", // the hash of the log file
},
"checksum_issues": [134, 132, 342], // link(s) to the issues representing missing or not matching checksums
"scan_issues": [123, 342, 453], // link(s) to the issues found by the scan (X-Ray)
"expired_issues": [134, 132, 342], // link(s) to the issues for which the grace period expired
"required": ["yes"|"no"] // yes: this is an auditable step; no: this is a non auditable step
// there could be other artifacts that serve as build input
}, {
// build output: images or config files, calico policies...
// Partial: CM-5(3) ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS
// The information system prevents the installation of [Assignment: organization-defined software and firmware components]
// without verification that the component has been digitally signed using a certificate that is recognized and approved by
// the organization.
// Partial: SI-7(6) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CRYPTOGRAPHIC PROTECTION
// The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.
// Partial: SI-7(15) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE AUTHENTICATION
// The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation.
// Control passed if:
// 1- the script is one of the blessed ones AND
// 2- (the signature is verified OR
// 3- the signature is not verified AND issues have been opened AND prod CR approved manually)
"evidence_type_id": "com.ibm.images_signature",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"name": "dhksd", // the name of the image
"checksum": "2342342", // the digital signature of the image
"verified": ["yes"|"no"], // checksum verified or not
"issues": [134, 132, 343], // link(s) to the issues representing missing or not matching checksums
"required": ["yes"|"no"] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.images_signature",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"name": "dhksd", // the name of the image
"checksum": "2342342", // the digital signature of the image
"verified": ["yes"|"no"], // checksum verified or not
"issues": [134, 132, 343], // link(s) to the issues representing missing or not matching checksums
"required": ["yes"|"no"] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.files_signature",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"name": "dhksd", // the name of the file
"checksum": "2342342", // the digital signature of the file
"verified": ["yes"|"no"], // checksum verified or not
"issues": [134, 132, 343], // link(s) to the issues representing missing or not matching checksums
"required": ["yes"|"no"] // yes: this is an auditable step; no: this is a non auditable step
}, {
"evidence_type_id": "com.ibm.files_signature",
"version": "1.0.0",
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"name": "dhksd", // the name of the file
"checksum": "2342342", // the digital signature of the file
"verified": ["yes"|"no"], // checksum verified or not
"issues": [134, 132, 343], // link(s) to the issues representing missing or not matching checksums
"required": ["yes"|"no"] // yes: this is an auditable step; no: this is a non auditable step
}, {
// Partial: CM-2(1)(c) BASELINE CONFIGURATION | REVIEWS AND UPDATES
// As an integral part of information system component installations and upgrades.
// Partial: CM-2(2) BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
// The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline
// configuration of the information system.
// CM-2(6) BASELINE CONFIGURATION | DEVELOPMENT AND TEST ENVIRONMENTS
// The organization maintains a baseline configuration for information system development and test environments that is managed
// separately from the operational baseline configuration.
// CM-3(1)(a) CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES
// The organization employs automated mechanisms to: Document proposed changes to the information system;
// CM-3(1)(e) CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES
// The organization employs automated mechanisms to: Document all changes to the information system;
// Control passed if:
// 1- the CR contains the baseline changes in the change log
// 2- the CR contains a link to the to-be-baseline
// CM-3(2) CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES
// The organization tests, validates, and documents changes to the information system before implementing the changes on
// the operational system.
// Control passed if:
// 1- CR contains baselines changes in the change log
// 2- contains test results and issues opened while testing
"evidence_type_id": "com.ibm.preprod_change_request",
"version": "1.0.0",
"result": ["passed" | "failed"], // passed if the change request was auto-approved or approved, failed otherwise.
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"id": "https://change_tool/1213", // link to the preproduction change request on the same baseline of the production one
"status": ["auto-approved", "approved", "rejected"], // status of the change request
"approvers": ["name1","name2", ..., "nameN"], // name of the approvers
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}, {
// Partial: CM-2(1)(c) BASELINE CONFIGURATION | REVIEWS AND UPDATES
// As an integral part of information system component installations and upgrades.
// Partial: CM-2(2) BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
// The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline
// configuration of the information system.
// CM-2(6) BASELINE CONFIGURATION | DEVELOPMENT AND TEST ENVIRONMENTS
// The organization maintains a baseline configuration for information system development and test environments that is managed
// separately from the operational baseline configuration.
// CM-3(1)(a) CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES
// The organization employs automated mechanisms to: Document proposed changes to the information system;
// CM-3(1)(e) CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES
// The organization employs automated mechanisms to: Document all changes to the information system;
// Control passed if:
// 1- CR contains baselines changes in the change log
// 2- contains a link to the to-be-baseline
// CM-3(2) CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES
// The organization tests, validates, and documents changes to the information system before implementing the changes on
// the operational system.
// Control passed if:
// 1- CR contains baselines changes in the change log
// 2- contains test results and issues opened while testing
// CM-3(b) Reviews proposed configuration-controlled changes to the information system and approves or disapproves
// such changes with explicit consideration for security impact analyses;
// CM-3(c) Documents configuration change decisions associated with the information system;
// CM-3(d) Implements approved configuration-controlled changes to the information system;
// CM-3(1)(d) Prohibit changes to the information system until designated approvals are received;
// Control passed if:
// 1- CR contains links to the approval records
// CM-3(1)(c) Highlight proposed changes to the information system that have not been approved or disapproved by [
// Assignment: organization-defined time period];
// Control passed if:
// 1- If rejected, CR contains links to the denial records
// CM-3(4) CONFIGURATION CHANGE CONTROL | SECURITY REPRESENTATIVE
// The organization requires an information security representative to be a member of the [Assignment: organization-defined
// configuration change control element].
// Control passed if:
// 1- One of the security scans failed AND
// 2- manual approval has been requested AND
// 3- there are at least two approvers AND
// 4- One of the approvers is the security focal
"evidence_type_id": "com.ibm.prod_change_request",
"version": "1.0.0",
"result": ["passed" | "failed"], // passed if the change request was auto-approved or approved, failed otherwise.
"date": "2020-05-06T12:00:00Z", // date of task run
"origin": {
"url":"https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml", // where the task is taken from
"version": "423792" // commit id representing the task version used to produce the evidence
},
"toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::", // CRN of the toolchain
"pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0", // the id of the pipeline that generated this piece of evidence
"pipeline_run_id": 12345, // this is the id of the pipeline run that generated this piece of evidence
"id": "https://change_tool/1213", // link to the production change request
"status": ["auto-approved", "approved", "rejected"], // status of the change request
"approvers": ["name1","name2", ..., "nameN"], // name of the approvers
"required": [ "yes" | "no" ] // yes: this is an auditable step; no: this is a non auditable step
}]
}
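The "Control passed if" rules above are stated only as comments. The following Python, added here as an example and not taken from the IBM DevSecOps pipeline, validates a change-request evidence record of the documented shape and evaluates the documented result rule and the CM-3(4) security-representative conditions for it. It assumes that the security scan results of the same pipeline run are available as a mapping of evidence type id to result, that the security focal is identified by an approver name, and that "manual approval has been requested" means the change request was not auto-approved; the scan type ids and the sample record are constructed.

```python
# Added example, not IBM DevSecOps pipeline code: validate a v1 change-request
# evidence record of the shape documented above and evaluate the documented
# "Control passed if" rules. Assumptions: scan results of the same pipeline run
# are a mapping of evidence_type_id -> result, and the security focal is named
# in the approvers list.
from datetime import datetime

APPROVED_STATUSES = ("auto-approved", "approved")
VALID_STATUSES = APPROVED_STATUSES + ("rejected",)
CR_TYPES = ("com.ibm.preprod_change_request", "com.ibm.prod_change_request")
REQUIRED_FIELDS = ("evidence_type_id", "version", "result", "date", "origin",
                   "toolchain_crn", "pipeline_id", "pipeline_run_id", "id",
                   "status", "approvers", "required")

# Constructed sample record: a production CR approved by two people.
SAMPLE_CR = {
    "evidence_type_id": "com.ibm.prod_change_request",
    "version": "1.0.0",
    "result": "passed",
    "date": "2020-05-06T12:00:00Z",
    "origin": {
        "url": "https://us-south.git.cloud.ibm.com/open-toolchain/compliance-pipelines/-/blob/master/definitions/mytask.yaml",
        "version": "423792",
    },
    "toolchain_crn": "crn:v1:bluemix:public:toolchain:us-south:a/190e0b4ce4cd013159917665213ddc51:7467a214-f404-4e23-acab-2e57e935d138::",
    "pipeline_id": "b1cfb6a4-813d-4fec-bbf7-ce662e8ce4e0",
    "pipeline_run_id": 12345,
    "id": "https://change_tool/1213",
    "status": "approved",
    "approvers": ["name1", "name2"],
    "required": "yes",
}

# Constructed sample scan outcomes of the same run (type ids are assumed).
SAMPLE_SCANS = {"com.ibm.static_scan": "failed", "com.ibm.vulnerability_scan": "passed"}


def expected_result(record):
    """'passed' for auto-approved or approved CRs, 'failed' otherwise (as documented)."""
    return "passed" if record.get("status") in APPROVED_STATUSES else "failed"


def validate_record(record):
    """Return a list of schema problems; an empty list means the record is well formed."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in record]
    if problems:
        return problems
    if record["evidence_type_id"] not in CR_TYPES:
        problems.append("unexpected evidence_type_id")
    try:
        datetime.strptime(record["date"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        problems.append("date is not an ISO-8601 UTC timestamp")
    if record["status"] not in VALID_STATUSES:
        problems.append("status must be auto-approved, approved or rejected")
    elif record["result"] != expected_result(record):
        problems.append("result does not match status")
    if record["required"] not in ("yes", "no"):
        problems.append("required must be 'yes' or 'no'")
    if not isinstance(record["approvers"], list):
        problems.append("approvers must be a list")
    elif record["status"] == "approved" and not record["approvers"]:
        problems.append("approved CR has no approvers")
    origin = record["origin"]
    if not isinstance(origin, dict) or not {"url", "version"} <= set(origin):
        problems.append("origin must carry url and version")
    return problems


def cm3_4_passed(record, scan_results, security_focal):
    """CM-3(4) as documented: a security scan failed AND manual approval was
    requested AND there are at least two approvers AND one of them is the
    security focal. 'Manual approval requested' is read as 'not auto-approved'
    (assumption). When no scan failed the rule as written yields False."""
    scan_failed = any(r == "failed" for r in scan_results.values())
    manual = record.get("status") != "auto-approved"
    approvers = record.get("approvers") or []
    return (scan_failed and manual and len(approvers) >= 2
            and security_focal in approvers)


def evaluate(record, scan_results, security_focal):
    """Bundle the checks into one summary a CR approver or auditor can read."""
    return {
        "problems": validate_record(record),
        "result": expected_result(record),
        "cm_3_4": cm3_4_passed(record, scan_results, security_focal),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_CR, SAMPLE_SCANS, "name2"))
```

Note that `cm3_4_passed` implements the rule literally: when no security scan failed, there was nothing requiring a security representative, and the function reports False rather than "not applicable". A real evaluator would want to distinguish those two cases in the evidence summary, otherwise a clean run looks like a control failure.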