feat(policies): expand data category grouping structure (#194)

* feat: update category grouping JSON file * feat: handle multiple groups per category * refactor: rework policies and extract common functions * refactor: rework policy output to handle new policy_breach structure * chore: update snapshots
Bearer · Dec 6, 2022 · a9f52d4 · a9f52d4
1 parent fcea3bb
commit a9f52d4
Show file tree

Hide file tree

Showing 19 changed files with 756 additions and 360 deletions.
diff --git a/integration/flags/.snapshots/TestInitCommand-init b/integration/flags/.snapshots/TestInitCommand-init
diff --git a/integration/flags/.snapshots/TestReportFlags-report-policies b/integration/flags/.snapshots/TestReportFlags-report-policies
@@ -1,9 +1,10 @@
-critical:
+high:
     - policy_name: Logger leaking
       policy_description: Logger leaks detected
       line_number: 1
       filename: testdata/policies/users.rb
-      category_group: Personal data
+      category_group:
+        - PII
       parent_line_number: 1
       parent_content: logger.info(user.address)
 

diff --git a/integration/policies/.snapshots/TestPolicies-http_get_parameters b/integration/policies/.snapshots/TestPolicies-http_get_parameters
@@ -1,19 +1,22 @@
 critical:
     - policy_name: HTTP GET parameters
       policy_description: Sending data as HTTP GET parameters
-      line_number: 4
+      line_number: 1
       filename: testdata/ruby/http_get_parameters.rb
-      category_group: Personal data
-      parent_line_number: 5
-      parent_content: URI.encode_www_form(user)
+      category_group:
+        - PII
+        - Sensitive data
+      parent_line_number: 1
+      parent_content: URI("http://my.api.com/users/search?ethnic_origin=#{user_1.ethnic_origin}")
 high:
     - policy_name: HTTP GET parameters
       policy_description: Sending data as HTTP GET parameters
-      line_number: 1
+      line_number: 4
       filename: testdata/ruby/http_get_parameters.rb
-      category_group: Sensitive data
-      parent_line_number: 1
-      parent_content: URI("http://my.api.com/users/search?ethnic_origin=#{user_1.ethnic_origin}")
+      category_group:
+        - PII
+      parent_line_number: 5
+      parent_content: URI.encode_www_form(user)
 
 
 --

diff --git a/integration/policies/.snapshots/TestPolicies-insecure_communication_with_sensitive_data b/integration/policies/.snapshots/TestPolicies-insecure_communication_with_sensitive_data
@@ -3,7 +3,9 @@ medium:
       policy_description: Insecure communication in an application processing sensitive data
       line_number: 8
       filename: testdata/ruby/insecure_communication/with_sensitive_data.rb
-      category_group: Sensitive data
+      category_group:
+        - PII
+        - Sensitive data
       parent_line_number: 1
       parent_content: |-
         # Insecure communication

diff --git a/integration/policies/.snapshots/TestPolicies-insecure_ftp_with_sensitive_data b/integration/policies/.snapshots/TestPolicies-insecure_ftp_with_sensitive_data
@@ -3,7 +3,9 @@ medium:
       policy_description: Communication with insecure FTP in an application processing sensitive data
       line_number: 10
       filename: testdata/ruby/insecure_ftp/with_sensitive_data.rb
-      category_group: sensitive data
+      category_group:
+        - PII
+        - Sensitive data
       parent_line_number: 10
       parent_content: Net::FTP::new("ftp.ruby-lang.org")
 

diff --git a/integration/policies/.snapshots/TestPolicies-insecure_smtp_with_sensitive_data b/integration/policies/.snapshots/TestPolicies-insecure_smtp_with_sensitive_data
@@ -2,8 +2,9 @@ medium:
     - policy_name: Insecure SMTP
       policy_description: Communication with insecure SMTP in an application processing sensitive data
       line_number: 8
-      filename: testdata/ruby/insecure_smtp/with_sensitive_data.rb
-      category_group: Sensitive data
+      category_group:
+        - PII
+        - Sensitive data
       parent_line_number: 1
       parent_content: |-
         # Insecure SMTP
@@ -40,8 +41,9 @@ medium:
     - policy_name: Insecure SMTP
       policy_description: Communication with insecure SMTP in an application processing sensitive data
       line_number: 14
-      filename: testdata/ruby/insecure_smtp/with_sensitive_data.rb
-      category_group: Sensitive data
+      category_group:
+        - PII
+        - Sensitive data
       parent_line_number: 1
       parent_content: |-
         # Insecure SMTP

