Merge pull request #236 from Tamronimus/master

wurstbrot · web-flow · commit 2880d67820b0 · 2023-07-14T07:33:02.000+02:00
Added schemas for validation of DSOMM yamls
diff --git a/Development.md b/Development.md
@@ -22,5 +22,5 @@ Run `ng test` to execute the unit tests via [Karma](https://karma-runner.github.
 
 - We follow the coding style defined by [ESLint](https://eslint.org/). 
 - We also use [Prettier](https://prettier.io/docs/en/index.html) as our opinionated code formatter.
-
+- To validate the schemas of the DSOMM yaml files in the IDE, it is recommended to use the VS Code extension [redhat.vscode-yaml](https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml). The schemas are stored in /src/assets/YAML/schemas
 
diff --git a/src/assets/YAML/default/BuildAndDeployment/Build.yaml b/src/assets/YAML/default/BuildAndDeployment/Build.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-build-and-deployment.json
 ---
 Build and Deployment:
   Build:
diff --git a/src/assets/YAML/default/BuildAndDeployment/Deployment.yaml b/src/assets/YAML/default/BuildAndDeployment/Deployment.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-build-and-deployment.json
 ---
 Build and Deployment:
   Deployment:
@@ -172,13 +173,12 @@ Build and Deployment:
         exists.
       dependsOn:
       - Defined deployment process
+      - SBOM of components
       difficultyOfImplementation:
         knowledge: 2
         time: 2
         resources: 3
       usefulness: 3
-      dependsOn:
-      - SBOM of components
       level: 3
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
@@ -311,13 +311,12 @@ Build and Deployment:
       evidence: ""
       comments: ""
     Evaluation of the trust of used components:
-      risk:
-        - Application and system components like Open Source libraies or images can have implementation flaws or deployment flaws.
-        - Developers or operations might start random images in the production cluster 
-          which have malicious code or known vulnerabilities.
+      risk: 
+        Application and system components like Open Source libraies or images can have implementation flaws or deployment flaws. 
+        Developers or operations might start random images in the production cluster which have malicious code or known vulnerabilities.
       measure:
-        - Each components source is evaluated to be trusted. For example the source, number of developers included, email configuration used by maintainers to prevent maintainer account theft, typo-squatting, ...
-        - Create image assessment criteria, perform an evaluation of images and create a whitelist of artifacts/container images/virtual machine images.
+        Each components source is evaluated to be trusted. For example the source, number of developers included, email configuration used by maintainers to prevent maintainer account theft, typo-squatting, ...
+        Create image assessment criteria, perform an evaluation of images and create a whitelist of artifacts/container images/virtual machine images.
       difficultyOfImplementation:
         knowledge: 3
         time: 3
diff --git a/src/assets/YAML/default/BuildAndDeployment/PatchManagement.yaml b/src/assets/YAML/default/BuildAndDeployment/PatchManagement.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-build-and-deployment.json
 ---
 Build and Deployment:
   Patch Management:
diff --git a/src/assets/YAML/default/CultureAndOrganization/Design.yaml b/src/assets/YAML/default/CultureAndOrganization/Design.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-culture-and-organization.json
 ---
 Culture and Organization:
   Design:
diff --git a/src/assets/YAML/default/CultureAndOrganization/EducationAndGuidance.yaml b/src/assets/YAML/default/CultureAndOrganization/EducationAndGuidance.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-culture-and-organization.json
 ---
 Culture and Organization:
   Education and Guidance:
diff --git a/src/assets/YAML/default/CultureAndOrganization/Process.yaml b/src/assets/YAML/default/CultureAndOrganization/Process.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-culture-and-organization.json
 ---
 Culture and Organization:
   Process:
diff --git a/src/assets/YAML/default/Implementation/ApplicationHardening.yaml b/src/assets/YAML/default/Implementation/ApplicationHardening.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-implementation.json
 ---
 Implementation:
   Application Hardening:
diff --git a/src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml b/src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-implementation.json
 ---
 Implementation:
   Development and Source Control:
diff --git a/src/assets/YAML/default/Implementation/InfrastructureHardening.yaml b/src/assets/YAML/default/Implementation/InfrastructureHardening.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-implementation.json
 ---
 Implementation:
   Infrastructure Hardening:
diff --git a/src/assets/YAML/default/InformationGathering/Logging.yaml b/src/assets/YAML/default/InformationGathering/Logging.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-information-gathering.json
 ---
 Information Gathering:
   Logging:
diff --git a/src/assets/YAML/default/InformationGathering/Monitoring.yaml b/src/assets/YAML/default/InformationGathering/Monitoring.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-information-gathering.json
 ---
 Information Gathering:
   Monitoring:
diff --git a/src/assets/YAML/default/TestAndVerification/ApplicationTests.yaml b/src/assets/YAML/default/TestAndVerification/ApplicationTests.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-test-and-verification.json
 ---
 Test and Verification:
   Application tests:
@@ -58,7 +59,7 @@ Test and Verification:
         resources: 2
       usefulness: 3
       level: 2
-      comment: |
+      comments: |
         The integration of module tests takes place during development instead, it highlights vulnerabilities in sub-routines, functions, modules, libraries etc. checked.
         A sample implementation of unit tests are explained in the video [Shift-Left-Security with the Security Test Pyramid - Andreas Falk](https://www.youtube.com/watch?v=TzFZy3f7d8E) starting with minute 9.
       implementation:
@@ -75,7 +76,6 @@ Test and Verification:
         - 8.29
