Add metric DocumentCSAFRedRestricted #51

Open

anatheka wants to merge 25 commits into main from 50-documentcsafredrestricted

Conversation

anatheka (Collaborator) commented Apr 23, 2025

@immqu I think we should extend the compare function by adding an operator named "isNot" or "notUsed" to verify if a property is not utilized. This enhancement would allow us to write this metric in a more intuitive manner.

@anatheka anatheka linked an issue Apr 23, 2025 that may be closed by this pull request
@anatheka anatheka self-assigned this Apr 23, 2025
@anatheka anatheka requested a review from immqu April 23, 2025 11:07
@@ -0,0 +1,9 @@
--- # Metadata
- id: DocumentCSAFRedRestricted
- description: This rule assesses whether a [SecurityAdvisoryDocument] that provides the property [RemoteDocumentLocation] is access protected by ensuring that the [noAuthentication] property is not utilized.
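Review bot: the description tags [SecurityAdvisoryDocument] and [RemoteDocumentLocation] but leaves [noAuthentication] without a parameter reference, so nothing in the metadata ties that property to a configurable target value; tag it as [p1:noAuthentication] and give p1 a target value of false so the expectation ("noAuthentication must not be set") is visible in the metadata and not only in the Rego rule. The phrase "is not utilized" should also say whether an absent property and an explicit `noAuthentication: false` are both treated as compliant, since a Rego rule sees the two cases differently (an absent property is undefined rather than false).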

Collaborator

There is a reference to p1 missing

Collaborator Author

I added the reference p1 to the noAuthentication property, but it doesn’t make any difference since the Rego rule does not check against the target value.

Collaborator

Okay, I would just find it more intuitive to reference [noAuthentication] with p1 and then set the p1 targetValue to false ("noAuthentication should not be set")

immqu (Collaborator) commented Apr 23, 2025

We have "isIn" as a compare function, so we would need the opposite "not isIn". But we need a new compare function for that, right?

anatheka (Collaborator Author)

> We have "isIn" as a compare function, so we would need the opposite "not isIn". But we need a new compare function for that, right?

Couldn't we just use the operator not? https://www.openpolicyagent.org/docs/policy-language#negation

immqu (Collaborator) commented Jun 23, 2025

Yes, but we have to keep in mind that there is no dedicated compare function for that, so:

  • Either we have to write a new compare function or adapt the existing "isIn" function
  • Or we have to write the respective policies like so: compliant if {not compare(data.operator, data.target_value, val)}

Or am I overlooking another possibility?

anatheka (Collaborator Author)

No, you are right. But I would prefer to use the not operator instead of writing new compare functions.

@anatheka anatheka marked this pull request as draft June 24, 2025 08:28
immqu (Collaborator) commented Jun 24, 2025

Okay, let's use this solution for now. I think it's not very readable, but it is a rare case anyway.
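The two forms weighed in this thread, negating the existing `isIn` call at the call site versus adding a dedicated negated operator, written out as an added example that is not the project's metric.rego. The `compare` helper, its (operator, target_value, value) argument order, the `config` object standing in for `data.operator`/`data.target_value`, the package name and the sample inputs are all assumptions made for illustration. The example also shows the edge case that makes the choice matter: a document that simply omits `noAuthentication`.

```rego
package csaf.document_csaf_red_restricted_example

import rego.v1

# Hypothetical compare helper modelled on the "isIn" operator mentioned in the
# thread; the project's real helper may differ in name and argument order.
compare("isIn", target, val) if {
	val in target
}

# Option 1 from the thread: a dedicated negated operator.
compare("notIn", target, val) if {
	not val in target
}

# Constructed configuration values (hypothetical stand-in for data.operator
# and data.target_value).
config := {
	"operator": "isIn",
	"target_value": {true},
}

default compliant := false

# Option 2 from the thread (the one chosen): keep "isIn" and negate at the
# call site. If input.noAuthentication is absent, compare() is undefined and
# `not` turns that into true, so an unset property counts as compliant.
compliant if {
	input.remoteDocumentLocation
	not compare(config.operator, config.target_value, input.noAuthentication)
}

default compliant_with_not_in := false

# Same intent with the dedicated operator. Here an absent property would make
# compare() undefined and the rule silently false, so the value is defaulted
# to false first; without object.get this variant reports a false negative.
compliant_with_not_in if {
	input.remoteDocumentLocation
	compare("notIn", {true}, object.get(input, "noAuthentication", false))
}

# Constructed sample inputs for `opa test`.
test_remote_doc_without_noauth_is_compliant if {
	compliant with input as {"remoteDocumentLocation": "https://example.invalid/csaf/advisory.json"}
	compliant_with_not_in with input as {"remoteDocumentLocation": "https://example.invalid/csaf/advisory.json"}
}

test_remote_doc_noauth_true_is_not_compliant if {
	not compliant with input as {"remoteDocumentLocation": "https://example.invalid/csaf/advisory.json", "noAuthentication": true}
	not compliant_with_not_in with input as {"remoteDocumentLocation": "https://example.invalid/csaf/advisory.json", "noAuthentication": true}
}

test_remote_doc_noauth_false_is_compliant if {
	compliant with input as {"remoteDocumentLocation": "https://example.invalid/csaf/advisory.json", "noAuthentication": false}
	compliant_with_not_in with input as {"remoteDocumentLocation": "https://example.invalid/csaf/advisory.json", "noAuthentication": false}
}
```

Save the file as, for example, `metric_example.rego` and run `opa test -v .` to exercise the three cases; `opa eval -i input.json -d metric_example.rego data.csaf.document_csaf_red_restricted_example.compliant` evaluates a single document. The point the tests make is that the call-site `not` handles "property not present" for free, whereas a dedicated negated operator only does so if the missing value is defaulted before the comparison.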

@anatheka anatheka marked this pull request as ready for review June 24, 2025 08:44
@anatheka anatheka requested a review from immqu June 24, 2025 08:46
id: DocumentCSAFRedRestricted
category: CSAF
description: This rule assesses whether a [SecurityAdvisoryDocument] that provides the property [RemoteDocumentLocation] is access protected by ensuring that the [p1:noAuthentication] property is not utilized.
version: 1.0
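Review bot: `version: 1.0` is an unquoted YAML scalar and loads as the float 1.0, so a future `version: 1.10` would collapse to 1.1 and compare equal to it; write `version: "1.0"` so the field is always a string and version comparisons stay lexical rather than numeric.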

Collaborator

Should be a string

anatheka (Collaborator Author) commented Jan 26, 2026

No, we do not need a string; the Rego file already checks if one of the two labels is available. Furthermore, it is checked if noAuthentication is available, and that is the part which is not checked by the configuration values.

Comment thread metrics/CSAF/DocumentCSAFRedRestricted/DocumentCSAFRedRestricted.yaml Outdated
Comment thread metrics/CSAF/DocumentCSAFRedRestricted/metric.rego Outdated
@anatheka anatheka requested a review from immqu July 9, 2025 08:23
@oxisto oxisto added the CSAF label Sep 24, 2025
Development

Successfully merging this pull request may close these issues: DocumentCSAFRedRestricted

3 participants