From 9265fba1f965d4f905ab8f0612492b40fcdb5a60 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Wed, 9 Jul 2025 10:05:00 -0500 Subject: [PATCH 1/4] Initial commit Signed-off-by: Steve Springett --- .../model/cyclonedx-threat-2.0.schema.json | 53 +++++ .../model/cyclonedx-usecase-2.0.schema.json | 203 ++++++++++++++++++ 2 files changed, 256 insertions(+) create mode 100644 schema/2.0/model/cyclonedx-threat-2.0.schema.json create mode 100644 schema/2.0/model/cyclonedx-usecase-2.0.schema.json diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json new file mode 100644 index 00000000..062a8cd5 --- /dev/null +++ b/schema/2.0/model/cyclonedx-threat-2.0.schema.json @@ -0,0 +1,53 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "http://localhost:8080/schema/2.0/cyclonedx-threat-2.0.schema.json", + "type": "null", + "title": "CycloneDX Transparency Expression Language: Threat", + "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", + "$defs": { + "riskAttributes": { + "type": "string", + "description": "A classification of security and privacy attributes that represent potential impact areas when a threat is realised. These attributes help identify what is at risk, and can also be used to prioritise which attributes are most important to protect for a given application, system, or threat model.", + "enum": [ + "accountability", + "authentication", + "authorization", + "authenticity", + "availability", + "compliance", + "confidentiality", + "connectivity", + "control", + "data_subject_rights", + "integrity", + "minimisation", + "non-repudiation", + "possession", + "privacy", + "purpose_limitation", + "transparency", + "utility" + ], + "meta:enum": { + "accountability": "Assigning responsibility for actions and decisions to individuals or entities.", + "authentication": "Verifying the identity of users, devices, or systems before granting access.", + "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources.", + "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified.", + "availability": "Ensuring systems, data, and services are accessible and operational when needed.", + "compliance": "Adherence to applicable laws, regulations, policies, and standards.", + "confidentiality": "Preventing unauthorised access to or disclosure of information.", + "connectivity": "Maintaining secure and reliable communication between systems or components.", + "control": "Enabling individuals to manage how their personal data is used and shared.", + "data_subject_rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data.", + "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorised actors.", + "minimisation": "Limiting data collection and retention to what is strictly necessary for the intended purpose.", + "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications.", + "possession": "Ensuring control or custody over data or assets, regardless of ownership.", + "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards.", + "purpose_limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection.", + "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing.", + "utility": "Ensuring data is usable and in a format suitable for the intended purpose." + } + } + } +} \ No newline at end of file diff --git a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json new file mode 100644 index 00000000..8a024e24 --- /dev/null +++ b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json @@ -0,0 +1,203 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "http://localhost:8080/schema/2.0/cyclonedx-usecase-2.0.schema.json", + "type": "object", + "title": "CycloneDX Transparency Expression Language: Use Case", + "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "type": "string", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the use case elsewhere in the BOM. Every bom-ref must be unique within the BOM." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name or title of the use case." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed description of the use case." + }, + "actors": { + "type": ,"array", + "title": "Actors", + "description": "The stakeholders or users who interact with the system in this use case.", + "items": { + "type": "string" + } + }, + "preconditions": { + "type": "array", + "title": "Preconditions", + "description": "Conditions that must be true before the use case can be executed.", + "items": { + "type": "string" + } + }, + "postconditions": { + "type": "array", + "title": "Postconditions", + "description": "Conditions that will be true after the use case has been successfully executed.", + "items": { + "type": "string" + } + }, + "mainFlow": { + "type": "array", + "title": "Main Flow", + "description": "The primary sequence of steps that describe the use case.", + "items": { + "$ref": "#/$defs/step" + } + }, + "alternativeFlows": { + "type": "array", + "title": "Alternative Flows", + "description": "Alternative sequences of steps that may occur in the use case.", + "items": { + "$ref": "#/$defs/flow" + } + }, + "exceptions": { + "type": "array", + "title": "Exceptions", + "description": "Error scenarios that may occur during the execution of the use case.", + "items": { + "$ref": "#/$defs/exception" + } + }, + "successCriteria": { + "type": "array", + "title": "Success Criteria", + "description": "Criteria that determine whether the use case has been successfully executed.", + "items": { + "type": "string" + } + }, + "notes": { + "type": "array", + "title": "Notes", + "description": "Additional information or comments about the use case.", + "items": { + "type": "string" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard.", + "items": { + "$ref": "#/$defs/property" + } + } + }, + "$defs": { + "step": { + "type": "object", + "title": "Step", + "description": "A single step in a use case flow.", + "additionalProperties": false, + "properties": { + "number": { + "type": "integer", + "title": "Number", + "description": "The sequence number of the step." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the step." + }, + "actor": { + "type": "string", + "title": "Actor", + "description": "The actor who performs this step." + } + } + }, + "flow": { + "type": "object", + "title": "Flow", + "description": "A sequence of steps in a use case.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the flow." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the flow." + }, + "condition": { + "type": "string", + "title": "Condition", + "description": "The condition under which this alternative flow is executed." + }, + "steps": { + "type": "array", + "title": "Steps", + "description": "The sequence of steps in the flow.", + "items": { + "$ref": "#/$defs/step" + } + } + } + }, + "exception": { + "type": "object", + "title": "Exception", + "description": "An error scenario in a use case.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the exception." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the exception." + }, + "condition": { + "type": "string", + "title": "Condition", + "description": "The condition under which this exception occurs." + }, + "handling": { + "type": "string", + "title": "Handling", + "description": "How the exception is handled." + } + } + }, + "property": { + "type": "object", + "title": "Property", + "description": "A name-value property.", + "additionalProperties": false, + "required": [ + "name", + "value" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the property." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value of the property." + } + } + } + } +} From 513ef741ae0e3e19f296cf2d52860a790850e7c9 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Wed, 23 Jul 2025 10:00:04 -0500 Subject: [PATCH 2/4] Added requirement prototype Signed-off-by: Steve Springett --- .../cyclonedx-requirement-2.0.schema.json | 281 ++++++++++++++++++ 1 file changed, 281 insertions(+) create mode 100644 schema/2.0/model/cyclonedx-requirement-2.0.schema.json diff --git a/schema/2.0/model/cyclonedx-requirement-2.0.schema.json b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json new file mode 100644 index 00000000..743f99ec --- /dev/null +++ b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json @@ -0,0 +1,281 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "http://localhost:8080/schema/2.0/cyclonedx-requirement-2.0.schema.json", + "type": "object", + "title": "CycloneDX Transparency Expression Language: Engineering Requirement", + "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", + "additionalProperties": false, + "$defs": { + "requirement": { + "type": "object", + "title": "Requirement", + "description": "A requirement represents a specific need, constraint, or capability that must be met.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "id": { + "type": "string", + "title": "Identifier", + "description": "A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)." + }, + "name": { + "type": "string", + "title": "Name", + "description": "A short name or title for the requirement." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed description of the requirement." + }, + "type": { + "type": "array", + "title": "Requirement Types", + "description": "The categories or classifications applicable to the requirement.", + "items": { + "$ref": "#/$defs/requirementType" + }, + "uniqueItems": true + }, + "priority": { + "type": "string", + "title": "Priority", + "description": "The priority level of the requirement.", + "enum": [ + "critical", + "high", + "medium", + "low" + ] + }, + "status": { + "$ref": "#/$defs/requirementStatus" + }, + "version": { + "type": "string", + "title": "Version", + "description": "The version of the requirement." + }, + "stakeholders": { + "type": "array", + "title": "Stakeholders", + "description": "The individuals or groups who have an interest in the requirement.", + "items": { + "type": "string" + } + }, + "acceptanceCriteria": { + "type": "array", + "title": "Acceptance Criteria", + "description": "Criteria that must be met for the requirement to be considered satisfied.", + "items": { + "$ref": "#/$defs/acceptanceCriterion" + } + }, + "dependencies": { + "type": "array", + "title": "Dependencies", + "description": "Other requirements that this requirement depends on.", + "items": { + "$ref": "#/$defs/dependency" + } + }, + "parent": { + "type": "string", + "title": "Parent BOM Reference", + "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The reasoning or justification for the requirement." + }, + "fitCriterion": { + "type": "string", + "title": "Fit Criterion", + "description": "A measurable test that the solution must pass to be acceptable to the stakeholders." + }, + "effort": { + "type": "string", + "title": "Effort Estimation", + "description": "An estimation of the effort required to implement the requirement." + }, + "risk": { + "type": "string", + "title": "Risk", + "description": "The risk level associated with implementing or not implementing the requirement.", + "enum": [ + "critical", + "high", + "medium", + "low" + ] + }, + "attachments": { + "type": "array", + "title": "Attachments", + "description": "Files or documents attached to the