Merge pull request #57 from ioggstream/ioggstream-53

Configurable references

Author: wurstbrot

assets/css/common.css

@@ -2,3 +2,7 @@
 html {
   overflow-y: scroll;
 }
+
+.form-radio {
+  display: inline-block;
+}

data-new/BuildAndDeployment/Sub-Dimensions.yaml

@@ -30,13 +30,15 @@ Build:
       time: 2
       resources: 2
     usefulness: 2
+    level: 2
     implementation:
     - Container technologies and orchestration like Docker, Kubernetes
     - *ci-cd
-    level: 2
-    samm2: i-secure-build|A|2
-    iso27001-2017:
-    - 14.2.6
+    references:
+      samm2:
+      - "samm2:i-secure-build|A|2"
+      iso27001-2017:
+      - "iso27001-2017:14.2.6"
   Defined build process:
     risk:
     - Performing builds without a defined process is error prone; for example, as
@@ -55,10 +57,12 @@ Build:
     implementation:
     - *ci-cd
     - Container technologies and orchestration like Docker, Kubernetes
-    samm2: i-secure-build|A|1
-    iso27001-2017:
-    - 12.1.1
-    - 14.2.2
+    references:
+      samm2:
+      - i-secure-build|A|1
+      iso27001-2017:
+      - 12.1.1
+      - 14.2.2
   Signing of code:
     risk: Unauthorized manipulation of source code might be difficult to spot.
     measure: Digitally signing commits helps to prevent unauthorized manipulation
@@ -72,10 +76,11 @@ Build:
     implementation: ~
     dependsOn:
     - Defined build process
-    samm: OA3-B
-    samm2: i-secure-build|A|2
-    iso27001-2017:
-    - 14.2.6
+    references:
+      samm: OA3-B
+      samm2: i-secure-build|A|2
+      iso27001-2017:
+      - 14.2.6
   Signing of artifacts:
     risk: Unauthorized manipulation of artifacts might be difficult to spot. For
       example, this may result in images with malicious code in the Docker registry.
@@ -92,10 +97,13 @@ Build:
     - <a href="https://in-toto.github.io/">in-toto</a>
     dependsOn:
     - Defined build process
-    samm: OA3-B
-    samm2: i-secure-build|A|1
-    iso27001-2017:
-    - 14.2.6
+    references:
+      samm:
+      - OA3-B
+      samm2:
+      - i-secure-build|A|1
+      iso27001-2017:
+      - 14.2.6
 Deployment:
   Backup before deployment:
     risk: If errors are experienced during the deployment process you want to deploy
@@ -112,11 +120,14 @@ Deployment:
       complex environments, a Point in Time Recovery for databases should be implemented.
     dependsOn:
     - Defined deployment process
-    samm: OE2-A
-    samm2: TODO
-    iso27001-2017:
-    - "12.3"
-    - 14.2.6
+    references:
+      samm:
+      - OE2-A
+      samm2:
+        - TODO
+      iso27001-2017:
+      - "12.3"
+      - 14.2.6
   Blue/Green Deployment:
     risk: A new artifacts version can have unknown defects.
     measure: By having multiple production environments, a deployment can be performant
@@ -132,14 +143,16 @@ Deployment:
       Deployments</a>
     dependsOn:
     - Smoke Test
-    samm2: TODO
-    iso27001-2017:
-    - 17.2.1
-    - 12.1.1
-    - 12.1.2
-    - 12.1.4
-    - 12.5.1
-    - 14.2.9
+    references:
+      samm2:
+      - TODO
+      iso27001-2017:
+      - 17.2.1
+      - 12.1.1
+      - 12.1.2
+      - 12.1.4
+      - 12.5.1
+      - 14.2.9
   Defined deployment process:
     risk: Deployments without a defined process are error prone thus allowing old
       or untested artifact to be deployed.
@@ -152,10 +165,11 @@ Deployment:
     usefulness: 4
     level: 1
     implementation: Jenkins, Docker
-    samm2: i-secure-deployment|A|1
-    iso27001-2017:
-    - 12.1.1
-    - 14.2.2
+    references:
+      samm2: i-secure-deployment|A|1
+      iso27001-2017:
+      - 12.1.1
+      - 14.2.2
   Environment depending configuration parameters:
     risk: Attackers who compromise source code can see confidential access information
       like database credentials.
@@ -168,11 +182,14 @@ Deployment:
     usefulness: 4
     level: 2
     implementation: ""
-    samm: SA2-A
-    samm2: i-secure-deployment|B|1
-    iso27001-2017:
-    - 9.4.5
-    - 14.2.6
+    references:
+      samm:
+      - SA2-A
+      samm2:
+      - i-secure-deployment|B|1
+      iso27001-2017:
+      - 9.4.5
+      - 14.2.6
   Handover of confidential parameters:
     risk:
     - Attackers who compromise a system can see confidential access information
@@ -192,14 +209,15 @@ Deployment:
     implementation: ""
     dependsOn:
     - Environment depending configuration parameters
-    samm: SA2-A
-    samm2: i-secure-deployment|B|2 TODO might be 1
-    iso27001-2017:
-    - 14.1.3
-    - 13.1.3
-    - 9.4.3
-    - 9.4.1
-    - 10.1.2
+    references:
+      samm: SA2-A
+      samm2: i-secure-deployment|B|2 TODO might be 1
+      iso27001-2017:
+      - 14.1.3
+      - 13.1.3
+      - 9.4.3
+      - 9.4.1
+      - 10.1.2
   Rolling update on deployment:
     risk: While a deployment is performed, the application can not be reached.
     measure: A deployment without downtime is performed*.
@@ -271,7 +289,7 @@ Deployment:
       resources: 1
     usefulness: 3
     level: 2
-    samm2: i-secure-deployment|A|2
+    samm2: samm2:i-secure-deployment|A|2
     iso27001-2017:
     - 15.1.1
     - 15.1.2

