feat(policies): add risk severity via data category (#124)

* feat: add category to dataflow risk datatype * feat: add data category files * feat: pass data categories to rego policy * feat: update severity levels to Delibr spec * feat: pass policy name and description to rego chore: update snapshots * fix: don't blow up if policy returns no results * feat: add policy information to location feat: add policy "id" to policy type * fix: prefer results to locations
Bearer · Nov 17, 2022 · aecc710 · aecc710
1 parent 56e9f2e
commit aecc710
Show file tree

Hide file tree

Showing 33 changed files with 366 additions and 30 deletions.
diff --git a/integration/flags/.snapshots/TestReportFlags-report-policies b/integration/flags/.snapshots/TestReportFlags-report-policies
@@ -1,7 +1,18 @@
-- level: warning
-  locations:
-    - filename: users.rb
+- result:
+    - data_type: Physical Address
+      filename: users.rb
       line_number: "1"
+      policy_description: Logger leaks detected
+      policy_id: detect_ruby_logger
+      policy_name: Logger leaks
+      severity: high
+    - data_type: Unique Identifier
+      filename: users.rb
+      line_number: "1"
+      policy_description: Logger leaks detected
+      policy_id: detect_ruby_logger
+      policy_name: Logger leaks
+      severity: critical
 
 
 --

diff --git a/pkg/classification/db/data_categories/authenticating.json b/pkg/classification/db/data_categories/authenticating.json
@@ -0,0 +1,8 @@
+{
+  "metadata": {
+    "version": "1.0"
+  },
+  "uuid": "12f0efe5-ee25-4688-b111-4b8b120fcd96",
+  "name": "Authenticating",
+  "severity": "critical"
+}
diff --git a/pkg/classification/db/data_categories/behavioral_information.json b/pkg/classification/db/data_categories/behavioral_information.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "fbd60d10-7408-4d52-9d9b-7d9cdf633099",
+  "name": "Behavioral Information",
+  "severity": "high"
+}
diff --git a/pkg/classification/db/data_categories/communication.json b/pkg/classification/db/data_categories/communication.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "b089d17c-9fcb-45f3-8b14-f2dc9eac26a6",
+  "name": "Communication",
+  "severity": "high"
+}
diff --git a/pkg/classification/db/data_categories/computer_device.json b/pkg/classification/db/data_categories/computer_device.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "5e116e08-9d86-4b78-b2af-b345e82e1e9b",
+  "name": "Computer Device",
+  "severity": "medium"
+}
diff --git a/pkg/classification/db/data_categories/contact.json b/pkg/classification/db/data_categories/contact.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "e22bfd4a-9afe-4b6f-9436-33bc9c034798",
+  "name": "Contact",
+  "severity": "high"
+}
diff --git a/pkg/classification/db/data_categories/credit_history.json b/pkg/classification/db/data_categories/credit_history.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "ff748c7f-8cf7-40aa-b398-242983f54dfa",
+  "name": "Credit History",
+  "severity": "medium"
+}
diff --git a/pkg/classification/db/data_categories/criminal_records.json b/pkg/classification/db/data_categories/criminal_records.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "a997f160-35ba-495d-8fe3-4ea546a4beee",
+  "name": "Criminal Records",
+  "severity": "high"
+}
diff --git a/pkg/classification/db/data_categories/demographic.json b/pkg/classification/db/data_categories/demographic.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "57880e92-e6f8-48a9-9b05-e3ebc4dbe919",
+  "name": "Demographic",
+  "severity": "medium"
+}
diff --git a/pkg/classification/db/data_categories/ethnicity.json b/pkg/classification/db/data_categories/ethnicity.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "d4191777-ed6b-4aa7-bd3f-e9b4130baa99",
+  "name": "Ethnicity",
+  "severity": "medium"
+}
diff --git a/pkg/classification/db/data_categories/family.json b/pkg/classification/db/data_categories/family.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "478b57e8-bfe5-474e-8dad-8581da06475d",
+  "name": "Family",
+  "severity": "medium"
+}
diff --git a/pkg/classification/db/data_categories/financial_accounts.json b/pkg/classification/db/data_categories/financial_accounts.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "b1740ff1-64c1-453e-ba80-91d238b0692e",
+  "name": "Financial Accounts",
+  "severity": "high"
+}
diff --git a/pkg/classification/db/data_categories/identification.json b/pkg/classification/db/data_categories/identification.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "f72d3ea0-d7a2-4279-8686-59da3780c211",
+  "name": "Identification",
+  "severity": "critical"
+}
diff --git a/pkg/classification/db/data_categories/knowledge_and_belief.json b/pkg/classification/db/data_categories/knowledge_and_belief.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "5ca4d3b7-8500-4b42-9357-f555b006fd30",
+  "name": "Knowledge and Belief",
+  "severity": "medium"
+}
diff --git a/pkg/classification/db/data_categories/location.json b/pkg/classification/db/data_categories/location.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "75b53b6a-2257-4be7-b3b1-1f4b0367e3f7",
+  "name": "Location",
+  "severity": "high"
+}
diff --git a/pkg/classification/db/data_categories/medical_and_health.json b/pkg/classification/db/data_categories/medical_and_health.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "0fbee18e-4d96-4d8e-b8f6-bc5b04bba2f3",
+  "name": "Medical and Health",
+  "severity": "high"
+}
diff --git a/pkg/classification/db/data_categories/personal_ownership.json b/pkg/classification/db/data_categories/personal_ownership.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "df05de69-b59b-4d11-8d58-71a51b1102f8",
+  "name": "Personal Ownership",
+  "severity": "high"
+}
diff --git a/pkg/classification/db/data_categories/physical_characteristic.json b/pkg/classification/db/data_categories/physical_characteristic.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "9555eb1f-f18d-47aa-b081-7513258fe039",
+  "name": "Physical Characteristic",
+  "severity": "high"
+}
diff --git a/pkg/classification/db/data_categories/preference.json b/pkg/classification/db/data_categories/preference.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "6fac9d01-6831-47ea-a4e1-94f62e963e45",
+  "name": "Preference",
+  "severity": "medium"
+}
diff --git a/pkg/classification/db/data_categories/professional_information.json b/pkg/classification/db/data_categories/professional_information.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "f04418cb-14d9-4739-938e-2cc0666cd0cf",
+  "name": "Professional Information",
+  "severity": "high"
+}
diff --git a/pkg/classification/db/data_categories/public_life.json b/pkg/classification/db/data_categories/public_life.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "2951ab57-8c24-4123-932f-e24608fb8c2d",
+  "name": "Public Life",
+  "severity": "high"
+}
diff --git a/pkg/classification/db/data_categories/sexual.json b/pkg/classification/db/data_categories/sexual.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "1825df39-1aeb-4c96-9e0a-cdbbcde8d792",
+  "name": "Sexual",
+  "severity": "high"
+}
diff --git a/pkg/classification/db/data_categories/social_network.json b/pkg/classification/db/data_categories/social_network.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "dee7b0c2-74cd-4632-8a59-87b25a875835",
+  "name": "Social Network",
+  "severity": "medium"
+}
diff --git a/pkg/classification/db/data_categories/transactional.json b/pkg/classification/db/data_categories/transactional.json
@@ -0,0 +1,6 @@
+{
+  "metadata": { "version": "1.0" },
+  "uuid": "aee749bc-ec52-49c8-9603-3620eff0a165",
+  "name": "Transactional",
+  "severity": "high"
+}
diff --git a/pkg/classification/db/db.go b/pkg/classification/db/db.go
@@ -16,6 +16,9 @@ var recipesDir embed.FS
 //go:embed data_types
 var dataTypesDir embed.FS
 
