From a1821e15ca5046f9a6d678b7de8cc8af11244f50 Mon Sep 17 00:00:00 2001
From: Christian Banse
Date: Fri, 13 Mar 2026 10:50:58 +0100
Subject: [PATCH 1/3] Added
---
.../VulnerabilitiesNotExploitable.yaml | 14 ++++++++
.../VulnerabilitiesNotExploitable/data.json | 4 +++
.../VulnerabilitiesNotExploitable/metric.rego | 35 +++++++++++++++++++
ontology/v1/core/functionality.owx | 20 +++++++++
4 files changed, 73 insertions(+)
create mode 100644 metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/VulnerabilitiesNotExploitable.yaml
create mode 100644 metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/data.json
create mode 100644 metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/metric.rego
diff --git a/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/VulnerabilitiesNotExploitable.yaml b/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/VulnerabilitiesNotExploitable.yaml
new file mode 100644
index 00000000..4c8b56dc
--- /dev/null
+++ b/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/VulnerabilitiesNotExploitable.yaml
@@ -0,0 +1,14 @@
+# ====== Metadata ======
+id: e0f1b6f2-13f5-482e-924e-c9e29145d7e5
+name: VulnerabilitiesNotExploitable
+description: >
+ This rule assesses whether a [Resource] has no [Vulnerability] or only
+ [Vulnerability] entries with [p1:exploitable] set to false.
+category: ApplicationSecurity
+version: "v1"
+comments: Ensuring detected vulnerabilities are not exploitable reduces the risk of active compromise.
+# ====== Configuration ======
+configuration:
+ p1:
+ operator: "=="
+ targetValue: False
diff --git a/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/data.json b/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/data.json
new file mode 100644
index 00000000..bf987f3c
--- /dev/null
+++ b/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/data.json
@@ -0,0 +1,4 @@
+{
+ "operator": "==",
+ "target_value": false
+}
diff --git a/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/metric.rego b/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/metric.rego
new file mode 100644
index 00000000..095d333b
--- /dev/null
+++ b/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/metric.rego
@@ -0,0 +1,35 @@
+package cch.metrics.vulnerabilities_not_exploitable
+
+import data.cch.compare
+import rego.v1
+import input.vulnerabilities as vul
+
+default applicable = false
+
+default compliant = false
+
+applicable if {
+ true
+}
+
+compliant if {
+ not vul
+}
+
+compliant if {
+ vul
+ every v in vul {
+ compare(data.operator, data.target_value, v.exploitable)
+ }
+}
+
+message := "No vulnerabilities were detected for the resource." if {
+ compliant
+ not vul
+} else := "All detected vulnerabilities are marked as not exploitable." if {
+ compliant
+ vul
+} else := "At least one detected vulnerability is exploitable." if {
+ applicable
+ not compliant
+}
diff --git a/ontology/v1/core/functionality.owx b/ontology/v1/core/functionality.owx
index e80e5b1b..bfcc4b03 100644
--- a/ontology/v1/core/functionality.owx
+++ b/ontology/v1/core/functionality.owx
@@ -310,6 +310,9 @@ + + +
@@ -1579,6 +1582,13 @@ + + + + + + +
@@ -2543,6 +2553,16 @@ prop:criticality criticality: Contains the criticality of a vulnerability, e.g., low, medium, high, critical + + + prop:exploitable exploitable: Indicates whether a vulnerability is known to be exploitable + + + + prop:exploitable exploitable + core:cve
From f20165207c608e77d96fed87ab8dc594bb135d01 Mon Sep 17 00:00:00 2001
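Review bot: In the second `compliant` rule the `every v in vul { compare(...) }` block fails for a vulnerability whose `exploitable` field is absent (the call is undefined, so `every` is not satisfied), which is the safe direction, but the only output is then "At least one detected vulnerability is exploitable." and nothing identifies which entry failed or that it failed for missing data. The sibling PasswordHashAlgorithmAllowed metric in patch 2 builds `results`/`violations` lists; the same shape here gives consumers per-vulnerability evidence, as sketched below. Separately, the generated `ontology.proto` in patch 3 declares the field as plain `bool exploitable` with no `optional`, so if that file is proto3 and the input is populated from that message, an unassessed vulnerability arrives as `false` and satisfies `== false`; whether the ontology should model an explicit unknown state is worth settling before this metric is relied on.
```rego
# … unchanged: package, imports, defaults, applicable, `compliant if { not vul }` …

# One entry per vulnerability that fails the comparison. An entry without an
# `exploitable` field leaves compare() undefined, so `not` lists it as well.
violations := [v |
    v := vul[_]
    not compare(data.operator, data.target_value, v.exploitable)
]

compliant if {
    vul
    count(violations) == 0
}

# … unchanged: message rules …
```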
From: Christian Banse
Date: Thu, 19 Mar 2026 12:36:58 +0100
Subject: [PATCH 2/3] Adding metrics for access control
---
.../PasswordHashAlgorithmAllowed.yaml | 16 ++++++++
.../PasswordHashAlgorithmAllowed/data.json | 4 ++
.../PasswordHashAlgorithmAllowed/metric.rego | 39 +++++++++++++++++++
...NetworkEndpointAuthenticationRequired.yaml | 14 +++++++
.../data.json | 4 ++
.../metric.rego | 29 ++++++++++++++
6 files changed, 106 insertions(+)
create mode 100644 metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/PasswordHashAlgorithmAllowed.yaml
create mode 100644 metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/data.json
create mode 100644 metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/metric.rego
create mode 100644 metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/NetworkEndpointAuthenticationRequired.yaml
create mode 100644 metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/data.json
create mode 100644 metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/metric.rego
diff --git a/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/PasswordHashAlgorithmAllowed.yaml b/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/PasswordHashAlgorithmAllowed.yaml
new file mode 100644
index 00000000..cec7c94e
--- /dev/null
+++ b/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/PasswordHashAlgorithmAllowed.yaml
@@ -0,0 +1,16 @@
+# ====== Metadata ======
+id: f4159401-68d4-4292-843e-251187346edf
+name: PasswordHashAlgorithmAllowed
+description: >
+ This rule assesses whether an [Application] that offers the property
+ [Functionalities.CryptographicHash] uses a [p1:algorithm] suitable for
+ password hashing.
+category: ApplicationSecurity
+version: "v1"
+comments: Using modern password hashing algorithms (e.g., Argon2id, bcrypt, scrypt)
+ improves resistance to offline cracking.
+# ====== Configuration ======
+configuration:
+ p1:
+ operator: "allIn"
+ targetValue: ["Argon2id", "bcrypt", "scrypt"]
diff --git a/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/data.json b/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/data.json
new file mode 100644
index 00000000..1a29c685
--- /dev/null
+++ b/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/data.json
@@ -0,0 +1,4 @@
+{
+ "operator": "allIn",
+ "target_value": ["Argon2id", "bcrypt", "scrypt"]
+}
diff --git a/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/metric.rego b/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/metric.rego
new file mode 100644
index 00000000..684f8dc1
--- /dev/null
+++ b/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/metric.rego
@@ -0,0 +1,39 @@
+package cch.metrics.password_hash_algorithm_allowed
+
+import data.cch.compare
+import rego.v1
+import input as app
+
+default applicable = false
+
+default compliant = false
+
+hashes := [func | func := app.functionalities[_]; func.cryptographicHash]
+
+applicable if {
+ app.type[_] == "Application"
+}
+
+compliant if {
+ count(violations) == 0
+}
+
+message := "The analyzed resource uses approved password hashing algorithms." if {
+ compliant
+} else := "The analyzed resource contains evidence of weak password hashing algorithms." if {
+ not compliant
+}
+
+results := [
+ mapped |
+ func := app.functionalities[_]
+ mapped := {
+ "property": "cryptographicHash.algorithm",
+ "value": func.cryptographicHash.algorithm,
+ "target_value": data.target_value,
+ "operator": data.operator,
+ "success": compare(data.operator, data.target_value, func.cryptographicHash.algorithm),
+ }
+]
+
+violations := [x | y := results[_]; y.success == false; x = y]
diff --git a/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/NetworkEndpointAuthenticationRequired.yaml b/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/NetworkEndpointAuthenticationRequired.yaml
new file mode 100644
index 00000000..ab30647b
--- /dev/null
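Review bot: `applicable` only tests `app.type[_] == "Application"`, so an application with no `cryptographicHash` functionality, or one whose hash functionality has no `algorithm` field, yields an empty `results` list (the undefined `func.cryptographicHash.algorithm` reference drops that iteration), zero `violations`, and the message "The analyzed resource uses approved password hashing algorithms." although nothing was checked. The `hashes` comprehension is declared but never used; it closes the first gap if applicability becomes `applicable if { app.type[_] == "Application"; count(hashes) > 0 }`, and a hash entry lacking `algorithm` should then be emitted as a failed result rather than skipped. Every CryptographicHash functionality is also judged against the password-hashing allow-list, so a hash used for integrity (for example SHA-256 over a download) would be reported as weak password hashing; if the ontology cannot distinguish the two uses, say so in the yaml `comments`. I cannot see `data.cch.compare`, so whether `allIn` accepts a scalar `algorithm` against a list `target_value` is not verifiable from this hunk.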
+++ b/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/NetworkEndpointAuthenticationRequired.yaml
@@ -0,0 +1,14 @@
+# ====== Metadata ======
+id: b792af37-8154-425b-90c7-73c53c137132
+name: NetworkEndpointAuthenticationRequired
+description: >
+ This rule assesses whether a [NetworkService] has [Authenticity] with
+ [p1:noAuthentication] set to false.
+category: NetworkSecurity
+version: "v1"
+comments: Basic access control requires network endpoints to avoid [NoAuthentication].
+# ====== Configuration ======
+configuration:
+ p1:
+ operator: "=="
+ targetValue: False
diff --git a/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/data.json b/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/data.json
new file mode 100644
index 00000000..bf987f3c
--- /dev/null
+++ b/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/data.json
@@ -0,0 +1,4 @@
+{
+ "operator": "==",
+ "target_value": false
+}
diff --git a/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/metric.rego b/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/metric.rego
new file mode 100644
index 00000000..803a4ca9
--- /dev/null
+++ b/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/metric.rego
@@ -0,0 +1,29 @@
+package cch.metrics.network_endpoint_authentication_required
+
+import data.cch.compare
+import rego.v1
+import input.authenticity as auth
+
+default applicable = false
+
+default compliant = false
+
+applicable if {
+ auth
+}
+
+auth_no_authentication := true if {
+ auth.noAuthentication
+} else := true if {
+ auth.no_authentication
+} else := false
+
+compliant if {
+ compare(data.operator, data.target_value, auth_no_authentication)
+}
+
+message := "Authentication is required for the network endpoint." if {
+ compliant
+} else := "The network endpoint allows unauthenticated access." if {
+ not compliant
+}
From 1e39c1e05582a3646819d44442c04aa24bd144a4 Mon Sep 17 00:00:00 2001
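Review bot: The trailing `else := false` in `auth_no_authentication` maps an authenticity object that carries neither `noAuthentication` nor `no_authentication` to "authentication required", so an endpoint whose evidence simply lacks the flag is reported compliant with "Authentication is required for the network endpoint."; the `default compliant = false` at the top suggests the intended direction is fail-closed. If absence should be non-compliant, one line keeps both spellings and still fails on missing data: `auth_no_authentication := object.get(auth, "noAuthentication", object.get(auth, "no_authentication", null))`, assuming `compare` is false or undefined for a `null` value. If absence instead legitimately means some other authenticity type and `false` is correct, a comment above the rule saying so would spare the next reader the same question. The snake_case fallback is also out of step with the other metrics in this series, which read only camelCase fields (`cryptographicHash`, `exploitable`).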
From: "github-actions[bot]"
Date: Thu, 19 Mar 2026 11:37:45 +0000
Subject: [PATCH 3/3] Auto-update merged ontology and proto files [skip ci]
---
ontology/v1/ontology-merged.owx | 20 ++++++++++++++++++++
ontology/v1/ontology.proto | 2 ++
2 files changed, 22 insertions(+)
diff --git a/ontology/v1/ontology-merged.owx b/ontology/v1/ontology-merged.owx
index 95d9708d..4bb112c2 100644
--- a/ontology/v1/ontology-merged.owx
+++ b/ontology/v1/ontology-merged.owx
@@ -1136,6 +1136,9 @@ + + +
@@ -4666,6 +4669,13 @@ + + + + + + +
@@ -7689,6 +7699,16 @@ name = metadata.name /properties/enforced enforced + + + /properties/exploitable exploitable: Indicates whether a vulnerability is known to be exploitable + + + + /properties/exploitable exploitable + /properties/field
diff --git a/ontology/v1/ontology.proto b/ontology/v1/ontology.proto
index e094d349..b8b94bda 100644
--- a/ontology/v1/ontology.proto
+++ b/ontology/v1/ontology.proto
@@ -4090,6 +4090,8 @@ message Vulnerability {
string cve = 205;
repeated string cwe = 18325;
string description = 10690;
+ // exploitable: Indicates whether a vulnerability is known to be exploitable
+ bool exploitable = 15966;
string url = 11925;
}