Description
Objective
Currently, compliance-to-policy-go focuses on transforming OSCAL to policies and policy results back to OSCAL Assessment Results. The current process involves collecting results from policy engines, which is a crucial step. However, there is no standardized or centralized mechanism within C2P for handling evidence related to these results. This can lead to a fragmented approach where different policy engine plugins or pipeline implementations handle evidence in an ad-hoc manner, making it difficult to:
- Trace the original source of an assessment result.
- Store supplementary evidence (e.g. logs) that supports the verdict (pass/fail/error) of a policy assessment.
- Correlate evidence across different policy engines and assessments.
Proposed Solution
Centralized Evidence Store
Implement a new component responsible for collecting, storing, and managing evidence.
This could be a simple file-based storage solution initially, with the potential for future extensions to integrate with S3 buckets, Git repositories, or dedicated evidence management systems.
The core logic would be to:
- Define a designated location for evidence and communicate it to plugins as a global option
- Receive evidence linkage data from the result2oscal plugins.
- Use OSCAL Assessment Results to link the evidence back to the report
This may require extending the plugin API to add granularity to the RelevantEvidences field.
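As an added example, not code from the compliance-to-policy-go project or its plugin API, the Go program below sketches the file-based store described above: a plugin hands content to the store, gets back a reference carrying a relative href and a SHA-256 digest, and C2P core turns that reference into an OSCAL `relevant-evidence` entry (modelled here as only `href`, `description` and `props`). The type and function names (`EvidenceRef`, `FileEvidenceStore`, `Put`, `Verify`, `ToRelevantEvidence`), the `sha256` and `media-type` prop names, and the Kyverno PolicyReport snippet are all assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// EvidenceRef is what a plugin hands back to C2P core after storing evidence:
// enough to link it from an OSCAL observation and to re-verify it later.
// Hypothetical type, not the real C2P plugin API.
type EvidenceRef struct {
	Href        string // path relative to the evidence root, slash-separated
	SHA256      string // hex digest of the stored bytes
	Description string
	MediaType   string
}

// RelevantEvidence models the OSCAL observation relevant-evidence fields used here.
type RelevantEvidence struct {
	Href        string     `json:"href"`
	Description string     `json:"description"`
	Props       []Property `json:"props,omitempty"`
}

// Property is an OSCAL name/value property.
type Property struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

// FileEvidenceStore is a content-addressed, write-once, file-based store rooted
// at Root (the location c2pcli would hand to plugins as a global option).
type FileEvidenceStore struct {
	Root string
}

// Put stores content at <Root>/<plugin>/<aa>/<sha256> and returns a reference.
// The plugin name is the only caller-controlled path segment, so it must be a
// single path element; this keeps a misbehaving plugin from escaping the root.
func (s *FileEvidenceStore) Put(plugin, description, mediaType string, content []byte) (EvidenceRef, error) {
	if plugin == "" || plugin == "." || plugin == ".." || filepath.Base(plugin) != plugin {
		return EvidenceRef{}, fmt.Errorf("invalid plugin name %q", plugin)
	}
	sum := sha256.Sum256(content)
	digest := hex.EncodeToString(sum[:])
	rel := filepath.Join(plugin, digest[:2], digest)
	ref := EvidenceRef{Href: filepath.ToSlash(rel), SHA256: digest, Description: description, MediaType: mediaType}
	abs := filepath.Join(s.Root, rel)
	if err := os.MkdirAll(filepath.Dir(abs), 0o750); err != nil {
		return EvidenceRef{}, err
	}
	// O_EXCL makes the store write-once: identical content maps to the same
	// path and is reused, and nothing can overwrite evidence already stored.
	f, err := os.OpenFile(abs, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o440)
	if err != nil {
		if errors.Is(err, os.ErrExist) {
			return ref, nil
		}
		return EvidenceRef{}, err
	}
	if _, err := f.Write(content); err != nil {
		f.Close()
		return EvidenceRef{}, err
	}
	return ref, f.Close()
}

// Verify re-reads the evidence behind ref and checks its digest, so a consumer
// of the Assessment Results can detect evidence altered after the report was made.
func (s *FileEvidenceStore) Verify(ref EvidenceRef) error {
	data, err := os.ReadFile(filepath.Join(s.Root, filepath.FromSlash(ref.Href)))
	if err != nil {
		return err
	}
	sum := sha256.Sum256(data)
	if got := hex.EncodeToString(sum[:]); got != ref.SHA256 {
		return fmt.Errorf("evidence %s: digest mismatch (want %s, got %s)", ref.Href, ref.SHA256, got)
	}
	return nil
}

// ToRelevantEvidence builds the entry C2P core would append to an observation's
// relevant-evidence list; the digest travels as a prop so the link is verifiable.
func ToRelevantEvidence(ref EvidenceRef) RelevantEvidence {
	return RelevantEvidence{Href: ref.Href, Description: ref.Description, Props: []Property{
		{Name: "sha256", Value: ref.SHA256}, {Name: "media-type", Value: ref.MediaType}}}
}

func main() {
	root, err := os.MkdirTemp("", "c2p-evidence-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	store := &FileEvidenceStore{Root: root}
	// Constructed stand-in for a Kyverno PolicyReport result, not real output.
	report := []byte(`{"policy":"require-labels","rule":"check-team","result":"fail","resources":[{"kind":"Pod","name":"web","namespace":"default"}]}`)
	ref, err := store.Put("kyverno", "Kyverno PolicyReport result for Pod default/web", "application/json", report)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(ToRelevantEvidence(ref), "", "  ")
	fmt.Printf("%s\nverify: %v\n", out, store.Verify(ref))
}
```

Two design points matter here. Content addressing plus `O_EXCL` makes the store write-once, so a plugin cannot silently replace evidence that an earlier observation already links to, and carrying the digest in a prop means the href in the Assessment Results is checkable rather than just a path. The same `EvidenceRef` shape would work unchanged if the backend later became an S3 bucket or a Git repository; only `Put` and `Verify` would need a new implementation.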
Completion Criteria
Acceptance Criteria
- At least one policy engine plugin (e.g., Kyverno) is updated to demonstrate how to collect and return evidence.
- A new configuration option is added to c2pcli to specify the evidence storage location (this could also be an OpenTelemetry collector endpoint)
- C2P core logic is updated to receive, store, and link evidence to the generated OSCAL Assessment Results.
- The generated OSCAL Assessment Results document contains a reference to the stored evidence.