data.php

@@ -1,58 +1,24 @@
 <?php
 require_once("functions.php");
 
-$dimensions = array();
+// get form data
+$showPerformed = ($_GET['performed'] ?? false) == "true" ? "true" : false;
+$showPlanned = ($_GET['planned'] ?? false) == "true" ? "true" : false;
 
-$files = scandir("data");
+$dimensions = getDimensions();
 
-$dimensions = readYaml("data/dimensions.yaml");
-
-ksort($dimensions);
-foreach ($dimensions as $dimensionName => $subDimension) {
-    ksort($subDimension);
-    foreach ($subDimension as $subDimensionName => $elements) {
-        if (substr($subDimensionName, 0, 1) == "_")
-            continue;
-        $newElements = $elements;
-        ksort($newElements);
-        $dimensions[$dimensionName][$subDimensionName] = $newElements;
-    }
-}
-
-if (array_key_exists("performed", $_GET)) {
-    $showPerformed = $_GET['performed'];
-
-    if ($showPerformed != "true") $showPerformed = false;
-} else {
-    $showPerformed = false;
-}
-
-if (array_key_exists("planned", $_GET)) {
-    $showPlanned = $_GET['planned'];
-
-    if ($showPlanned != "true") $showPlanned = false;
-} else {
-    $showPlanned = false;
-}
+// Create filteredDimensions
 $filteredDimensions = array();
-foreach ($dimensions as $dimensionName => $subDimension) {
-    ksort($subDimension);
-    foreach ($subDimension as $subDimensionName => $elements) {
-        if (substr($subDimensionName, 0, 1) == "_")
+foreach(getActions($dimensions) as list($dimension, $subdimension, $activities)) {
+    foreach ($activities as $activityName => $activity) {
+        if (elementIsSelected($activityName) && !$showPerformed) {
             continue;
-        $newElements = $elements;
-        ksort($newElements);
-        foreach ($newElements as $activityName => $activity) {
-            if (elementIsSelected($activityName) && !$showPerformed) {
-                continue;
-            }
-
-            if (!elementIsSelected($activityName) && !$showPlanned) {
-                continue;
-            }
-            $filteredDimensions[$dimensionName][$subDimensionName][$activityName] = $activity;
         }
 