diff --git a/integration/policies/.snapshots/TestPolicies-logger_leaking b/integration/policies/.snapshots/TestPolicies-logger_leaking
@@ -1,9 +1,10 @@
-critical:
+high:
     - policy_name: Logger leaking
       policy_description: Logger leaks detected
       line_number: 1
       filename: testdata/ruby/logger_leaking.rb
-      category_group: Personal data
+      category_group:
+        - PII
       parent_line_number: 1
       parent_content: logger.info(user.address)
 

diff --git a/pkg/classification/db/category_grouping.json b/pkg/classification/db/category_grouping.json
@@ -1,100 +1,169 @@
 {
   "groups": {
-    "e1d3135b-3c0f-4b55-abce-19f27a26cbb3": "Personal data",
-    "f6a0c071-5908-4420-bac2-bba28d41223e": "Sensitive data"
+    "e1d3135b-3c0f-4b55-abce-19f27a26cbb3": {
+      "name": "Personal data",
+      "parent_uuids": []
+    },
+    "247fa503-115b-490a-96e5-bcd357bd5686": {
+      "name": "PHI",
+      "parent_uuids": [
+        "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      ]
+    },
+    "172d90e3-cb9a-46b6-90e5-dd7169c3af54": {
+      "name": "PII",
+      "parent_uuids": [
+        "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      ]
+    },
+    "f6a0c071-5908-4420-bac2-bba28d41223e": {
+      "name": "Sensitive data",
+      "parent_uuids": []
+    }
   },
   "category_mapping": {
     "dd88aee5-9d40-4ad2-8983-0c791ddec47c": {
       "name": "Authenticating",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54"
+      ]
     },
     "8099225c-7e49-414f-aac2-e7045379bb40": {
       "name": "Behavioral Information",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      ]
     },
     "79a36d6e-c5ca-4f61-ba53-0d7ad42cbe5a": {
       "name": "Communication",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54"
+      ]
     },
     "b5a3b0fd-dd5c-420d-91ce-dd2dddc8cc38": {
       "name": "Computer Device",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      ]
     },
     "cef587dd-76db-430b-9e18-7b031e1a193b": {
       "name": "Contact",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54"
+      ]
     },
     "4eda81b6-1314-47e2-bc4e-59d6024be4f4": {
       "name": "Credit History",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54"
+      ]
     },
     "5ab40519-89e8-4e4e-b2ef-2dabc13b352a": {
       "name": "Criminal Records",
-      "group_uuid": "f6a0c071-5908-4420-bac2-bba28d41223e"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54",
+        "f6a0c071-5908-4420-bac2-bba28d41223e"
+      ]
     },
     "c3119d43-0562-48ac-9a8e-7217aa8686b8": {
       "name": "Demographic",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54"
+      ]
     },
     "35b94efa-9b67-49b2-abb9-29b6a759a030": {
       "name": "Ethnicity",
-      "group_uuid": "f6a0c071-5908-4420-bac2-bba28d41223e"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54",
+        "f6a0c071-5908-4420-bac2-bba28d41223e"
+      ]
     },
     "e4d1e39a-6380-4da0-9596-642777f1b76d": {
       "name": "Family",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54"
+      ]
     },
     "7a794bd6-a6d1-429d-91a2-377acce9e9db": {
       "name": "Financial Accounts",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54"
+      ]
     },
     "14124881-6b92-4fc5-8005-ea7c1c09592e": {
       "name": "Identification",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
-    },
-    "623a4f94-0e23-411e-9bb3-481602f1757d": {
-      "name": "Knowledge and Belief",
-      "group_uuid": "f6a0c071-5908-4420-bac2-bba28d41223e"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54"
+      ]
     },
     "c6622b62-bc22-4c0c-a2e4-5fc97d99e11a": {
       "name": "Location",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54"
+      ]
     },
     "7b1d36e7-46f9-4664-85a2-44fb15fbefd1": {
       "name": "Medical and Health",
-      "group_uuid": "f6a0c071-5908-4420-bac2-bba28d41223e"
+      "group_uuids": [
+        "247fa503-115b-490a-96e5-bcd357bd5686",
+        "f6a0c071-5908-4420-bac2-bba28d41223e"
+      ]
     },
     "ebaa9c6a-8fbf-4e45-85e1-40799dfac414": {
       "name": "Personal Ownership",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54"
+      ]
     },
     "94007e1e-57d8-43e8-90f2-246236dc5dde": {
       "name": "Physical Characteristic",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54"
+      ]
     },
     "bc536e1e-e0d1-4b88-96d2-a2eaad1620d4": {
       "name": "Preference",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      ]
     },
     "ef613213-a222-4c01-ae38-c3043b68f738": {
       "name": "Professional Information",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54"
+      ]
     },
     "e354099e-b80c-47b5-a86c-8d936b520387": {
       "name": "Public Life",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54"
+      ]
+    },
+    "623a4f94-0e23-411e-9bb3-481602f1757d": {
+      "name": "Religion, Philosophical, Political Beliefs",
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54",
+        "f6a0c071-5908-4420-bac2-bba28d41223e"
+      ]
     },
     "1d4000a7-93ec-4dd5-9f3b-0f2ff7026a0c": {
       "name": "Sexual",
-      "group_uuid": "f6a0c071-5908-4420-bac2-bba28d41223e"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54",
+        "f6a0c071-5908-4420-bac2-bba28d41223e"
+      ]
     },
     "68631dba-5696-4cc0-b6a8-0175ca99a7a2": {
       "name": "Social Network",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54"
+      ]
     },
     "deda0a0f-029c-44ee-9cac-9f059866723e": {
       "name": "Transactional",
-      "group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+      "group_uuids": [
+        "172d90e3-cb9a-46b6-90e5-dd7169c3af54"
+      ]
     }
   }
 }
diff --git a/pkg/classification/db/db.go b/pkg/classification/db/db.go
@@ -62,15 +62,25 @@ type DataType struct {
 }
 
