Skip to content

Commit 575b038

Browse files
authored
feat: add new security needs (#558)
1 parent 4d56861 commit 575b038

4 files changed

Lines changed: 328 additions & 15 deletions

File tree

docs/internals/requirements/requirements.rst

Lines changed: 77 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -140,9 +140,9 @@ This section provides an overview of current process requirements and their clar
140140
:parent_covered: NO: Can not cover 'ISO/IEC/IEEE/29148'
141141
:version: 1
142142
:implemented: YES
143-
:satisfies: gd_req__req_attr_description, gd_req__req_check_mandatory,
143+
:satisfies: gd_req__req_attr_description, gd_req__req_check_mandatory, gd_req__sec_argument
144144

145-
Docs-as-Code shall enforce that each need of type :need:`tool_req__docs_req_types` has a description (content)
145+
Enforce that each need of type :need:`tool_req__docs_req_types` has a description (content)
146146

147147

148148
.. tool_req:: Enforces description wording rules
@@ -1186,15 +1186,82 @@ Testing
11861186

11871187
Docs-As-Code shall enforce that every Safety Analysis has a short description of the failure effect (e.g. failure lead to an unintended actuation of the analysed element)
11881188

1189-
----------------------------------------------------------------
1190-
Safety Analysis (DFA + FMEA) Process to Tool Requirement Mapping
1191-
----------------------------------------------------------------
11921189

1193-
.. needtable::
1194-
:style: table
1195-
:types: gd_req
1196-
:columns: id;satisfies_back as "tool_req"
1197-
:filter: "gd_req__saf" in id
1190+
🔒 Security Analysis
1191+
#####################
1192+
1193+
1194+
.. tool_req:: Security Analysis Need Types
1195+
:id: tool_req__docs_sec_types
1196+
:implemented: YES
1197+
:tags: Security Analysis
1198+
:version: 1
1199+
:satisfies:
1200+
gd_req__sec_attr_uid,
1201+
gd_req__sec_attr_title,
1202+
:parent_covered: YES
1203+
1204+
Docs-As-Code shall support the following need types:
1205+
1206+
* Feature Security Analysis Threat (STRIDE) -> ``feat_sec_threat``
1207+
* Component Security Analysis Threat (STRIDE) -> ``comp_sec_threat``
1208+
* Platform Security Analysis Threat (STRIDE) -> ``plat_sec_threat``
1209+
* Feature Security Analysis (Threat Scenario) -> ``feat_sec_ana``
1210+
* Component Security Analysis (Threat Scenario) -> ``comp_sec_ana``
1211+
* Platform Security Analysis (Threat Scenario) -> ``plat_sec_ana``
1212+
1213+
1214+
.. tool_req:: Security Analysis: STRIDE Threat ID Attribute
1215+
:id: tool_req__docs_sec_attr_stride_threat_id
1216+
:implemented: YES
1217+
:tags: Security Analysis
1218+
:version: 1
1219+
:satisfies: gd_req__sec_attr_stride_threat_id
1220+
:parent_covered: YES
1221+
1222+
Docs-As-Code shall enforce that STRIDE threat needs
1223+
(``feat_sec_threat``, ``comp_sec_threat``, ``plat_sec_threat``)
1224+
have a mandatory ``threat_id`` attribute.
1225+
1226+
1227+
.. tool_req:: Security Analysis Threat Scenario Mandatory Attributes
1228+
:id: tool_req__docs_sec_attrs_mandatory
1229+
:implemented: YES
1230+
:tags: Security Analysis
1231+
:version: 1
1232+
:satisfies:
1233+
gd_req__sec_attr_threat_scenario_id,
1234+
gd_req__sec_attr_status,
1235+
gd_req__sec_attr_sufficient,
1236+
gd_req__sec_attr_teffect,
1237+
:parent_covered: YES
1238+
1239+
Enforce that threat scenario needs
1240+
(``feat_sec_ana``, ``comp_sec_ana``, ``plat_sec_ana``)
1241+
have the following mandatory attributes:
1242+
1243+
* ``threat_scenario_id``
1244+
* ``status``: ``valid`` or ``invalid``
1245+
* ``sufficient``: ``yes`` or ``no``
1246+
* ``threat_effect``: short description of the threat impact
1247+
1248+
1249+
.. tool_req:: Security Analysis Optional Attributes
1250+
:id: tool_req__docs_sec_attrs_optional
1251+
:implemented: YES
1252+
:tags: Security Analysis
1253+
:version: 1
1254+
:satisfies:
1255+
gd_req__sec_attr_mitigation_issue,
1256+
gd_req__sec_attr_aou,
1257+
:parent_covered: YES
1258+
1259+
Allow threat scenario needs
1260+
(``feat_sec_ana``, ``comp_sec_ana``, ``plat_sec_ana``)
1261+
to have the following optional attributes and links:
1262+
1263+
* ``mitigation_issue``: link to a GitHub issue
1264+
* ``mitigated_by``: link to ``aou_req``
11981265

