[trustable-software] Our thoughts on OpenControl and Mustard

Jim MacArthur jim.macarthur at codethink.co.uk
Mon Oct 10 11:11:05 UTC 2016


On 07/10/16 16:32, Paul Sherwood wrote:

> That's interesting... so is there an established body of work for that?
> i.e. is someone maintaining metadata for OpenSSL and a host of other
> standard components vs NIST, or other standards?

Not yet, but I think the ultimate goal is for that to be part of the 
project itself. It would require adding an opencontrol.yaml file to the 
top level of a project and adding a subdirectory with more metadata in 
it. In the early days I'd expect this to be externally contributed to 
important projects rather than expecting the existing developers to add it.

>> Naturally, you still need to create and update the component
>> information, and this process will be susceptible to errors, but
>> breaking the problem down should make this much easier and catch some
>> errors.
>
> So there's no magic way to manage the metadata when we *update* a
> component... presumably someone has to fix/review it for the new version
> each time?

There's no magic way currently in OpenControl or Mustard, no. I'd like 
to look into that; I'm quite sure there will be some way to usefully 
link code changes back to requirements and controls in some cases, 
although there will be unpleasant corner cases. For example, changing 
one line in a C header file can potentially change the behaviour of all 
the code in the project, so would have to invalidate all the compliance 
data.

>> There's also a lot of things I'd like to add to both these systems -
>> I think standards could be linked to sections of source code, for
>> example. Anyone who's worked with the GCC codebase might have seen
>> that they annotate functions with parts of the standard they comply
>> with. This is a manual process at the moment.
>
> One of the things I like about the Mustard implementation is the ability
> to embed text (and thus git-commitable, diffable) representations of UML
> diagrams via PlantUML. Is there anything similar for OpenControl? Would
> it even make sense?

PlantUML only requires a plain text field somewhere, so it would be 
quite easy to add into OpenControl. PlantUML is not coupled to any of 
Mustard's data structure as far as I know.
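As an added illustration of the "link code changes back to controls" idea raised above (example code, not part of the thread, OpenControl or Mustard; the `implemented_by` annotation, the sample `satisfies` entries and the file paths are assumptions), this sketch decides which control narratives need re-review after a change, treating any C header change as invalidating all compliance data:

```python
"""Added example, not OpenControl/Mustard code.

Each control in a component.yaml-style 'satisfies' list is annotated with
the source paths that implement it (a hypothetical 'implemented_by' field,
not an OpenControl schema field). Given the files touched by a change, we
return the controls whose evidence must be re-reviewed. A change to a C
header can alter the behaviour of every translation unit, so it invalidates
everything, as the thread notes.
"""
import posixpath
from typing import Iterable, Set

# Constructed sample data (assumed, not taken from any real project).
SATISFIES = [
    {"standard_key": "NIST-800-53", "control_key": "AC-2",
     "implemented_by": ["src/auth/accounts.c"]},
    {"standard_key": "NIST-800-53", "control_key": "AU-2",
     "implemented_by": ["src/log/audit.c", "src/log/format.c"]},
    {"standard_key": "NIST-800-53", "control_key": "SC-13",
     "implemented_by": ["src/crypto/"]},  # trailing slash: whole directory
]

HEADER_SUFFIXES = (".h", ".hpp")


def _touches(annotated: str, changed: str) -> bool:
    """True if a changed file falls under an annotated path (file or directory)."""
    if annotated.endswith("/"):
        return changed.startswith(annotated)
    return changed == annotated


def stale_controls(satisfies, changed_files: Iterable[str]) -> Set[str]:
    """Return '<standard>/<control>' keys whose narratives need re-review."""
    changed = list(changed_files)
    all_keys = {f"{s['standard_key']}/{s['control_key']}" for s in satisfies}
    # Header change: every piece of code may behave differently now.
    if any(posixpath.splitext(f)[1] in HEADER_SUFFIXES for f in changed):
        return all_keys
    stale = set()
    for s in satisfies:
        paths = s.get("implemented_by", [])
        if any(_touches(p, f) for p in paths for f in changed):
            stale.add(f"{s['standard_key']}/{s['control_key']}")
    return stale


if __name__ == "__main__":
    print(stale_controls(SATISFIES, ["src/log/format.c"]))  # {'NIST-800-53/AU-2'}
    print(stale_controls(SATISFIES, ["include/config.h"]))  # all three keys
```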
