JSON Support in Open Horizon Policies

Status: In Progress

Sponsor User: IBM

Date of Submission: Jul 9, 2021

Submitted by: Glen Darling

Affiliation(s): IBM


Scope and Signoff: (to be filled out by Chair)

Requesting support for JSON data in Open Horizon policies, especially to support SBOM, though it would also be generally useful and powerful.

Overview

Software Bill of Materials (SBOM) is becoming a basic requirement in software procurement. It would be very powerful if Open Horizon could also support SBOM data to control deployment through policies. This would be a great opportunity to lead the industry in supporting SBOM information to manage deployment of software. I don't think any of our competitors could as easily support this.

Design

Currently, SBOM information can be saved in policy properties using the `list-of-string` data type and tested with the `in` operator, but this is crude. It would be much more powerful if generalized JSON (such as the popular CycloneDX SBOM JSON format) were supported as a property type, and if JSON operators (e.g., similar to those you can use with the `jq` command) could be used in the constraint language to control deployment based on SBOM information.
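The gap between the two approaches, as an added example that is not Open Horizon code or proposed policy syntax: a flattened `list-of-string` can only answer exact-match questions, while the structured CycloneDX document can answer a version-floor question. The SBOM contents, the version floors and the helper names (`flatten`, `select`, `violations`) are constructed for illustration.

```python
import json
import re

# Constructed CycloneDX-style SBOM (sample data, not from a real service).
SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k"},
    {"type": "library", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "name": "zlib", "version": "1.2.11"}
  ]
}
""")

def flatten(sbom):
    """Today's workaround: collapse the SBOM into 'name@version' strings
    suitable for a list-of-string property tested with `in`."""
    return [f"{c['name']}@{c['version']}" for c in sbom["components"]]

def version_tuple(version):
    """Leading integer of each dot-separated field: '1.1.1k' -> (1, 1, 1)."""
    parts = []
    for field in version.split("."):
        m = re.match(r"\d+", field)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def select(sbom, name):
    """Rough equivalent of jq: .components[] | select(.name == $name)"""
    return [c for c in sbom.get("components", []) if c.get("name") == name]

def violations(sbom, floors):
    """Hypothetical structured constraint: names of components that are
    present in the SBOM at a version below the required floor."""
    bad = []
    for name, floor in floors.items():
        if any(version_tuple(c.get("version", "0")) < version_tuple(floor)
               for c in select(sbom, name)):
            bad.append(name)
    return bad

if __name__ == "__main__":
    # Exact-string membership is all the flattened form can express.
    print("log4j-core@2.14.1" in flatten(SBOM))
    # A version floor needs the structured document.
    print(violations(SBOM, {"log4j-core": "2.17.1", "openssl": "1.1.1"}))
```

With the flattened form, a deployment constraint would have to enumerate every disallowed `name@version` string; the structured check states the floor once.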

User Experience

If this feature is provided, it will be much easier for developers to add SBOM information to service policy properties in JSON form, and to test against SBOM information in deployment policy constraints.

Command Line Interface

I think no CLI changes are required, but policy syntax would need to be expanded to support this.

External Components

None

Affected Components

I think the agent (anax) code and the exchange code would both require changes to support JSON in policies.

Security

No direct internal security implications. Externally, however, the ability to manage software deployment using SBOM information has huge security benefits.

APIs

Policy syntax would need to change.

Build, Install, Packaging

None

Documentation Notes

Documentation for policy properties and policy constraints would need to be updated accordingly.

Test

We would need to add tests to validate and verify the new policy syntax, and new constraint operators.