+        if (!elementIsSelected($activityName) && !$showPlanned) {
+            continue;
+        }
+        $filteredDimensions[$dimension][$subdimension][$activityName] = $activity;
     }
 }
 
@@ -72,7 +38,7 @@ function getDifficultyOfImplementationWithDependencies($dimensions, $elementImpl
 
     if (array_key_exists('dependsOn', $elementImplementation) && $aggregated == "true") {
         foreach ($elementImplementation['dependsOn'] as $dependency) {
-            $dependencyElement = getElementByName($dimensions, $dependency);
+            $dependencyElement = getActivity($dimensions, $dependency);
             getDifficultyOfImplementationWithDependencies($dimensions, $dependencyElement, $allElements);
 
 
@@ -100,7 +66,7 @@ function getDifficultyOfImplementation($dimensions, $elementImplementation)
 
     if (array_key_exists('dependsOn', $elementImplementation) && $aggregated == "true") {
         foreach ($elementImplementation['dependsOn'] as $dependency) {
-            $dependencyElement = getElementByName($dimensions, $dependency);
+            $dependencyElement = getActivity($dimensions, $dependency);
             $value += getDifficultyOfImplementation($dimensions, $dependencyElement);
         }
     }
@@ -140,10 +106,8 @@ function getElementContent($element)
     if (!is_array($element)){
         return str_replace("\"", "'", $element);
     }
-
     if (isAssoc($element)) {
         $contentString = "";
-
         foreach ($element as $title => $elementContent) {
             $titleWithSpace = preg_replace('/(?<=[a-z])[A-Z]|[A-Z](?=[a-z])/', ' $0', $title);
             $contentString .= "<b>" . ucfirst($titleWithSpace) . "</b>";
@@ -182,6 +146,9 @@ function render_risk($risk) {
     }
     return $risk;
 }
+/**
+ * Render an activity in a tooltip.
+ */
 function build_table_tooltip($array, $headerWeight = 2)
 {
     $mapKnowLedge = array("Very Low (one discipline)", "Low (one discipline)", "Medium (two disciplines)", "High (two disciplines)", "Very High (three or more disciplines)");
@@ -210,13 +177,14 @@ function build_table_tooltip($array, $headerWeight = 2)
     return $html;
 }
 
-function getElementByName($dimensions, $name)
+
+function getActivity($dimensions, $name)
 {
     foreach ($dimensions as $dimensionName => $subDimension) {
-        foreach ($subDimension as $subDimensionName => $elements) {
-            foreach ($elements as $activityName => $element) {
+        foreach ($subDimension as $subDimensionName => $activities) {
+            foreach ($activities as $activityName => $activity) {
                 if ($activityName == $name) {
-                    return $element;
+                    return $activity;
                 }
             }
         }

data/strings.yml

@@ -4,6 +4,23 @@
 #
 strings:
   en: &en
+    references:
+      samm2:
+        label: OWASP SAMM VERSION 2
+        description: |-
+          https://owaspsamm.org/blog/2020/01/31/samm2-release/
+      iso27001-2017:
+        label: ISO27001 2017
+        description: |-
+          ISO 27001 / 2017
+      samm:
+        label: OWASP SAMM (Software Assurance Maturity Model)
+        description: |-
+          Software Assurance Maturity Model
+          The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate
+          and implement a strategy for software security that is tailored
+          to the specific risks facing the organization.
+
     labels: ["Very Low", "Low", "Medium", "High", "Very High"]
     hardness: ["Very soft", "Soft", "Medium", "High", "Very high"]
     maturity_levels: ["Level 1: Basic understanding of security practices" ,