 type DataCategory struct {
-	Name      string `json:"name" yaml:"name"`
-	UUID      string `json:"uuid,omitempty" yaml:"uuid,omitempty"`
-	GroupUUID string `json:"group_uuid,omitempty" yaml:"group_uuid,omitempty"`
-	GroupName string `json:"group_name,omitempty" yaml:"group_name,omitempty"`
+	Name   string                       `json:"name" yaml:"name"`
+	UUID   string                       `json:"uuid" yaml:"uuid"`
+	Groups map[string]DataCategoryGroup `json:"groups" yaml:"groups"`
+}
+
+type DataCategoryGroup struct {
+	Name string `json:"name" yaml:"name"`
+	UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"`
 }
 
 type DataCategoryGrouping struct {
-	Groups          map[string]string       `json:"groups"`
-	CategoryMapping map[string]DataCategory `json:"category_mapping"`
+	Groups map[string]struct {
+		Name        string   `json:"name" yaml:"name"`
+		ParentUUIDs []string `json:"parent_uuids,omitempty" yaml:"parent_uuids,omitempty"`
+	} `json:"groups"`
+	CategoryMapping map[string]struct {
+		Name       string   `json:"name" yaml:"name"`
+		GroupUUIDs []string `json:"group_uuids" yaml:"group_uuids"`
+	} `json:"category_mapping"`
 }
 
 type ObjectType string
@@ -183,9 +193,23 @@ func defaultDataCategories() []DataCategory {
 			handleError(err)
 		}
 
+		// Add all category groups
+		dataCategory.Groups = make(map[string]DataCategoryGroup)
 		categoryFromMapping := dataCategoryGrouping.CategoryMapping[dataCategory.UUID]
-		dataCategory.GroupUUID = categoryFromMapping.GroupUUID
-		dataCategory.GroupName = dataCategoryGrouping.Groups[categoryFromMapping.GroupUUID]
+		for _, groupUUID := range categoryFromMapping.GroupUUIDs {
+			group := dataCategoryGrouping.Groups[groupUUID]
+			dataCategory.Groups[groupUUID] = DataCategoryGroup{
+				Name: group.Name,
+				UUID: groupUUID,
+			}
+			// add parent group if present
+			for _, parentUUID := range group.ParentUUIDs {
+				dataCategory.Groups[parentUUID] = DataCategoryGroup{
+					Name: group.Name,
+					UUID: parentUUID,
+				}
+			}
+		}
 
 		dataCategories = append(dataCategories, dataCategory)
 	}