align with the latest changes

anmalkov · Apr 2, 2024 · 4840da3 · 4840da3
1 parent 0675926
commit 4840da3
Show file tree

Hide file tree

Showing 41 changed files with 2,189 additions and 75 deletions.
diff --git a/src/Crisp.Core.Tests/UnitTest1.cs b/src/Crisp.Core.Tests/UnitTest1.cs
@@ -96,20 +96,20 @@ public async Task Test2()
     //[Fact]
     public async Task Test3()
     {
-        var recommendations = new List<Recommendation>
+        var threats = new List<Threat>
         {
-            new Recommendation("4", "test 1", "**Principle:** Confidentiality and Integrity  \r\n**Affected Asset:** All services  \r\n**Threat:** Secrets leaking into unsecured locations are an easy way for adversaries to gain access to a system. These secrets can be used to either spoof the owners of these secrets or, in the case of encryption keys, use them to decrypt data.\r\n\r\n**Mitigation:**\r\n\r\nProper storage and management of secrets is critical in protecting systems from compromises, in most cases, with severe impact.\r\n\r\n1. Never store secrets in code, configuration files or databases. Instead, use a vault or any secure container (such as encrypted variables) to store secrets.\r\n2. Separate application secrets by environment.\r\n3. Rotate all secrets before turning over the application to the customer.\r\n\r\n- Store all secrets, encryption keys and certificates in Key Vault.\r\n- You can use multiple Key Vaults to separate secrets for different and critical services to minimize secrets leaking\r\n- Define and implement secrets rotation strategy. All items in the vault should have expiration dates.", null),
-            new Recommendation("3", "test 1", "**Principle:** Confidentiality  \r\n**Affected Asset:** All services  \r\n**Threat:** Broken or non-existent authentication mechanisms may allow attackers to gain access to confidential information.\r\n\r\n**Mitigation:**\r\n\r\nAll services within the Azure Trust Boundary must authenticate all incoming requests, including requests coming from the same network. Proper authorizations should also be applied to prevent unnecessary privileges.\r\n\r\n1. Use Azure AD authentication for centralized identity management.\r\n2. Whenever available, use Azure Managed Identities to authenticate services. Service Principals may be used if Managed Identities are not supported.\r\n3. External users or services may use Username + Passwords, Tokens, or Certificates to authenticate, provided these are stored on Key Vault or any other vaulting solution.\r\n4. For authorization, use Azure RBAC to segregate duties and grant only the least amount of access to perform an action at a particular scope.\r\n5. Leverage AAD PIM for any administrative access.\r\n6. Avoid storing secrets in databases or configuration files.", null),
-            new Recommendation("2", "test 1", "this is **bold and *italic* and** but this is \\*\\*not\\*\\* this is `new block` and this is \\`not a block\\`", null),
-            new Recommendation("1", "test 1", "this is [link test](http://www.google.com) and now **in bold [google](http://www.google.com?q=test&t=now) *italic* and bold**", null),
+            new Threat("4", "test 1", "**Principle:** Confidentiality and Integrity  \r\n**Affected Asset:** All services  \r\n**Threat:** Secrets leaking into unsecured locations are an easy way for adversaries to gain access to a system. These secrets can be used to either spoof the owners of these secrets or, in the case of encryption keys, use them to decrypt data.\r\n\r\n**Mitigation:**\r\n\r\nProper storage and management of secrets is critical in protecting systems from compromises, in most cases, with severe impact.\r\n\r\n1. Never store secrets in code, configuration files or databases. Instead, use a vault or any secure container (such as encrypted variables) to store secrets.\r\n2. Separate application secrets by environment.\r\n3. Rotate all secrets before turning over the application to the customer.\r\n\r\n- Store all secrets, encryption keys and certificates in Key Vault.\r\n- You can use multiple Key Vaults to separate secrets for different and critical services to minimize secrets leaking\r\n- Define and implement secrets rotation strategy. All items in the vault should have expiration dates.", ThreatStatus.NotMitigated, ThreatRisk.High, 1, null,  null),
+            new Threat("3", "test 1", "**Principle:** Confidentiality  \r\n**Affected Asset:** All services  \r\n**Threat:** Broken or non-existent authentication mechanisms may allow attackers to gain access to confidential information.\r\n\r\n**Mitigation:**\r\n\r\nAll services within the Azure Trust Boundary must authenticate all incoming requests, including requests coming from the same network. Proper authorizations should also be applied to prevent unnecessary privileges.\r\n\r\n1. Use Azure AD authentication for centralized identity management.\r\n2. Whenever available, use Azure Managed Identities to authenticate services. Service Principals may be used if Managed Identities are not supported.\r\n3. External users or services may use Username + Passwords, Tokens, or Certificates to authenticate, provided these are stored on Key Vault or any other vaulting solution.\r\n4. For authorization, use Azure RBAC to segregate duties and grant only the least amount of access to perform an action at a particular scope.\r\n5. Leverage AAD PIM for any administrative access.\r\n6. Avoid storing secrets in databases or configuration files.", ThreatStatus.PartiallyMitigated, ThreatRisk.Critical, 2, null, null),
+            new Threat("2", "test 1", "this is **bold and *italic* and** but this is \\*\\*not\\*\\* this is `new block` and this is \\`not a block\\`", ThreatStatus.Mitigated, ThreatRisk.Medium, 3, null, null),
+            new Threat("1", "test 1", "this is [link test](http://www.google.com) and now **in bold [google](http://www.google.com?q=test&t=now) *italic* and bold**", ThreatStatus.NotEvaluated, ThreatRisk.NotEvaluated, 4, null, null),
         };
 
         var wordTemplate = File.ReadAllBytes("template.docx");
 
         var stream = new MemoryStream();
         stream.Write(wordTemplate, 0, wordTemplate.Length);
 
-        OpenXmlHelper.AddThreats(stream, recommendations, null);
+        OpenXmlHelper.AddThreats(stream, threats, null);
 
         File.WriteAllBytes("result2.docx", stream.ToArray());
     }

diff --git a/src/Crisp.Core/Helpers/MarkdownReportHelper.cs b/src/Crisp.Core/Helpers/MarkdownReportHelper.cs
@@ -32,7 +32,7 @@ public static string GenerateThreatModelPropertiesSection(ThreatModel threatMode
         return section.ToString().TrimEnd(Environment.NewLine.ToCharArray());
     }
 
-    public static string GenerateResourcesRecommendationsForThreat(Recommendation threat,
+    public static string GenerateResourcesRecommendationsForThreat(Threat threat,
         IDictionary<string, IEnumerable<SecurityBenchmark>>? benchmarks)
     {
         if (threat.BenchmarkIds is null || !threat.BenchmarkIds.Any() || benchmarks is null)

diff --git a/src/Crisp.Core/Helpers/OpenXmlHelper.cs b/src/Crisp.Core/Helpers/OpenXmlHelper.cs
@@ -63,7 +63,7 @@ public static void AddDataflowAttributes(Stream stream, IEnumerable<DataflowAttr
         }
     }
 
-    public static void AddThreats(Stream stream, IEnumerable<Recommendation> threats,
+    public static void AddThreats(Stream stream, IEnumerable<Threat> threats,
         IDictionary<string, IEnumerable<SecurityBenchmark>>? benchmarks)
     {
         using var document = WordprocessingDocument.Open(stream, isEditable: true);

diff --git a/src/Crisp.Core/Models/Threat.cs b/src/Crisp.Core/Models/Threat.cs
@@ -0,0 +1,29 @@
+namespace Crisp.Core.Models;
+
+public enum ThreatStatus
+{
+    NotEvaluated,
+    NotMitigated,
+    PartiallyMitigated,
+    Mitigated
+}
+
+public enum ThreatRisk
+{
+    NotEvaluated,
+    Critical,
+    High,
+    Medium,
+    Low
+}
+
+public record Threat(
+    string Id,
+    string Title,
+    string Description,
+    ThreatStatus Status,
+    ThreatRisk Risk,
+    int OrderIndex,
+    IEnumerable<ThreatRecommendation>? Recommendations,
+    IEnumerable<string>? BenchmarkIds
+);
diff --git a/src/Crisp.Core/Models/ThreatModel.cs b/src/Crisp.Core/Models/ThreatModel.cs
@@ -19,7 +19,7 @@ public record ThreatModel(
     DateTime? UpdatedAt,
     bool AddResourcesRecommendations,
     IEnumerable<DataflowAttribute> DataflowAttributes,
-    IEnumerable<Recommendation> Threats,
+    IEnumerable<Threat> Threats,
     IDictionary<string, string>? Images,
     IEnumerable<string>? Resources
 ) : IStorableItem;
diff --git a/src/Crisp.Core/Models/ThreatRecommendation.cs b/src/Crisp.Core/Models/ThreatRecommendation.cs
@@ -0,0 +1,8 @@
+namespace Crisp.Core.Models;
+
+public record ThreatRecommendation(
+    string Id,
+    string Title,
+    string Description,
+    int OrderIndex
+);