# Step 1: Evidence Details

|System|Source of data|Frameworks|Purpose|
|---|---|---|---|
|snyk|compliancecow|-|This control assesses projects to identify vulnerability issues, capturing detailed data such as CVE IDs and other standardized fields. The results are formatted to ensure consistent and comprehensive reporting of security issues.|

```
RecommendedEvidenceName:
SnykContainerScannerReport
```

**Reference:**
- https://docs.snyk.io/
- https://app.snyk.io/
- https://apidocs.snyk.io/

# Step 2: Define the System Specific Data (a.k.a Extended Data Schema)

## Step 2a: IncludeCriteria and ExcludeCriteria

1. **Understanding IncludeCriteria and ExcludeCriteria:**
   - `IncludeCriteria` and `ExcludeCriteria` are used to filter the projects that are analysed.
   - They specify which projects are included in, or excluded from, the scan.
2. **Default Values Handling:**
   - If the user does not provide any input for `IncludeCriteria` or `ExcludeCriteria`, default values are used.
   - The default values ensure that all relevant projects are included unless they are explicitly excluded.
3. **Using IncludeCriteria:**
   - Example: `/target/target1/projects/latest/`, `/target/target1/projects/*/`, `/target/*/projects/*/`
   - This includes the specified projects in the scan.
4. **Using ExcludeCriteria:**
   - Example: `/target/target1/projects/latest/`
   - This excludes the specified projects from the scan.
5. **Exact Match Requirement:**
   - Criteria matching is case-sensitive and requires an exact match unless wildcards are used.
   - Invalid paths in `ExcludeCriteria` do not affect valid `IncludeCriteria` entries.
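The include/exclude rules above, as an added example that is not ComplianceCow's own implementation. It assumes a project is addressed as `/target/<target>/projects/<project>/`, that `*` is a case-sensitive glob inside a single path segment, and that a criteria path of any other shape is invalid and ignored.

```python
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional

# Added example, not ComplianceCow's own code. Assumptions: project paths have
# the shape /target/<target>/projects/<project>/, '*' is a case-sensitive glob
# within one segment, and malformed criteria paths are dropped silently.

def _segments(path: str) -> List[str]:
    return [s for s in path.strip().split("/") if s]

def is_valid_criteria(path: str) -> bool:
    """Valid criteria have exactly the shape /target/<x>/projects/<y>/."""
    seg = _segments(path)
    return len(seg) == 4 and seg[0] == "target" and seg[2] == "projects"

def criteria_matches(criteria: str, project_path: str) -> bool:
    """Segment-wise, case-sensitive match; '*' only matches within a segment."""
    c, p = _segments(criteria), _segments(project_path)
    return len(c) == len(p) and all(fnmatchcase(ps, cs) for cs, ps in zip(c, p))

def select_projects(project_paths: Iterable[str],
                    include: Optional[Iterable[str]] = None,
                    exclude: Optional[Iterable[str]] = None) -> List[str]:
    """Apply IncludeCriteria, then ExcludeCriteria; invalid entries are ignored."""
    include = [c for c in (include or []) if is_valid_criteria(c)]
    exclude = [c for c in (exclude or []) if is_valid_criteria(c)]
    if not include:
        # Default: every project is in scope unless explicitly excluded.
        include = ["/target/*/projects/*/"]
    return [
        p for p in project_paths
        if any(criteria_matches(c, p) for c in include)
        and not any(criteria_matches(c, p) for c in exclude)
    ]

# Constructed sample paths (not taken from a real Snyk organization).
SAMPLE_PATHS = [
    "/target/target1/projects/latest/",
    "/target/target1/projects/v2/",
    "/target/target2/projects/latest/",
]

if __name__ == "__main__":
    print(select_projects(SAMPLE_PATHS,
                          include=["/target/*/projects/latest/"],
                          exclude=["/target/target1/projects/latest/"]))
```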

## Step 2b: API & Flow

- `GET /rest/self?version=2024-06-10`
  - Used for authentication: it verifies the identity of the user making the request.
- `GET /rest/orgs/{org_id}/targets?version=2024-06-10`
  - Retrieves the list of targets associated with a specific organization.
- `GET /rest/orgs/{org_id}/projects?target_id={target_id}&version=2024-06-10`
  - Lists all projects associated with a specific target within an organization.
- `GET /rest/orgs/{org_id}/issues?version=2024-06-10&scan_item.id={project_id}&scan_item.type=project`
  - Retrieves the issues associated with a specific project within an organization.

## Step 2c: Define the Extended Schema

In [None]:
# List targets using organization id

{
    "id": "bejsfgkqrqw03-40de-91cb-2we234j1f60", # target id
    "type": "target",
    "attributes": {
        "display_name": "repo1", # Repository Name
        "url": null,
        "is_private": true,
        "created_at": "2024-08-23T05:51:53.048Z"
    },
    "relationships": {
        "organization": {
            "data": {
                "type": "organization",
                "id": "6d2c1477-9886-4a95-a65a-3b23m4bcf8"
            }
        },
        "integration": {
            "data": {
                "type": "integration",
                "id": "4234hmb2340-0c8c-4282-8464-3632mn477",
                "attributes": {
                    "integration_type": "acr"
                }
            }
        }
    }
}

# List projects using target id and organization id
{
    "type": "project",
    "id": "6823324md-6567-4402-acb8-eb233244b236d",  # project id
    "meta": {},
    "attributes": {
        "name": "repo1/project1:latest", # targetname:imagename or targetname:imagename:tagname
        "type": "apk",
        "target_file": "",
        "target_reference": "latest",
        "origin": "acr",
        "created": "2024-08-22T09:24:21.900Z",
        "status": "active",
        "business_criticality": [],
        "environment": [],
        "lifecycle": [],
        "tags": [],
        "read_only": false,
        "settings": {
            "recurring_tests": {
                "frequency": "daily"
            },
            "pull_requests": {
                "fail_only_for_issues_with_fix": false
            }
        },
        "build_args": {
            "platform": "linux/amd64"
        }
    },
    "relationships": {
        "organization": {
            "data": {
                "type": "org",
                "id": "6d2c1477-9886-4a95-a65a-3b23m4bcf8"
            },
            "links": {
                "related": "/rest/orgs/6d2c1477-9886-4a95-a65a-3b23m4bcf8"
            }
        },
        "target": {
            "data": {
                "type": "target",
                "id": "bejsfgkqrqw03-40de-91cb-2we234j1f60"
            },
            "links": {
                "related": "/rest/orgs/6d2c1477-9886-4a95-a65a-3b23m4bcf8/targets/bejsfgkqrqw03-40de-91cb-2we234j1f60"
            }
        },
        "importer": {
            "data": {
                "type": "user",
                "id": "43a90ba6-6826-45a6-9b7e-23j4hv23j40"
            },
            "links": {
                "related": "/rest/orgs/6d2c1477-9886-4a95-a65a-3b23m4bcf8/users/43a90ba6-6826-45a6-9b7e-23j4hv23j40"
            }
        }
    }
}

# List issues using project id
{
    "id": "64dfe866-5964-4d1a-95c2-234jb2m34b", #issue id - resource id
    "type": "issue", # resource type
    "attributes": {
        "classes": [
            {
                "id": "CWE-770",
                "source": "CWE",
                "type": "weakness"
            }
        ],
        "coordinates": [
            {
                "is_fixable_manually": false,
                "is_fixable_snyk": false,
                "is_fixable_upstream": false,
                "is_patchable": false,
                "is_pinnable": false,
                "is_upgradeable": false,
                "reachability": "not-applicable",
                "representations": [
                    {
                        "dependency": {
                            "package_name": "golang.org/x/net/http2",
                            "package_version": "v0.13.0"
                        }
                    }
                ]
            }
        ],
        "created_at": "2024-08-22T09:24:08.303Z",
        "effective_severity_level": "high",
        "ignored": false,
        "key": "SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285", # issue key
        "problems": [
            {
                "id": "CVE-2023-45288",  # cveid
                "source": "NVD",
                "type": "vulnerability",
                "updated_at": "2024-08-22T09:24:09.79174Z",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288"
            },
            {
                "id": "SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285",
                "source": "SNYK",
                "type": "vulnerability",
                "updated_at": "2024-08-22T09:24:09.79174Z"
            }
        ],
        "risk": {
            "factors": [],
            "score": {
                "model": "v1",
                "value": 375  # risk score
            }
        },
        "status": "open", # issue status
        "title": "Allocation of Resources Without Limits or Throttling", # issue name
        "type": "package_vulnerability", # issue type
        "updated_at": "2024-08-22T09:24:08.303Z"
    },
    "relationships": {
        "organization": {
            "data": {
                "id": "6d2c1477-9886-4a95-a65a-3b23m4bcf8",
                "type": "organization"
            },
            "links": {
                "related": "/orgs/6d2c1477-9886-4a95-a65a-3b23m4bcf8"
            }
        },
        "scan_item": {
            "data": {
                "id": "6823324md-6567-4402-acb8-eb233244b236d",
                "type": "project"
            },
            "links": {
                "related": "/orgs/6d2c1477-9886-4a95-a65a-3b23m4bcf8/projects/6823324md-6567-4402-acb8-eb233244b236d"
            }
        }
    }
}

# Step 3: Define the Standard Schema

In [None]:
{
    # Meta
    "System": "snyk",
    "Source": "compliancecow",

    # Resource info
    "ResourceID": "4cd2b4e62m3-a50f-432m4-b21b-1c62j3h4bee3", # project(image) id
    "ResourceName": "target:project1",  # target(repository):project(image)
    "ResourceType": "image", # [data.type]
    "ResourceLocation": "N/A",
    "ResourceTags": [],
    "ResourceURL": "https://app.snyk.io/org/username/project/4cd2b4e62m3-a50f-432m4-b21b-1c62j3h4bee3", # url/project(image id)

    # Data
    "IssueKey": "SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285", # [data.attributes.key]
    "IssueName": "Allocation of Resources Without Limits or Throttling",  # [data.attributes.title]
    "IssueType": "package_vulnerability", # [data.attributes.type]
    "IssueCreatedDataTime": "2024-08-22T09:24:08.303Z",  # [data.attributes.created_at]
    "IssueStatus": "open", # [data.attributes.status]
    "IsIgnored": False,
    "Representation": [  {
                        "dependency": {
                            "package_name": "golang.org/x/net/http2",
                            "package_version": "v0.13.0"
                        }
                        }
                      ],
    "CVEID": "CVE-2023-45288",  # [data.attributes.problems.id]
    "Severity": "high", # [data.attributes.effective_severity_level]
    "EPSSPercentile": 13.9,
    "RiskScore": 375,  # [data.attributes.risk.score.value]

    # Compliance details
    "ValidationStatusCode": "OPEN_ISSUE_HIGH_SEV_LOW_EPSS",
    "ValidationStatusNotes": "Contains open issues with an EPSS Percentile < 50.",
    "ComplianceStatus": "NON_COMPLIANT",
    "ComplianceStatusReason": "High-risk issues (EPSS < 50) are open, indicating non-compliance.",
    "EvaluatedTime": "2024-08-22T09:24:08.303Z", # [data.attributes.updated_at]

    # User editable data
    "UserAction":"",

    # Action editable data
    "ActionStatus":"",
    "ActionResponseURL":""
}

## Step 3.a: Sample Data

|System|Source|ResourceID|ResourceName|ResourceType|ResourceLocation|ResourceTags|ResourceURL|IssueKey|IssueName|IssueType|IssueCreatedDataTime|IssueStatus|IsIgnored|Representation|CVEID|Severity|EPSSPercentile|RiskScore|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|EvaluatedTime|UserAction|ActionStatus|ActionResponseURL|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|snyk|compliancecow|64dfe866-5964-4d1a-95c2-234jb2m34b|target:project1(image)|image|N/A|[]|https://app.snyk.io/org/username/project/4cd2b4e62m3-a50f-432m4-b21b-1c62j3h4bee3#issue-SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285|SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285|Allocation of Resources Without Limits or Throttling|package_vulnerability|2024-08-22T09:24:08.303Z|open|False|[{"dependency": {"package_name": "golang.org/x/net/http2","package_version": "v0.13.0"}}]|CVE-2023-45288|high|13.9|375|OPEN_ISSUE_HIGH_SEV_LOW_EPSS|Contains open issues with an EPSS Percentile < 50.|NON_COMPLIANT|High-risk issues (EPSS < 50) are open, indicating non-compliance.|2024-08-22T09:24:08.303Z||||



# Step 4: Describe the Compliance Taxonomy

| ValidationStatusCode | ValidationStatusNotes | ComplianceStatus | ComplianceStatusReason |
|---|---|---|---|
| OPEN_ISSUE_LOW_SEV_LOW_EPSS | Contains open issues with an EPSS Percentile < 50. | COMPLIANT | The issues are low-risk (EPSS < 50) and are open, indicating compliance. |
| OPEN_ISSUE_LOW_SEV_MED_EPSS | Contains open issues with an EPSS Percentile between 50-70. | COMPLIANT | The issues are low-risk (EPSS 50-70) and are open, indicating compliance. |
| OPEN_ISSUE_LOW_SEV_HIGH_EPSS | Contains open issues with an EPSS Percentile between 70-90. | NON_COMPLIANT | The issues are low-risk (EPSS 70-90) and are open, indicating non-compliance. |
| OPEN_ISSUE_LOW_SEV_CRT_EPSS | Contains open issues with an EPSS Percentile > 90. | NON_COMPLIANT | The issues are low-risk (EPSS > 90) and are open, indicating non-compliance. |
| OPEN_ISSUE_LOW_SEV_NO_EPSS | Contains open issues with no EPSS Percentile. | COMPLIANT | The issues are low-risk (no EPSS) and are open, indicating compliance. |
| OPEN_ISSUE_MED_SEV_LOW_EPSS | Contains open issues with an EPSS Percentile < 50. | COMPLIANT | The issues are medium-risk (EPSS < 50) and are open, indicating compliance. |
| OPEN_ISSUE_MED_SEV_MED_EPSS | Contains open issues with an EPSS Percentile between 50-70. | COMPLIANT | The issues are medium-risk (EPSS 50-70) and are open, indicating compliance. |
| OPEN_ISSUE_MED_SEV_HIGH_EPSS | Contains open issues with an EPSS Percentile between 70-90. | NON_COMPLIANT | The issues are medium-risk (EPSS 70-90) and are open, indicating non-compliance. |
| OPEN_ISSUE_MED_SEV_CRT_EPSS | Contains open issues with an EPSS Percentile > 90. | NON_COMPLIANT | The issues are medium-risk (EPSS > 90) and are open, indicating non-compliance. |
| OPEN_ISSUE_MED_SEV_NO_EPSS | Contains open issues with no EPSS Percentile. | COMPLIANT | The issues are medium-risk (no EPSS) and are open, indicating compliance. |
| OPEN_ISSUE_HIGH_SEV_LOW_EPSS | Contains open issues with an EPSS Percentile < 50. | NON_COMPLIANT | High-risk issues (EPSS < 50) are open, indicating non-compliance. |
| OPEN_ISSUE_HIGH_SEV_MED_EPSS | Contains open issues with an EPSS Percentile between 50-70. | NON_COMPLIANT | High-risk issues (EPSS 50-70) are open, indicating non-compliance. |
| OPEN_ISSUE_HIGH_SEV_HIGH_EPSS | Contains open issues with an EPSS Percentile between 70-90. | NON_COMPLIANT | High-risk issues (EPSS 70-90) are open, indicating non-compliance. |
| OPEN_ISSUE_HIGH_SEV_CRT_EPSS | Contains open issues with an EPSS Percentile > 90. | NON_COMPLIANT | High-risk issues (EPSS > 90) are open, indicating non-compliance. |
| OPEN_ISSUE_HIGH_SEV_NO_EPSS | Contains open issues with no EPSS Percentile. | NON_COMPLIANT | High-risk issues (no EPSS) are open, indicating non-compliance. |
| OPEN_ISSUE_CRT_SEV_LOW_EPSS | Contains open issues with an EPSS Percentile < 50. | NON_COMPLIANT | Critical-risk issues (EPSS < 50) are open, indicating non-compliance. |
| OPEN_ISSUE_CRT_SEV_MED_EPSS | Contains open issues with an EPSS Percentile between 50-70. | NON_COMPLIANT | Critical-risk issues (EPSS 50-70) are open, indicating non-compliance. |
| OPEN_ISSUE_CRT_SEV_HIGH_EPSS | Contains open issues with an EPSS Percentile between 70-90. | NON_COMPLIANT | Critical-risk issues (EPSS 70-90) are open, indicating non-compliance. |
| OPEN_ISSUE_CRT_SEV_CRT_EPSS | Contains open issues with an EPSS Percentile > 90. | NON_COMPLIANT | Critical-risk issues (EPSS > 90) are open, indicating non-compliance. |
| OPEN_ISSUE_CRT_SEV_NO_EPSS | Contains open issues with no EPSS Percentile. | NON_COMPLIANT | Critical-risk issues (no EPSS) are open, indicating non-compliance. |
| IGNORED_ISSUE | The vulnerability has been reviewed and intentionally ignored as part of the remediation process, regardless of its EPSS Percentile. | COMPLIANT | The issue is ignored following a review as part of remediation, thus considered compliant. |
| RESOLVED_ISSUE | The vulnerability has been reviewed and resolved as part of the remediation process, regardless of its EPSS Percentile. | COMPLIANT | The issue is resolved following a review as part of remediation, thus considered compliant. |

# Step 5: Calculation for Compliance Percentage and Status

In [None]:
# Calculation of Compliance Percentage

TotalCount = Count of 'COMPLIANT' and 'NON_COMPLIANT' records
CompliantCount = Count of 'COMPLIANT' records

CompliancePCT = (CompliantCount / TotalCount) * 100

# Compliance Status
COMPLIANT - 100%
NON_COMPLIANT - 0% to less than 100%
NOT_DETERMINED - If no records are found.
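The Step 4 taxonomy and the Step 5 percentage together, as an added example rather than ComplianceCow's own rule code. It assumes that an issue that is neither ignored nor `open` counts as `RESOLVED_ISSUE`, and that the EPSS bands are read as `< 50`, `50` up to (not including) `70`, `70` through `90`, and `> 90`.

```python
from typing import Iterable, Optional, Tuple

# Added example, not ComplianceCow's own code. Assumptions: a non-open,
# non-ignored issue is RESOLVED_ISSUE; EPSS bands are <50, [50,70), [70,90], >90.

SEVERITY_BUCKET = {"low": "LOW", "medium": "MED", "high": "HIGH", "critical": "CRT"}

def epss_bucket(epss_percentile: Optional[float]) -> str:
    """Map an EPSS percentile (or None when Snyk reports none) to a band name."""
    if epss_percentile is None:
        return "NO"
    if epss_percentile < 50:
        return "LOW"
    if epss_percentile < 70:
        return "MED"
    if epss_percentile <= 90:
        return "HIGH"
    return "CRT"

def validation_status(severity: str, epss_percentile: Optional[float],
                      status: str, ignored: bool) -> Tuple[str, str]:
    """Return (ValidationStatusCode, ComplianceStatus) for one issue record."""
    if ignored:
        return "IGNORED_ISSUE", "COMPLIANT"
    if status != "open":
        return "RESOLVED_ISSUE", "COMPLIANT"
    sev = SEVERITY_BUCKET[severity.lower()]
    epss = epss_bucket(epss_percentile)
    code = f"OPEN_ISSUE_{sev}_SEV_{epss}_EPSS"
    # Per the taxonomy table: every open high/critical issue is non-compliant;
    # low/medium issues are non-compliant only in the 70-90 and >90 EPSS bands.
    non_compliant = sev in ("HIGH", "CRT") or epss in ("HIGH", "CRT")
    return code, "NON_COMPLIANT" if non_compliant else "COMPLIANT"

def compliance_summary(statuses: Iterable[str]) -> Tuple[Optional[float], str]:
    """CompliancePCT and overall status over the per-record ComplianceStatus values."""
    counted = [s for s in statuses if s in ("COMPLIANT", "NON_COMPLIANT")]
    if not counted:
        return None, "NOT_DETERMINED"
    pct = 100.0 * counted.count("COMPLIANT") / len(counted)
    return pct, "COMPLIANT" if pct == 100.0 else "NON_COMPLIANT"

if __name__ == "__main__":
    # The sample record from Step 3.a: high severity, EPSS percentile 13.9, open.
    print(validation_status("high", 13.9, "open", False))
```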

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance
N/A

# Step 7: Control Setup Details

| Control Details             |                                   |
|-----------------------------|-----------------------------------|
| **RuleName**                | SynkContainerVulnerabilityScanner |
| **PreRequisiteRuleNames**   | N/A                               |
| **ExtendedSchemaRuleNames** | N/A                               |
| **ApplicationClassName**    | snykappconnector                  |
| **PostSynthesizerName**     | N/A                               |