Tracking non-compliant components and services

[prabhu]

When a project uses a component or a service that might be non-compliant or not-approved,`it is essential to capture a justification for the use. This would help track all exemptions and reasoning in the organization's risk registry for GRC.

Based on my limited understanding of 1.6, below are some ways to achieve this:

• Organizations could create a custom definitions.standards to describe a compliance-as-code. declarations.claims.reasoning and counterEvidence could be used to mark the non-compliant components and services.
• annotations.text could be used for those organizations that do not have a codified definition for standards. However, an enum similar to vulnerabilities.analysis.justification would help with categorization.
• component.externalReferences.type = "risk-assessment" could be used to link to an external URL (such as a JIRA ticket or a wiki page) or a BOM-Link.

Are there other implementation ideas worth exploring?

[stevespringett]

That's the exact process that I would follow.