+//go:embed data_categories
+var dataCategoriesDir embed.FS
+
 //go:embed data_type_classification_patterns
 var dataTypeClassificationPatternsDir embed.FS
 
@@ -25,6 +28,7 @@ var knownPersonObjectPatternsDir embed.FS
 type DefaultDB struct {
 	Recipes                        []Recipe
 	DataTypes                      []DataType
+	DataCategories                 []DataCategory
 	DataTypeClassificationPatterns []DataTypeClassificationPattern
 	KnownPersonObjectPatterns      []KnownPersonObjectPattern
 }
@@ -54,6 +58,12 @@ type DataType struct {
 	UUID             string `json:"uuid"`
 }
 
+type DataCategory struct {
+	Name     string `json:"name"`
+	Severity string `json:"severity"`
+	UUID     string `json:"uuid"`
+}
+
 type ObjectType string
 
 var KnownObject ObjectType = "known"
@@ -98,6 +108,7 @@ func Default() DefaultDB {
 	return DefaultDB{
 		Recipes:                        defaultRecipes(),
 		DataTypes:                      dataTypes,
+		DataCategories:                 defaultDataCategories(),
 		DataTypeClassificationPatterns: defaultDataTypeClassificationPatterns(dataTypes),
 		KnownPersonObjectPatterns:      defaultKnownPersonObjectPatterns(dataTypes),
 	}
@@ -130,6 +141,33 @@ func defaultRecipes() []Recipe {
 	return recipes
 }
 
+func defaultDataCategories() []DataCategory {
+	dataCategories := []DataCategory{}
+
+	files, err := dataCategoriesDir.ReadDir("data_categories")
+	if err != nil {
+		handleError(err)
+	}
+
+	for _, file := range files {
+		val, err := dataCategoriesDir.ReadFile("data_categories/" + file.Name())
+		if err != nil {
+			handleError(err)
+		}
+
+		var dataCategory DataCategory
+		rawBytes := []byte(val)
+		err = json.Unmarshal(rawBytes, &dataCategory)
+		if err != nil {
+			handleError(err)
+		}
+
+		dataCategories = append(dataCategories, dataCategory)
+	}
+
+	return dataCategories
+}
+
 func defaultDataTypes() []DataType {
 	dataTypes := []DataType{}
 

