))`)
match := firstParagraphRegEx.FindStringSubmatch(text)
@@ -1723,19 +1846,19 @@ func (r *pdfReporter) createAssignmentByFunction(parsedModel *types.Model) {
r.defineLinkTarget("{function-assignment}")
r.currentChapterTitleBreadcrumb = title
- risksBusinessSideFunction := types.RisksOfOnlyBusinessSide(parsedModel, parsedModel.GeneratedRisksByCategory)
- risksArchitectureFunction := types.RisksOfOnlyArchitecture(parsedModel, parsedModel.GeneratedRisksByCategory)
- risksDevelopmentFunction := types.RisksOfOnlyDevelopment(parsedModel, parsedModel.GeneratedRisksByCategory)
- risksOperationFunction := types.RisksOfOnlyOperation(parsedModel, parsedModel.GeneratedRisksByCategory)
+ risksBusinessSideFunction := reduceToFunctionRisk(parsedModel, parsedModel.GeneratedRisksByCategory, types.BusinessSide)
+ risksArchitectureFunction := reduceToFunctionRisk(parsedModel, parsedModel.GeneratedRisksByCategory, types.Architecture)
+ risksDevelopmentFunction := reduceToFunctionRisk(parsedModel, parsedModel.GeneratedRisksByCategory, types.Development)
+ risksOperationFunction := reduceToFunctionRisk(parsedModel, parsedModel.GeneratedRisksByCategory, types.Operations)
- countBusinessSideFunction := types.CountRisks(risksBusinessSideFunction)
- countArchitectureFunction := types.CountRisks(risksArchitectureFunction)
- countDevelopmentFunction := types.CountRisks(risksDevelopmentFunction)
- countOperationFunction := types.CountRisks(risksOperationFunction)
+ countBusinessSideFunction := countRisks(risksBusinessSideFunction)
+ countArchitectureFunction := countRisks(risksArchitectureFunction)
+ countDevelopmentFunction := countRisks(risksDevelopmentFunction)
+ countOperationFunction := countRisks(risksOperationFunction)
var intro strings.Builder
intro.WriteString("This chapter clusters and assigns the risks by functions which are most likely able to " +
"check and mitigate them: " +
- "In total " + strconv.Itoa(types.TotalRiskCount(parsedModel)) + " potential risks have been identified during the threat modeling process " +
+ "In total " + strconv.Itoa(totalRiskCount(parsedModel)) + " potential risks have been identified during the threat modeling process " +
"of which " + strconv.Itoa(countBusinessSideFunction) + " should be checked by " + types.BusinessSide.Title() + ", " +
"" + strconv.Itoa(countArchitectureFunction) + " should be checked by " + types.Architecture.Title() + ", " +
"" + strconv.Itoa(countDevelopmentFunction) + " should be checked by " + types.Development.Title() + ", " +
@@ -1764,15 +1887,15 @@ func (r *pdfReporter) createAssignmentByFunction(parsedModel *types.Model) {
r.pdf.SetTextColor(150, 150, 150)
html.Write(5, "
n/a")
} else {
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyCriticalRisks(parsedModel, risksBusinessSideFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksBusinessSideFunction, true, types.CriticalSeverity)),
types.CriticalSeverity, true, true, false, false)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyHighRisks(parsedModel, risksBusinessSideFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksBusinessSideFunction, true, types.HighSeverity)),
types.HighSeverity, true, true, false, false)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyElevatedRisks(parsedModel, risksBusinessSideFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksBusinessSideFunction, true, types.ElevatedSeverity)),
types.ElevatedSeverity, true, true, false, false)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyMediumRisks(parsedModel, risksBusinessSideFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksBusinessSideFunction, true, types.MediumSeverity)),
types.MediumSeverity, true, true, false, false)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyLowRisks(parsedModel, risksBusinessSideFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksBusinessSideFunction, true, types.LowSeverity)),
types.LowSeverity, true, true, false, false)
}
r.pdf.SetLeftMargin(oldLeft)
@@ -1791,15 +1914,15 @@ func (r *pdfReporter) createAssignmentByFunction(parsedModel *types.Model) {
r.pdf.SetTextColor(150, 150, 150)
html.Write(5, "
n/a")
} else {
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyCriticalRisks(parsedModel, risksArchitectureFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksArchitectureFunction, true, types.CriticalSeverity)),
types.CriticalSeverity, true, true, false, false)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyHighRisks(parsedModel, risksArchitectureFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksArchitectureFunction, true, types.HighSeverity)),
types.HighSeverity, true, true, false, false)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyElevatedRisks(parsedModel, risksArchitectureFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksArchitectureFunction, true, types.ElevatedSeverity)),
types.ElevatedSeverity, true, true, false, false)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyMediumRisks(parsedModel, risksArchitectureFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksArchitectureFunction, true, types.MediumSeverity)),
types.MediumSeverity, true, true, false, false)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyLowRisks(parsedModel, risksArchitectureFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksArchitectureFunction, true, types.LowSeverity)),
types.LowSeverity, true, true, false, false)
}
r.pdf.SetLeftMargin(oldLeft)
@@ -1818,15 +1941,15 @@ func (r *pdfReporter) createAssignmentByFunction(parsedModel *types.Model) {
r.pdf.SetTextColor(150, 150, 150)
html.Write(5, "
n/a")
} else {
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyCriticalRisks(parsedModel, risksDevelopmentFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksDevelopmentFunction, true, types.CriticalSeverity)),
types.CriticalSeverity, true, true, false, false)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyHighRisks(parsedModel, risksDevelopmentFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksDevelopmentFunction, true, types.HighSeverity)),
types.HighSeverity, true, true, false, false)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyElevatedRisks(parsedModel, risksDevelopmentFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksDevelopmentFunction, true, types.ElevatedSeverity)),
types.ElevatedSeverity, true, true, false, false)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyMediumRisks(parsedModel, risksDevelopmentFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksDevelopmentFunction, true, types.MediumSeverity)),
types.MediumSeverity, true, true, false, false)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyLowRisks(parsedModel, risksDevelopmentFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksDevelopmentFunction, true, types.LowSeverity)),
types.LowSeverity, true, true, false, false)
}
r.pdf.SetLeftMargin(oldLeft)
@@ -1845,15 +1968,15 @@ func (r *pdfReporter) createAssignmentByFunction(parsedModel *types.Model) {
r.pdf.SetTextColor(150, 150, 150)
html.Write(5, "
n/a")
} else {
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyCriticalRisks(parsedModel, risksOperationFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksOperationFunction, true, types.CriticalSeverity)),
types.CriticalSeverity, true, true, false, false)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyHighRisks(parsedModel, risksOperationFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksOperationFunction, true, types.HighSeverity)),
types.HighSeverity, true, true, false, false)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyElevatedRisks(parsedModel, risksOperationFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksOperationFunction, true, types.ElevatedSeverity)),
types.ElevatedSeverity, true, true, false, false)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyMediumRisks(parsedModel, risksOperationFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksOperationFunction, true, types.MediumSeverity)),
types.MediumSeverity, true, true, false, false)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyLowRisks(parsedModel, risksOperationFunction, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksOperationFunction, true, types.LowSeverity)),
types.LowSeverity, true, true, false, false)
}
r.pdf.SetLeftMargin(oldLeft)
@@ -1862,6 +1985,19 @@ func (r *pdfReporter) createAssignmentByFunction(parsedModel *types.Model) {
r.pdf.SetDashPattern([]float64{}, 0)
}
+func reduceToFunctionRisk(parsedModel *types.Model, risksByCategory map[string][]*types.Risk, function types.RiskFunction) map[string][]*types.Risk {
+ result := make(map[string][]*types.Risk)
+ for categoryId, risks := range risksByCategory {
+ for _, risk := range risks {
+ category := types.GetRiskCategory(parsedModel, categoryId)
+ if category.Function == function {
+ result[categoryId] = append(result[categoryId], risk)
+ }
+ }
+ }
+ return result
+}
+
func (r *pdfReporter) createSTRIDE(parsedModel *types.Model) {
r.pdf.SetTextColor(0, 0, 0)
title := "STRIDE Classification of Identified Risks"
