Skip to content

Add Optional #Evidence type to #AssessmentLog #417

Description

@jpower432

Is your feature request related to a problem?

The evidence chain (EvaluationLog → EnforcementLog → AuditLog) traces across logs, but there is no way to record what specifically the evaluator examined within the target during an assessment.

AssessmentLog records pass/fail with a message, but not I consulted THIS specific resource at THIS time. This means consumers like SARIF converters cannot populate file locations effectively, and auditors cannot verify what data sources the evaluator actually consulted without requesting supplementary evidence.

Describe the solution you'd like

Add a #Provenance type and optional field to #AssessmentLog in evaluationlog.cue:

Example

  #Provenance: {
      // address identifies what was consulted (file path, API endpoint, ARN, image ref, etc.)
      address:   string
      // collected is the timestamp when the data was acquired
      collected: #Datetime @go(Collected)
      // observed is the relevant content extracted
      observed?: string
  }

Three fields (two required, one optional), modality-neutral -- works for file scans, API checks, container scans, cloud config, physical audits, and interviews.

On #AssessmentLog:
The field is optional and backward-compatible.
provenance?: [#Provenance, ...#Provenance] @go(Provenance,type=[]Provenance)

Describe alternatives you've considered

Extensive naming exploration rejected 11 alternatives:

  • #Observation — collides with #ResultType: "Observation" enum value in auditlog.cue
  • #Subject — in OSCAL, subject means the component (inventory item instance) being assessed (equivalent to Gemara's target)
  • #Evidence — already exists on #AuditResult for macro-level log references
  • #Resource — already exists as a type (#Entity extension)
  • #Source — source field already exists on #Mapping in mappingdocument.cue
  • #Sample — implies statistical sampling methodology
  • #Examination — synonym/subset of Assessment and Evaluation

Success Criteria

  • Criterion 1: #Provenance type and provenance? field on #AssessmentLog are added to evaluationlog.cue and pass CUE validation
  • Criterion 2: Existing EvaluationLog YAML documents validate without changes (backward-compatible)
  • Criterion 3: The backward compatibility check (test/compat_test.go) passes with the new field
  • Criterion 4: go-gemara can generate types from the updated schema and round-trip provenance data through YAML serialization

Additional context

assessment-logs:
    - requirement:
        reference-id: osps-baseline
        entry-id: OSPS-AC-01.01
      description: "MFA enforcement check"
      result: Passed
      message: "MFA is enabled for all organization members"
      provenance:
        - address: "https://api.github.com/orgs/myorg/settings"
          collected: "2025-08-22T16:02:00Z"
          observed: '{"two_factor_requirement_enabled": true}'
        - address: "https://api.github.com/orgs/myorg/members?filter=2fa_disabled"
          collected: "2025-08-22T16:02:01Z"
          observed: "[]"

Rel #23

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
In progress

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions