Add evidence possiblity for assessments

Author: wurstbrot

README.md

@@ -17,6 +17,9 @@ Go to https://dsomm.timo-pagel.de or clone [this repository](https://github.com/
 
 In this [video](https://www.youtube.com/watch?v=tX9RHZ_O5NU) Timo Pagel describes different strategic approaches for your secure DevOps strategy. The use OWASP DSOMM in combination with [OWASP SAMM](https//owaspsamm.org) is explained.
 
+In case you have evidence or review questions to gather evidence, you can add the attribute "evidence" to an activity which will be attached to an activity to provide it to your CISO or your customer's CISO.
+You can switch on to show open TODO's for evidence by changing IS_SHOW_EVIDENCE_TODO to true 'bib.php' `define(IS_SHOW_EVIDENCE_TODO, true);`
+
 # Community
 Join #dsomm in [OWASP Slack](https://owasp.slack.com/join/shared_invite/zt-g398htpy-AZ40HOM1WUOZguJKbblqkw#/).
 Create issues or even better Pull Requests in [github](https://github.com/wurstbrot/DevSecOps-MaturityModel/).

bib.php

@@ -1,6 +1,8 @@
 <?php
 error_reporting(E_ERROR);
 define(NUMBER_LEVELS, 4);
+define(IS_SHOW_EVIDENCE_TODO, false);
+
 function readCSV($filename, $delimiter)
 {
     if (!file_exists($filename) || !is_readable($filename))

data.php

@@ -138,10 +138,27 @@ function build_table_tooltip($array, $headerWeight = 2)
     $mapResources = $mapTime;
     $mapUsefulness = $mapTime;
 
+    $evidenceContent = "";
+    if(array_key_exists("evidence", $array)) {
+        if( is_array($array['evidence'])) {
+            $evidenceContent .= "<ul>";
+            foreach($array['evidence'] as $content) {
+                $evidenceContent .= "<li>".str_replace("\"", "'", $content) . "</li>";
+            }
+            $evidenceContent .= "</ul>";
+        }else {
+            $evidenceContent = str_replace("\"", "'", $array['evidence']);
+        }
+    }else {
+        $evidenceContent = "TODO";
+    }
+
     $html = "";
     $html .= "<h" . $headerWeight . ">Risk and Opportunity</h$headerWeight>";
-    $html .= "<div><b>" . gettext("Risk") . ":</b> " . $array['risk'] . "</div>";
-    $html .= "<div><b>" . gettext("Opportunity") . ":</b> " . $array['measure'] . "</div>";
+    $html .= "<div><b>" . "Risk" . ":</b> " . $array['risk'] . "</div>";
+    $html .= "<div><b>" . "Opportunity" . ":</b> " . $array['measure'] . "</div>";
+    if(IS_SHOW_EVIDENCE_TODO || $evidenceContent != "TODO")
+        $html .= "<div><b>" . "Evidence" . ":</b> " . $evidenceContent . "</div>"; 
     $html .= "<hr />";
     $html .= "<h$headerWeight>Exploit details</h$headerWeight>";
     $html .= "<div><b>Usefullness:</b> " . ucfirst($mapUsefulness[$array['usefulness']-1]) . "</div>";

data/BuildandDeployment.yml

@@ -21,6 +21,7 @@ Build:
       For example, as a result of incorrect security related configuration.
     measure: A well defined build process lowers the possibility of errors during the build
       process.
+    evidence: The build process is defined in <a href="REPLACE-ME">REPLACE-ME Pipeline</a> in the folder <i>vars</>. Projects are using a <i>Jenkinsfile</i> to use the defined process.
     difficultyOfImplementation:
       knowledge: 2
       time: 3

data/CultureandOrg.yml

@@ -47,6 +47,9 @@ Education and Guidance:
   Regular security training of security champions:
     risk: Understanding security is hard, even for security champions.
     measure: Regular security training of security champions.
+    evidence:
+      - Process Documentation: TODO
+      - Training Content: TOODO
     difficultyOfImplementation:
       knowledge: 3
       time: 2