fix(policies): policy determines severity of policy breach (#152)

* fix: remove severity from data categories

* fix: add group UUID to data category when initialising DB

* feat: calculate policy breach severity based on data category grouping

* fix: replace data type name with category name

* chore: update snapshots

* fix: include category group name in category

integration/flags/.snapshots/TestReportFlags-report-policies

@@ -1,5 +1,5 @@
 - result:
-    - data_type: Physical Address
+    - category_group: Personal data
       filename: users.rb
       line_number: "1"
       policy_description: Logger leaks detected

pkg/classification/db/category_grouping.json

@@ -0,0 +1,100 @@
+{
+  "groups": {
+    "e1d3135b-3c0f-4b55-abce-19f27a26cbb3": "Personal data",
+    "f6a0c071-5908-4420-bac2-bba28d41223e": "Sensitive data"
+  },
+  "category_mapping": {
+    "dd88aee5-9d40-4ad2-8983-0c791ddec47c": {
+      "name": "Authenticating",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "8099225c-7e49-414f-aac2-e7045379bb40": {
+      "name": "Behavioral Information",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "79a36d6e-c5ca-4f61-ba53-0d7ad42cbe5a": {
+      "name": "Communication",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "b5a3b0fd-dd5c-420d-91ce-dd2dddc8cc38": {
+      "name": "Computer Device",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "cef587dd-76db-430b-9e18-7b031e1a193b": {
+      "name": "Contact",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "4eda81b6-1314-47e2-bc4e-59d6024be4f4": {
+      "name": "Credit History",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "5ab40519-89e8-4e4e-b2ef-2dabc13b352a": {
+      "name": "Criminal Records",
+      "group_uuid": "f6a0c071-5908-4420-bac2-bba28d41223e"
+    },
+    "c3119d43-0562-48ac-9a8e-7217aa8686b8": {
+      "name": "Demographic",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "35b94efa-9b67-49b2-abb9-29b6a759a030": {
+      "name": "Ethnicity",
+      "group_uuid": "f6a0c071-5908-4420-bac2-bba28d41223e"
+    },
+    "e4d1e39a-6380-4da0-9596-642777f1b76d": {
+      "name": "Family",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "7a794bd6-a6d1-429d-91a2-377acce9e9db": {
+      "name": "Financial Accounts",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "14124881-6b92-4fc5-8005-ea7c1c09592e": {
+      "name": "Identification",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "623a4f94-0e23-411e-9bb3-481602f1757d": {
+      "name": "Knowledge and Belief",
+      "group_uuid": "f6a0c071-5908-4420-bac2-bba28d41223e"
+    },
+    "c6622b62-bc22-4c0c-a2e4-5fc97d99e11a": {
+      "name": "Location",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "7b1d36e7-46f9-4664-85a2-44fb15fbefd1": {
+      "name": "Medical and Health",
+      "group_uuid": "f6a0c071-5908-4420-bac2-bba28d41223e"
+    },
+    "ebaa9c6a-8fbf-4e45-85e1-40799dfac414": {
+      "name": "Personal Ownership",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "94007e1e-57d8-43e8-90f2-246236dc5dde": {
+      "name": "Physical Characteristic",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "bc536e1e-e0d1-4b88-96d2-a2eaad1620d4": {
+      "name": "Preference",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "ef613213-a222-4c01-ae38-c3043b68f738": {
+      "name": "Professional Information",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "e354099e-b80c-47b5-a86c-8d936b520387": {
+      "name": "Public Life",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "1d4000a7-93ec-4dd5-9f3b-0f2ff7026a0c": {
+      "name": "Sexual",
+      "group_uuid": "f6a0c071-5908-4420-bac2-bba28d41223e"
+    },
+    "68631dba-5696-4cc0-b6a8-0175ca99a7a2": {
+      "name": "Social Network",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    },
+    "deda0a0f-029c-44ee-9cac-9f059866723e": {
+      "name": "Transactional",
+      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+    }
+  }
+}

pkg/classification/db/data_categories/authenticating.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Authenticating",
-  "severity": "critical",
   "uuid": "dd88aee5-9d40-4ad2-8983-0c791ddec47c"
 }

