Add metric DocumentCSAFRedRestricted #51
| @@ -0,0 +1,9 @@ | |||
| --- # Metadata | |||
| - id: DocumentCSAFRedRestricted | |||
| - description: This rule assesses whether a [SecurityAdvisoryDocument] that provides the property [RemoteDocumentLocation] is access protected by ensuring that the [noAuthentication] property is not utilized. | |||
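Review bot: The `description:` line does not say which documents the rule is scoped to, while the id DocumentCSAFRedRestricted implies it applies only to a red/restricted subset. As written it reads as applying to every [SecurityAdvisoryDocument] that provides [RemoteDocumentLocation]. Suggest naming the restriction condition in the description so the id and the text agree, and readers do not have to open the Rego file to learn the scope.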
There is a reference to p1 missing
I added the reference p1 to the noAuthentication property, but it doesn’t make any difference since the Rego rule does not check against the target value.
Okay, I would just find it more intuitive to reference [noAuthentication] with p1 and then set the p1 targetValue to false ("noAuthentication should not be set")
We have "isIn" as a compare function, so we would need the opposite "not isIn". But we need a new compare function for that, right?
Couldn't we use just the operator
Yes, but we have to keep in mind that there is no dedicated compare function for that, so:
No, you are right. But I would prefer to use the not operator instead of writing new compare functions.
Okay, let's use this solution for now. I think it's not very readable, but it is a rare case anyway.
…ty-Certification-Hub/security-metrics into 50-documentcsafredrestricted
| id: DocumentCSAFRedRestricted | ||
| category: CSAF | ||
| description: This rule assesses whether a [SecurityAdvisoryDocument] that provides the property [RemoteDocumentLocation] is access protected by ensuring that the [p1:noAuthentication] property is not utilized. | ||
| version: 1.0 |
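Review bot: `version: 1.0` is an unquoted YAML scalar, so a loader reads it as the float 1.0 rather than a version string, and a later 1.10 would be indistinguishable from 1.1. Suggest quoting it as `version: "1.0"` unless the metadata schema expects a number here.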
No, we do not need a string; the Rego file already checks if one of the two labels is available. Furthermore, it is checked if noAuthentication is available, and that is the part which is not checked by the configuration values.
…ty-Certification-Hub/security-metrics into 50-documentcsafredrestricted
@immqu I think we should extend the compare function by adding an operator named "isNot" or "notUsed" to verify if a property is not utilized. This enhancement would allow us to write this metric in a more intuitive manner.