requirement.", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/attachment" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard.", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/property" + } + }, + "externalReferences": { + "type": "array", + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant to the requirement.", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + } + } + }, + "requirementType": { + "type": "string", + "title": "Requirement Type", + "description": "The category or classification applicable to the requirement.", + "enum": [ + "accessibility", + "auditability", + "availability", + "business", + "compatibility", + "compliance", + "deployment", + "functional", + "interoperability", + "localization", + "maintainability", + "non-functional", + "other", + "performance", + "portability", + "privacy", + "regulatory", + "reliability", + "scalability", + "security", + "system", + "testability", + "usability", + "user" + ], + "meta:enum": { + "accessibility": "Requirements ensuring inclusive access for people with disabilities or impairments.", + "auditability": "Requirements defining the capability of a system to record activities for review and compliance purposes.", + "availability": "Requirements describing the uptime and operational availability of systems or services.", + "business": "Requirements derived from organizational goals, strategies, or business processes.", + "compatibility": "Requirements ensuring the software or system functions correctly with other systems or legacy components.", + "compliance": "Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.", + "deployment": "Requirements related to deploying, configuring, and operating the system in production environments.", + "functional": "Requirements specifying the fundamental behaviors and capabilities of the system or application.", + "interoperability": "Requirements addressing the ability of the system to interact seamlessly with external systems or products.", + "localization": "Requirements specifying adaptations for specific languages, cultures, or regional needs.", + "maintainability": "Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.", + "non-functional": "Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.", + "other": "Requirements that do not clearly fit into other specified categories.", + "performance": "Requirements specifying response times, throughput, or other efficiency-related aspects.", + "portability": "Requirements enabling the system or components to be transferred easily across various environments or platforms.", + "privacy": "Requirements specifically addressing the handling and protection of personal and sensitive data.", + "regulatory": "Requirements necessary for legal compliance, dictated by laws, regulations, or standards.", + "reliability": "Requirements ensuring the system consistently performs under specified conditions and duration.", + "scalability": "Requirements focused on the ability of the system to grow and manage increased demand effectively.", + "security": "Requirements intended to protect systems, data, and users from malicious actions or threats.", + "system": "Technical requirements defining infrastructure, architecture, or underlying technologies.", + "testability": "Requirements ensuring the system can be effectively validated and tested.", + "usability": "Requirements addressing the ease of use, intuitiveness, and overall user experience.", + "user": "Requirements captured directly from user needs, tasks, and expectations." + } + }, + "requirementStatus": { + "type": "string", + "title": "Status", + "description": "The current status of the requirement in the development lifecycle.", + "enum": [ + "draft", + "proposed", + "approved", + "implemented", + "verified", + "deferred", + "rejected", + "replaced", + "obsolete" + ] + }, + "acceptanceCriterion": { + "type": "object", + "title": "Acceptance Criterion", + "description": "A specific condition that must be met for the requirement to be considered satisfied.", + "additionalProperties": false, + "properties": { + "id": { + "type": "string", + "title": "Identifier", + "description": "A unique identifier for the acceptance criterion." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the acceptance criterion." + }, + "status": { + "type": "string", + "title": "Status", + "description": "The current status of the acceptance criterion.", + "enum": [ + "pending", + "passed", + "failed" + ] + } + } + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "A dependency on another requirement.", + "additionalProperties": false, + "properties": { + "ref": { + "oneOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "type": { + "type": "string", + "title": "Dependency Type", + "description": "The type of dependency relationship.", + "enum": [ + "requires", + "conflicts-with", + "enhances", + "implements", + "other" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the dependency relationship." + } + } + } + } +} From 83ce9d0284376b58e2ab156a00744e9cfbe5aab9 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 2 Sep 2025 21:58:18 -0500 Subject: [PATCH 3/4] Initial checkin of blueprint and threat model support Signed-off-by: Steve Springett --- .../model/cyclonedx-blueprint-2.0.schema.json | 1235 +++++++++++++++++ .../model/cyclonedx-common-2.0.schema.json | 87 +- .../2.0/model/cyclonedx-risk-2.0.schema.json | 669 +++++++++ .../model/cyclonedx-threat-2.0.schema.json | 806 ++++++++++- .../2.0/valid-threatmodel-simple-2.0.json | 25 + 5 files changed, 2772 insertions(+), 50 deletions(-) create mode 100644 schema/2.0/model/cyclonedx-blueprint-2.0.schema.json