fix(policies): policy determines severity of policy breach #152

Merged
@@ -1,5 +1,5 @@
- result:
- data_type: Physical Address
- category_group: Personal data
filename: users.rb
line_number: "1"
policy_description: Logger leaks detected
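--- a/pkg/classification/db/category_grouping.json
+++ b/pkg/classification/db/category_grouping.json
@@ -0,0 +1,100 @@
+{
+"groups": {
+"e1d3135b-3c0f-4b55-abce-19f27a26cbb3": "Personal data",
+"f6a0c071-5908-4420-bac2-bba28d41223e": "Sensitive data"
+},
+"category_mapping": {
+"dd88aee5-9d40-4ad2-8983-0c791ddec47c": {
+"name": "Authenticating",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"8099225c-7e49-414f-aac2-e7045379bb40": {
+"name": "Behavioral Information",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"79a36d6e-c5ca-4f61-ba53-0d7ad42cbe5a": {
+"name": "Communication",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"b5a3b0fd-dd5c-420d-91ce-dd2dddc8cc38": {
+"name": "Computer Device",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"cef587dd-76db-430b-9e18-7b031e1a193b": {
+"name": "Contact",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"4eda81b6-1314-47e2-bc4e-59d6024be4f4": {
+"name": "Credit History",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"5ab40519-89e8-4e4e-b2ef-2dabc13b352a": {
+"name": "Criminal Records",
+"group_uuid": "f6a0c071-5908-4420-bac2-bba28d41223e"
+},
+"c3119d43-0562-48ac-9a8e-7217aa8686b8": {
+"name": "Demographic",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"35b94efa-9b67-49b2-abb9-29b6a759a030": {
+"name": "Ethnicity",
+"group_uuid": "f6a0c071-5908-4420-bac2-bba28d41223e"
+},
+"e4d1e39a-6380-4da0-9596-642777f1b76d": {
+"name": "Family",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"7a794bd6-a6d1-429d-91a2-377acce9e9db": {
+"name": "Financial Accounts",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"14124881-6b92-4fc5-8005-ea7c1c09592e": {
+"name": "Identification",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"623a4f94-0e23-411e-9bb3-481602f1757d": {
+"name": "Knowledge and Belief",
+"group_uuid": "f6a0c071-5908-4420-bac2-bba28d41223e"
+},
+"c6622b62-bc22-4c0c-a2e4-5fc97d99e11a": {
+"name": "Location",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"7b1d36e7-46f9-4664-85a2-44fb15fbefd1": {
+"name": "Medical and Health",
+"group_uuid": "f6a0c071-5908-4420-bac2-bba28d41223e"
+},
+"ebaa9c6a-8fbf-4e45-85e1-40799dfac414": {
+"name": "Personal Ownership",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"94007e1e-57d8-43e8-90f2-246236dc5dde": {
+"name": "Physical Characteristic",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"bc536e1e-e0d1-4b88-96d2-a2eaad1620d4": {
+"name": "Preference",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"ef613213-a222-4c01-ae38-c3043b68f738": {
+"name": "Professional Information",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"e354099e-b80c-47b5-a86c-8d936b520387": {
+"name": "Public Life",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"1d4000a7-93ec-4dd5-9f3b-0f2ff7026a0c": {
+"name": "Sexual",
+"group_uuid": "f6a0c071-5908-4420-bac2-bba28d41223e"
+},
+"68631dba-5696-4cc0-b6a8-0175ca99a7a2": {
+"name": "Social Network",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+},
+"deda0a0f-029c-44ee-9cac-9f059866723e": {
+"name": "Transactional",
+"group_uuid": "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"
+}
+}
+}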
1 change: 0 additions & 1 deletion pkg/classification/db/data_categories/authenticating.json
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Authenticating",
"severity": "critical",
"uuid": "dd88aee5-9d40-4ad2-8983-0c791ddec47c"
}
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Behavioral Information",
"severity": "high",
"uuid": "8099225c-7e49-414f-aac2-e7045379bb40"
}
1 change: 0 additions & 1 deletion pkg/classification/db/data_categories/communication.json
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Communication",
"severity": "high",
"uuid": "79a36d6e-c5ca-4f61-ba53-0d7ad42cbe5a"
}
1 change: 0 additions & 1 deletion pkg/classification/db/data_categories/computer_device.json
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Computer Device",
"severity": "medium",
"uuid": "b5a3b0fd-dd5c-420d-91ce-dd2dddc8cc38"
}
1 change: 0 additions & 1 deletion pkg/classification/db/data_categories/contact.json
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Contact",
"severity": "high",
"uuid": "cef587dd-76db-430b-9e18-7b031e1a193b"
}
1 change: 0 additions & 1 deletion pkg/classification/db/data_categories/credit_history.json
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Credit History",
"severity": "medium",
"uuid": "4eda81b6-1314-47e2-bc4e-59d6024be4f4"
}
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Criminal Records",
"severity": "high",
"uuid": "5ab40519-89e8-4e4e-b2ef-2dabc13b352a"
}
1 change: 0 additions & 1 deletion pkg/classification/db/data_categories/demographic.json
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Demographic",
"severity": "medium",
"uuid": "c3119d43-0562-48ac-9a8e-7217aa8686b8"
}
1 change: 0 additions & 1 deletion pkg/classification/db/data_categories/ethnicity.json
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Ethnicity",
"severity": "medium",
"uuid": "35b94efa-9b67-49b2-abb9-29b6a759a030"
}
1 change: 0 additions & 1 deletion pkg/classification/db/data_categories/family.json
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Family",
"severity": "medium",
"uuid": "e4d1e39a-6380-4da0-9596-642777f1b76d"
}
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Financial Accounts",
"severity": "high",
"uuid": "7a794bd6-a6d1-429d-91a2-377acce9e9db"
}
1 change: 0 additions & 1 deletion pkg/classification/db/data_categories/identification.json
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Identification",
"severity": "critical",
"uuid": "14124881-6b92-4fc5-8005-ea7c1c09592e"
}
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Knowledge and Belief",
"severity": "medium",
"uuid": "623a4f94-0e23-411e-9bb3-481602f1757d"
}
1 change: 0 additions & 1 deletion pkg/classification/db/data_categories/location.json
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Location",
"severity": "high",
"uuid": "c6622b62-bc22-4c0c-a2e4-5fc97d99e11a"
}
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Medical and Health",
"severity": "high",
"uuid": "7b1d36e7-46f9-4664-85a2-44fb15fbefd1"
}
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Personal Ownership",
"severity": "high",
"uuid": "ebaa9c6a-8fbf-4e45-85e1-40799dfac414"
}
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Physical Characteristic",
"severity": "high",
"uuid": "94007e1e-57d8-43e8-90f2-246236dc5dde"
}
1 change: 0 additions & 1 deletion pkg/classification/db/data_categories/preference.json
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Preference",
"severity": "medium",
"uuid": "bc536e1e-e0d1-4b88-96d2-a2eaad1620d4"
}
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Professional Information",
"severity": "high",
"uuid": "ef613213-a222-4c01-ae38-c3043b68f738"
}
1 change: 0 additions & 1 deletion pkg/classification/db/data_categories/public_life.json
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Public Life",
"severity": "high",
"uuid": "e354099e-b80c-47b5-a86c-8d936b520387"
}
1 change: 0 additions & 1 deletion pkg/classification/db/data_categories/sexual.json
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Sexual",
"severity": "high",
"uuid": "1d4000a7-93ec-4dd5-9f3b-0f2ff7026a0c"
}
1 change: 0 additions & 1 deletion pkg/classification/db/data_categories/social_network.json
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Social Network",
"severity": "medium",
"uuid": "68631dba-5696-4cc0-b6a8-0175ca99a7a2"
}
1 change: 0 additions & 1 deletion pkg/classification/db/data_categories/transactional.json
@@ -1,6 +1,5 @@
{
"metadata": { "version": "1.0" },
"name": "Transactional",
"severity": "high",
"uuid": "deda0a0f-029c-44ee-9cac-9f059866723e"
}
31 changes: 28 additions & 3 deletions pkg/classification/db/db.go
Expand Up @@ -25,6 +25,9 @@ var dataTypeClassificationPatternsDir embed.FS
//go:embed known_person_object_patterns
var knownPersonObjectPatternsDir embed.FS

//go:embed category_grouping.json
var categoryGroupingFile embed.FS

type DefaultDB struct {
Recipes []Recipe
DataTypes []DataType
Expand Down Expand Up @@ -59,9 +62,15 @@ type DataType struct {
}

type DataCategory struct {
Name string `json:"name" yaml:"name"`
UUID string `json:"uuid" yaml:"uuid"`
Severity string `json:"severity" yaml:"severity"`
Name string `json:"name" yaml:"name"`
UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"`
GroupUUID string `json:"group_uuid,omitempty" yaml:"group_uuid,omitempty"`
GroupName string `json:"group_name,omitempty" yaml:"group_name,omitempty"`
}

type DataCategoryGrouping struct {
Groups map[string]string `json:"groups"`
CategoryMapping map[string]DataCategory `json:"category_mapping"`
}

type ObjectType string
Expand Down Expand Up @@ -144,6 +153,18 @@ func defaultRecipes() []Recipe {
func defaultDataCategories() []DataCategory {
dataCategories := []DataCategory{}

categoryGroupingJson, err := categoryGroupingFile.ReadFile("category_grouping.json")
if err != nil {
handleError(err)
}

var dataCategoryGrouping DataCategoryGrouping
rawBytes := []byte(categoryGroupingJson)
err = json.Unmarshal(rawBytes, &dataCategoryGrouping)
if err != nil {
handleError(err)
}

files, err := dataCategoriesDir.ReadDir("data_categories")
if err != nil {
handleError(err)
Expand All @@ -162,6 +183,10 @@ func defaultDataCategories() []DataCategory {
handleError(err)
}

categoryFromMapping := dataCategoryGrouping.CategoryMapping[dataCategory.UUID]
dataCategory.GroupUUID = categoryFromMapping.GroupUUID
dataCategory.GroupName = dataCategoryGrouping.Groups[categoryFromMapping.GroupUUID]

dataCategories = append(dataCategories, dataCategory)
}

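Review bot: The lookup `categoryFromMapping := dataCategoryGrouping.CategoryMapping[dataCategory.UUID]` in the last hunk ignores the missing-key case, so a category JSON whose uuid has no entry in category_grouping.json silently gets an empty GroupUUID and GroupName and, because the rego rules now key on group_uuid, drops out of policy coverage with no error. Prefer a checked lookup that goes through the error path the function already uses: `categoryFromMapping, ok := dataCategoryGrouping.CategoryMapping[dataCategory.UUID]` followed by `if !ok { handleError(fmt.Errorf("data category %q (%s) has no entry in category_grouping.json", dataCategory.Name, dataCategory.UUID)) }` (assuming fmt is already imported in db.go, which these hunks do not show), with the same `ok` check on `dataCategoryGrouping.Groups[categoryFromMapping.GroupUUID]`. Whether handleError terminates is not visible here; if it only logs, the following lines run on a zero-value mapping entry, which makes the explicit check more important. Minor: `rawBytes := []byte(categoryGroupingJson)` is a no-op conversion since embed.FS.ReadFile already returns []byte, so `json.Unmarshal(categoryGroupingJson, &dataCategoryGrouping)` suffices. The body of defaultDataCategories continues outside the hunks.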
30 changes: 28 additions & 2 deletions pkg/commands/process/settings/policies/logger_leaks.rego
Expand Up @@ -2,6 +2,9 @@ package bearer.logger_leaks

import future.keywords

sensitive_data_group_uuid := "f6a0c071-5908-4420-bac2-bba28d41223e"
personal_data_group_uuid := "e1d3135b-3c0f-4b55-abce-19f27a26cbb3"

result[item] {
some detector in input.dataflow.risks
detector.detector_id == input.policy_id
Expand All @@ -10,14 +13,37 @@ result[item] {

some category in input.data_categories
category.uuid == data_type.category_uuid
category.group_uuid == sensitive_data_group_uuid

location = data_type.locations[_]
item := {
"policy_id": input.policy_id,
"policy_name": input.policy_name,
"policy_description": input.policy_description,
"severity": "critical",
"category_group": category.group_name,
"filename": location.filename,
"line_number": location.line_number
}
}

result[item] {
some detector in input.dataflow.risks
detector.detector_id == input.policy_id

data_type = detector.data_types[_]

some category in input.data_categories
category.uuid == data_type.category_uuid
category.group_uuid == personal_data_group_uuid

location = data_type.locations[_]
item := {
"policy_id": input.policy_id,
"policy_name": input.policy_name,
"data_type": data_type.name,
"severity": category.severity,
"policy_description": input.policy_description,
"severity": "high",
"category_group": category.group_name,
"filename": location.filename,
"line_number": location.line_number
}
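Review bot: The two result rules emit differently shaped items: the sensitive-data rule's item (the block after `category.group_uuid == sensitive_data_group_uuid`) has no `"data_type"` key, while the personal-data rule keeps `"data_type": data_type.name`. If that is unintentional, add `"data_type": data_type.name,` to the first item so consumers of the result (and the snapshot at the top of this PR, which carries a data_type field) see one schema; if it is intentional, a comment on the rule saying why the sensitive data type name is withheld would stop someone "fixing" it later. A category whose group_uuid matches neither constant produces no item from either rule, so an unmapped category yields no finding at all rather than a fallback severity — consider a default rule for that case, or at least a test asserting every entry of input.data_categories resolves to one of the two groups. The detector/data_type/category/location join is now duplicated verbatim in both rules and could be factored into one helper rule with a severity object keyed by group uuid, leaving the two rules as thin wrappers.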