@@ -1869,22 +2005,22 @@ func (r *pdfReporter) createSTRIDE(parsedModel *types.Model) {
r.defineLinkTarget("{stride}")
r.currentChapterTitleBreadcrumb = title
- risksSTRIDESpoofing := types.RisksOfOnlySTRIDESpoofing(parsedModel, parsedModel.GeneratedRisksByCategory)
- risksSTRIDETampering := types.RisksOfOnlySTRIDETampering(parsedModel, parsedModel.GeneratedRisksByCategory)
- risksSTRIDERepudiation := types.RisksOfOnlySTRIDERepudiation(parsedModel, parsedModel.GeneratedRisksByCategory)
- risksSTRIDEInformationDisclosure := types.RisksOfOnlySTRIDEInformationDisclosure(parsedModel, parsedModel.GeneratedRisksByCategory)
- risksSTRIDEDenialOfService := types.RisksOfOnlySTRIDEDenialOfService(parsedModel, parsedModel.GeneratedRisksByCategory)
- risksSTRIDEElevationOfPrivilege := types.RisksOfOnlySTRIDEElevationOfPrivilege(parsedModel, parsedModel.GeneratedRisksByCategory)
-
- countSTRIDESpoofing := types.CountRisks(risksSTRIDESpoofing)
- countSTRIDETampering := types.CountRisks(risksSTRIDETampering)
- countSTRIDERepudiation := types.CountRisks(risksSTRIDERepudiation)
- countSTRIDEInformationDisclosure := types.CountRisks(risksSTRIDEInformationDisclosure)
- countSTRIDEDenialOfService := types.CountRisks(risksSTRIDEDenialOfService)
- countSTRIDEElevationOfPrivilege := types.CountRisks(risksSTRIDEElevationOfPrivilege)
+ risksSTRIDESpoofing := reduceToSTRIDERisk(parsedModel, parsedModel.GeneratedRisksByCategory, types.Spoofing)
+ risksSTRIDETampering := reduceToSTRIDERisk(parsedModel, parsedModel.GeneratedRisksByCategory, types.Tampering)
+ risksSTRIDERepudiation := reduceToSTRIDERisk(parsedModel, parsedModel.GeneratedRisksByCategory, types.Repudiation)
+ risksSTRIDEInformationDisclosure := reduceToSTRIDERisk(parsedModel, parsedModel.GeneratedRisksByCategory, types.InformationDisclosure)
+ risksSTRIDEDenialOfService := reduceToSTRIDERisk(parsedModel, parsedModel.GeneratedRisksByCategory, types.DenialOfService)
+ risksSTRIDEElevationOfPrivilege := reduceToSTRIDERisk(parsedModel, parsedModel.GeneratedRisksByCategory, types.ElevationOfPrivilege)
+
+ countSTRIDESpoofing := countRisks(risksSTRIDESpoofing)
+ countSTRIDETampering := countRisks(risksSTRIDETampering)
+ countSTRIDERepudiation := countRisks(risksSTRIDERepudiation)
+ countSTRIDEInformationDisclosure := countRisks(risksSTRIDEInformationDisclosure)
+ countSTRIDEDenialOfService := countRisks(risksSTRIDEDenialOfService)
+ countSTRIDEElevationOfPrivilege := countRisks(risksSTRIDEElevationOfPrivilege)
var intro strings.Builder
intro.WriteString("This chapter clusters and classifies the risks by STRIDE categories: " +
- "In total " + strconv.Itoa(types.TotalRiskCount(parsedModel)) + " potential risks have been identified during the threat modeling process " +
+ "In total " + strconv.Itoa(totalRiskCount(parsedModel)) + " potential risks have been identified during the threat modeling process " +
"of which " + strconv.Itoa(countSTRIDESpoofing) + " in the " + types.Spoofing.Title() + " category, " +
"" + strconv.Itoa(countSTRIDETampering) + " in the " + types.Tampering.Title() + " category, " +
"" + strconv.Itoa(countSTRIDERepudiation) + " in the " + types.Repudiation.Title() + " category, " +
@@ -1915,15 +2051,15 @@ func (r *pdfReporter) createSTRIDE(parsedModel *types.Model) {
r.pdf.SetTextColor(150, 150, 150)
html.Write(5, "
n/a")
} else {
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyCriticalRisks(parsedModel, risksSTRIDESpoofing, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDESpoofing, true, types.CriticalSeverity)),
types.CriticalSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyHighRisks(parsedModel, risksSTRIDESpoofing, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDESpoofing, true, types.HighSeverity)),
types.HighSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyElevatedRisks(parsedModel, risksSTRIDESpoofing, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDESpoofing, true, types.ElevatedSeverity)),
types.ElevatedSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyMediumRisks(parsedModel, risksSTRIDESpoofing, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDESpoofing, true, types.MediumSeverity)),
types.MediumSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyLowRisks(parsedModel, risksSTRIDESpoofing, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDESpoofing, true, types.LowSeverity)),
types.LowSeverity, true, true, false, true)
}
r.pdf.SetLeftMargin(oldLeft)
@@ -1942,15 +2078,15 @@ func (r *pdfReporter) createSTRIDE(parsedModel *types.Model) {
r.pdf.SetTextColor(150, 150, 150)
html.Write(5, "
n/a")
} else {
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyCriticalRisks(parsedModel, risksSTRIDETampering, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDETampering, true, types.CriticalSeverity)),
types.CriticalSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyHighRisks(parsedModel, risksSTRIDETampering, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDETampering, true, types.HighSeverity)),
types.HighSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyElevatedRisks(parsedModel, risksSTRIDETampering, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDETampering, true, types.ElevatedSeverity)),
types.ElevatedSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyMediumRisks(parsedModel, risksSTRIDETampering, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDETampering, true, types.MediumSeverity)),
types.MediumSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyLowRisks(parsedModel, risksSTRIDETampering, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDETampering, true, types.LowSeverity)),
types.LowSeverity, true, true, false, true)
}
r.pdf.SetLeftMargin(oldLeft)
@@ -1969,15 +2105,15 @@ func (r *pdfReporter) createSTRIDE(parsedModel *types.Model) {
r.pdf.SetTextColor(150, 150, 150)
html.Write(5, "
n/a")
} else {
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyCriticalRisks(parsedModel, risksSTRIDERepudiation, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDERepudiation, true, types.CriticalSeverity)),
types.CriticalSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyHighRisks(parsedModel, risksSTRIDERepudiation, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDERepudiation, true, types.HighSeverity)),
types.HighSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyElevatedRisks(parsedModel, risksSTRIDERepudiation, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDERepudiation, true, types.ElevatedSeverity)),
types.ElevatedSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyMediumRisks(parsedModel, risksSTRIDERepudiation, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDERepudiation, true, types.MediumSeverity)),
types.MediumSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyLowRisks(parsedModel, risksSTRIDERepudiation, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDERepudiation, true, types.LowSeverity)),
types.LowSeverity, true, true, false, true)
}
r.pdf.SetLeftMargin(oldLeft)
@@ -1996,15 +2132,15 @@ func (r *pdfReporter) createSTRIDE(parsedModel *types.Model) {
r.pdf.SetTextColor(150, 150, 150)
html.Write(5, "
n/a")
} else {
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyCriticalRisks(parsedModel, risksSTRIDEInformationDisclosure, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDEInformationDisclosure, true, types.CriticalSeverity)),
types.CriticalSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyHighRisks(parsedModel, risksSTRIDEInformationDisclosure, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDEInformationDisclosure, true, types.HighSeverity)),
types.HighSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyElevatedRisks(parsedModel, risksSTRIDEInformationDisclosure, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDEInformationDisclosure, true, types.ElevatedSeverity)),
types.ElevatedSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyMediumRisks(parsedModel, risksSTRIDEInformationDisclosure, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDEInformationDisclosure, true, types.MediumSeverity)),
types.MediumSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyLowRisks(parsedModel, risksSTRIDEInformationDisclosure, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDEInformationDisclosure, true, types.LowSeverity)),
types.LowSeverity, true, true, false, true)
}
r.pdf.SetLeftMargin(oldLeft)
@@ -2023,15 +2159,15 @@ func (r *pdfReporter) createSTRIDE(parsedModel *types.Model) {
r.pdf.SetTextColor(150, 150, 150)
html.Write(5, "
n/a")
} else {
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyCriticalRisks(parsedModel, risksSTRIDEDenialOfService, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDEDenialOfService, true, types.CriticalSeverity)),
types.CriticalSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyHighRisks(parsedModel, risksSTRIDEDenialOfService, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDEDenialOfService, true, types.HighSeverity)),
