Deliverable D2.8
Runtime Evidence Extractor – 1
Editor(s):
Angelika Schneider, Florian Wendland
Responsible Partner:
Fraunhofer AISEC (FHG)
Status-Version:
Final 1.0
Date:
31.10.2024
Type:
OTHER
Distribution level:
PU
D2.8 - Runtime Evidence Extractors – 1 Version 1.0 – Final. Date: 31.10.2024
© EMERALD Consortium Contract No. GA 101120688 Page 2 of 23
www.emerald-he.eu
Project Number:
101120688
Project Title:
EMERALD
Title of Deliverable:
D2.8 – Runtime Evidence Extractors – 1
Due Date of Delivery to the EC
31.10.2024
Workpackage responsible for the Deliverable:
WP2 – Methodology for knowledge extraction
Editor(s):
Angelika Schneider (FHG), Florian Wendland (FHG)
Contributor(s):
-
Reviewer(s):
Verena Geist (SCCH)
Cristina Martínez, Juncal Alonso (TECNALIA)
Approved by:
All Partners
Recommended/mandatory readers:
WP1, WP2, WP3, WP4, and WP5
Abstract:
This deliverable presents a tool for evidence extraction from runtime information that can be integrated with the certification graph.
It is the result of work performed in Task 2.5. This document is a first/interim version; the final version on runtime evidence extractors will be reported in D2.9.
Keyword List:
Evidence collection, runtime information, cloud, Clouditor-Discovery, technical evidence.
Licensing information:
This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0 DEED https://creativecommons.org/licenses/by-sa/4.0/)
Disclaimer
Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. The European Union cannot be held responsible for them.
Document Description

Version | Date | Modifications Introduced | Modification Reason | Modified by
0.1 | 09.09.2024 | First draft version, ToC, executive summary, about this deliverable | | Angelika Schneider (FHG)
0.2 | 23.09.2024 | Limitations and future work, prototype architecture, functional description | | Angelika Schneider (FHG)
0.3 | 24.09.2024 | Functional description, document structure, appendices prepared | | Angelika Schneider (FHG)
0.4 | 25.09.2024 | Component card Clouditor-Discovery | | Angelika Schneider (FHG)
0.5 | 27.09.2024 | Renaming in-toto, add discovery component flags image, incorporating comments from Christian Banse. | | Angelika Schneider (FHG)
0.6 | 07.10.2024 | Description of Codyze-Provenance | | Florian Wendland (FHG)
0.7 | 07.10.2024 | Delete appendix, add conclusion | | Angelika Schneider (FHG)
0.8 | 08.10.2024 | Finalizing document for the internal review | | Angelika Schneider (FHG)
0.9 | 14.10.2024 | Internal QA review | | Verena Geist (SCCH)
0.10 | 16.10.2024 | Incorporate QA review comments | | Angelika Schneider (FHG)
0.11 | 18.10.2024 | Incorporate QA review comments | | Florian Wendland, Angelika Schneider (FHG)
0.12 | 28.10.2024 | Final review | | Cristina Martínez/Juncal Alonso (TECNALIA)
0.13 | 29.10.2024 | Incorporate final review comments | | Florian Wendland, Angelika Schneider (FHG)
1.0 | 31.10.2024 | Submitted to the European Commission | | Cristina Martínez/Juncal Alonso (TECNALIA)
Table of contents
Terms and abbreviations ..... 6
Executive Summary ..... 7
1 Introduction ..... 8
1.1 About this deliverable ..... 8
1.2 Document structure ..... 8
2 Runtime evidence extractors in the EMERALD architecture ..... 10
3 Clouditor-Discovery ..... 12
3.1 Functional description ..... 12
3.2 Technical description ..... 13
3.2.1 Prototype architecture ..... 13
3.2.2 Technical specifications ..... 14
3.3 Delivery and usage ..... 15
3.3.1 Package information ..... 15
3.3.2 Installation ..... 15
3.3.3 Instructions for use ..... 16
3.3.4 Licensing information ..... 18
3.3.5 Download ..... 18
3.4 Limitations and future work ..... 18
4 Codyze-Provenance ..... 19
4.1 Functional description ..... 19
4.2 Technical description ..... 20
4.2.1 Prototype architecture ..... 20
4.2.2 Technical specifications ..... 20
4.3 Delivery and usage ..... 20
4.3.1 Package information ..... 20
4.3.2 Installation ..... 20
4.3.3 Instructions for use ..... 21
4.3.4 Licensing information ..... 21
4.3.5 Download ..... 21
4.4 Limitations and future work ..... 21
5 Conclusions ..... 22
6 References ..... 23
List of tables
Table 1. Requirement CLDISC.01 - Discovery of security features of infrastructure components ..... 13
Table 2. Overview of the important API functions for the Clouditor-Discovery ..... 14
Table 3. Overview of the package structure of Clouditor-Discovery ..... 15
Table 4. Overview of tentative package structure for Codyze-Provenance ..... 20
List of figures
Figure 1. Excerpt of the EMERALD component diagram [8]. The highlighted component Clouditor-Discovery and the component Codyze-Provenance, which is part of the Codyze component, are described in this deliverable ..... 11
Figure 2. Overview of the available options for Clouditor-Discovery ..... 16
Figure 3. EMERALD UI view for setting the evidence collectors for a Certification Target (D4.3 [13]) ..... 17
Figure 4. EMERALD UI view for the available functionalities of an evidence collector (D4.3 [13]) ..... 17
Terms and abbreviations
AI: Artificial Intelligence
AI-SEC: AI Security Evidence Collector
AMOE: Assessment and Management of Organisational Evidence
API: Application Programming Interface
AWS: Amazon Web Services
CertGraph: Certification Graph
CI/CD: Continuous Integration / Continuous Deployment
CLI: command-line interface
Codyze: Static Code Analyzer from FHG
CSAF: Common Security Advisory Framework
CSP: Cloud Service Provider
eknows: Platform for Software Analysis from SCCH
GA: Grant Agreement of the project
GitLab: Version control and DevOps platform
gRPC: Google Remote Procedure Call
in-toto: Framework defining attestation format for software supply chains
KPI: Key Performance Indicator
KR: Key Result
MEDINA: Predecessor project of EMERALD
MVP: Minimum Viable Product
REST: Representational State Transfer
SLSA: Supply-chain Levels for Software Artifacts
TOM: Technical and Organisational Measure
TRL: Technology Readiness Level
WP: Work Package
Executive Summary
This deliverable presents the initial design, architecture, and implementation state of the runtime evidence extractors Clouditor-Discovery and Codyze-Provenance of WP2. It contributes to the key result KR1-EXTRACT of EMERALD, a framework to continuously extract runtime information of a cloud service and prepare suitable evidence based on it.
EMERALD follows a knowledge graph-based approach to provide a unified view of the cloud service under certification at different layers of the service, ranging from the infrastructure layer (e.g., virtual resources), to the business layer (e.g., policies and procedures), to the implementation layer (e.g., source code files) and data layer (e.g., increasingly used AI models) in cloud applications. The runtime evidence extractors, developed in Task 2.5 and described in this deliverable, aim on the one hand at identifying critical security-related functionality such as data encryption, transport encryption, or authentication in cloud infrastructure components. On the other hand, they establish software provenance and artefact attestation to completely track software from its inception as source code to deployed build artefacts. This is complementary to the evidence gathered in Task 2.2. Other related deliverables in WP2, all due at project month 12 (October 2024), provide functional and technical details on further evidence extractors from different sources, i.e., D2.2 [1] on source evidence extraction in Task 2.2, D2.4 [2] on evidence extraction from policy documents in Task 2.3, and D2.6 [3] on security and privacy preserving evidence extraction in Task 2.4. All these details contributed to D2.1 [4] on the overall information model for the certification graph in Task 2.1.
This document starts by illustrating how the runtime extractors fit into the overall EMERALD architecture. The main part provides functional and technical descriptions of the evidence extractors Clouditor-Discovery and Codyze-Provenance, including their purpose and scope, the (current and planned) coverage of the EMERALD requirements, and the components' internal architectures. These descriptions are complemented by information on delivery and usage, as well as on limitations and future work. Finally, the document concludes with a short summary.
The runtime evidence extractors described in this deliverable contribute to KR1-EXTRACT by providing next-generation evidence gathering tools and techniques based on a knowledge graph approach. One extractor – Clouditor-Discovery – currently has the initial prototype implemented and is ready to be integrated with other components of the EMERALD architecture. The requirement for the component is already partially satisfied by the presented prototype. The second extractor – Codyze-Provenance – is a new component within the EMERALD architecture and is currently in its initial design phase. Based on the work described in this deliverable, the runtime evidence extractors will be further extended and integrated into the EMERALD framework.
This is the first iteration of the deliverable coming from Task 2.5. The second and final version of this deliverable with the updated extractors will be delivered with D2.9 [5] in project month 24 (October 2025). Evidence will be prepared according to the integrated, graph-based model of semantically linked and combined evidence, provided in D2.10 (interim version) [6] in project month 15 (January 2025) and D2.11 (final version) [7] in project month 27 (January 2026). The extracted evidence will be stored and assessed, i.e., to verify the implementation of security metrics, in the scope of WP3.
1 Introduction
EMERALD aims to provide a next generation set of evidence gathering tools and techniques based on a knowledge graph approach. KR1-EXTRACT supports an improved and unified tool-supported approach to continuously extract knowledge from different layers of a cloud service, e.g., infrastructure, platform, runtime information, policy documents, software, and AI models.
The objective of WP2 is to establish a unified view of the cloud service being certified, known as the certification target, by extracting and enriching knowledge of the different layers of the service and providing suitable evidence for security metrics. A major part of this work package is research and design of multiple tools and techniques to extract knowledge out of various sources. A graph-based model, called the certification graph (CertGraph), serves as a common structure that is filled by all evidence extraction components.
1.1 About this deliverable
The goal of this deliverable is to present the design and implementation of the EMERALD evidence extractors that extract runtime information from cloud services. This is a report on the initial prototype reflecting an early stage of implementation and integration of the extractor and is the first of two iterations of deliverables resulting from Task 2.5.
Evidence on the runtime information level is gathered by the runtime information evidence extractor Clouditor-Discovery, which supports the CertGraph data model. The Clouditor-Discovery component is based on the respective microservice of Clouditor (https://github.com/clouditor/clouditor/tree/main/service/discovery) and was already used in MEDINA (https://medina-project.eu/). It focuses on generating evidence for security-related findings, such as encryption in use, at rest encryption or restricted ports. While the component was at TRL 5 in MEDINA, it should be advanced to TRL 7 in EMERALD.
Another source of runtime information are CI/CD pipelines and their jobs. During the build of a cloud service or application from source code, jobs such as application security testing, software composition analysis and secure software development measures augment the confidence in the security of the final build artefact. Codyze-Provenance is a new addition to EMERALD and currently under design that intends to gather evidence about CI/CD pipeline executions. This evidence would facilitate assessing security enhancing jobs executed during a build in a CI/CD pipeline. Moreover, Codyze-Provenance will provide attestations for executed jobs and link them together to provide provenance. From attestation and provenance reports it becomes possible to track the complete supply chain of software artefacts from source code to deployed artefacts.
Furthermore, application-specific runtime information (e.g., found in log files) might be used to provide additional context regarding the executed functionality. For now, it is just an idea and not implemented.
1.2 Document structure
The document is structured as follows.
In Section 2, we discuss how the runtime evidence extractors fit into the overall EMERALD architecture and their relationship with other components. Section 3 describes the Clouditor-Discovery evidence extractor, which provides the extraction of runtime information of cloud services. Section 4 describes the Codyze-Provenance evidence extractor, which provides traceability and attestation along CI/CD pipelines. For each extractor, we provide functional and technical descriptions, along with information about delivery, usage, limitations, and future work.
Section 5 ends with the conclusions of this deliverable.
Figure 2. Overview of the available options for Clouditor-Discovery
3.3.3 Instructions for use
Within the EMERALD project, the EMERALD UI is developed and used to access and manage the workflow within the framework. The Clouditor-Discovery is not directly accessible through the EMERALD UI; however, it can be attached to the Certification Target in the EMERALD UI.
Figure 3 shows the EMERALD UI view for selecting an evidence collector. Points 1-3 provide additional information about the evidence extractor, while the button at point 4 allows the user to add a new evidence collector. Point 5 displays the current status of the evidence extractor.
Figure 3. EMERALD UI view for setting the evidence collectors for a Certification Target (D4.3 [14])
Figure 4 presents the subsequent view containing configuration information of the selected evidence collector. The specifics of which information will be displayed and what functionalities will be available for Clouditor-Discovery are yet to be defined.
Figure 4. EMERALD UI view for the available functionalities of an evidence collector (D4.3 [14])
Further information regarding the EMERALD UI can be found in D4.3 [14].
Note that the installation of the evidence collectors cannot be performed via the EMERALD UI; however, users can attach individual evidence collectors to a Certification Target.
The available user manual can be found in the Clouditor README (https://github.com/clouditor/clouditor) and the CLI (https://github.com/clouditor/clouditor#clouditor-cli).
3.3.4 Licensing information
The Clouditor is licensed under the open-source Apache-2.0 license including all sub-components such as Clouditor-Discovery.
3.3.5 Download
The Clouditor source code can be found in the Clouditor GitHub repository (https://github.com/clouditor/clouditor/tree/main/service/discovery). The adapted EMERALD component Clouditor-Discovery can be found in the public EMERALD GitLab repository (https://git.code.tecnalia.com/emerald/public/components/discovery).
3.4 Limitations and future work
This section describes the limitations and future work of the Clouditor-Discovery component. The limitations are as follows:
• Clouditor-Discovery currently gathers data from Microsoft Azure, AWS, Kubernetes environments and CSAF, but its functionality is restricted by the access permissions granted to it in user management systems like Azure Active Directory. As a result, it can only access resources that are visible to the assigned user.
• Changes to the cloud provider APIs may require updates to the component. For example, if key security features, such as at rest encryption, are modified, their integration into the EMERALD evidence must be adjusted accordingly.
• The evidence collection is restricted by the capabilities of the cloud provider APIs. If a specific encryption feature is not supported by an API, capturing evidence for that feature will not be possible.
• Clouditor-Discovery incorporates ontological terms into the evidence; therefore, the constraints of the ontology must be considered:
  o First, it is crucial that the ontology terms are accurately integrated into the evidence; otherwise, the assessment component may yield incorrect metrics.
  o Second, the ontology requires ongoing updates, and any modifications must be reflected as well in the Clouditor-Discovery component.
  o We have already developed a tool called owl2proto that converts the modelled ontology into an appropriate Protobuf schema, which can be directly used in various programming languages. However, the code in the Clouditor-Discovery component still needs to be adjusted for more significant changes.
Future work will concentrate on implementing additional discoverers for security-related cloud configurations of the CSPs OpenStack (https://www.openstack.org/) and OpenNebula (https://opennebula.io/), aiming to integrate the pilot partners as well.
4 Codyze-Provenance
Codyze-Provenance is a new addition to the Codyze component in EMERALD. It adds runtime evidence extraction capabilities to Codyze. It will create a verifiable trail of evidence from source code to running cloud services and applications. This provenance creates a stronger link between static analysis based on source evidence extractors and runtime evidence extractors.
4.1 Functional description
Overall purpose. Codyze-Provenance is intended as a realisation of the SLSA provenance framework (https://slsa.dev/) and the in-toto attestation framework (https://in-toto.io/). The SLSA provenance framework specifies measures to harden the security of supply chains of software artefacts. In addition to specifying how each step in a software's supply chain can be security hardened, it also links the different stages to one another to support traceability and provenance. The in-toto attestation framework provides the technical specification on how to create these links by generating verifiable statements about what went into a stage, what happened in a stage and what resulted from a stage. Codyze-Provenance creates provenance and attestations for software build processes. This information makes it possible to track and verify what data went into a build process, what tools were executed and what artefacts were created. Thus, it becomes possible to trace the origin of a running cloud service and application back to its specific source code and corresponding build process.
Codyze-Provenance will provide the necessary tool and supporting components to realize SLSA and in-toto in a CI/CD pipeline. Moreover, it will submit provenance and attestations to the Evidence Store for further assessment.
Context and scope. Codyze-Provenance needs to be integrated into a CI/CD pipeline and executed on every run of the CI/CD pipeline of a cloud service or application. It will adjust the build process to support the generation of provenance and attestations. They are collected and transformed into evidence within the EMERALD framework and submitted to the Evidence Store.
Motivation. One challenge during runtime is to verify the origin of a running cloud service or application. Usually, it's still possible to identify the container image or binary that is running. However, it becomes increasingly difficult to provide details on how the service or application was built, which build steps were executed, or what source code version was used in the build. A complete software supply chain would describe all resources and processes producing the final deployable service or application. This provenance allows to verify requirements such as mandatory security testing of applications or security checks of dependencies. Moreover, a strong link between sources and build processes on the one hand and the runtime on the other hand is created.
Requirements. Currently, Codyze-Provenance is a new addition in EMERALD and corresponding requirements still need to be defined.
Innovation. Codyze-Provenance provides a user-friendly approach to integrate SLSA and in-toto into software build processes of cloud services and applications. Collected evidence enhances the ability to assess compliance with respect to compliance schemes.
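The statements and checks described in this section, as an added example that is not part of this deliverable and not Codyze-Provenance code: an in-toto Statement carrying an SLSA v1 provenance predicate (what source went into the build, who built it), per-job attestations using in-toto's test-result predicate (whether a job such as SAST or dependency scanning passed), both wrapped in DSSE envelopes, and the policy check a deployer would run on a running binary to verify the requirements named in the motivation above. The SLSA v1 field names (buildDefinition, externalParameters, resolvedDependencies, runDetails) and the DSSE pre-authentication encoding follow the public specifications; the test-result predicate fields are reproduced as understood here and should be treated as an assumption. The repository URL, builder id, commit id, build type, key and artifact bytes are constructed placeholders, and HMAC-SHA256 stands in for the asymmetric signature a real CI signer would use so the block runs with the standard library only.

```python
"""Added example, not EMERALD or Codyze-Provenance code: in-toto Statements with
an SLSA v1 provenance predicate and per-job test-result predicates, wrapped in
DSSE envelopes, plus the policy check a deployer would run on a binary. Signing
uses an HMAC-SHA256 stand-in (standard library only); a real CI signer would use
an asymmetric key. All URIs, ids and the artifact bytes are constructed placeholders."""
import base64
import hashlib
import hmac
import json

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
TEST_RESULT_V01 = "https://in-toto.io/attestation/test-result/v0.1"  # assumed predicate layout
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample inputs: a fake binary, its source and builder, and a demo key.
ARTIFACT = b"\x7fELF constructed sample binary"
ARTIFACT_DIGEST = hashlib.sha256(ARTIFACT).hexdigest()
SOURCE_REPO = "https://git.example.invalid/emerald/app.git"       # placeholder
SOURCE_COMMIT = "0" * 40                                          # placeholder
BUILDER_ID = "https://ci.example.invalid/builders/gitlab-runner"  # placeholder
SIGNING_KEY = b"demo-key-not-for-production"                      # placeholder
KEY_ID = "demo-hmac-key"

def b64(data):
    return base64.b64encode(data).decode()

def statement(subject_digest, predicate_type, predicate):
    """An in-toto Statement: the subject (artifact digest) the predicate is about."""
    return {"_type": IN_TOTO_STATEMENT,
            "subject": [{"name": "app", "digest": {"sha256": subject_digest}}],
            "predicateType": predicate_type, "predicate": predicate}

def provenance_statement(subject_digest):
    """SLSA v1 provenance: what went into the build and who ran it."""
    source = {"uri": SOURCE_REPO, "digest": {"gitCommit": SOURCE_COMMIT}}
    predicate = {"buildDefinition": {
                     "buildType": "https://example.invalid/buildtypes/gitlab-ci/v1",  # placeholder
                     "externalParameters": {"source": source},
                     "resolvedDependencies": [source]},
                 "runDetails": {"builder": {"id": BUILDER_ID},
                                "metadata": {"invocationId": "pipeline-4711"}}}
    return statement(subject_digest, SLSA_PROVENANCE_V1, predicate)

def job_statement(subject_digest, job, passed):
    """Per-job attestation (in-toto test-result predicate), e.g. for a SAST job."""
    predicate = {"result": "PASSED" if passed else "FAILED", "configuration": [], "url": "",
                 "passedTests": [job] if passed else [], "failedTests": [] if passed else [job],
                 "warnedTests": []}
    return statement(subject_digest, TEST_RESULT_V01, predicate)

def pae(payload_type, payload):
    """DSSE pre-authentication encoding: binds the payload type to the payload bytes."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)

def sign_envelope(stmt):
    payload = json.dumps(stmt, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": b64(payload),
            "signatures": [{"keyid": KEY_ID, "sig": b64(sig)}]}

def open_envelope(env):
    """Verify the DSSE signature before trusting anything inside the payload."""
    payload = base64.b64decode(env["payload"])
    expected = hmac.new(SIGNING_KEY, pae(env["payloadType"], payload), hashlib.sha256).digest()
    for s in env["signatures"]:
        if s["keyid"] == KEY_ID and hmac.compare_digest(base64.b64decode(s["sig"]), expected):
            return json.loads(payload)
    raise ValueError("no valid signature on envelope")

def verify_deployment(artifact, envelopes, required_jobs, trusted_builders, expected_commit):
    """Policy check: is this binary the attested subject, built by a trusted builder
    from the expected commit, and did every mandatory job pass?"""
    digest = hashlib.sha256(artifact).hexdigest()
    result = {"provenance": False, "source": False, "missing_jobs": [], "ok": False}
    passed_jobs = set()
    for env in envelopes:
        stmt = open_envelope(env)  # raises on a tampered or unsigned envelope
        if not any(s["digest"].get("sha256") == digest for s in stmt["subject"]):
            continue  # attestation is about a different artifact: ignore it
        if stmt["predicateType"] == SLSA_PROVENANCE_V1:
            p = stmt["predicate"]
            result["provenance"] = p["runDetails"]["builder"]["id"] in trusted_builders
            commit = p["buildDefinition"]["externalParameters"]["source"]["digest"]["gitCommit"]
            result["source"] = commit == expected_commit
        elif stmt["predicateType"] == TEST_RESULT_V01 and stmt["predicate"]["result"] == "PASSED":
            passed_jobs.update(stmt["predicate"]["passedTests"])
    result["missing_jobs"] = sorted(set(required_jobs) - passed_jobs)
    result["ok"] = result["provenance"] and result["source"] and not result["missing_jobs"]
    return result

def tampered_copy(env):
    """Envelope whose payload was altered after signing (demo of what the check rejects)."""
    forged = provenance_statement("f" * 64)
    return {**env, "payload": b64(json.dumps(forged).encode())}

def demo(jobs_run=("sast",)):
    """Attest a build with the given passed jobs and check it against the policy."""
    envs = [sign_envelope(provenance_statement(ARTIFACT_DIGEST))]
    envs += [sign_envelope(job_statement(ARTIFACT_DIGEST, j, True)) for j in jobs_run]
    return verify_deployment(ARTIFACT, envs, ["sast", "dependency-scan"], {BUILDER_ID}, SOURCE_COMMIT)
```

Calling demo() with only the SAST job attested reports dependency-scan as missing and refuses the deployment; demo(("sast", "dependency-scan")) passes. The order of checks matters: the envelope signature is verified before any field of the payload is read, and an attestation whose subject digest does not match the binary actually running is ignored rather than trusted, which is what ties the build-time record to the runtime artifact.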
4.2 Technical description
The following subsections outline the technical details of Codyze-Provenance as they are envisioned.
4.2.1 Prototype architecture
Codyze-Provenance will consist of an application that collects provenance and attestation reports defined by the SLSA and in-toto framework. These reports are transformed into evidence for EMERALD and submitted to the Evidence Store. In addition, Codyze-Provenance will provide templates and supporting files to create a CI/CD pipeline that supports the generation of provenance and attestation reports.
At this stage, a more detailed prototype architecture cannot be presented because Codyze-Provenance is still in its initial design phase.
4.2.1.1 Sub-components description
At this point of planning, no details on possible sub-components can be provided.
4.2.2 Technical specifications
Codyze-Provenance will be developed in the programming language Kotlin with a Java Virtual Machine as backend. Moreover, it will provide templates and other supporting files to facilitate an integration into CI/CD pipelines. To this end, the focus is on GitLab, which is also used as the repository and CI/CD platform in EMERALD. Further details will be provided in the next iteration of this report on runtime evidence extractors in D2.9 [5].
4.3 Delivery and usage
The following subsections detail the delivery and usage of Codyze-Provenance. The provided information is currently work in progress and may change.
4.3.1 Package information
Codyze-Provenance will be delivered as an application bundled in an archive. The structure of this package is summarized in Table 4.
Table 4. Overview of tentative package structure for Codyze-Provenance
Folder | Description
bin/ | Contains execution scripts for Windows and Linux/macOS
docs/ | Contains detailed documentation
etc/ | Contains sample configuration files and supporting files
lib/ | Contains application and dependent libraries
LICENSE | License text (Apache License, Version 2.0)
README.md | Short documentation including short summary description, installation and usage instructions, and further information
4.3.2 Installation
Installation instructions will be provided as part of a README and documentation of Codyze-Provenance (cf. Table 4).
4.3.3 Instructions for use
Instructions on how to use Codyze-Provenance will be provided as part of the released packages (cf. folder 'docs/' and 'README.md' in Table 4). This information will also be available in the public GitLab repository of EMERALD (https://git.code.tecnalia.com/emerald/public/components/codyze/codyze-provenance, WIP).
4.3.4 Licensing information
Codyze-Provenance will be licensed as open source under Apache License, Version 2.0. In addition, it is ensured that third-party dependencies are compatible with the Apache License, Version 2.0.
4.3.5 Download
Codyze-Provenance will be available from the public EMERALD GitLab repository (https://git.code.tecnalia.com/emerald/public/components/codyze/codyze-provenance, WIP) hosted by Tecnalia. The repository is going to host the source code, the documentation, binary artefacts and supporting materials.
4.4 Limitations and future work
Codyze-Provenance is a new component added to the EMERALD framework. It is currently in its initial design phase and many of its details are yet to be specified. Hence, the goal is to have an initial MVP as soon as possible.
5 Conclusions
The EMERALD project proposes a holistic approach to evidence collection, encompassing all levels of the cloud service from the infrastructure layer (e.g., virtual resources) to the business layer (e.g., policies and procedures), and the implementation layer (e.g., source code files).
This deliverable contains the technical report on the design, architecture, and current implementation status of the runtime evidence extractor components of Task 2.5 ("Extraction of evidence using runtime information"). The components adhere to the overall EMERALD framework and align with the technical requirements gathered within the scope of WP1. The deliverable outlines the relationship of the presented components with other components of the EMERALD framework and details the internal structure, subcomponents, and technical implementation information of each component -- as far as known at the current time.
The components introduced in this deliverable include the runtime evidence extraction components Clouditor-Discovery and Codyze-Provenance. The Clouditor-Discovery component was already used in MEDINA and has a working prototype that can be integrated into the EMERALD framework. It has been enhanced to incorporate a variety of discovered resources and the use of the newly developed Owl2proto tool for the automatic generation of the necessary Ontology objects. Codyze-Provenance is a new addition to the Codyze component, which will extract evidence from CI/CD pipelines and provide attestations and provenances for software builds and artefacts. It is currently in its initial design phase, with details yet to be specified.
In the upcoming phases of the project, the Clouditor-Discovery and Codyze-Provenance components will be further developed and integrated into the EMERALD framework. The next and final iteration of this deliverable will provide the updates on these components in project month 24 (D2.9 [5]).
6 References
[1] EMERALD Consortium, "D2.2 Source Evidence Extractor – 1: Evidence extraction from source code that can be integrated with the certification graph," 2024.
[2] EMERALD Consortium, "D2.4 AMOE – 1: Evidence extraction from policy documents that can be integrated with the certification graph," 2024.
[3] EMERALD Consortium, "D2.6 ML model certification – 1: Security and privacy preserving evidence that can be integrated with the certification graph," 2024.
[4] EMERALD Consortium, "D2.1 Graph Ontology for Evidence Storage: Description of a uniform schema for storing and linking heterogenous data," 2024.
[5] EMERALD Consortium, "D2.9 Runtime evidence extractor – 2: Evidence extraction from runtime data that can be integrated with the certification graph," 2025.
[6] EMERALD Consortium, "D2.10 Certification Graph – 1: Integration of the graph with semantically linked and combined evidence," 2025.
[7] EMERALD Consortium, "D2.11 Certification Graph – 2: Integration of the graph with semantically linked and combined evidence," 2026.
[8] EMERALD Consortium, "D1.1 Data modelling and interaction mechanisms - 1," 2024.
[9] EMERALD Consortium, "EMERALD Glossary," 2024.
[10] EMERALD Consortium, "D3.3 Evidence assessment and Certification – Implementation - 1," 2024.
[11] MEDINA Consortium, "D3.6 Tools and techniques for collecting evidence of technical and organisational measures - 3 (https://medina-project.eu/public-deliverables/)," 2023.
[12] EMERALD Consortium, "D3.1 Evidence Assessment and Certification - Concepts - 1," 2024.
[13] C. Banse, A. Schneider and I. Kunz, "owl2proto: Enabling Semantic Processing in Modern Cloud Micro-Services," To appear in: 16th International Conference on Knowledge Engineering and Ontology Development.
[14] EMERALD Consortium, "D4.3 User interaction and user experience concept - 1," 2024.