pkg/classification/db/data_categories/behavioral_information.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Behavioral Information",
-  "severity": "high",
   "uuid": "8099225c-7e49-414f-aac2-e7045379bb40"
 }

pkg/classification/db/data_categories/communication.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Communication",
-  "severity": "high",
   "uuid": "79a36d6e-c5ca-4f61-ba53-0d7ad42cbe5a"
 }

pkg/classification/db/data_categories/computer_device.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Computer Device",
-  "severity": "medium",
   "uuid": "b5a3b0fd-dd5c-420d-91ce-dd2dddc8cc38"
 }

pkg/classification/db/data_categories/contact.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Contact",
-  "severity": "high",
   "uuid": "cef587dd-76db-430b-9e18-7b031e1a193b"
 }

pkg/classification/db/data_categories/credit_history.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Credit History",
-  "severity": "medium",
   "uuid": "4eda81b6-1314-47e2-bc4e-59d6024be4f4"
 }

pkg/classification/db/data_categories/criminal_records.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Criminal Records",
-  "severity": "high",
   "uuid": "5ab40519-89e8-4e4e-b2ef-2dabc13b352a"
 }

pkg/classification/db/data_categories/demographic.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Demographic",
-  "severity": "medium",
   "uuid": "c3119d43-0562-48ac-9a8e-7217aa8686b8"
 }

pkg/classification/db/data_categories/ethnicity.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Ethnicity",
-  "severity": "medium",
   "uuid": "35b94efa-9b67-49b2-abb9-29b6a759a030"
 }

pkg/classification/db/data_categories/family.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Family",
-  "severity": "medium",
   "uuid": "e4d1e39a-6380-4da0-9596-642777f1b76d"
 }

pkg/classification/db/data_categories/financial_accounts.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Financial Accounts",
-  "severity": "high",
   "uuid": "7a794bd6-a6d1-429d-91a2-377acce9e9db"
 }

pkg/classification/db/data_categories/identification.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Identification",
-  "severity": "critical",
   "uuid": "14124881-6b92-4fc5-8005-ea7c1c09592e"
 }

pkg/classification/db/data_categories/knowledge_and_belief.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Knowledge and Belief",
-  "severity": "medium",
   "uuid": "623a4f94-0e23-411e-9bb3-481602f1757d"
 }

pkg/classification/db/data_categories/location.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Location",
-  "severity": "high",
   "uuid": "c6622b62-bc22-4c0c-a2e4-5fc97d99e11a"
 }

pkg/classification/db/data_categories/medical_and_health.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Medical and Health",
-  "severity": "high",
   "uuid": "7b1d36e7-46f9-4664-85a2-44fb15fbefd1"
 }

pkg/classification/db/data_categories/personal_ownership.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Personal Ownership",
-  "severity": "high",
   "uuid": "ebaa9c6a-8fbf-4e45-85e1-40799dfac414"
 }

pkg/classification/db/data_categories/physical_characteristic.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Physical Characteristic",
-  "severity": "high",
   "uuid": "94007e1e-57d8-43e8-90f2-246236dc5dde"
 }

pkg/classification/db/data_categories/preference.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Preference",
-  "severity": "medium",
   "uuid": "bc536e1e-e0d1-4b88-96d2-a2eaad1620d4"
 }

pkg/classification/db/data_categories/professional_information.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Professional Information",
-  "severity": "high",
   "uuid": "ef613213-a222-4c01-ae38-c3043b68f738"
 }

pkg/classification/db/data_categories/public_life.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Public Life",
-  "severity": "high",
   "uuid": "e354099e-b80c-47b5-a86c-8d936b520387"
 }

pkg/classification/db/data_categories/sexual.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Sexual",
-  "severity": "high",
   "uuid": "1d4000a7-93ec-4dd5-9f3b-0f2ff7026a0c"
 }

pkg/classification/db/data_categories/social_network.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Social Network",
-  "severity": "medium",
   "uuid": "68631dba-5696-4cc0-b6a8-0175ca99a7a2"
 }

pkg/classification/db/data_categories/transactional.json

@@ -1,6 +1,5 @@
 {
   "metadata": { "version": "1.0" },
   "name": "Transactional",
-  "severity": "high",
   "uuid": "deda0a0f-029c-44ee-9cac-9f059866723e"
 }

pkg/classification/db/db.go

@@ -25,6 +25,9 @@ var dataTypeClassificationPatternsDir embed.FS
 //go:embed known_person_object_patterns
 var knownPersonObjectPatternsDir embed.FS
 