types.HighSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyElevatedRisks(parsedModel, risksSTRIDEDenialOfService, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDEDenialOfService, true, types.ElevatedSeverity)),
types.ElevatedSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyMediumRisks(parsedModel, risksSTRIDEDenialOfService, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDEDenialOfService, true, types.MediumSeverity)),
types.MediumSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyLowRisks(parsedModel, risksSTRIDEDenialOfService, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDEDenialOfService, true, types.LowSeverity)),
types.LowSeverity, true, true, false, true)
}
r.pdf.SetLeftMargin(oldLeft)
@@ -2050,15 +2186,15 @@ func (r *pdfReporter) createSTRIDE(parsedModel *types.Model) {
r.pdf.SetTextColor(150, 150, 150)
html.Write(5, "
n/a")
} else {
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyCriticalRisks(parsedModel, risksSTRIDEElevationOfPrivilege, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDEElevationOfPrivilege, true, types.CriticalSeverity)),
types.CriticalSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyHighRisks(parsedModel, risksSTRIDEElevationOfPrivilege, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDEElevationOfPrivilege, true, types.HighSeverity)),
types.HighSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyElevatedRisks(parsedModel, risksSTRIDEElevationOfPrivilege, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDEElevationOfPrivilege, true, types.ElevatedSeverity)),
types.ElevatedSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyMediumRisks(parsedModel, risksSTRIDEElevationOfPrivilege, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDEElevationOfPrivilege, true, types.MediumSeverity)),
types.MediumSeverity, true, true, false, true)
- r.addCategories(parsedModel, types.GetRiskCategories(parsedModel, types.CategoriesOfOnlyLowRisks(parsedModel, risksSTRIDEElevationOfPrivilege, true)),
+ r.addCategories(parsedModel, getRiskCategories(parsedModel, reduceToSeverityRisk(risksSTRIDEElevationOfPrivilege, true, types.LowSeverity)),
types.LowSeverity, true, true, false, true)
}
r.pdf.SetLeftMargin(oldLeft)
@@ -2067,6 +2203,82 @@ func (r *pdfReporter) createSTRIDE(parsedModel *types.Model) {
r.pdf.SetDashPattern([]float64{}, 0)
}
+func countRisks(risksByCategory map[string][]*types.Risk) int {
+ result := 0
+ for _, risks := range risksByCategory {
+ result += len(risks)
+ }
+ return result
+}
+
+func getRiskCategories(parsedModel *types.Model, categoryIDs []string) []*types.RiskCategory {
+ categoryMap := make(map[string]*types.RiskCategory)
+ for _, categoryId := range categoryIDs {
+ category := types.GetRiskCategory(parsedModel, categoryId)
+ if category != nil {
+ categoryMap[categoryId] = category
+ }
+ }
+
+ categories := make([]*types.RiskCategory, 0)
+ for categoryId := range categoryMap {
+ categories = append(categories, categoryMap[categoryId])
+ }
+
+ return categories
+}
+
+func reduceToSeverityRisk(risksByCategory map[string][]*types.Risk, initialRisks bool, severity types.RiskSeverity) []string {
+ categories := make(map[string]struct{}) // Go's trick of unique elements is a map
+ for categoryId, risks := range risksByCategory {
+ for _, risk := range risks {
+ if !initialRisks && !risk.RiskStatus.IsStillAtRisk() {
+ continue
+ }
+ if risk.Severity == severity {
+ categories[categoryId] = struct{}{}
+ }
+ }
+ }
+ // return as slice (of now unique values)
+ return keysAsSlice(categories)
+}
+
+func reduceToOnlyStillAtRisk(risksByCategory map[string][]*types.Risk) []string {
+ categories := make(map[string]struct{}) // Go's trick of unique elements is a map
+ for categoryId, risks := range risksByCategory {
+ for _, risk := range risks {
+ if !risk.RiskStatus.IsStillAtRisk() {
+ continue
+ }
+ categories[categoryId] = struct{}{}
+ }
+ }
+ // return as slice (of now unique values)
+ return keysAsSlice(categories)
+}
+
+func keysAsSlice(categories map[string]struct{}) []string {
+ result := make([]string, 0, len(categories))
+ for k := range categories {
+ result = append(result, k)
+ }
+ return result
+}
+
+func reduceToSTRIDERisk(parsedModel *types.Model, risksByCategory map[string][]*types.Risk, stride types.STRIDE) map[string][]*types.Risk {
+ result := make(map[string][]*types.Risk)
+ for categoryId, risks := range risksByCategory {
+ for _, risk := range risks {
+ category := types.GetRiskCategory(parsedModel, categoryId)
+ if category != nil && category.STRIDE == stride {
+ result[categoryId] = append(result[categoryId], risk)
+ }
+ }
+ }
+ return result
+}
+
func (r *pdfReporter) createSecurityRequirements(parsedModel *types.Model) {
uni := r.pdf.UnicodeTranslatorFromDescriptor("")
r.pdf.SetTextColor(0, 0, 0)
@@ -2300,13 +2512,13 @@ func (r *pdfReporter) createRiskCategories(parsedModel *types.Model) {
r.defineLinkTarget("{intro-risks-by-vulnerability-category}")
html := r.pdf.HTMLBasicNew()
var text strings.Builder
- text.WriteString("In total " + strconv.Itoa(types.TotalRiskCount(parsedModel)) + " potential risks have been identified during the threat modeling process " +
+ text.WriteString("In total " + strconv.Itoa(totalRiskCount(parsedModel)) + " potential risks have been identified during the threat modeling process " +
"of which " +
- "" + strconv.Itoa(len(types.FilteredByOnlyCriticalRisks(parsedModel))) + " are rated as critical, " +
- "" + strconv.Itoa(len(types.FilteredByOnlyHighRisks(parsedModel))) + " as high, " +
- "" + strconv.Itoa(len(types.FilteredByOnlyElevatedRisks(parsedModel))) + " as elevated, " +
- "" + strconv.Itoa(len(types.FilteredByOnlyMediumRisks(parsedModel))) + " as medium, " +
- "and " + strconv.Itoa(len(types.FilteredByOnlyLowRisks(parsedModel))) + " as low. " +
+ "" + strconv.Itoa(len(filteredBySeverity(parsedModel, types.CriticalSeverity))) + " are rated as critical, " +
+ "" + strconv.Itoa(len(filteredBySeverity(parsedModel, types.HighSeverity))) + " as high, " +
+ "" + strconv.Itoa(len(filteredBySeverity(parsedModel, types.ElevatedSeverity))) + " as elevated, " +
+ "" + strconv.Itoa(len(filteredBySeverity(parsedModel, types.MediumSeverity))) + " as medium, " +
+ "and " + strconv.Itoa(len(filteredBySeverity(parsedModel, types.LowSeverity))) + " as low. " +
"
These risks are distributed across " + strconv.Itoa(len(parsedModel.GeneratedRisksByCategory)) + " vulnerability categories. ")
text.WriteString("The following sub-chapters of this section describe each identified risk category.") // TODO more explanation text
html.Write(5, text.String())
@@ -2330,12 +2542,12 @@ func (r *pdfReporter) createRiskCategories(parsedModel *types.Model) {
default:
r.pdfColorBlack()
}
- if len(types.ReduceToOnlyStillAtRisk(parsedModel, risksStr)) == 0 {
+ if len(types.ReduceToOnlyStillAtRisk(risksStr)) == 0 {
r.pdfColorBlack()
}
// category title
- countStillAtRisk := len(types.ReduceToOnlyStillAtRisk(parsedModel, risksStr))
+ countStillAtRisk := len(types.ReduceToOnlyStillAtRisk(risksStr))
suffix := strconv.Itoa(countStillAtRisk) + " / " + strconv.Itoa(len(risksStr)) + " Risk"
if len(risksStr) != 1 {
suffix += "s"
@@ -2567,13 +2779,13 @@ func (r *pdfReporter) createTechnicalAssets(parsedModel *types.Model) {
r.defineLinkTarget("{intro-risks-by-technical-asset}")
html := r.pdf.HTMLBasicNew()
var text strings.Builder
- text.WriteString("In total " + strconv.Itoa(types.TotalRiskCount(parsedModel)) + " potential risks have been identified during the threat modeling process " +
+ text.WriteString("In total " + strconv.Itoa(totalRiskCount(parsedModel)) + " potential risks have been identified during the threat modeling process " +
"of which " +
- "" + strconv.Itoa(len(types.FilteredByOnlyCriticalRisks(parsedModel))) + " are rated as critical, " +
- "" + strconv.Itoa(len(types.FilteredByOnlyHighRisks(parsedModel))) + " as high, " +
- "" + strconv.Itoa(len(types.FilteredByOnlyElevatedRisks(parsedModel))) + " as elevated, " +
- "" + strconv.Itoa(len(types.FilteredByOnlyMediumRisks(parsedModel))) + " as medium, " +
- "and " + strconv.Itoa(len(types.FilteredByOnlyLowRisks(parsedModel))) + " as low. " +
+ "" + strconv.Itoa(len(filteredBySeverity(parsedModel, types.CriticalSeverity))) + " are rated as critical, " +
+ "" + strconv.Itoa(len(filteredBySeverity(parsedModel, types.HighSeverity))) + " as high, " +
+ "" + strconv.Itoa(len(filteredBySeverity(parsedModel, types.ElevatedSeverity))) + " as elevated, " +
+ "" + strconv.Itoa(len(filteredBySeverity(parsedModel, types.MediumSeverity))) + " as medium, " +
+ "and " + strconv.Itoa(len(filteredBySeverity(parsedModel, types.LowSeverity))) + " as low. " +
"
These risks are distributed across " + strconv.Itoa(len(parsedModel.InScopeTechnicalAssets())) + " in-scope technical assets. ")
text.WriteString("The following sub-chapters of this section describe each identified risk grouped by technical asset. ") // TODO more explanation text
text.WriteString("The RAA value of a technical asset is the calculated \"Relative Attacker Attractiveness\" value in percent.")
