Merge pull request #323 from iriusrisk/release/1.19.0

release/1.19.0 to main

.github/workflows/semgrep.yml

@@ -15,4 +15,38 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
-      - run: semgrep ci --config=p/owasp-top-ten --config=p/cwe-top-25 --config=p/gitleaks -q --exclude="tests" --exclude="*/tests" --skip-unknown-extensions --suppress-errors
+
+      - id: semgrep
+        run: semgrep ci --config=p/owasp-top-ten --config=p/cwe-top-25 --config=p/gitleaks -q --exclude="tests" --exclude="*/tests" --skip-unknown-extensions --suppress-errors
+        continue-on-error: true
+
+      - name: Get branch name (pull request)
+        run: echo "BRANCH_NAME=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV
+
+      - name: Set failure message vars
+        if: steps.semgrep.outcome == 'failure'
+        run: echo "icon=fire" >> $GITHUB_ENV
+
+      - name: Set success message vars
+        if: steps.semgrep.outcome == 'success'
+        run: echo "icon=checkered_flag" >> $GITHUB_ENV
+
+      - name: Format Branch name
+        shell: bash
+        run: echo "BRANCH_NAME=${BRANCH_NAME^^}" >> $GITHUB_ENV
+
+      - name: Semgrep report to Slack
+        if: ${{ env.BRANCH_NAME }} == 'DEV' || ${{ env.BRANCH_NAME }} == 'MAIN'
+        id: slack-report
+        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 #v1.24.0
+        with:
+          payload: |
+            {
+              "text": ":${{ env.icon }}: Semgrep-Startleft-${{ env.BRANCH_NAME }} vulnerability test result: ${{ steps.semgrep.outcome }} <https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}|Pipeline logs>"
+            }
+        env:
+           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK_URL }}
+
+      - name: Stop if Semgrep finds a vulnerability
+        if: steps.semgrep.outcome == 'failure'
+        run: exit 1

docs/Quickstart-Guide-for-Beginners.md

@@ -83,7 +83,7 @@ With this two files we are ready to execute the `parse` command in order to gene
 ```shell
 startleft parse \
 	--iac-type TERRAFORM \
-	--mapping-file iriusrisk-tf-aws-mapping.yaml \
+	--default-mapping-file iriusrisk-tf-aws-mapping.yaml \
 	--output-file multinetwork_security_groups_with_lb.otm \
 	--project-name "Terraform MN Security Groups with LB" \
 	--project-id "tf-mn-sg-lb" \

docs/Troubleshooting.md

@@ -34,11 +34,25 @@ echo "C:\Program Files\Graphviz\bin" >> $PATH
 ```
 
 Installing the `pygraphviz` lib setting the OS files location: 
-
 ```shell
 pip install --global-option=build_ext --global-option="-IC:\Program files\Graphviz\include" --global-option="-LC:\Program files\Graphviz\lib" pygraphviz
 ```
 
+When on MacOS the pygraphviz compilation steps may fail because it can't find the graphviz headers.
+
+First, make sure you have graphviz installed, for homebrew run:
+```shell
+brew install graphviz
+```
+
+Export the compilation flags to tell pip's build process where to find the headers:
+```shell
+export CFLAGS="-I $(brew --prefix graphviz)/include"
+export LDFLAGS="-L $(brew --prefix graphviz)/lib"
+```
+
+You can now either try installing startleft (which will pull pygraphviz as a dependency) or install pygraphviz with `pip install pygraphviz`, in the same terminal.
+
 ---
 
 ### `pygraphviz/graphviz_wrap.c:154:11: fatal error: Python.h: No such file or directory`

docs/requirements.txt

@@ -1,2 +1,2 @@
-mkdocs-material==9.1.17
+mkdocs-material==9.2.8
 mkdocs-glightbox==0.3.4

docs/startleft-processors/external-threat-model/mtmt/MTMT-Mapping.md

@@ -14,25 +14,36 @@ Let's see how to identify the different elements:
 
 
 ## Trustzones
-For the TrustZones we need to write two fields: ``label`` and ``id``
+For the TrustZones we need to write two fields: ``label`` and ``type``
 
-The label will identify the MTMT TrustZone by its type. 
+The label will identify the MTMT TrustZone by its MTMT type or by its name. 
 
 Let's see an example with a TrustZone in the MTMT_example.tm7:
 
 ![](img/MTMT_example.png)
 
-Our TrustZone named ``Internet`` is of ``Generic Trust Border Boundary`` type.
+Our ``Generic Trust Border Boundary`` TrustZone is named ``Internet``.
+
 
 
 
 ![](img/mtmt_generic_trust_boundary.png)
 
-So we need to put this
-type in the label value.
+We can map it by either of the two: ``Generic Trust Border Boundary`` (MTMT type) or ``Internet`` (MTMT name).
+
+```yaml
+  - label: Generic Trust Border Boundary
+    type:  6376d53e-6461-412b-8e04-7b3fe2b397de
+```
+or
+```yaml
+  - label: Internet
+    type:  6376d53e-6461-412b-8e04-7b3fe2b397de
+```
+---
 
 The type in the mapping file will be the type in the OTM trust zone output.
-In this example, the `Generic Trust Border Boundary` source trust zones
+In this example, the `Generic Trust Border Boundary` source trust zone
 will be mapped to a OTM trust zone which type will be the value of the `type`
 in our mapping file.
 
