risk can be a list.

ioggstream · ioggstream · commit 7ac6bec8b6b1 · 2021-02-10T12:45:22.000+01:00
diff --git a/data.php b/data.php
@@ -172,6 +172,14 @@ function isAssoc(array $arr)
     return array_keys($arr) !== range(0, count($arr) - 1);
 }
 
+
+function render_risk($risk) {
+
+    if (is_array($risk)) {
+        return implode("\ ", $risk);
+    }
+    return $risk;
+}
 function build_table_tooltip($array, $headerWeight = 2)
 {
     $mapKnowLedge = array("Very Low (one discipline)", "Low (one discipline)", "Medium (two disciplines)", "High (two disciplines)", "Very High (three or more disciplines)");
@@ -187,7 +195,7 @@ function build_table_tooltip($array, $headerWeight = 2)
 
     $html = "";
     $html .= "<h" . $headerWeight . ">Risk and Opportunity</h$headerWeight>";
-    $html .= "<div><b>" . "Risk" . ":</b> " . $array['risk'] . "</div>";
+    $html .= "<div><b>" . "Risk" . ":</b> " . render_risk($array['risk']) . "</div>";
     $html .= "<div><b>" . "Opportunity" . ":</b> " . $array['measure'] . "</div>";
     if (IS_SHOW_EVIDENCE_TODO || $evidenceContent != "TODO")
         $html .= "<div><b>" . "Evidence" . ":</b> " . $evidenceContent . "</div>";
diff --git a/data/BuildandDeployment.yml b/data/BuildandDeployment.yml
@@ -2,9 +2,10 @@
 sub-dimensions:
   Build:
     Building and testing of artifacts in virtual environments:
-      risk: While building and testing artifacts, third party systems, application frameworks
-        and 3rd party libraries are used. These might be malicious as a result of vulnerable
-        libraries or because they are altered during the delivery phase.
+      risk:
+        - While building and testing artifacts, third party systems, application frameworks
+          and 3rd party libraries are used. These might be malicious as a result of vulnerable
+          libraries or because they are altered during the delivery phase.
       measure: Each step during within the build and testing phase is performed in a separate virtual
         environments, which is destroyed afterward.
       meta:
@@ -22,8 +23,9 @@ sub-dimensions:
       iso27001-2017:
         - 14.2.6
     Defined build process:
-      risk: Performing builds without a defined process is error prone.
-        For example, as a result of incorrect security related configuration.
+      risk:
+        - Performing builds without a defined process is error prone;
+          for example, as a result of incorrect security related configuration.
       measure: A well defined build process lowers the possibility of errors during the build
         process.
       evidence: The build process is defined in <a href="REPLACE-ME">REPLACE-ME Pipeline</a> in the folder <i>vars</>. Projects are using a <i>Jenkinsfile</i> to use the defined process.
@@ -149,9 +151,11 @@ sub-dimensions:
         - 9.4.5
         - 14.2.6
     Handover of confidential parameters:
-      risk: Attackers who compromise a system can see confidential access information
-        like database credentials. Parameters are often used to set credentials, for
-        example by starting containers or applications. These parameters can often be
+      risk:
+      - Attackers who compromise a system can see confidential access information
+        like database credentials.
+      - Parameters are often used to set credentials, for
+        example by starting containers or applications; these parameters can often be
         seen by any one listing running processes on the target system.
       measure: By using encryption, it is harder to read credentials , e.g.
         from the file system. Also, the usage of a credential management system can help
diff --git a/data/strings.yml b/data/strings.yml
@@ -6,6 +6,10 @@ strings:
   en: &en
     labels: ["Very Low", "Low", "Medium", "High", "Very High"]
     hardness: ["Very soft", "Soft", "Medium", "High", "Very high"]
+    maturity_levels: ["Level 1: Basic understanding of security practices" ,
+             "Level 2: Adoption of basic security practices",
+             "Level 3: High adoption of security practices",
+             "Level 4: Advanced deployment of security practices at scale"]
   de:
     <<: *en
     hardness: ["Sehr gering", "Gering", "Mittel", "Hoch", "Sehr hoch"]
diff --git a/detail.php b/detail.php
@@ -47,16 +47,7 @@ function printDetail($dimension, $subdimension, $activityName, $dimensions, $rep
         echo "<h" . ($headerWeight + 1) . ">Additional Information</h" . ($headerWeight + 1) . ">";
         if (array_key_exists("dependsOn", $element)) {
             $dependsOn = $element['dependsOn'];
-            $dependencies = "";
-            $first = true;
-            foreach ($dependsOn as $dimensionElement) {
-                if (!$first) {
-                    $dependencies .= ", ";
-                }
-                $dependencies .= $dimensionElement;
-                $first = false;
-            }
-
+            $dependencies =  implode(", ", $dependsOn);
             echo "<div><b>Dependencies:</b> $dependencies</div>";
         }
         echo getElementContentAndCheckExistence($element, "meta");