@@ -2582,7 +2794,7 @@ func (r *pdfReporter) createTechnicalAssets(parsedModel *types.Model) {
r.currentChapterTitleBreadcrumb = title
for _, technicalAsset := range sortedTechnicalAssetsByRiskSeverityAndTitle(parsedModel) {
risksStr := technicalAsset.GeneratedRisks(parsedModel)
- countStillAtRisk := len(types.ReduceToOnlyStillAtRisk(parsedModel, risksStr))
+ countStillAtRisk := len(types.ReduceToOnlyStillAtRisk(risksStr))
suffix := strconv.Itoa(countStillAtRisk) + " / " + strconv.Itoa(len(risksStr)) + " Risk"
if len(risksStr) != 1 {
suffix += "s"
@@ -2605,7 +2817,7 @@ func (r *pdfReporter) createTechnicalAssets(parsedModel *types.Model) {
default:
r.pdfColorBlack()
}
- if len(types.ReduceToOnlyStillAtRisk(parsedModel, risksStr)) == 0 {
+ if len(types.ReduceToOnlyStillAtRisk(risksStr)) == 0 {
r.pdfColorBlack()
}
}
@@ -3370,6 +3582,18 @@ func (r *pdfReporter) createTechnicalAssets(parsedModel *types.Model) {
}
}
+func filteredBySeverity(parsedModel *types.Model, severity types.RiskSeverity) []*types.Risk {
+ filteredRisks := make([]*types.Risk, 0)
+ for _, risks := range parsedModel.GeneratedRisksByCategory {
+ for _, risk := range risks {
+ if risk.Severity == severity {
+ filteredRisks = append(filteredRisks, risk)
+ }
+ }
+ }
+ return filteredRisks
+}
+
func (r *pdfReporter) createDataAssets(parsedModel *types.Model) {
uni := r.pdf.UnicodeTranslatorFromDescriptor("")
title := "Identified Data Breach Probabilities by Data Asset"
@@ -3377,13 +3601,13 @@ func (r *pdfReporter) createDataAssets(parsedModel *types.Model) {
r.addHeadline(title, false)
r.defineLinkTarget("{intro-risks-by-data-asset}")
html := r.pdf.HTMLBasicNew()
- html.Write(5, "In total "+strconv.Itoa(types.TotalRiskCount(parsedModel))+" potential risks have been identified during the threat modeling process "+
+ html.Write(5, "In total "+strconv.Itoa(totalRiskCount(parsedModel))+" potential risks have been identified during the threat modeling process "+
"of which "+
- ""+strconv.Itoa(len(types.FilteredByOnlyCriticalRisks(parsedModel)))+" are rated as critical, "+
- ""+strconv.Itoa(len(types.FilteredByOnlyHighRisks(parsedModel)))+" as high, "+
- ""+strconv.Itoa(len(types.FilteredByOnlyElevatedRisks(parsedModel)))+" as elevated, "+
- ""+strconv.Itoa(len(types.FilteredByOnlyMediumRisks(parsedModel)))+" as medium, "+
- "and "+strconv.Itoa(len(types.FilteredByOnlyLowRisks(parsedModel)))+" as low. "+
+ ""+strconv.Itoa(len(filteredBySeverity(parsedModel, types.CriticalSeverity)))+" are rated as critical, "+
+ ""+strconv.Itoa(len(filteredBySeverity(parsedModel, types.HighSeverity)))+" as high, "+
+ ""+strconv.Itoa(len(filteredBySeverity(parsedModel, types.ElevatedSeverity)))+" as elevated, "+
+ ""+strconv.Itoa(len(filteredBySeverity(parsedModel, types.MediumSeverity)))+" as medium, "+
+ "and "+strconv.Itoa(len(filteredBySeverity(parsedModel, types.LowSeverity)))+" as low. "+
"
These risks are distributed across "+strconv.Itoa(len(parsedModel.DataAssets))+" data assets. ")
html.Write(5, "The following sub-chapters of this section describe the derived data breach probabilities grouped by data asset.
") // TODO more explanation text
r.pdf.SetFont("Helvetica", "", fontSizeSmall)
@@ -3399,7 +3623,7 @@ func (r *pdfReporter) createDataAssets(parsedModel *types.Model) {
html.Write(5, "
")
}
r.pdfColorBlack()
- switch dataAsset.IdentifiedDataBreachProbabilityStillAtRisk(parsedModel) {
+ switch identifiedDataBreachProbabilityStillAtRisk(parsedModel, dataAsset) {
case types.Probable:
colorHighRisk(r.pdf)
case types.Possible:
@@ -3409,11 +3633,11 @@ func (r *pdfReporter) createDataAssets(parsedModel *types.Model) {
default:
r.pdfColorBlack()
}
- if !dataAsset.IsDataBreachPotentialStillAtRisk(parsedModel) {
+ if !isDataBreachPotentialStillAtRisk(parsedModel, dataAsset) {
r.pdfColorBlack()
}
risksStr := dataAsset.IdentifiedDataBreachProbabilityRisks(parsedModel)
- countStillAtRisk := len(types.ReduceToOnlyStillAtRisk(parsedModel, risksStr))
+ countStillAtRisk := len(types.ReduceToOnlyStillAtRisk(risksStr))
suffix := strconv.Itoa(countStillAtRisk) + " / " + strconv.Itoa(len(risksStr)) + " Risk"
if len(risksStr) != 1 {
suffix += "s"
@@ -3426,35 +3650,6 @@ func (r *pdfReporter) createDataAssets(parsedModel *types.Model) {
html.Write(5, "
")
r.pdf.SetFont("Helvetica", "", fontSizeBody)
- /*
- r.pdfColorGray()
- r.pdf.CellFormat(5, 6, "", "0", 0, "", false, 0, "")
- r.pdf.CellFormat(40, 6, "Indirect Breach:", "0", 0, "", false, 0, "")
- r.pdfColorBlack()
- r.pdf.SetFont("Helvetica", "B", fontSizeBody)
- probability := dataAsset.IdentifiedDataBreachProbability()
- dataBreachText := probability.String()
- switch probability {
- case model.Probable:
- colorHighRisk(r.pdf)
- case model.Possible:
- colorMediumRisk(r.pdf)
- case model.Improbable:
- colorLowRisk(r.pdf)
- default:
- r.pdfColorBlack()
- }
- if !dataAsset.IsDataBreachPotentialStillAtRisk() {
- r.pdfColorBlack()
- dataBreachText = "none"
- }
- r.pdf.MultiCell(145, 6, dataBreachText, "0", "0", false)
- r.pdf.SetFont("Helvetica", "", fontSizeBody)
- if r.pdf.GetY() > 265 {
- r.pageBreak()
- r.pdf.SetY(36)
- }
- */
r.pdfColorGray()
r.pdf.CellFormat(5, 6, "", "0", 0, "", false, 0, "")
r.pdf.CellFormat(40, 6, "ID:", "0", 0, "", false, 0, "")
@@ -3651,73 +3846,12 @@ func (r *pdfReporter) createDataAssets(parsedModel *types.Model) {
}
r.pdf.MultiCell(145, 6, uni(receivedViaText), "0", "0", false)
- /*
- // where is this data asset at risk (i.e. why)
- risksByTechAssetId := dataAsset.IdentifiedRisksByResponsibleTechnicalAssetId()
- techAssetsResponsible := make([]model.TechnicalAsset, 0)
- for techAssetId, _ := range risksByTechAssetId {
- techAssetsResponsible = append(techAssetsResponsible, parsedModel.TechnicalAssets[techAssetId])
- }
- sort.Sort(model.ByTechnicalAssetRiskSeverityAndTitleSortStillAtRisk(techAssetsResponsible))
- assetStr := "assets"
- if len(techAssetsResponsible) == 1 {
- assetStr = "asset"
- }
- if r.pdf.GetY() > 265 {
- r.pageBreak()
- r.pdf.SetY(36)
- }
- r.pdfColorGray()
- r.pdf.CellFormat(5, 6, "", "0", 0, "", false, 0, "")
- r.pdf.CellFormat(40, 6, "Risk via:", "0", 0, "", false, 0, "")
- if len(techAssetsResponsible) == 0 {
- r.pdfColorGray()
- r.pdf.MultiCell(145, 6, "This data asset is not directly at risk via any technical asset.", "0", "0", false)
- } else {
- r.pdfColorBlack()