diff --git a/pkg/commands/process/settings/policies.yml b/pkg/commands/process/settings/policies.yml
@@ -1,9 +1,9 @@
 logger_leaks:
-  message: "Logger leaks detected"
-  level: "warning"
+  description: "Logger leaks detected"
+  name: "Logger leaks"
+  id: "detect_ruby_logger"
   query: |
-    level = data.bearer.logger_leaks.level
-    locations = data.bearer.logger_leaks.locations
+    result = data.bearer.logger_leaks.result
   modules:
     - path: policies/logger_leaks.rego
       name: bearer.logger_leaks
diff --git a/pkg/commands/process/settings/policies/logger_leaks.rego b/pkg/commands/process/settings/policies/logger_leaks.rego
@@ -2,16 +2,23 @@ package bearer.logger_leaks
 
 import future.keywords
 
-default level := "none"
+result[item] {
+    some detector in input.dataflow.risks
+    detector.detector_id == input.policy_id
 
+    data_type = detector.data_types[_]
 
-locations[location] {
-    some detector in input.risks
-    detector.detector_id == "detect_ruby_logger"
-    location = detector.data_types[_].locations[_]
-}
+    some category in input.data_categories
+    category.name == data_type.category
 
-level = "warning" if {
-    count(locations) > 0
+    location = data_type.locations[_]
+    item := {
+        "policy_description": input.policy_description,
+        "policy_id": input.policy_id,
+        "policy_name": input.policy_name,
+        "data_type": data_type.name,
+        "severity": category.severity,
+        "filename": location.filename,
+        "line_number": location.line_number
+    }
 }
-
diff --git a/pkg/commands/process/settings/settings.go b/pkg/commands/process/settings/settings.go
@@ -21,15 +21,18 @@ type Config struct {
 
 type policyLevel string
 
-var LevelMedium = "medium"
-var LevelWarning = "warning"
 var LevelCritical = "critical"
+var LevelHigh = "high"
+var LevelMedium = "medium"
+var LevelLow = "low"
 
 type Policy struct {
-	Query   string
-	Message string
-	Modules []*PolicyModule
-	Level   policyLevel
+	Query       string
+	Name        string
+	Id          string
+	Description string
+	Modules     []*PolicyModule
+	Level       policyLevel
 }
 
 type PolicyModule struct {

diff --git a/pkg/report/output/dataflow/risks/risks.go b/pkg/report/output/dataflow/risks/risks.go
@@ -20,8 +20,9 @@ type detectorHolder struct {
 	datatypes map[string]*datatypeHolder // group detectors by detectorName
 }
 type datatypeHolder struct {
-	name  string
-	files map[string]*fileHolder // group files by filename
+	name     string
+	category string
+	files    map[string]*fileHolder // group files by filename
 }
 type fileHolder struct {
 	name       string
@@ -42,14 +43,14 @@ func (holder *Holder) AddSchema(detection detections.Detection) error {
 	}
 
 	if classification.Decision.State == classify.Valid {
-		holder.addDatatype(string(detection.DetectorType), classification.DataType.DataCategoryName, detection.Source.Filename, *detection.Source.LineNumber)
+		holder.addDatatype(string(detection.DetectorType), classification.DataType.DataCategoryName, classification.DataType.DefaultCategory, detection.Source.Filename, *detection.Source.LineNumber)
 	}
 
 	return nil
 }
 
 // addDatatype adds detector to hash list and at the same time blocks duplicates
-func (holder *Holder) addDatatype(ruleName string, datatypeName string, fileName string, lineNumber int) {
+func (holder *Holder) addDatatype(ruleName string, datatypeName string, datatypeCategory string, fileName string, lineNumber int) {
 	// create detector entry if it doesn't exist
 	if _, exists := holder.detectors[ruleName]; !exists {
 		holder.detectors[ruleName] = detectorHolder{
@@ -62,8 +63,9 @@ func (holder *Holder) addDatatype(ruleName string, datatypeName string, fileName
 	// create datatype entry if it doesn't exist
 	if _, exists := detector.datatypes[datatypeName]; !exists {
 		detector.datatypes[datatypeName] = &datatypeHolder{
-			name:  datatypeName,
-			files: make(map[string]*fileHolder),
+			name:     datatypeName,
+			category: datatypeCategory,
+			files:    make(map[string]*fileHolder),
 		}
 	}
 
@@ -102,6 +104,7 @@ func (holder *Holder) ToDataFlow() []types.RiskDetector {
 
 			constructedDatatype := types.RiskDatatype{
 				Name:      datatype.name,
+				Category:  datatype.category,
 				Stored:    stored,
 				Locations: make([]types.RiskLocation, 0),
 			}

diff --git a/pkg/report/output/dataflow/types/risks.go b/pkg/report/output/dataflow/types/risks.go
@@ -7,6 +7,7 @@ type RiskDetector struct {
 
 type RiskDatatype struct {
 	Name      string         `json:"name"`
+	Category  string         `json:"category"`
 	Stored    bool           `json:"stored"`
 	Locations []RiskLocation `json:"locations"`
 }