11991266

12001267
🗺️ Full Mapping

src/extensions/score_metamodel/__init__.py

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -327,6 +327,15 @@ def setup(app: Sphinx) -> dict[str, str | bool]:
327327
app.config.needs_types += metamodel.needs_types
328328
app.config.needs_links.update(metamodel.needs_links)
329329
app.config.needs_fields.update(metamodel.needs_fields)
330+
app.config.needs_string_links.setdefault(
331+
"mitigation_issue_linker",
332+
{
333+
"regex": r"(?P<url>https://github\.com/[^/]+/(?P<repo>[^/]+)/issues/(?P<number>\d+))",
334+
"link_url": "{{url}}",
335+
"link_name": "{{repo}}#{{number}}",
336+
"options": ["mitigation_issue"],
337+
},
338+
)
330339
app.config.graph_checks = metamodel.needs_graph_check
331340
app.config.prohibited_words_checks = metamodel.prohibited_words_checks
332341

src/extensions/score_metamodel/metamodel.yaml

Lines changed: 115 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -127,6 +127,7 @@ needs_types:
127127
gd_req:
128128
title: Process Requirements
129129
mandatory_options:
130+
# req-Id: tool_req__docs_common_attr_description
130131
content: ^[\s\S]+$
131132
optional_links:
132133
# req-Id: tool_req__docs_req_link_satisfies_allowed
@@ -289,6 +290,7 @@ needs_types:
289290
safety: ^(QM|ASIL_B)$
290291
# req-Id: tool_req__docs_common_attr_status
291292
status: ^(valid|invalid)$
293+
# req-Id: tool_req__docs_common_attr_description
292294
content: ^[\s\S]+$
293295
mandatory_links:
294296
# req-Id: tool_req__docs_req_link_satisfies_allowed
@@ -325,6 +327,7 @@ needs_types:
325327
safety: ^(QM|ASIL_B)$
326328
# req-Id: tool_req__docs_common_attr_status
327329
status: ^(valid|invalid)$
330+
# req-Id: tool_req__docs_common_attr_description
328331
content: ^[\s\S]+$
329332
mandatory_links:
330333
# req-Id: tool_req__docs_req_link_satisfies_allowed
@@ -350,6 +353,7 @@ needs_types:
350353
tool_req:
351354
title: Tool Requirement
352355
mandatory_options:
356+
# req-Id: tool_req__docs_common_attr_description
353357
content: ^[\s\S]+$
354358
optional_links:
355359
# req-Id: tool_req__docs_req_link_satisfies_allowed
@@ -385,6 +389,7 @@ needs_types:
385389
safety: ^(QM|ASIL_B)$
386390
# req-Id: tool_req__docs_common_attr_status
387391
status: ^(valid|invalid)$
392+
# req-Id: tool_req__docs_common_attr_description
388393
content: ^[\s\S]+$
389394
optional_options:
390395