- r.pdf.MultiCell(145, 6, "This data asset is at direct risk via "+strconv.Itoa(len(techAssetsResponsible))+" technical "+assetStr+":", "0", "0", false)
- for _, techAssetResponsible := range techAssetsResponsible {
- if r.pdf.GetY() > 265 {
- r.pageBreak()
- r.pdf.SetY(36)
- }
- switch model.HighestSeverityStillAtRisk(techAssetResponsible.GeneratedRisks()) {
- case model.High:
- colorHighRisk(r.pdf)
- case model.Medium:
- colorMediumRisk(r.pdf)
- case model.Low:
- colorLowRisk(r.pdf)
- default:
- r.pdfColorBlack()
- }
- risksStr := techAssetResponsible.GeneratedRisks()
- if len(model.ReduceToOnlyStillAtRisk(risksStr)) == 0 {
- r.pdfColorBlack()
- }
- riskStr := "risksStr"
- if len(risksStr) == 1 {
- riskStr = "risk"
- }
- r.pdf.CellFormat(10, 6, "", "0", 0, "", false, 0, "")
- posY := r.pdf.GetY()
- risksResponsible := techAssetResponsible.GeneratedRisks()
- risksResponsibleStillAtRisk := model.ReduceToOnlyStillAtRisk(risksResponsible)
- r.pdf.SetFont("Helvetica", "", fontSizeSmall)
- r.pdf.MultiCell(185, 6, uni(techAssetResponsible.Title)+": "+strconv.Itoa(len(risksResponsibleStillAtRisk))+" / "+strconv.Itoa(len(risksResponsible))+" "+riskStr, "0", "0", false)
- r.pdf.SetFont("Helvetica", "", fontSizeBody)
- r.pdf.Link(20, posY, 180, r.pdf.GetY()-posY, tocLinkIdByAssetId[techAssetResponsible.ID])
- }
- r.pdfColorBlack()
- }
- */
-
r.pdfColorGray()
r.pdf.CellFormat(5, 6, "", "0", 0, "", false, 0, "")
r.pdf.CellFormat(40, 6, "Data Breach:", "0", 0, "", false, 0, "")
r.pdfColorBlack()
r.pdf.SetFont("Helvetica", "B", fontSizeBody)
- dataBreachProbability := dataAsset.IdentifiedDataBreachProbabilityStillAtRisk(parsedModel)
+ dataBreachProbability := identifiedDataBreachProbabilityStillAtRisk(parsedModel, dataAsset)
riskText := dataBreachProbability.String()
switch dataBreachProbability {
case types.Probable:
@@ -3729,7 +3863,7 @@ func (r *pdfReporter) createDataAssets(parsedModel *types.Model) {
default:
r.pdfColorBlack()
}
- if !dataAsset.IsDataBreachPotentialStillAtRisk(parsedModel) {
+ if !isDataBreachPotentialStillAtRisk(parsedModel, dataAsset) {
r.pdfColorBlack()
riskText = "none"
}
@@ -3741,8 +3875,8 @@ func (r *pdfReporter) createDataAssets(parsedModel *types.Model) {
}
// how can is this data asset be indirectly lost (i.e. why)
- dataBreachRisksStillAtRisk := dataAsset.IdentifiedDataBreachProbabilityRisksStillAtRisk(parsedModel)
- types.SortByDataBreachProbability(dataBreachRisksStillAtRisk, parsedModel)
+ dataBreachRisksStillAtRisk := identifiedDataBreachProbabilityRisksStillAtRisk(parsedModel, dataAsset)
+ sortByDataBreachProbability(dataBreachRisksStillAtRisk, parsedModel)
if r.pdf.GetY() > 265 {
r.pageBreak()
r.pdf.SetY(36)
@@ -3791,6 +3925,81 @@ func (r *pdfReporter) createDataAssets(parsedModel *types.Model) {
}
}
+func sortByDataBreachProbability(risks []*types.Risk, parsedModel *types.Model) {
+ sort.Slice(risks, func(i, j int) bool {
+
+ if risks[i].DataBreachProbability == risks[j].DataBreachProbability {
+ trackingStatusLeft := risks[i].RiskStatus
+ trackingStatusRight := risks[j].RiskStatus
+ if trackingStatusLeft == trackingStatusRight {
+ return risks[i].Title < risks[j].Title
+ } else {
+ return trackingStatusLeft < trackingStatusRight
+ }
+ }
+ return risks[i].DataBreachProbability > risks[j].DataBreachProbability
+ })
+}
+
+func identifiedDataBreachProbabilityRisksStillAtRisk(parsedModel *types.Model, dataAsset *types.DataAsset) []*types.Risk {
+ result := make([]*types.Risk, 0)
+ for _, risk := range filteredByStillAtRisk(parsedModel) {
+ for _, techAsset := range risk.DataBreachTechnicalAssetIDs {
+ if contains(parsedModel.TechnicalAssets[techAsset].DataAssetsProcessed, dataAsset.Id) {
+ result = append(result, risk)
+ break
+ }
+ }
+ }
+ return result
+}
+
+func identifiedDataBreachProbabilityStillAtRisk(parsedModel *types.Model, dataAsset *types.DataAsset) types.DataBreachProbability {
+ highestProbability := types.Improbable
+ for _, risk := range filteredByStillAtRisk(parsedModel) {
+ for _, techAsset := range risk.DataBreachTechnicalAssetIDs {
+ if contains(parsedModel.TechnicalAssets[techAsset].DataAssetsProcessed, dataAsset.Id) {
+ if risk.DataBreachProbability > highestProbability {
+ highestProbability = risk.DataBreachProbability
+ break
+ }
+ }
+ }
+ }
+ return highestProbability
+}
+
+func isDataBreachPotentialStillAtRisk(parsedModel *types.Model, dataAsset *types.DataAsset) bool {
+ for _, risk := range filteredByStillAtRisk(parsedModel) {
+ for _, techAsset := range risk.DataBreachTechnicalAssetIDs {
+ if contains(parsedModel.TechnicalAssets[techAsset].DataAssetsProcessed, dataAsset.Id) {
+ return true
+ }
+ }
+ }
+ return false
+}
+
+func filteredByStillAtRisk(parsedModel *types.Model) []*types.Risk {
+ filteredRisks := make([]*types.Risk, 0)
+ for _, risks := range parsedModel.GeneratedRisksByCategory {
+ for _, risk := range risks {
+ if risk.RiskStatus.IsStillAtRisk() {
+ filteredRisks = append(filteredRisks, risk)
+ }
+ }
+ }
+ return filteredRisks
+}
+
+func totalRiskCount(parsedModel *types.Model) int {
+ count := 0
+ for _, risks := range parsedModel.GeneratedRisksByCategory {
+ count += len(risks)
+ }
+ return count
+}
+
func (r *pdfReporter) createTrustBoundaries(parsedModel *types.Model) {
uni := r.pdf.UnicodeTranslatorFromDescriptor("")
title := "Trust Boundaries"
diff --git a/pkg/security/types/data_asset.go b/pkg/security/types/data_asset.go
index 399276bc..e05fa32a 100644
--- a/pkg/security/types/data_asset.go
+++ b/pkg/security/types/data_asset.go
@@ -31,37 +31,6 @@ func (what DataAsset) IsTaggedWithBaseTag(baseTag string) bool {
return IsTaggedWithBaseTag(what.Tags, baseTag)
}
-func (what DataAsset) IdentifiedRisksByResponsibleTechnicalAssetId(model *Model) map[string][]*Risk {
- uniqueTechAssetIDsResponsibleForThisDataAsset := make(map[string]interface{})
- for _, techAsset := range what.ProcessedByTechnicalAssetsSorted(model) {
- if len(techAsset.GeneratedRisks(model)) > 0 {
- uniqueTechAssetIDsResponsibleForThisDataAsset[techAsset.Id] = true
- }
- }
- for _, techAsset := range what.StoredByTechnicalAssetsSorted(model) {
- if len(techAsset.GeneratedRisks(model)) > 0 {
- uniqueTechAssetIDsResponsibleForThisDataAsset[techAsset.Id] = true
- }
- }
-
- result := make(map[string][]*Risk)
- for techAssetId := range uniqueTechAssetIDsResponsibleForThisDataAsset {
- result[techAssetId] = append(result[techAssetId], model.TechnicalAssets[techAssetId].GeneratedRisks(model)...)