       isImplemented: false
       evidence: ""
-      comments: ""
     Smoke Test:
       risk: During a deployment an error might happen which leads to non-availability
         of the system, a part of the system or a feature.
diff --git a/src/assets/YAML/default/TestAndVerification/Consolidation.yaml b/src/assets/YAML/default/TestAndVerification/Consolidation.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-test-and-verification.json
 ---
 Test and Verification:
   Consolidation:
@@ -234,7 +235,7 @@ Test and Verification:
         resources: 1
       usefulness: 4
       level: 1
-      comment: False positive analysis, specially for static analysis, is time consuming.
+      comments: False positive analysis, specially for static analysis, is time consuming.
       references:
         samm2:
         - I-DM-2-B
@@ -247,7 +248,6 @@ Test and Verification:
       implementation: []
       isImplemented: false
       evidence: ""
-      comments: ""
     Treatment of defects with severity middle:
       risk: Vulnerabilities with severity middle are not visible.
       measure: Vulnerabilities with severity middle are added to the quality gate.
@@ -257,7 +257,7 @@ Test and Verification:
         resources: 1
       usefulness: 3
       level: 3
-      comment: False positive analysis, specially for static analysis, is time consuming.
+      comments: False positive analysis, specially for static analysis, is time consuming.
       references:
         samm2:
         - I-DM-2-B
@@ -270,7 +270,6 @@ Test and Verification:
       implementation: []
       isImplemented: false
       evidence: ""
-      comments: ""
     Usage of a vulnerability management system:
       risk: Maintenance of false positives in each tool enforces a high workload.
         In addition a correlation of the same finding from different tools is not
diff --git a/src/assets/YAML/default/TestAndVerification/DynamicDepthForApplications.yaml b/src/assets/YAML/default/TestAndVerification/DynamicDepthForApplications.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-test-and-verification.json
 ---
 Test and Verification:
   Dynamic depth for applications:
diff --git a/src/assets/YAML/default/TestAndVerification/DynamicDepthForInfrastructure.yaml b/src/assets/YAML/default/TestAndVerification/DynamicDepthForInfrastructure.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-test-and-verification.json
 ---
 Test and Verification:
   Dynamic depth for infrastructure:
@@ -72,7 +73,7 @@ Test and Verification:
       level: 3
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/example-all-docker
-      comment: By preventing teams from trying out new components, innovation might
+      comments: By preventing teams from trying out new components, innovation might
         be hampered
       references:
         samm2: []
@@ -84,7 +85,6 @@ Test and Verification:
         - 8.8
       isImplemented: false
       evidence: ""
-      comments: ""
       dependsOn:
         - Evaluation of the trust of used components
     Test for unused Resources:
diff --git a/src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml b/src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-test-and-verification.json
 ---
 Test and Verification:
   Static depth for applications:
diff --git a/src/assets/YAML/default/TestAndVerification/StaticDepthForInfrastructure.yaml b/src/assets/YAML/default/TestAndVerification/StaticDepthForInfrastructure.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-test-and-verification.json
 ---
 Test and Verification:
   Static depth for infrastructure:
diff --git a/src/assets/YAML/default/TestAndVerification/Test-Intensity.yaml b/src/assets/YAML/default/TestAndVerification/Test-Intensity.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-test-and-verification.json
 ---
 Test and Verification:
   Test-Intensity:
diff --git a/src/assets/YAML/default/implementations.yaml b/src/assets/YAML/default/implementations.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../schemas/dsomm-implementations-schema.json
 implementations:
   signing-of-commits-protection:
     name: Enforcement of commit signing
diff --git a/src/assets/YAML/schemas/dsomm-implementations-schema.json b/src/assets/YAML/schemas/dsomm-implementations-schema.json
@@ -0,0 +1,49 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Schema for Implementations",
+  "type": "object",
+  "properties": {
+    "implementations": {
+      "type": "object",
+      "patternProperties": {
+        ".*": {
+          "type": "object",
+          "properties": {
+            "name": {
+              "type": "string",
+              "default": ""
+            },
+            "tags": {
+              "type": "array",
+              "items": {
+                "type": "string",
+                "default": ""
+              }
+            },
+            "url": {
+              "type": "string",
+              "format": "uri",
+              "default": "https://"
+            },
+            "description": {
+              "type": "string",
+              "default": ""
+            }
+          },
+          "required": [
+            "name",
+            "tags",
+            "url",
+            "description"
+          ],
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": true
+    }
+  },
+  "required": [
+    "implementations"
+  ],
+  "additionalProperties": false
+}
diff --git a/src/assets/YAML/schemas/dsomm-schema-build-and-deployment.json b/src/assets/YAML/schemas/dsomm-schema-build-and-deployment.json
diff --git a/src/assets/YAML/schemas/dsomm-schema-culture-and-organization.json b/src/assets/YAML/schemas/dsomm-schema-culture-and-organization.json
diff --git a/src/assets/YAML/schemas/dsomm-schema-implementation.json b/src/assets/YAML/schemas/dsomm-schema-implementation.json
diff --git a/src/assets/YAML/schemas/dsomm-schema-information-gathering.json b/src/assets/YAML/schemas/dsomm-schema-information-gathering.json
diff --git a/src/assets/YAML/schemas/dsomm-schema-test-and-verification.json b/src/assets/YAML/schemas/dsomm-schema-test-and-verification.json

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+# yaml-language-server: $schema=../../schemas/dsomm-schema-build-and-deployment.json`
`1`	`2`	`---`
`2`	`3`	`Build and Deployment:`
`3`	`4`	`Build:`