codelink: ^.*$
@@ -746,11 +751,12 @@ needs_types:
746751
failure_effect: ^.*$
747752
sufficient: ^(yes|no)$
748753
status: ^(valid|invalid)$
754+
# req-Id: tool_req__docs_common_attr_description
749755
content: ^[\s\S]+$
750756
mandatory_links:
751757
violates: feat_arc_sta
752758
optional_options:
753-
mitigation_issue: ^https://github.com/.*$
759+
mitigation_issue: ^https://github\.com/[^/]+/[^/]+/issues/\d+$
754760
optional_links:
755761
mitigated_by: stkh_req, aou_req
756762
parts: 3
@@ -766,13 +772,14 @@ needs_types:
766772
sufficient: ^(yes|no)$
767773
status: ^(valid|invalid)$
768774
# req-Id: tool_req__docs_saf_attrs_content
775+
# req-Id: tool_req__docs_common_attr_description
769776
content: ^[\s\S]+$
770777
mandatory_links:
771778
# req-Id: tool_req__docs_saf_attrs_violates
772779
violates: feat_arc_sta
773780
optional_options:
774781
# req-Id: tool_req__docs_saf_attrs_mitigation_issue
775-
mitigation_issue: ^https://github.com/.*$
782+
mitigation_issue: ^https://github\.com/[^/]+/[^/]+/issues/\d+$
776783
optional_links:
777784
# req-Id: tool_req__docs_saf_attrs_mitigated_by
778785
# (only mandatory once valid status == valid)
@@ -796,7 +803,7 @@ needs_types:
796803
content: ^[\s\S]+$
797804
optional_options:
798805
# req-Id: tool_req__docs_saf_attrs_mitigation_issue
799-
mitigation_issue: ^https://github.com/.*$
806+
mitigation_issue: ^https://github\.com/[^/]+/[^/]+/issues/\d+$
800807
mandatory_links:
801808
# req-Id: tool_req__docs_saf_attrs_violates
802809
violates: comp_arc_sta
@@ -824,7 +831,7 @@ needs_types:
824831
content: ^[\s\S]+$
825832
optional_options:
826833
# req-Id: tool_req__docs_saf_attrs_mitigation_issue
827-
mitigation_issue: ^https://github.com/.*$
834+
mitigation_issue: ^https://github\.com/[^/]+/[^/]+/issues/\d+$
828835
mandatory_links:
829836
# req-Id: tool_req__docs_saf_attrs_violates
830837
violates: feat_arc_dyn, feat_arc_sta
@@ -851,7 +858,7 @@ needs_types:
851858
content: ^[\s\S]+$
852859
optional_options:
853860
# req-Id: tool_req__docs_saf_attrs_mitigation_issue
854-
mitigation_issue: ^https://github.com/.*$
861+
mitigation_issue: ^https://github\.com/[^/]+/[^/]+/issues/\d+$
855862
mandatory_links:
856863
# req-Id: tool_req__docs_saf_attrs_violates
857864
violates: comp_arc_dyn, comp_arc_sta
@@ -862,6 +869,109 @@ needs_types:
862869
- safety_analysis
863870
parts: 3
864871