- }
- return result
-}
-
-func (what DataAsset) IsDataBreachPotentialStillAtRisk(parsedModel *Model) bool {
- for _, risk := range FilteredByStillAtRisk(parsedModel) {
- for _, techAsset := range risk.DataBreachTechnicalAssetIDs {
- if contains(parsedModel.TechnicalAssets[techAsset].DataAssetsProcessed, what.Id) {
- return true
- }
- }
- }
- return false
-}
-
func (what DataAsset) IdentifiedDataBreachProbability(parsedModel *Model) DataBreachProbability {
highestProbability := Improbable
for _, risk := range AllRisks(parsedModel) {
@@ -77,34 +46,6 @@ func (what DataAsset) IdentifiedDataBreachProbability(parsedModel *Model) DataBr
return highestProbability
}
-func (what DataAsset) IdentifiedDataBreachProbabilityStillAtRisk(parsedModel *Model) DataBreachProbability {
- highestProbability := Improbable
- for _, risk := range FilteredByStillAtRisk(parsedModel) {
- for _, techAsset := range risk.DataBreachTechnicalAssetIDs {
- if contains(parsedModel.TechnicalAssets[techAsset].DataAssetsProcessed, what.Id) {
- if risk.DataBreachProbability > highestProbability {
- highestProbability = risk.DataBreachProbability
- break
- }
- }
- }
- }
- return highestProbability
-}
-
-func (what DataAsset) IdentifiedDataBreachProbabilityRisksStillAtRisk(parsedModel *Model) []*Risk {
- result := make([]*Risk, 0)
- for _, risk := range FilteredByStillAtRisk(parsedModel) {
- for _, techAsset := range risk.DataBreachTechnicalAssetIDs {
- if contains(parsedModel.TechnicalAssets[techAsset].DataAssetsProcessed, what.Id) {
- result = append(result, risk)
- break
- }
- }
- }
- return result
-}
-
func (what DataAsset) IdentifiedDataBreachProbabilityRisks(parsedModel *Model) []*Risk {
result := make([]*Risk, 0)
for _, risk := range AllRisks(parsedModel) {
@@ -174,36 +115,6 @@ func (what DataAsset) ReceivedViaCommLinksSorted(parsedModel *Model) []*Communic
return result
}
-func SortByDataAssetDataBreachProbabilityAndTitle(parsedModel *Model, assets []*DataAsset) {
- sort.Slice(assets, func(i, j int) bool {
- highestDataBreachProbabilityLeft := assets[i].IdentifiedDataBreachProbability(parsedModel)
- highestDataBreachProbabilityRight := assets[j].IdentifiedDataBreachProbability(parsedModel)
- if highestDataBreachProbabilityLeft == highestDataBreachProbabilityRight {
- return assets[i].Title < assets[j].Title
- }
- return highestDataBreachProbabilityLeft > highestDataBreachProbabilityRight
- })
-}
-
-func SortByDataAssetDataBreachProbabilityAndTitleStillAtRisk(parsedModel *Model, assets []*DataAsset) {
- sort.Slice(assets, func(i, j int) bool {
- risksLeft := assets[i].IdentifiedDataBreachProbabilityRisksStillAtRisk(parsedModel)
- risksRight := assets[j].IdentifiedDataBreachProbabilityRisksStillAtRisk(parsedModel)
- highestDataBreachProbabilityLeft := assets[i].IdentifiedDataBreachProbabilityStillAtRisk(parsedModel)
- highestDataBreachProbabilityRight := assets[j].IdentifiedDataBreachProbabilityStillAtRisk(parsedModel)
- if highestDataBreachProbabilityLeft == highestDataBreachProbabilityRight {
- if len(risksLeft) == 0 && len(risksRight) > 0 {
- return false
- }
- if len(risksLeft) > 0 && len(risksRight) == 0 {
- return true
- }
- return assets[i].Title < assets[j].Title
- }
- return highestDataBreachProbabilityLeft > highestDataBreachProbabilityRight
- })
-}
-
type ByDataAssetTitleSort []*DataAsset
func (what ByDataAssetTitleSort) Len() int { return len(what) }
diff --git a/pkg/security/types/risks.go b/pkg/security/types/risks.go
index 39d1b5ca..7349d763 100644
--- a/pkg/security/types/risks.go
+++ b/pkg/security/types/risks.go
@@ -29,23 +29,6 @@ func GetRiskCategory(parsedModel *Model, categoryID string) *RiskCategory {
return nil
}
-func GetRiskCategories(parsedModel *Model, categoryIDs []string) []*RiskCategory {
- categoryMap := make(map[string]*RiskCategory)
- for _, categoryId := range categoryIDs {
- category := GetRiskCategory(parsedModel, categoryId)
- if category != nil {
- categoryMap[categoryId] = category
- }
- }
-
- categories := make([]*RiskCategory, 0)
- for categoryId := range categoryMap {
- categories = append(categories, categoryMap[categoryId])
- }
-
- return categories
-}
-
func AllRisks(parsedModel *Model) []*Risk {
result := make([]*Risk, 0)
for _, risks := range parsedModel.GeneratedRisksByCategory {
@@ -54,7 +37,7 @@ func AllRisks(parsedModel *Model) []*Risk {
return result
}
-func ReduceToOnlyStillAtRisk(parsedModel *Model, risks []*Risk) []*Risk {
+func ReduceToOnlyStillAtRisk(risks []*Risk) []*Risk {
filteredRisks := make([]*Risk, 0)
for _, risk := range risks {
if risk.RiskStatus.IsStillAtRisk() {
@@ -64,26 +47,6 @@ func ReduceToOnlyStillAtRisk(parsedModel *Model, risks []*Risk) []*Risk {
return filteredRisks
}
-func HighestExploitationLikelihood(risks []*Risk) RiskExploitationLikelihood {
- result := Unlikely
- for _, risk := range risks {
- if risk.ExploitationLikelihood > result {
- result = risk.ExploitationLikelihood
- }
- }
- return result
-}
-
-func HighestExploitationImpact(risks []*Risk) RiskExploitationImpact {
- result := LowImpact
- for _, risk := range risks {
- if risk.ExploitationImpact > result {
- result = risk.ExploitationImpact
- }
- }
- return result
-}
-
func HighestSeverityStillAtRisk(model *Model, risks []*Risk) RiskSeverity {
result := LowSeverity
for _, risk := range risks {
@@ -106,8 +69,8 @@ func (what ByRiskCategoryTitleSort) Less(i, j int) bool {
func SortByRiskCategoryHighestContainingRiskSeveritySortStillAtRisk(parsedModel *Model, riskCategories []*RiskCategory) {
sort.Slice(riskCategories, func(i, j int) bool {
- risksLeft := ReduceToOnlyStillAtRisk(parsedModel, parsedModel.GeneratedRisksByCategory[riskCategories[i].ID])
- risksRight := ReduceToOnlyStillAtRisk(parsedModel, parsedModel.GeneratedRisksByCategory[riskCategories[j].ID])
+ risksLeft := ReduceToOnlyStillAtRisk(parsedModel.GeneratedRisksByCategory[riskCategories[i].ID])
+ risksRight := ReduceToOnlyStillAtRisk(parsedModel.GeneratedRisksByCategory[riskCategories[j].ID])
highestLeft := HighestSeverityStillAtRisk(parsedModel, risksLeft)
highestRight := HighestSeverityStillAtRisk(parsedModel, risksRight)
if highestLeft == highestRight {
@@ -156,22 +119,6 @@ func SortByRiskSeverity(risks []*Risk, parsedModel *Model) {
})
}
-func SortByDataBreachProbability(risks []*Risk, parsedModel *Model) {
- sort.Slice(risks, func(i, j int) bool {
-
- if risks[i].DataBreachProbability == risks[j].DataBreachProbability {
- trackingStatusLeft := risks[i].RiskStatus
- trackingStatusRight := risks[j].RiskStatus
- if trackingStatusLeft == trackingStatusRight {
- return risks[i].Title < risks[j].Title
- } else {
- return trackingStatusLeft < trackingStatusRight
- }
- }
- return risks[i].DataBreachProbability > risks[j].DataBreachProbability
- })
-}
-
// as in Go ranging over map is random order, range over them in sorted (hence reproducible) way:
func SortedRiskCategories(parsedModel *Model) []*RiskCategory {
@@ -197,633 +144,3 @@ func SortedRisksOfCategory(parsedModel *Model, category *RiskCategory) []*Risk {
SortByRiskSeverity(risks, parsedModel)
return risks
}
-
-func CountRisks(risksByCategory map[string][]*Risk) int {
- result := 0
- for _, risks := range risksByCategory {
- result += len(risks)
- }
- return result
-}
-
-func RisksOfOnlySTRIDESpoofing(parsedModel *Model, risksByCategory map[string][]*Risk) map[string][]*Risk {
- result := make(map[string][]*Risk)
- for categoryId, risks := range risksByCategory {
- for _, risk := range risks {
- category := GetRiskCategory(parsedModel, categoryId)
- if category != nil {
- if category.STRIDE == Spoofing {
- result[categoryId] = append(result[categoryId], risk)
- }
- }
- }
- }
- return result
-}
-
-func RisksOfOnlySTRIDETampering(parsedModel *Model, risksByCategory map[string][]*Risk) map[string][]*Risk {
- result := make(map[string][]*Risk)
- for categoryId, risks := range risksByCategory {
- for _, risk := range risks {
- category := GetRiskCategory(parsedModel, categoryId)
- if category != nil {
- if category.STRIDE == Tampering {
- result[categoryId] = append(result[categoryId], risk)
- }
- }
- }
- }
- return result
-}
-
-func RisksOfOnlySTRIDERepudiation(parsedModel *Model, risksByCategory map[string][]*Risk) map[string][]*Risk {
- result := make(map[string][]*Risk)
- for categoryId, risks := range risksByCategory {
- for _, risk := range risks {
- category := GetRiskCategory(parsedModel, categoryId)
- if category.STRIDE == Repudiation {
- result[categoryId] = append(result[categoryId], risk)
- }
- }
- }
- return result
-}
-
-func RisksOfOnlySTRIDEInformationDisclosure(parsedModel *Model, risksByCategory map[string][]*Risk) map[string][]*Risk {
- result := make(map[string][]*Risk)
- for categoryId, risks := range risksByCategory {
- for _, risk := range risks {
- category := GetRiskCategory(parsedModel, categoryId)
- if category.STRIDE == InformationDisclosure {
- result[categoryId] = append(result[categoryId], risk)
- }
- }
- }
- return result
-}
-
-func RisksOfOnlySTRIDEDenialOfService(parsedModel *Model, risksByCategory map[string][]*Risk) map[string][]*Risk {
- result := make(map[string][]*Risk)
- for categoryId, risks := range risksByCategory {
- for _, risk := range risks {
- category := GetRiskCategory(parsedModel, categoryId)
- if category.STRIDE == DenialOfService {
- result[categoryId] = append(result[categoryId], risk)
- }
- }
- }
- return result
-}
-
-func RisksOfOnlySTRIDEElevationOfPrivilege(parsedModel *Model, risksByCategory map[string][]*Risk) map[string][]*Risk {