+//go:embed category_grouping.json
+var categoryGroupingFile embed.FS
+
 type DefaultDB struct {
 	Recipes                        []Recipe
 	DataTypes                      []DataType
@@ -59,9 +62,15 @@ type DataType struct {
 }
 
 type DataCategory struct {
-	Name     string `json:"name" yaml:"name"`
-	UUID     string `json:"uuid" yaml:"uuid"`
-	Severity string `json:"severity" yaml:"severity"`
+	Name      string `json:"name" yaml:"name"`
+	UUID      string `json:"uuid,omitempty" yaml:"uuid,omitempty"`
+	GroupUUID string `json:"group_uuid,omitempty" yaml:"group_uuid,omitempty"`
+	GroupName string `json:"group_name,omitempty" yaml:"group_name,omitempty"`
+}
+
+type DataCategoryGrouping struct {
+	Groups          map[string]string       `json:"groups"`
+	CategoryMapping map[string]DataCategory `json:"category_mapping"`
 }
 
 type ObjectType string
@@ -144,6 +153,18 @@ func defaultRecipes() []Recipe {
 func defaultDataCategories() []DataCategory {
 	dataCategories := []DataCategory{}
 
+	categoryGroupingJson, err := categoryGroupingFile.ReadFile("category_grouping.json")
+	if err != nil {
+		handleError(err)
+	}
+
+	var dataCategoryGrouping DataCategoryGrouping
+	rawBytes := []byte(categoryGroupingJson)
+	err = json.Unmarshal(rawBytes, &dataCategoryGrouping)
+	if err != nil {
+		handleError(err)
+	}
+
 	files, err := dataCategoriesDir.ReadDir("data_categories")
 	if err != nil {
 		handleError(err)
@@ -162,6 +183,10 @@ func defaultDataCategories() []DataCategory {
 			handleError(err)
 		}
 
+		categoryFromMapping := dataCategoryGrouping.CategoryMapping[dataCategory.UUID]
+		dataCategory.GroupUUID = categoryFromMapping.GroupUUID
+		dataCategory.GroupName = dataCategoryGrouping.Groups[categoryFromMapping.GroupUUID]
+
 		dataCategories = append(dataCategories, dataCategory)
 	}
 

pkg/commands/process/settings/policies/logger_leaks.rego

@@ -2,6 +2,9 @@ package bearer.logger_leaks
 
 import future.keywords
 
+sensitive_data_group_uuid := "f6a0c071-5908-4420-bac2-bba28d41223e"
+personal_data_group_uuid := "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+
 result[item] {
     some detector in input.dataflow.risks
     detector.detector_id == input.policy_id
@@ -10,14 +13,37 @@ result[item] {
 
     some category in input.data_categories
     category.uuid == data_type.category_uuid
+    category.group_uuid == sensitive_data_group_uuid
 
     location = data_type.locations[_]
     item := {
+        "policy_id": input.policy_id,
+        "policy_name": input.policy_name,
         "policy_description": input.policy_description,
+        "severity": "critical",
+        "category_group": category.group_name,
+        "filename": location.filename,
+        "line_number": location.line_number
+    }
+}
+
+result[item] {
+    some detector in input.dataflow.risks
+    detector.detector_id == input.policy_id
+
+    data_type = detector.data_types[_]
+
+    some category in input.data_categories
+    category.uuid == data_type.category_uuid
+    category.group_uuid == personal_data_group_uuid
+
+    location = data_type.locations[_]
+    item := {
         "policy_id": input.policy_id,
         "policy_name": input.policy_name,
-        "data_type": data_type.name,
-        "severity": category.severity,
+        "policy_description": input.policy_description,
+        "severity": "high",
+        "category_group": category.group_name,
         "filename": location.filename,
         "line_number": location.line_number
     }