@@ -0,0 +1,16 @@
# ====== Metadata ======
id: f4159401-68d4-4292-843e-251187346edf
name: PasswordHashAlgorithmAllowed
description: >
This rule assesses whether an [Application] that offers the property
[Functionalities.CryptographicHash] uses a [p1:algorithm] suitable for
password hashing.
category: ApplicationSecurity
version: "v1"
comments: Using modern password hashing algorithms (e.g., Argon2id, bcrypt, scrypt)
improves resistance to offline cracking.
# ====== Configuration ======
configuration:
p1:
operator: "allIn"
targetValue: ["Argon2id", "bcrypt", "scrypt"]
@@ -0,0 +1,4 @@
{
"operator": "allIn",
"target_value": ["Argon2id", "bcrypt", "scrypt"]
}
@@ -0,0 +1,39 @@
package cch.metrics.password_hash_algorithm_allowed

import data.cch.compare
import rego.v1
import input as app

default applicable = false

default compliant = false

hashes := [func | func := app.functionalities[_]; func.cryptographicHash]

applicable if {
app.type[_] == "Application"
}

compliant if {
count(violations) == 0
}

message := "The analyzed resource uses approved password hashing algorithms." if {
compliant
} else := "The analyzed resource contains evidence of weak password hashing algorithms." if {
not compliant
}

results := [
mapped |
func := app.functionalities[_]
mapped := {
"property": "cryptographicHash.algorithm",
"value": func.cryptographicHash.algorithm,
"target_value": data.target_value,
"operator": data.operator,
"success": compare(data.operator, data.target_value, func.cryptographicHash.algorithm),
}
]

violations := [x | y := results[_]; y.success == false; x = y]
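Review bot: `applicable` only checks `app.type[_] == "Application"`, while the description scopes the rule to applications that offer `cryptographicHash`; the `hashes` comprehension that would express that is never referenced, so an application with no hashing functionality produces an empty `violations` and is reported compliant with the approval message. Consider `applicable if { app.type[_] == "Application"; count(hashes) > 0 }` so such resources are skipped instead of vacuously passing, or remove `hashes` if the vacuous pass is intended. `results` is also fail-open for a functionality whose `cryptographicHash` has no `algorithm` field: the undefined reference silently drops that entry from the comprehension rather than recording a failed check, so either comment that behaviour or use `object.get(func.cryptographicHash, "algorithm", "")` so a missing algorithm counts as a violation. The `allIn` check compares the reported name against `["Argon2id", "bcrypt", "scrypt"]` as spelled, so a variant such as `argon2id` would presumably fail unless `compare` normalizes case; if it does not, document the required spelling next to `targetValue`.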
@@ -0,0 +1,14 @@
# ====== Metadata ======
id: e0f1b6f2-13f5-482e-924e-c9e29145d7e5
name: VulnerabilitiesNotExploitable
description: >
This rule assesses whether a [Resource] has no [Vulnerability] or only
[Vulnerability] entries with [p1:exploitable] set to false.
Comment on lines +5 to +6
We want to avoid using the target_value in the description.

Suggested change
This rule assesses whether a [Resource] has no [Vulnerability] or only
[Vulnerability] entries with [p1:exploitable] set to false.
This rule assesses whether a [Resource] has no [Vulnerability] or all entries for [p1:exploitable] correctly configured.

category: ApplicationSecurity
version: "v1"
comments: Ensuring detected vulnerabilities are not exploitable reduces the risk of active compromise.
# ====== Configuration ======
configuration:
p1:
operator: "=="
targetValue: False
@@ -0,0 +1,4 @@
{
"operator": "==",
"target_value": false
}
@@ -0,0 +1,35 @@
package cch.metrics.vulnerabilities_not_exploitable

import data.cch.compare
import rego.v1
import input.vulnerabilities as vul

default applicable = false

default compliant = false

applicable if {
true
}

compliant if {
not vul
}

compliant if {
vul
every v in vul {
compare(data.operator, data.target_value, v.exploitable)
}
}

message := "No vulnerabilities were detected for the resource." if {
compliant
not vul
} else := "All detected vulnerabilities are marked as not exploitable." if {
compliant
vul
} else := "At least one detected vulnerability is exploitable." if {
applicable
not compliant
}
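Review bot: The second `compliant` rule is undefined for any entry without an `exploitable` field, because `v.exploitable` inside the `every` body is undefined and makes the whole `every` fail, so the rule falls back to the default and reports "At least one detected vulnerability is exploitable." for data that says nothing about exploitability. Since the proto change in this PR declares `exploitable` as a plain proto3 `bool`, a serializer that omits default-valued fields would presumably produce exactly that input for every non-exploitable finding. Decide explicitly whether a missing value is a failure (then add a message such as "At least one vulnerability has no exploitability information.") or a pass (then compare `object.get(v, "exploitable", false)`), and record the choice in a comment above the rule. The message rules also misreport an empty `vulnerabilities` array: `vul` is defined for `[]`, so `not vul` fails and the result reads "All detected vulnerabilities are marked as not exploitable." although none were detected; `count(vul) == 0` in the first message and `count(vul) > 0` in the second would fix that.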
@@ -0,0 +1,14 @@
# ====== Metadata ======
id: b792af37-8154-425b-90c7-73c53c137132
name: NetworkEndpointAuthenticationRequired
description: >
This rule assesses whether a [NetworkService] has [Authenticity] with
[p1:noAuthentication] set to false.
Comment on lines +5 to +6
Suggested change
This rule assesses whether a [NetworkService] has [Authenticity] with
[p1:noAuthentication] set to false.
This rule assesses whether a [NetworkService] has [Authenticity] with
[p1:noAuthentication] correctly configured.

category: NetworkSecurity
version: "v1"
comments: Basic access control requires network endpoints to avoid [NoAuthentication].
# ====== Configuration ======
configuration:
p1:
operator: "=="
targetValue: False
@@ -0,0 +1,4 @@
{
"operator": "==",
"target_value": false
}
@@ -0,0 +1,29 @@
package cch.metrics.network_endpoint_authentication_required

import data.cch.compare
import rego.v1
import input.authenticity as auth

default applicable = false

default compliant = false

applicable if {
auth
}

auth_no_authentication := true if {
auth.noAuthentication
} else := true if {
auth.no_authentication
} else := false

compliant if {
compare(data.operator, data.target_value, auth_no_authentication)
}

message := "Authentication is required for the network endpoint." if {
compliant
} else := "The network endpoint allows unauthenticated access." if {
not compliant
}
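Review bot: `applicable if { auth }` makes the rule silently inapplicable to a network service whose `authenticity` block is absent, so the case the name `NetworkEndpointAuthenticationRequired` most needs to catch — no authentication information at all — yields no finding. The application rule in this PR gates applicability on `input.type`; checking `input.type[_] == "NetworkService"` here and handling a missing `auth` inside `compliant` would keep the two rules consistent. `auth_no_authentication` falls through to `false` when neither `noAuthentication` nor `no_authentication` is present, so absent evidence is read as "authentication present" and the endpoint is reported compliant, whereas the vulnerability rule in the same PR fails on an absent field; the two rules treat missing data in opposite directions and the chosen default deserves a comment such as `# a missing noAuthentication flag is treated as "authentication present" — confirm with the evidence producers`.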
20 changes: 20 additions & 0 deletions ontology/v1/core/functionality.owx
Expand Up @@ -310,6 +310,9 @@
<Declaration>
<DataProperty abbreviatedIRI="prop:criticality"/>
</Declaration>
<Declaration>
<DataProperty abbreviatedIRI="prop:exploitable"/>
</Declaration>
<Declaration>
<DataProperty abbreviatedIRI="prop:source"/>
</Declaration>
Expand Down Expand Up @@ -1579,6 +1582,13 @@
<Datatype abbreviatedIRI="xsd:string"/>
</DataSomeValuesFrom>
</SubClassOf>
<SubClassOf>
<Class abbreviatedIRI="core:Vulnerability"/>
<DataSomeValuesFrom>
<DataProperty abbreviatedIRI="prop:exploitable"/>
<Datatype abbreviatedIRI="xsd:boolean"/>
</DataSomeValuesFrom>
</SubClassOf>
<SubClassOf>
<Class abbreviatedIRI="core:Vulnerability"/>
<DataSomeValuesFrom>
Expand Down Expand Up @@ -2543,6 +2553,16 @@
<AbbreviatedIRI>prop:criticality</AbbreviatedIRI>
<Literal>criticality: Contains the criticality of a vulnerability, e.g., low, medium, high, critical</Literal>
</AnnotationAssertion>
<AnnotationAssertion>
<AnnotationProperty abbreviatedIRI="rdfs:comment"/>
<AbbreviatedIRI>prop:exploitable</AbbreviatedIRI>
<Literal>exploitable: Indicates whether a vulnerability is known to be exploitable</Literal>
</AnnotationAssertion>
<AnnotationAssertion>
<AnnotationProperty abbreviatedIRI="rdfs:label"/>
<AbbreviatedIRI>prop:exploitable</AbbreviatedIRI>
<Literal>exploitable</Literal>
</AnnotationAssertion>
<AnnotationAssertion>
<AnnotationProperty abbreviatedIRI="rdfs:label"/>
<AbbreviatedIRI>core:cve</AbbreviatedIRI>
20 changes: 20 additions & 0 deletions ontology/v1/ontology-merged.owx
Expand Up @@ -1136,6 +1136,9 @@
<Declaration>
<DataProperty IRI="/properties/enforced"/>
</Declaration>
<Declaration>
<DataProperty IRI="/properties/exploitable"/>
</Declaration>
<Declaration>
<DataProperty IRI="/properties/field"/>
</Declaration>
Expand Down Expand Up @@ -4666,6 +4669,13 @@
<Datatype abbreviatedIRI="xsd:string"/>
</DataSomeValuesFrom>
</SubClassOf>
<SubClassOf>
<Class IRI="/classes/Vulnerability"/>
<DataSomeValuesFrom>
<DataProperty IRI="/properties/exploitable"/>
<Datatype abbreviatedIRI="xsd:boolean"/>
</DataSomeValuesFrom>
</SubClassOf>
<SubClassOf>
<Class IRI="/classes/Vulnerability"/>
<DataSomeValuesFrom>
Expand Down Expand Up @@ -7689,6 +7699,16 @@ name = metadata.name</Literal>
<IRI>/properties/enforced</IRI>
<Literal xml:lang="english">enforced</Literal>
</AnnotationAssertion>
<AnnotationAssertion>
<AnnotationProperty abbreviatedIRI="rdfs:comment"/>
<IRI>/properties/exploitable</IRI>
<Literal>exploitable: Indicates whether a vulnerability is known to be exploitable</Literal>
</AnnotationAssertion>
<AnnotationAssertion>
<AnnotationProperty abbreviatedIRI="rdfs:label"/>
<IRI>/properties/exploitable</IRI>
<Literal>exploitable</Literal>
</AnnotationAssertion>
<AnnotationAssertion>
<AnnotationProperty abbreviatedIRI="rdfs:label"/>
<IRI>/properties/field</IRI>
2 changes: 2 additions & 0 deletions ontology/v1/ontology.proto
Expand Up @@ -4090,6 +4090,8 @@ message Vulnerability {
string cve = 205;
repeated string cwe = 18325;
string description = 10690;
// exploitable: Indicates whether a vulnerability is known to be exploitable
bool exploitable = 15966;
string url = 11925;
}

Expand Down
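Review bot: `bool exploitable = 15966;` has no field presence in proto3 (which this file appears to use), so `false` and "not assessed" become indistinguishable once the message is serialized, while the new `vulnerabilities_not_exploitable` rule in this PR evaluates a missing field differently from an explicit `false`. Declaring it `optional bool exploitable = 15966;` keeps the same wire encoding and lets generated accessors and JSON output distinguish unset from `false`. The comment "Indicates whether a vulnerability is known to be exploitable" (repeated in `functionality.owx` and `ontology-merged.owx`) leaves open whether `false` means "assessed as not exploitable" or merely "no evidence"; a comment along the lines of `// exploitable: true when exploitability has been confirmed; false when assessed as not exploitable; unset when not assessed` would remove the ambiguity. `message Vulnerability` starts outside the hunk.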