enhance SCA

wurstbrot · wurstbrot · commit 9f47930b5ceb · 2024-08-07T17:21:29.000+02:00
diff --git a/src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml b/src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml
@@ -346,6 +346,7 @@ Test and Verification:
       comments: ""
     Software Composition Analysis (server side):
       uuid: d918cd44-a972-43e9-a974-eff3f4a5dcfe
+      description: Use a tool like trivy and concentrate on application related vulnerabilities. At this stage, ignore vulnerabilities in container base images used in the service.
       risk: Server side components might have vulnerabilities.
       measure:
         Tests for known vulnerabilities in server side components (e.g. backend/middleware)
@@ -365,16 +366,16 @@ Test and Verification:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/retire-js
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/npm-audit
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-dependabot
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/trivy
       references:
         samm2:
           - V-ST-2-A
         iso27001-2017:
           - 12.6.1
         iso27001-2022:
           - 8.8
-      isImplemented: false
-      evidence: ""
-      comments: ""
+      tags:
+        - vmm-testing
     Usage of multiple analyzers:
       uuid: 297be001-8d94-41ee-ab29-207020d423c0
       risk:
diff --git a/src/assets/YAML/default/TestAndVerification/StaticDepthForInfrastructure.yaml b/src/assets/YAML/default/TestAndVerification/StaticDepthForInfrastructure.yaml
@@ -340,12 +340,38 @@ Test and Verification:
           - 14.2.8
           - 14.2.1
         iso27001-2022:
-          - System hardening, virtual environments are not explicitly covered by ISO
-            27001 - too specific
+          - System hardening, virtual environments are not explicitly covered by ISO 27001 - too specific
           - 8.8
           - 8.32
           - 8.29
           - 8.25
       isImplemented: false
-      evidence: ""
-      comments: ""
+    Software Composition Analysis:
+      uuid: d918cd44-a972-43e9-a974-eff3f4a5dcfe
+      risk: Infrastructure components might have vulnerabilities.
+      measure:
+        Tests for known vulnerabilities in server side components (e.g. backend/middleware) are performed.
+      difficultyOfImplementation:
+        knowledge: 3
+        time: 5
+        resources: 1
+      usefulness: 2
+      level: 4
+      dependsOn:
+        - Defined build process
+        - uuid:d918cd44-a972-43e9-a974-eff3f4a5dcfe
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-dependency-che
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/retire-js
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/npm-audit
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/trivy
+      references:
+        samm2:
+          - V-ST-2-A
+        iso27001-2017:
+          - 12.6.1
+        iso27001-2022:
+          - 8.8
+      tags:
+        - vmm-testing