872+
# Security Analysis
873+
# req-Id: tool_req__docs_sec_types
874+
feat_sec_threat:
875+
title: Feature Security Analysis Threat (STRIDE)
876+
mandatory_options:
877+
# req-Id: tool_req__docs_sec_attr_stride_threat_id
878+
threat_id: ^(AU_01_0[1-3]|AZ_01_0[1-3]|CT_01_0[1-2]|DS_01_0[1-3]|EX_01_0[1-6]|LA_01_0[1-3]|MT_01_0[1-7])$
879+
status: ^(valid|invalid)$
880+
content: ^[\s\S]+$
881+
tags:
882+
- stride_threat
883+
- security_analysis
884+
parts: 3
885+
886+
# req-Id: tool_req__docs_sec_types
887+
comp_sec_threat:
888+
title: Component Security Analysis Threat (STRIDE)
889+
mandatory_options:
890+
# req-Id: tool_req__docs_sec_attr_stride_threat_id
891+
threat_id: ^(AU_01_0[1-3]|AZ_01_0[1-3]|CT_01_0[1-2]|DS_01_0[1-3]|EX_01_0[1-6]|LA_01_0[1-3]|MT_01_0[1-7])$
892+
status: ^(valid|invalid)$
893+
content: ^[\s\S]+$
894+
tags:
895+
- stride_threat
896+
- security_analysis
897+
parts: 3
898+
899+
# req-Id: tool_req__docs_sec_types
900+
plat_sec_threat:
901+
title: Platform Security Analysis Threat (STRIDE)
902+
mandatory_options:
903+
# req-Id: tool_req__docs_sec_attr_stride_threat_id
904+
threat_id: ^(AU_01_0[1-3]|AZ_01_0[1-3]|CT_01_0[1-2]|DS_01_0[1-3]|EX_01_0[1-6]|LA_01_0[1-3]|MT_01_0[1-7])$
905+
status: ^(valid|invalid)$
906+
content: ^[\s\S]+$
907+
tags:
908+
- stride_threat
909+
- security_analysis
910+
parts: 3
911+
912+
# req-Id: tool_req__docs_sec_types
913+
feat_sec_ana:
914+
title: Feature Security Analysis (Threat Scenario)
915+
mandatory_options:
916+
# req-Id: tool_req__docs_sec_attrs_mandatory
917+
threat_scenario_id: ^(AS_01_(01|02|04|05|06|07|09|10)|CO_01_0[1-7]|SC_01_0[2-5]|SI_01_0[2-5]|UI_01_(0[1-9]|1[0-2]))$
918+
# req-Id: tool_req__docs_sec_attrs_mandatory
919+
status: ^(valid|invalid)$
920+
# req-Id: tool_req__docs_sec_attrs_mandatory
921+
sufficient: ^(yes|no)$
922+
# req-Id: tool_req__docs_sec_attrs_mandatory
923+
threat_effect: ^.+$
924+
# req-Id: tool_req__docs_common_attr_description
925+
content: ^[\s\S]+$
926+
optional_options:
927+
# req-Id: tool_req__docs_sec_attrs_optional
928+
mitigation_issue: ^https://github\.com/[^/]+/[^/]+/issues/\d+$
929+
optional_links:
930+
# req-Id: tool_req__docs_sec_attrs_optional
931+
mitigated_by: feat_req, aou_req
932+
tags:
933+
- threat_scenario
934+
- security_analysis
935+
parts: 3
936+
937+
# req-Id: tool_req__docs_sec_types
938+
comp_sec_ana:
939+
title: Component Security Analysis (Threat Scenario)
940+
mandatory_options:
941+
threat_scenario_id: ^(AS_01_(01|02|04|05|06|07|09|10)|CO_01_0[1-7]|SC_01_0[2-5]|SI_01_0[2-5]|UI_01_(0[1-9]|1[0-2]))$
942+
status: ^(valid|invalid)$
943+
sufficient: ^(yes|no)$
944+
threat_effect: ^.+$
945+
# req-Id: tool_req__docs_common_attr_description
946+
content: ^[\s\S]+$
947+
optional_options:
948+
mitigation_issue: ^https://github\.com/[^/]+/[^/]+/issues/\d+$
949+
optional_links:
950+
mitigated_by: comp_req, aou_req
951+
tags:
952+
- threat_scenario
953+
- security_analysis
954+
parts: 3
955+
956+
# req-Id: tool_req__docs_sec_types
957+
plat_sec_ana:
958+
title: Platform Security Analysis (Threat Scenario)
959+
mandatory_options:
960+
threat_scenario_id: ^(AS_01_(01|02|04|05|06|07|09|10)|CO_01_0[1-7]|SC_01_0[2-5]|SI_01_0[2-5]|UI_01_(0[1-9]|1[0-2]))$
961+
status: ^(valid|invalid)$
962+
sufficient: ^(yes|no)$
963+
threat_effect: ^.+$
964+
# req-Id: tool_req__docs_common_attr_description
965+
content: ^[\s\S]+$
966+
optional_options:
967+
mitigation_issue: ^https://github\.com/[^/]+/[^/]+/issues/\d+$
968+
optional_links:
969+
mitigated_by: feat_req, aou_req
970+
tags:
971+
- threat_scenario
972+
- security_analysis
973+
parts: 3
974+
865975
testcase:
866976
title: Testcase Needs parsed from test.xml files
867977
optional_options:

0 commit comments

Comments
 (0)