- result := make(map[string][]*Risk)
- for categoryId, risks := range risksByCategory {
- for _, risk := range risks {
- category := GetRiskCategory(parsedModel, categoryId)
- if category.STRIDE == ElevationOfPrivilege {
- result[categoryId] = append(result[categoryId], risk)
- }
- }
- }
- return result
-}
-
-func RisksOfOnlyBusinessSide(parsedModel *Model, risksByCategory map[string][]*Risk) map[string][]*Risk {
- result := make(map[string][]*Risk)
- for categoryId, risks := range risksByCategory {
- for _, risk := range risks {
- category := GetRiskCategory(parsedModel, categoryId)
- if category.Function == BusinessSide {
- result[categoryId] = append(result[categoryId], risk)
- }
- }
- }
- return result
-}
-
-func RisksOfOnlyArchitecture(parsedModel *Model, risksByCategory map[string][]*Risk) map[string][]*Risk {
- result := make(map[string][]*Risk)
- for categoryId, risks := range risksByCategory {
- for _, risk := range risks {
- category := GetRiskCategory(parsedModel, categoryId)
- if category.Function == Architecture {
- result[categoryId] = append(result[categoryId], risk)
- }
- }
- }
- return result
-}
-
-func RisksOfOnlyDevelopment(parsedModel *Model, risksByCategory map[string][]*Risk) map[string][]*Risk {
- result := make(map[string][]*Risk)
- for categoryId, risks := range risksByCategory {
- for _, risk := range risks {
- category := GetRiskCategory(parsedModel, categoryId)
- if category.Function == Development {
- result[categoryId] = append(result[categoryId], risk)
- }
- }
- }
- return result
-}
-
-func RisksOfOnlyOperation(parsedModel *Model, risksByCategory map[string][]*Risk) map[string][]*Risk {
- result := make(map[string][]*Risk)
- for categoryId, risks := range risksByCategory {
- for _, risk := range risks {
- category := GetRiskCategory(parsedModel, categoryId)
- if category.Function == Operations {
- result[categoryId] = append(result[categoryId], risk)
- }
- }
- }
- return result
-}
-
-func CategoriesOfOnlyRisksStillAtRisk(parsedModel *Model, risksByCategory map[string][]*Risk) []string {
- categories := make(map[string]struct{}) // Go's trick of unique elements is a map
- for categoryId, risks := range risksByCategory {
- for _, risk := range risks {
- if !risk.RiskStatus.IsStillAtRisk() {
- continue
- }
- categories[categoryId] = struct{}{}
- }
- }
- // return as slice (of now unique values)
- return keysAsSlice(categories)
-}
-
-func CategoriesOfOnlyCriticalRisks(parsedModel *Model, risksByCategory map[string][]*Risk, initialRisks bool) []string {
- categories := make(map[string]struct{}) // Go's trick of unique elements is a map
- for categoryId, risks := range risksByCategory {
- for _, risk := range risks {
- if !initialRisks && !risk.RiskStatus.IsStillAtRisk() {
- continue
- }
- if risk.Severity == CriticalSeverity {
- categories[categoryId] = struct{}{}
- }
- }
- }
- // return as slice (of now unique values)
- return keysAsSlice(categories)
-}
-
-func CategoriesOfOnlyHighRisks(parsedModel *Model, risksByCategory map[string][]*Risk, initialRisks bool) []string {
- categories := make(map[string]struct{}) // Go's trick of unique elements is a map
- for categoryId, risks := range risksByCategory {
- for _, risk := range risks {
- if !initialRisks && !risk.RiskStatus.IsStillAtRisk() {
- continue
- }
- highest := HighestSeverity(parsedModel.GeneratedRisksByCategory[categoryId])
- if !initialRisks {
- highest = HighestSeverityStillAtRisk(parsedModel, parsedModel.GeneratedRisksByCategory[categoryId])
- }
- if risk.Severity == HighSeverity && highest < CriticalSeverity {
- categories[categoryId] = struct{}{}
- }
- }
- }
- // return as slice (of now unique values)
- return keysAsSlice(categories)
-}
-
-func CategoriesOfOnlyElevatedRisks(parsedModel *Model, risksByCategory map[string][]*Risk, initialRisks bool) []string {
- categories := make(map[string]struct{}) // Go's trick of unique elements is a map
- for categoryId, risks := range risksByCategory {
- for _, risk := range risks {
- if !initialRisks && !risk.RiskStatus.IsStillAtRisk() {
- continue
- }
- highest := HighestSeverity(parsedModel.GeneratedRisksByCategory[categoryId])
- if !initialRisks {
- highest = HighestSeverityStillAtRisk(parsedModel, parsedModel.GeneratedRisksByCategory[categoryId])
- }
- if risk.Severity == ElevatedSeverity && highest < HighSeverity {
- categories[categoryId] = struct{}{}
- }
- }
- }
- // return as slice (of now unique values)
- return keysAsSlice(categories)
-}
-
-func CategoriesOfOnlyMediumRisks(parsedModel *Model, risksByCategory map[string][]*Risk, initialRisks bool) []string {
- categories := make(map[string]struct{}) // Go's trick of unique elements is a map
- for categoryId, risks := range risksByCategory {
- for _, risk := range risks {
- if !initialRisks && !risk.RiskStatus.IsStillAtRisk() {
- continue
- }
- highest := HighestSeverity(parsedModel.GeneratedRisksByCategory[categoryId])
- if !initialRisks {
- highest = HighestSeverityStillAtRisk(parsedModel, parsedModel.GeneratedRisksByCategory[categoryId])
- }
- if risk.Severity == MediumSeverity && highest < ElevatedSeverity {
- categories[categoryId] = struct{}{}
- }
- }
- }
- // return as slice (of now unique values)
- return keysAsSlice(categories)
-}
-
-func CategoriesOfOnlyLowRisks(parsedModel *Model, risksByCategory map[string][]*Risk, initialRisks bool) []string {
- categories := make(map[string]struct{}) // Go's trick of unique elements is a map
- for categoryId, risks := range risksByCategory {
- for _, risk := range risks {
- if !initialRisks && !risk.RiskStatus.IsStillAtRisk() {
- continue
- }
- highest := HighestSeverity(parsedModel.GeneratedRisksByCategory[categoryId])
- if !initialRisks {
- highest = HighestSeverityStillAtRisk(parsedModel, parsedModel.GeneratedRisksByCategory[categoryId])
- }
- if risk.Severity == LowSeverity && highest < MediumSeverity {
- categories[categoryId] = struct{}{}
- }
- }
- }
- // return as slice (of now unique values)
- return keysAsSlice(categories)
-}
-
-func HighestSeverity(risks []*Risk) RiskSeverity {
- result := LowSeverity
- for _, risk := range risks {
- if risk.Severity > result {
- result = risk.Severity
- }
- }
- return result
-}
-
-func keysAsSlice(categories map[string]struct{}) []string {
- result := make([]string, 0, len(categories))
- for k := range categories {
- result = append(result, k)
- }
- return result
-}
-
-func FilteredByOnlyBusinessSide(parsedModel *Model) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for categoryId, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- category := GetRiskCategory(parsedModel, categoryId)
- if category.Function == BusinessSide {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- }
- return filteredRisks
-}
-
-func FilteredByOnlyArchitecture(parsedModel *Model) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for categoryId, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- category := GetRiskCategory(parsedModel, categoryId)
- if category.Function == Architecture {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- }
- return filteredRisks
-}
-
-func FilteredByOnlyDevelopment(parsedModel *Model) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for categoryId, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- category := GetRiskCategory(parsedModel, categoryId)
- if category.Function == Development {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- }
- return filteredRisks
-}
-
-func FilteredByOnlyOperation(parsedModel *Model) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for categoryId, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- category := GetRiskCategory(parsedModel, categoryId)
- if category.Function == Operations {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- }
- return filteredRisks
-}
-
-func FilteredByOnlyCriticalRisks(parsedModel *Model) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- if risk.Severity == CriticalSeverity {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- }
- return filteredRisks
-}
-
-func FilteredByOnlyHighRisks(parsedModel *Model) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- if risk.Severity == HighSeverity {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- }
- return filteredRisks
-}
-
-func FilteredByOnlyElevatedRisks(parsedModel *Model) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- if risk.Severity == ElevatedSeverity {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- }
- return filteredRisks
-}
-
-func FilteredByOnlyMediumRisks(parsedModel *Model) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- if risk.Severity == MediumSeverity {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- }
- return filteredRisks
-}
-
-func FilteredByOnlyLowRisks(parsedModel *Model) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- if risk.Severity == LowSeverity {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- }
- return filteredRisks
-}
-
-func FilterByModelFailures(parsedModel *Model, risksByCat map[string][]*Risk) map[string][]*Risk {
- result := make(map[string][]*Risk)
- for categoryId, risks := range risksByCat {
- category := GetRiskCategory(parsedModel, categoryId)
- if category.ModelFailurePossibleReason {
- result[categoryId] = risks
- }
- }
-
- return result
-}
-
-func FlattenRiskSlice(risksByCat map[string][]*Risk) []*Risk {
- result := make([]*Risk, 0)
- for _, risks := range risksByCat {
- result = append(result, risks...)