@@ -59,7 +70,7 @@ The TrustZone OTM output will be:
     }]}
 ```
 
-In case we have two trust zones with the same type, the OTM will have two trust zones
+In case we have two trust zones with the same MTMT type (e.g: ``Generic Trust Border Boundary``), the OTM will have two trust zones
 with the same type but different id. In the mapping file is enough having mapped once:
 ```yaml
   - label: Generic Trust Border Boundary

docs/startleft-processors/iac/cft/CloudFormation-Examples.md

@@ -36,7 +36,7 @@ OTM file `multinetwork_security_groups_with_lb.otm` in the process.
 ```shell
 startleft parse \
 	--iac-type CLOUDFORMATION \
-	--mapping-file iriusrisk-cft-mapping.yaml \
+	--default-mapping-file iriusrisk-cft-mapping.yaml \
 	--output-file multinetwork_security_groups_with_lb.otm \
 	--project-name "CFT MN Security Groups with LB" \
 	--project-id "cft-mn-sg-lb" \
@@ -60,7 +60,7 @@ The following command will parse both CloudFormation source files creating an OT
 ```shell
 startleft parse \
 	--iac-type CLOUDFORMATION \
-	--mapping-file iriusrisk-cft-mapping.yaml \
+	--default-mapping-file iriusrisk-cft-mapping.yaml \
 	--output-file multinetwork_security_groups_with_lb_from_multiple_files.otm \
 	--project-name "CFT MN Security Groups with LB from multiple files" \
 	--project-id "cft-mn-sg-lb-ml-fl" \

docs/startleft-processors/iac/cft/CloudFormation-Quickstart.md

@@ -155,7 +155,7 @@ directory with identical contents to the one above.
 ```shell
 startleft parse \
 	--iac-type CLOUDFORMATION \
-	--mapping-file ec2-mapping.yaml \
+	--default-mapping-file ec2-mapping.yaml \
 	--output-file ec2.otm \
 	--project-id "my-ec2-project" \
 	--project-name "My EC2 project" \
@@ -182,7 +182,7 @@ curl --location --request POST localhost:5000/api/v1/startleft/iac \
 --header "Accept: application/json" \
 --form iac_type="CLOUDFORMATION" \
 --form iac_file=@"./ec2-cft.json" \
---form mapping_file=@"./ec2-mapping.yaml" \
+--form default_mapping_file=@"./ec2-mapping.yaml" \
 --form id="my-ec2-project" \
 --form name="My EC2 project"
 ```

docs/startleft-processors/iac/tf/Terraform-Examples.md

@@ -21,7 +21,7 @@ StartLeft supports parsing Terraform source files. Some examples are provided in
 ```shell
 startleft parse \
 	--iac-type TERRAFORM \
-	--mapping-file iriusrisk-tf-aws-mapping \
+	--default-mapping-file iriusrisk-tf-aws-mapping \
 	--output-file elb.otm \
 	--project-name "Terraform ELB" \
 	--project-id "terraform-elb" \

docs/startleft-processors/iac/tf/Terraform-Quickstart.md

@@ -142,7 +142,7 @@ directory with identical contents to the one above.
 ```shell
 startleft parse \
 	--iac-type TERRAFORM \
-	--mapping-file ec2-mapping.yaml \
+	--default-mapping-file ec2-mapping.yaml \
 	--output-file ec2.otm \
 	--project-id "my-ec2-project" \
 	--project-name "My EC2 project" \
@@ -164,7 +164,7 @@ curl --location --request POST localhost:5000/api/v1/startleft/iac \
 --header "Accept: application/json" \
 --form iac_type="TERRAFORM" \
 --form iac_file=@"./ec2-tf.json" \
---form mapping_file=@"./ec2-mapping.yaml" \
+--form default_mapping_file=@"./ec2-mapping.yaml" \
 --form id="my-ec2-project" \
 --form name="My EC2 project"
 ```

docs/startleft-processors/iac/tfplan/Terraform-Plan-Quickstart.md

@@ -86,7 +86,7 @@ directory.
 ```shell
 startleft parse \
 	--iac-type TFPLAN \
-	--mapping-file ir-mappings.yaml \
+	--default-mapping-file ir-mappings.yaml \
 	--output-file output.otm \
 	--project-id "my-project" \
 	--project-name "My project" \
@@ -108,7 +108,7 @@ curl --location --request POST localhost:5000/api/v1/startleft/iac \
 --form iac_type="TFPLAN" \
 --form iac_file=@"./tf-plan.json" \
 --form iac_file=@"./tf-graph.gv" \
---form mapping_file=@"./ir-mappings.yaml" \
+--form default_mapping_file=@"./ir-mappings.yaml" \
 --form id="my-project" \
 --form name="My project"
 ```

docs/startleft-processors/iac/tfplan/examples/aws-ingesting-click-logs-using-terraform.md

@@ -38,7 +38,7 @@ Use the StartLeft CLI to generate the OTM file:
 ```shell
 $ startleft parse \ 
   --iac-type TFPLAN \ 
-  --mapping-file ir-mappings.yaml \ 
+  --default-mapping-file ir-mappings.yaml \ 
   --output-file output.otm \
   --project-id "my-project" \
   --project-name "My project" \ 

