docs: Baseline assessment results in OCSF Compliance Findings #17

Open. Wants to merge 1 commit into base: main.

Conversation

@trumant trumant (Contributor) commented Apr 29, 2025

The purpose of this PR is to document a means by which Baseline assessment evidence can use the OCSF schema for interchange purposes between tools.

Desired feedback from reviewers

  1. Does OCSF seem like a useful schema for this purpose?
  2. Which optional and recommended fields provide the most value to someone consuming the results of a baseline assessment?
  3. Are there OCSF-compatible tools that would get value from assessment data in this format?

Signed-off-by: Travis Truman <trumant@gmail.com>
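To make the proposal concrete for reviewers, here is an added example (not code from this PR, from the linked Google doc, or from trumant/go-ocsf) that maps one control result from a hypothetical Baseline assessment tool onto an OCSF Compliance Finding and checks that the required attributes a consuming tool would rely on are present. The field names follow the OCSF 1.1 Compliance Finding class (class_uid 2003 in the Findings category) as I understand it and should be checked against schema.ocsf.io; the control identifier, repository name, tool name and evidence strings are constructed for illustration.

```python
"""Map a Baseline control assessment result onto an OCSF Compliance Finding.

Added illustration, not code from ossf/wg-orbit, ossf/security-baseline or
trumant/go-ocsf. Attribute names follow the OCSF 1.1 Compliance Finding class
as understood by the example's author; verify them against schema.ocsf.io.
All sample data below is constructed.
"""
import json
import time
from dataclasses import dataclass, field
from typing import List, Optional

CATEGORY_FINDINGS = 2            # OCSF category_uid for Findings
CLASS_COMPLIANCE_FINDING = 2003  # OCSF class_uid for Compliance Finding

ACTIVITY = {"create": 1, "update": 2, "close": 3}          # activity_id enum
COMPLIANCE_STATUS = {"pass": 1, "warning": 2, "fail": 3}   # compliance.status_id
SEVERITY = {"informational": 1, "low": 2, "medium": 3}     # severity_id subset
SEVERITY_FOR_STATUS = {"pass": "informational", "warning": "low", "fail": "medium"}

# Attributes a consumer should be able to rely on: the OCSF "required" set for
# this class plus the compliance status that gives the finding its meaning.
REQUIRED_PATHS = (
    "activity_id", "category_uid", "class_uid", "type_uid", "time",
    "severity_id", "metadata.version", "metadata.product.name",
    "metadata.product.vendor_name", "finding_info.title", "finding_info.uid",
    "compliance.status_id",
)


@dataclass
class BaselineResult:
    """One control evaluation from a hypothetical Baseline assessment tool."""
    control_id: str                 # e.g. "OSPS-AC-01.01" (constructed id)
    level: int                      # Baseline maturity level of the control
    status: str                     # "pass" | "warning" | "fail"
    repo: str                       # repository that was assessed
    evidence: List[str] = field(default_factory=list)
    activity: str = "create"        # "create" | "update" | "close"


def to_compliance_finding(r: BaselineResult, tool_version: str = "0.0.1",
                          when_ms: Optional[int] = None) -> dict:
    """Build an OCSF Compliance Finding event dict from a Baseline result."""
    activity_id = ACTIVITY[r.activity]
    if when_ms is None:
        when_ms = int(time.time() * 1000)  # OCSF timestamps are epoch milliseconds
    return {
        "activity_id": activity_id,
        "category_uid": CATEGORY_FINDINGS,
        "class_uid": CLASS_COMPLIANCE_FINDING,
        # OCSF convention: type_uid = class_uid * 100 + activity_id
        "type_uid": CLASS_COMPLIANCE_FINDING * 100 + activity_id,
        "time": when_ms,
        "severity_id": SEVERITY[SEVERITY_FOR_STATUS[r.status]],
        "metadata": {
            "version": "1.1.0",
            "product": {"name": "baseline-assessor (hypothetical)",
                        "vendor_name": "example.org", "version": tool_version},
        },
        "finding_info": {
            # Stable uid so Create/Update/Close events for the same control
            # and repository can be correlated by a consumer.
            "uid": f"{r.repo}#{r.control_id}",
            "title": f"Baseline control {r.control_id} (Level {r.level}): {r.status}",
        },
        "compliance": {
            "control": r.control_id,
            "standards": ["OSPS Baseline"],
            "requirements": [f"Level {r.level}"],
            "status": r.status.capitalize(),
            "status_id": COMPLIANCE_STATUS[r.status],
        },
        "resource": {"type": "repository", "name": r.repo},
        # Evidence attributes differ between OCSF versions, so raw evidence is
        # carried in the schema's catch-all `unmapped` object here.
        "unmapped": {"baseline_evidence": list(r.evidence)},
    }


def missing_required(event: dict) -> List[str]:
    """Return dotted paths from REQUIRED_PATHS that are absent in `event`."""
    missing = []
    for path in REQUIRED_PATHS:
        node = event
        for part in path.split("."):
            if not isinstance(node, dict) or part not in node:
                missing.append(path)
                break
            node = node[part]
    if "type_uid" not in missing and event.get("type_uid") != \
            event.get("class_uid", 0) * 100 + event.get("activity_id", 0):
        missing.append("type_uid (inconsistent with class_uid/activity_id)")
    return missing


if __name__ == "__main__":
    sample = BaselineResult("OSPS-AC-01.01", 1, "fail",
                            "github.com/example/repo",
                            ["branch protection not enabled on main"])
    finding = to_compliance_finding(sample, when_ms=1_700_000_000_000)
    print(json.dumps(finding, indent=2))
    print("missing:", missing_required(finding))
```

The `missing_required` check is a local sanity test only; for authoritative validation, submit the event to the OCSF schema server's validator. The `unmapped` object is where fields with no agreed home (such as raw evidence) can travel without breaking consumers that only read the core attributes, which bears on the second review question above.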
@trumant trumant (Contributor Author) commented Apr 29, 2025

@funnelfiasco (Collaborator)

Admittedly, I've not given the Google doc more than a quick glance, but it's not clear to me what the purpose of this PR is or why it belongs here and not in the Baseline repo (perhaps the former answers the latter).

@trumant trumant (Contributor Author) commented Apr 29, 2025

> Admittedly, I've not given the Google doc more than a quick glance, but it's not clear to me what the purpose of this PR is or why it belongs here and not in the Baseline repo (perhaps the former answers the latter).

I raised the PR here as the topic of data interchange is core to the WG, but the particular material I'm commenting on didn't seem like it fit neatly as a contribution to ossf/security-baseline and had broader applicability to the WG as a whole, rather than to a single project.

@funnelfiasco (Collaborator)

So is the intent to define this as the mechanism for data interchange or to note it as one possibility?

Since there's no docs/ directory yet (or other organization for the WG repo), it's not entirely clear what the intent is here.

@trumant trumant (Contributor Author) commented Apr 29, 2025

> So is the intent to define this as the mechanism for data interchange or to note it as one possibility?
>
> Since there's no docs/ directory yet (or other organization for the WG repo), it's not entirely clear what the intent is here.

I'm noting the possibility and looking for feedback on utility/suitability of this being one such expression of the results of a baseline assessment.

trumant added a commit to trumant/go-ocsf that referenced this pull request Apr 30, 2025
These types are useful for folks doing compliance activities
and storing the results of their compliance assessments as OCSF

This work is related to the work being done in
ossf/wg-orbit#17

trumant added further commits to trumant/go-ocsf that referenced this pull request, three on May 1, 2025 and two on May 2, 2025, each carrying the same commit message as above.
@eddie-knight eddie-knight (Collaborator) left a comment

Let's talk through this on the WG call — putting an X on it so it doesn't get merged early

4 participants