- }
- return result
-}
-
-func TotalRiskCount(parsedModel *Model) int {
- count := 0
- for _, risks := range parsedModel.GeneratedRisksByCategory {
- count += len(risks)
- }
- return count
-}
-
-func FilteredByRiskTrackingUnchecked(parsedModel *Model) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- if risk.RiskStatus == Unchecked {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- }
- return filteredRisks
-}
-
-func FilteredByRiskTrackingInDiscussion(parsedModel *Model) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- if risk.RiskStatus == InDiscussion {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- }
- return filteredRisks
-}
-
-func FilteredByRiskTrackingAccepted(parsedModel *Model) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- if risk.RiskStatus == Accepted {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- }
- return filteredRisks
-}
-
-func FilteredByRiskTrackingInProgress(parsedModel *Model) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- if risk.RiskStatus == InProgress {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- }
- return filteredRisks
-}
-
-func FilteredByRiskTrackingMitigated(parsedModel *Model) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- if risk.RiskStatus == Mitigated {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- }
- return filteredRisks
-}
-
-func FilteredByRiskTrackingFalsePositive(parsedModel *Model) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- if risk.RiskStatus == FalsePositive {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- }
- return filteredRisks
-}
-
-func ReduceToOnlyHighRisk(risks []*Risk) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risk := range risks {
- if risk.Severity == HighSeverity {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- return filteredRisks
-}
-
-func ReduceToOnlyMediumRisk(risks []*Risk) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risk := range risks {
- if risk.Severity == MediumSeverity {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- return filteredRisks
-}
-
-func ReduceToOnlyLowRisk(risks []*Risk) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risk := range risks {
- if risk.Severity == LowSeverity {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- return filteredRisks
-}
-
-func ReduceToOnlyRiskTrackingUnchecked(parsedModel *Model, risks []*Risk) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risk := range risks {
- if risk.RiskStatus == Unchecked {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- return filteredRisks
-}
-
-func ReduceToOnlyRiskTrackingInDiscussion(parsedModel *Model, risks []*Risk) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risk := range risks {
- if risk.RiskStatus == InDiscussion {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- return filteredRisks
-}
-
-func ReduceToOnlyRiskTrackingAccepted(parsedModel *Model, risks []*Risk) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risk := range risks {
- if risk.RiskStatus == Accepted {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- return filteredRisks
-}
-
-func ReduceToOnlyRiskTrackingInProgress(parsedModel *Model, risks []*Risk) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risk := range risks {
- if risk.RiskStatus == InProgress {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- return filteredRisks
-}
-
-func ReduceToOnlyRiskTrackingMitigated(parsedModel *Model, risks []*Risk) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risk := range risks {
- if risk.RiskStatus == Mitigated {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- return filteredRisks
-}
-
-func ReduceToOnlyRiskTrackingFalsePositive(parsedModel *Model, risks []*Risk) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risk := range risks {
- if risk.RiskStatus == FalsePositive {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- return filteredRisks
-}
-
-func FilteredByStillAtRisk(parsedModel *Model) []*Risk {
- filteredRisks := make([]*Risk, 0)
- for _, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- if risk.RiskStatus.IsStillAtRisk() {
- filteredRisks = append(filteredRisks, risk)
- }
- }
- }
- return filteredRisks
-}
-
-func OverallRiskStatistics(parsedModel *Model) RiskStatistics {
- result := RiskStatistics{}
- result.Risks = make(map[string]map[string]int)
- result.Risks[CriticalSeverity.String()] = make(map[string]int)
- result.Risks[CriticalSeverity.String()][Unchecked.String()] = 0
- result.Risks[CriticalSeverity.String()][InDiscussion.String()] = 0
- result.Risks[CriticalSeverity.String()][Accepted.String()] = 0
- result.Risks[CriticalSeverity.String()][InProgress.String()] = 0
- result.Risks[CriticalSeverity.String()][Mitigated.String()] = 0
- result.Risks[CriticalSeverity.String()][FalsePositive.String()] = 0
- result.Risks[HighSeverity.String()] = make(map[string]int)
- result.Risks[HighSeverity.String()][Unchecked.String()] = 0
- result.Risks[HighSeverity.String()][InDiscussion.String()] = 0
- result.Risks[HighSeverity.String()][Accepted.String()] = 0
- result.Risks[HighSeverity.String()][InProgress.String()] = 0
- result.Risks[HighSeverity.String()][Mitigated.String()] = 0
- result.Risks[HighSeverity.String()][FalsePositive.String()] = 0
- result.Risks[ElevatedSeverity.String()] = make(map[string]int)
- result.Risks[ElevatedSeverity.String()][Unchecked.String()] = 0
- result.Risks[ElevatedSeverity.String()][InDiscussion.String()] = 0
- result.Risks[ElevatedSeverity.String()][Accepted.String()] = 0
- result.Risks[ElevatedSeverity.String()][InProgress.String()] = 0
- result.Risks[ElevatedSeverity.String()][Mitigated.String()] = 0
- result.Risks[ElevatedSeverity.String()][FalsePositive.String()] = 0
- result.Risks[MediumSeverity.String()] = make(map[string]int)
- result.Risks[MediumSeverity.String()][Unchecked.String()] = 0
- result.Risks[MediumSeverity.String()][InDiscussion.String()] = 0
- result.Risks[MediumSeverity.String()][Accepted.String()] = 0
- result.Risks[MediumSeverity.String()][InProgress.String()] = 0
- result.Risks[MediumSeverity.String()][Mitigated.String()] = 0
- result.Risks[MediumSeverity.String()][FalsePositive.String()] = 0
- result.Risks[LowSeverity.String()] = make(map[string]int)
- result.Risks[LowSeverity.String()][Unchecked.String()] = 0
- result.Risks[LowSeverity.String()][InDiscussion.String()] = 0
- result.Risks[LowSeverity.String()][Accepted.String()] = 0
- result.Risks[LowSeverity.String()][InProgress.String()] = 0
- result.Risks[LowSeverity.String()][Mitigated.String()] = 0
- result.Risks[LowSeverity.String()][FalsePositive.String()] = 0
- for _, risks := range parsedModel.GeneratedRisksByCategory {
- for _, risk := range risks {
- result.Risks[risk.Severity.String()][risk.RiskStatus.String()]++
- }
- }
- return result
-}
diff --git a/pkg/security/types/technical_asset.go b/pkg/security/types/technical_asset.go
index 5a2bdc9b..970a62c1 100644
--- a/pkg/security/types/technical_asset.go
+++ b/pkg/security/types/technical_asset.go
@@ -365,35 +365,6 @@ func (what TechnicalAsset) GetTrustBoundaryId(model *Model) string {
return ""
}
-func SortByTechnicalAssetRiskSeverityAndTitleStillAtRisk(assets []*TechnicalAsset, parsedModel *Model) {
- sort.Slice(assets, func(i, j int) bool {
- risksLeft := ReduceToOnlyStillAtRisk(parsedModel, assets[i].GeneratedRisks(parsedModel))
- risksRight := ReduceToOnlyStillAtRisk(parsedModel, assets[j].GeneratedRisks(parsedModel))
- highestSeverityLeft := HighestSeverityStillAtRisk(parsedModel, risksLeft)
- highestSeverityRight := HighestSeverityStillAtRisk(parsedModel, risksRight)
- var result bool
- if highestSeverityLeft == highestSeverityRight {
- if len(risksLeft) == 0 && len(risksRight) > 0 {
- return false
- } else if len(risksLeft) > 0 && len(risksRight) == 0 {
- return true
- } else {
- result = assets[i].Title < assets[j].Title
- }
- } else {
- result = highestSeverityLeft > highestSeverityRight
- }
- if assets[i].OutOfScope && assets[j].OutOfScope {
- result = assets[i].Title < assets[j].Title
- } else if assets[i].OutOfScope {
- result = false
- } else if assets[j].OutOfScope {
- result = true
- }
- return result
- })
-}
-
type ByTechnicalAssetRAAAndTitleSort []*TechnicalAsset
func (what ByTechnicalAssetRAAAndTitleSort) Len() int { return len(what) }