docs/usage/Command-Line-Interface.md

@@ -99,34 +99,26 @@ This command is used for parsing source files into the Open Threat Model format.
 The options that it supports are:
 
 ```shell
-  -t, --iac-type [CLOUDFORMATION|TERRAFORM]
-                                  The IaC file type. NOTE: This argument
+   -t, --iac-type [CLOUDFORMATION|TERRAFORM|TFPLAN]
+                                  The IaC file type. NOTE: This argument is
+                                  mutually exclusive with  arguments:
+                                  [diagram_type, etm_type]. [required]
+  -g, --diagram-type [VISIO|LUCID]
+                                  The diagram file type. NOTE: This argument
                                   is mutually exclusive with  arguments:
-                                  [custom_mapping_file,
-                                  default_mapping_file, diagram_type].
-  -g, --diagram-type [VISIO|LUCID]      
-                                  The diagram file type. NOTE: This
-                                  argument is mutually exclusive with
-                                  arguments: [mapping_file, iac_type].
-  -m, --mapping-file TEXT         
-                                  Mapping file to parse the IaC file.
-                                  NOTE: This argument is mutually
-                                  exclusive with  arguments:
-                                  [custom_mapping_file,
-                                  default_mapping_file, diagram_type].
-  -d, --default-mapping-file TEXT
-                                  Default mapping file to parse the
-                                  diagram or ETM file. NOTE: This argument is
+                                  [etm_type, iac_type]. [required]
+  -e, --etm-type [MTMT]           The etm file type. NOTE: This argument is
                                   mutually exclusive with  arguments:
-                                  [mapping_file, iac_type].
-  -c, --custom-mapping-file TEXT  
-                                  Custom mapping file to parse the
-                                  diagram or ETM file.
+                                  [diagram_type, iac_type]. [required]
+  -d, --default-mapping-file TEXT
+                                  Default mapping file to parse the diagram
+                                  file. [required]
+  -c, --custom-mapping-file TEXT  Custom mapping file to parse the diagram
+                                  file.
   -o, --output-file TEXT          OTM output file.
   -n, --project-name TEXT         Project name.  [required]
   -i, --project-id TEXT           Project id.  [required]
   --help                          Show this message and exit.
-
 ```
 > :material-information-outline: Notice that the argument with the `IaC or diagram file name` to parse is not 
 > preceded by a parameter 

docs/usage/REST-API.md

@@ -72,12 +72,17 @@ Request Body:
     iac_type:                   Required. Type of the IaC file: [CLOUDFORMATION, TERRAFORM]
     id                          Required. ID of the new project
     name                        Required. Name of the new project
-    mapping_file                Required. File that contains the mapping between IaC resources and threat model resources.
+    default_mapping_file        Required. File that contains the default mapping file between the diagram resources and threat model resources
+    custom_mapping_file         Optional. File that contains the custom user mapping file between the diagram resources and threat model resources
 ```
 This endpoint accepts one or more IaC source files (currently [Cloudformation](../startleft-processors/iac/cft/CloudFormation-Quickstart.md) 
-or [Terraform](../startleft-processors/iac/tf/Terraform-Quickstart.md)) and a mapping file, and generates an OTM with 
+or [Terraform](../startleft-processors/iac/tf/Terraform-Quickstart.md)),a mapping file, and an optional custom mapping file, and generates an OTM with 
 the resulting threat modeling content.
 
+???+ warning "mapping_file parameter is DEPRECATED"
+
+    In previous version mapping_file parameter was used instead default_mapping_file, now you can send one or the other until mapping_file  parameter is definitely deleted and only default_mapping_file will be accepted.
+
 ??? example "Example"
     === "Request"
         ``` shell
@@ -88,7 +93,8 @@ the resulting threat modeling content.
         --form iac_type="CLOUDFORMATION" \
         --form iac_file=@"./resources_cft_file.json" \
         --form iac_file=@"./networks_cft_file.json" \
-        --form mapping_file=@"./iriusrisk-cft-mapping.yaml" \
+        --form default_mapping_file=@"./default-mapping.yaml" \
+        --form custom_mapping_file=@"./custom-mapping.yaml" \
         --form id="cft-to-otm-example" \
         --form name="CFT to OTM example"
         ```