diff --git a/.github/workflows/validate_artifacts.yml b/.github/workflows/validate_artifacts.yml
index 9cf7b57a..3600f388 100644
--- a/.github/workflows/validate_artifacts.yml
+++ b/.github/workflows/validate_artifacts.yml
@@ -16,10 +16,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v1
- - name: Set up Python 3.7
+ - name: Set up Python 3.11
 uses: actions/setup-python@v1
 with:
- python-version: 3.7
+ python-version: 3.11
 - name: Install dependencies
 run: |
 python -m pip install --upgrade pip
diff --git a/.github/workflows/validate_vrt.yml b/.github/workflows/validate_vrt.yml
index 7b8378f3..bfa189dc 100644
--- a/.github/workflows/validate_vrt.yml
+++ b/.github/workflows/validate_vrt.yml
@@ -9,10 +9,10 @@ jobs:
 steps:
 - uses: actions/checkout@v1
- - name: Set up Python 3.7
+ - name: Set up Python 3.11
 uses: actions/setup-python@v1
 with:
- python-version: 3.7
+ python-version: 3.11
 - name: Install dependencies
 run: |
 python -m pip install --upgrade pip
diff --git a/Dockerfile b/Dockerfile
index 8824a941..f0da0ce0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,8 @@
-FROM python:3.6
-
-RUN pip install jsonschema GitPython semantic_version
+FROM python:3.11
 WORKDIR /tmp/vrt
+ADD . /tmp/vrt
+
+RUN pip install -r lib/requirements.txt
+
 CMD [ "python3", "-B" , "./lib/validate_vrt.py" ]
diff --git a/lib/tests/test_vrt.py b/lib/tests/test_vrt.py
index ea78802f..66976d16 100644
--- a/lib/tests/test_vrt.py
+++ b/lib/tests/test_vrt.py
@@ -7,6 +7,8 @@ class TestVrt(unittest.TestCase):
 def setUp(self):
+ print("\n`---{}---`".format(self._testMethodName))
+
+ self.vrt = utils.get_json(utils.VRT_FILENAME)
 self.mappings = [ { 'filename': f, 'name': os.path.splitext(os.path.basename(f))[0] } for f in glob.glob(utils.MAPPING_DIR + '/**/*.json', recursive=True) if 'schema' not in f
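Review bot: `ADD . /tmp/vrt` should be `COPY . /tmp/vrt`: ADD also auto-extracts local archives and can fetch URLs, neither of which a plain source tree wants, and unless a `.dockerignore` exists (none is in this diff) the whole working directory, `.git` and any local files included, is baked into the image. Copying the requirements file and installing before copying the tree would additionally keep the dependency layer cached across source edits: `COPY lib/requirements.txt lib/requirements.txt`, `RUN pip install --no-cache-dir -r lib/requirements.txt`, `COPY . /tmp/vrt`. Whether `lib/requirements.txt` pins versions is not visible here; as with the removed inline `pip install`, the build is reproducible only if it does.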
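Review bot: The `print` added to setUp reads the private `_testMethodName` attribute and repeats what `python -m unittest -v` already reports per test. If the banner is kept, `self.id()` is the public equivalent, and with the toolchain now pinned to 3.11 an f-string would read better than `str.format`. The rest of setUp (the `self.mappings` comprehension) continues past this hunk, so the placement of `self.vrt` ahead of it is all that can be judged here and looks fine.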
@@ -43,19 +45,22 @@ def test_mapping_schemas(self):
 self.validate_schema(schema_file, mapping['filename'])
 def all_vrt_ids_have_mapping(self, mappping_filename, key):
- vrt = utils.get_json(utils.VRT_FILENAME)
 mapping = utils.get_json(mappping_filename)
 keyed_mapping = utils.key_by_id(mapping['content'])
- for vrt_id_list in utils.all_id_lists(vrt, include_internal=False):
- self.assertTrue(utils.has_mapping(keyed_mapping, vrt_id_list, key),
- 'no ' + key + ' mapping for ' + '.'.join(vrt_id_list))
+ for vrt_id_list in utils.all_id_lists(self.vrt, include_internal=False):
+ result = utils.has_mapping(keyed_mapping, vrt_id_list, key)
+ if key == 'cwe' and not result:
+ print('WARNING: no ' + key + ' mapping for ' + '.'.join(vrt_id_list))
+ else:
+ self.assertTrue(utils.has_mapping(keyed_mapping, vrt_id_list, key),
+ 'no ' + key + ' mapping for ' + '.'.join(vrt_id_list))
 def test_all_vrt_ids_have_all_mappings(self):
 for mapping in self.mappings:
 self.all_vrt_ids_have_mapping(mapping['filename'], mapping['name'])
 def only_map_valid_ids(self, mapping_filename):
- vrt_ids = utils.all_id_lists(utils.get_json(utils.VRT_FILENAME))
+ vrt_ids = utils.all_id_lists(self.vrt)
 mapping_ids = utils.all_id_lists(utils.get_json(mapping_filename))
 for id_list in mapping_ids:
 self.assertIn(id_list, vrt_ids, 'invalid id in ' + mapping_filename + ' - ' + '.'.join(id_list))
diff --git a/mappings/cvss_v3/cvss_v3.json b/mappings/cvss_v3/cvss_v3.json
index 6f2735f6..56e6611f 100644
--- a/mappings/cvss_v3/cvss_v3.json
+++ b/mappings/cvss_v3/cvss_v3.json
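Review bot: In the `else` branch of the new loop `utils.has_mapping(keyed_mapping, vrt_id_list, key)` is evaluated a second time even though its value is already in `result`; the assertion should use the stored value, `self.assertTrue(result, 'no ' + key + ' mapping for ' + '.'.join(vrt_id_list))`. The `cwe` exemption also changes what CI enforces: a missing CWE mapping now only prints a line into the test output and can never fail the run, which looks intended so the new bias categories in `cwe.json` can land without a CWE, but nothing in the code says so. A one-line comment above the `if`, such as `# cwe coverage is best-effort: VRT categories with no applicable CWE only warn`, would record the rationale, and collecting the warned ids into one message at the end of the loop would make them easier to spot than scattered prints.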
@@ -447,6 +447,63 @@
 }
 ]
 },
+ {
+ "id": "data_biases",
+ "children": [
+ {
+ "id": "representation_bias",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
+ },
+ {
+ "id": "pre_existing_bias",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
+ }
+ ]
+ },
+ {
+ "id": "algorithmic_biases",
+ "children": [
+ {
+ "id": "processing_bias",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
+ },
+ {
+ "id": "aggregation_bias",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
+ }
+ ]
+ },
+ {
+ "id": "societal_biases",
+ "children": [
+ {
+ "id": "confirmation_bias",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "systemic_bias",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
+ }
+ ]
+ },
+ {
+ "id": "misinterpretation_biases",
+ "children": [
+ {
+ "id": "context_ignorance",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ }
+ ]
+ },
+ {
+ "id": "developer_biases",
+ "children": [
+ {
+ "id": "implicit_bias",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N"
+ }
+ ]
+ },
 {
 "id": "sensitive_data_exposure",
 "children": [
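Review bot: The vector for `developer_biases/implicit_bias`, `AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N`, has no confidentiality, integrity or availability impact, and under the CVSS v3.1 base formula an impact sub-score at or below zero yields a base score of 0.0 regardless of the exploitability metrics, so the chosen AV/AC/S values have no effect. If "no severity" is the intent, the rest of the file expresses that for parent nodes by omitting `cvss_v3` altogether (see `data_biases` and the existing `physical_security_issues`), so a leaf with an all-None vector should be a deliberate choice rather than a placeholder; otherwise it needs at least one non-None impact metric. The sibling bias entries share one vector almost verbatim, which is fine, but worth a second look for the same reason.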
@@ -828,31 +885,31 @@
 ]
 },
 {
- "id": "physical_security_issues",
- "children": [
- {
- "id": "bypass_of_physical_access_control",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
- },
- {
- "id": "weakness_in_physical_access_control",
- "children": [
- {
- "id": "cloneable_key",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
- },
- {
- "id": "master_key_identification",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
- },
- {
- "id": "commonly_keyed_system",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
- }
- ]
- }
- ]
- },
+ "id": "physical_security_issues",
+ "children": [
+ {
+ "id": "bypass_of_physical_access_control",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
+ },
+ {
+ "id": "weakness_in_physical_access_control",
+ "children": [
+ {
+ "id": "cloneable_key",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
+ },
+ {
+ "id": "master_key_identification",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
+ },
+ {
+ "id": "commonly_keyed_system",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
+ }
+ ]
+ }
+ ]
+ },
 {
 "id": "insecure_os_firmware",
 "children": [
@@ -873,7 +930,7 @@
 }
 ]
 },
- {
+ {
 "id": "weakness_in_firmware_updates",
 "children": [
 {
@@ -889,54 +946,54 @@
 "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
 }
 ]
- },
- {
- "id": "kiosk_escape_or_breakout",
- "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"
- },
- {
- "id": "poorly_configured_disk_encryption",
- "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
- },
- {
- "id": "shared_credentials_on_storage",
- "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
- },
- {
- "id": "over_permissioned_credentials_on_storage",
- "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
- },
- {
- "id": "local_administrator_on_default_environment",
- "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
- },
- {
- "id": "poorly_configured_operating_system_security",
- "cvss_v3": "AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
- },
- {
- "id": "recovery_of_disk_contains_sensitive_material",
- "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
- },
- {
- "id": "failure_to_remove_sensitive_artifacts_from_disk",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
- },
- {
- "id": "data_not_encrypted_at_rest",
- "children": [
- {
- "id": "non_sensitive",
- "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
- },
- {
- "id": "sensitive",
- "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
- }
- ]
- }
- ]
-},
+ },
+ {
+ "id": "kiosk_escape_or_breakout",
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"
+ },
+ {
+ "id": "poorly_configured_disk_encryption",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "id": "shared_credentials_on_storage",
+ "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "id": "over_permissioned_credentials_on_storage",
+ "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "id": "local_administrator_on_default_environment",
+ "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+ },
+ {
+ "id": "poorly_configured_operating_system_security",
+ "cvss_v3": "AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
+ },
+ {
+ "id": "recovery_of_disk_contains_sensitive_material",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "id": 
"failure_to_remove_sensitive_artifacts_from_disk",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "id": "data_not_encrypted_at_rest",
+ "children": [
+ {
+ "id": "non_sensitive",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "sensitive",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ]
+ }
+ ]
+ },
 {
 "id": "cryptographic_weakness",
 "children": [
diff --git a/mappings/cwe/cwe.json b/mappings/cwe/cwe.json
index e7b953b6..1866223c 100644
--- a/mappings/cwe/cwe.json
+++ b/mappings/cwe/cwe.json
@@ -751,6 +751,68 @@
 {
 "id": "indicators_of_compromise",
 "cwe": null
+ },
+ {
+ "id": "data_biases",
+ "cwe": null,
+ "children": [
+ {
+ "id": "representation_bias",
+ "cwe": null
+ },
+ {
+ "id": "pre_existing_bias",
+ "cwe": null
+ }
+ ]
+ },
+ {
+ "id": "algorithmic_biases",
+ "cwe": null,
+ "children": [
+ {
+ "id": "processing_bias",
+ "cwe": null
+ },
+ {
+ "id": "aggregation_bias",
+ "cwe": null
+ }
+ ]
+ },
+ {
+ "id": "societal_biases",
+ "cwe": null,
+ "children": [
+ {
+ "id": "confirmation_bias",
+ "cwe": null
+ },
+ {
+ "id": "systemic_bias",
+ "cwe": null
+ }
+ ]
+ },
+ {
+ "id": "misinterpretation_biases",
+ "cwe": null,
+ "children": [
+ {
+ "id": "context_ignorance",
+ "cwe": null
+ }
+ ]
+ },
+ {
+ "id": "developer_biases",
+ "cwe": null,
+ "children": [
+ {
+ "id": "implicit_bias",
+ "cwe": null
+ }
+ ]
 }
 ]
 }
diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json
index 0f45b455..ffe20d61 100644
--- a/mappings/remediation_advice/remediation_advice.json
+++ b/mappings/remediation_advice/remediation_advice.json
@@ -1,7 +1,10 @@
 {
 "metadata": {
 "default": null,
- "keys": ["remediation_advice", "references"]
+ "keys": [
+ "remediation_advice",
+ "references"
+ ]
 },
 "content": [
 {
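Review bot: Every entry added to cwe.json here carries `"cwe": null`, parents and leaves alike, and the companion change in lib/tests/test_vrt.py turns a missing `cwe` mapping into a printed warning instead of a failure. Whether `utils.has_mapping` treats `null` as present is not visible in this diff; if it does not, these ids will only ever warn in CI and are unlikely to be revisited, and if it does, the test relaxation was not needed for them. JSON cannot hold a comment, so the rationale (no applicable CWE yet, or a pending mapping) belongs in the test exemption or the commit message, and the leaves should be mapped to a CWE wherever one applies.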
@@ -56,7 +59,9 @@
 {
 "id": "same_site_scripting",
 "remediation_advice": "As a best practice, do not resolve targets or hostnames to 127.0.0.1 or similar addresses.",
- "references": ["http://seclists.org/bugtraq/2008/Jan/270"]
+ "references": [
+ "http://seclists.org/bugtraq/2008/Jan/270"
+ ]
 },
 {
 "id": "ssl_attack_breach_poodle_etc",
@@ -104,7 +109,9 @@
 {
 "id": "missing_caa_record",
 "remediation_advice": "As the domain name holder you can modify the DNS zone file to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain.",
- "references": ["https://tools.ietf.org/html/rfc6844"]
+ "references": [
+ "https://tools.ietf.org/html/rfc6844"
+ ]
 }
 ]
 },
@@ -163,7 +170,9 @@
 {
 "id": "excessively_privileged_user_dba",
 "remediation_advice": "Ensure that the current DBMS session user has the least amount of privilege necessary.",
- "references": ["https://www.owasp.org/index.php/Least_privilege"]
+ "references": [
+ "https://www.owasp.org/index.php/Least_privilege"
+ ]
 }
 ]
 },
@@ -241,7 +250,9 @@
 {
 "id": "cookie_scoped_to_parent_domain",
 "remediation_advice": "If possible do not set the domain for the session cookie. If domain is not set, so by default, the cookie will be a host only cookie, meaning accessible explicitly to the domain from which it was set.",
- "references": ["https://tools.ietf.org/html/rfc6265"]
+ "references": [
+ "https://tools.ietf.org/html/rfc6265"
+ ]
 },
 {
 "id": "missing_secure_or_httponly_cookie_flag",
@@ -287,7 +298,9 @@
 {
 "id": "account_takeover",
 "remediation_advice": "Ensure correct implementation of OAuth protocol in order to protect client secrets and tokens, and provide secure access controls.",
- "references": ["https://tools.ietf.org/html/rfc6819"]
+ "references": [
+ "https://tools.ietf.org/html/rfc6819"
+ ]
 },
 {
 "id": "account_squatting",
@@ -525,7 +538,9 @@
 {
 "id": "bitsquatting",
 "remediation_advice": "As a best practice, consider registering any potential bitsquatting domain names.",
- "references": ["http://dinaburg.org/bitsquatting.html"]
+ "references": [
+ "http://dinaburg.org/bitsquatting.html"
+ ]
 }
 ]
 },
@@ -615,7 +630,9 @@
 {
 "id": "external_authentication_injection",
 "remediation_advice": "Even if unsafe HTML tags like `