create mode 100644 schema/2.0/model/cyclonedx-risk-2.0.schema.json create mode 100644 tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json new file mode 100644 index 00000000..d8c7dc5d --- /dev/null +++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json @@ -0,0 +1,1235 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "http://localhost:8080/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json", + "type": "object", + "title": "CycloneDX Transparency Expression Language: Blueprint", + "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", + "required": ["modelTypes", "methodologies"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "modelTypes": { + "type": "array", + "minItems": 1, + "description": "The types of models being represented", + "items": { + "$ref": "#/$defs/modelType" + } + }, + "methodologies": { + "type": "array", + "minItems": 1, + "description": "The modeling methodologies used", + "items": { + "$ref": "#/$defs/methodology" + } + }, + "perspectives": { + "type": "array", + "description": "Different viewpoints or perspectives used in the model analysis", + "items": { + "$ref": "#/$defs/perspective" + } + }, + "metadata": { + "$ref": "#/$defs/blueprintMetadata" + }, + "scope": { + "$ref": "#/$defs/scope" + }, + "assets": { + "type": "array", + "items": { + "$ref": "#/$defs/asset" + }, + "description": "The assets (components, services, data, actors) included in the model" + }, + "zones": { + "type": "array", + "items": { + "$ref": "#/$defs/zone" + }, + "description": "Logical, physical, or trust zones that group assets with similar characteristics" + }, + "boundaries": { + "type": "array", + "items": { + "$ref": "#/$defs/boundary" + }, + "description": "Boundaries between zones" + }, + "flows": { + "type": "array", + "items": { + "$ref": "#/$defs/flow" + }, + "description": "Data, control, or process flows between assets" + }, + "assumptions": { + "type": "array", + "items": { + "$ref": "#/$defs/assumption" + }, + "description": "Assumptions made during the modeling process" + }, + "visualizations": { + "type": "array", + "items": { + "$ref": "#/$defs/visualization" + }, + "description": "Visual representations of the model" + }, + "useCases": { + "type": "array", + "items": { + "type": "object", + "allOf": [ + { + "$ref": "cyclonedx-usecase-2.0.schema.json" + }, + { + "properties": { + "assets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to assets involved in this use case" + }, + "flows": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to flows that are part of this use case" + }, + "requirements": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirements implemented by this use case" + } + } + } + ] + }, + "description": "Use cases analyzed as part of the model" + }, + "requirements": { + "type": "array", + "items": { + "$ref": "cyclonedx-requirement-2.0.schema.json#/$defs/requirement" + }, + "description": "Requirements derived from or related to the model" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + }, + "description": "External references related to the blueprint" + }, + "properties": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/property" + }, + "description": "Additional properties and extensions" + } + }, + "$defs": { + "modelType": { + "type": "object", + "oneOf": [ + { + "required": ["type"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "architecture", + "dataFlow", + "process", + "deployment", + "network", + "threat", + "risk", + "privacy", + "operational", + "conceptual", + "logical", + "physical", + "behavioral", + "structural" + ], + "meta:enum": { + "architecture": "System or software architecture model", + "dataFlow": "Data flow model showing how data moves through the system", + "process": "Business or system process model", + "deployment": "Deployment or infrastructure model", + "network": "Network topology or connectivity model", + "threat": "Security threat model", + "risk": "Risk assessment model", + "privacy": "Privacy impact assessment model", + "operational": "Operational model", + "conceptual": "High-level conceptual model", + "logical": "Logical system model", + "physical": "Physical infrastructure model", + "behavioral": "System behavior model", + "structural": "System structure model" + } + } + } + }, + { + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Custom model type name" + }, + "description": { + "type": "string", + "description": "Description of the custom model type" + } + } + } + ] + }, + "methodology": { + "type": "object", + "oneOf": [ + { + "required": ["type"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "C4", + "UML", + "TOGAF", + "Archimate", + "BPMN", + "DFD", + "ERD", + "4+1", + "Zachman", + "SABSA", + "DODAF", + "MODAF", + "NAF", + "Kruchten", + "IDEF", + "SysML", + "STRIDE", + "PASTA", + "LINDDUN", + "OCTAVE", + "ISO27005", + "NIST", + "FAIR" + ], + "meta:enum": { + "C4": "C4 Model for software architecture", + "UML": "Unified Modeling Language", + "TOGAF": "The Open Group Architecture Framework", + "Archimate": "Enterprise architecture modeling language", + "BPMN": "Business Process Model and Notation", + "DFD": "Data Flow Diagrams", + "ERD": "Entity Relationship Diagrams", + "4+1": "4+1 Architectural View Model", + "Zachman": "Zachman Framework", + "SABSA": "Sherwood Applied Business Security Architecture", + "DODAF": "Department of Defense Architecture Framework", + "MODAF": "Ministry of Defence Architecture Framework", + "NAF": "NATO Architecture Framework", + "Kruchten": "Kruchten's 4+1 View Model", + "IDEF": "Integration Definition Methods", + "SysML": "Systems Modeling Language", + "STRIDE": "Microsoft's threat modeling methodology", + "PASTA": "Process for Attack Simulation and Threat Analysis", + "LINDDUN": "Privacy threat modeling methodology", + "OCTAVE": "Operationally Critical Threat, Asset, and Vulnerability Evaluation", + "ISO27005": "ISO/IEC 27005 Information security risk management", + "NIST": "NIST Risk Management Framework", + "FAIR": "Factor Analysis of Information Risk" + } + }, + "version": { + "type": "string", + "description": "Version of the methodology" + } + } + }, + { + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Custom methodology name" + }, + "version": { + "type": "string", + "description": "Version of the methodology" + }, + "description": { + "type": "string", + "description": "Description of the custom methodology" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + } + } + } + ] + }, + "perspective": { + "type": "object", + "required": ["bom-ref", "type", "name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for the perspective" + }, + "type": { + "type": "string", + "enum": [ + "business", + "technical", + "user", + "operational", + "development", + "architectural", + "functional", + "informational", + "contextual", + "conceptual", + "logical", + "physical", + "security", + "compliance", + "risk", + "stakeholder", + "custom" + ], + "meta:enum": { + "business": "Business stakeholder perspective", + "technical": "Technical implementation perspective", + "user": "End user or customer perspective", + "operational": "Operations and maintenance perspective", + "development": "Software development perspective", + "architectural": "System architecture perspective", + "functional": "Functional requirements perspective", + "informational": "Information and data perspective", + "contextual": "Business context perspective", + "conceptual": "High-level conceptual perspective", + "logical": "Logical design perspective", + "physical": "Physical implementation perspective", + "security": "Security perspective", + "compliance": "Regulatory compliance perspective", + "risk": "Risk management perspective", + "stakeholder": "General stakeholder perspective", + "custom": "Custom or other perspective" + } + }, + "name": { + "type": "string", + "description": "Name of the perspective" + }, + "description": { + "type": "string", + "description": "Detailed description of the perspective and its focus" + }, + "role": { + "type": "string", + "description": "The role or persona associated with this perspective" + }, + "objectives": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Primary objectives or goals from this perspective" + }, + "concerns": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Primary concerns from this perspective" + }, + "viewpoint": { + "type": "string", + "description": "The architectural viewpoint this perspective represents" + }, + "scope": { + "type": "string", + "description": "The scope of this perspective" + }, + "properties": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/property" + } + } + } + }, + "blueprintMetadata": { + "type": "object", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "description": "When the blueprint was created or last updated" + }, + "authors": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who created the blueprint" + }, + "reviewer": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who reviewed the blueprint" + }, + "reviewDate": { + "type": "string", + "format": "date-time", + "description": "When the blueprint was reviewed" + }, + "approver": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who approved the blueprint" + }, + "approvalDate": { + "type": "string", + "format": "date-time", + "description": "When the blueprint was approved" + }, + "ordinalVersion": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/ordinalVersion" + }, + "lifecycles": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/lifecycles" + }, + "validityPeriod": { + "$ref": "#/$defs/validityPeriod" + } + } + }, + "validityPeriod": { + "type": "object", + "additionalProperties": false, + "properties": { + "start": { + "type": "string", + "format": "date-time", + "description": "When the blueprint becomes valid" + }, + "end": { + "type": "string", + "format": "date-time", + "description": "When the blueprint expires" + }, + "reviewFrequency": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$", + "description": "ISO 8601 duration for review frequency (e.g., P3M for quarterly)" + } + } + }, + "scope": { + "type": "object", + "required": ["name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the scope" + }, + "description": { + "type": "string", + "description": "Description of what is included and excluded from the model" + }, + "boundaries": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Explicit boundaries of the model" + }, + "includedComponents": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to components explicitly included" + }, + "excludedComponents": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to components explicitly excluded" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "asset": { + "type": "object", + "required": ["bom-ref", "type", "name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for the asset" + }, + "componentRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the component this asset represents" + }, + "serviceRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the service this asset represents" + }, + "type": { + "type": "string", + "enum": [ + "component", + "service", + "dataStore", + "data", + "actor", + "process", + "infrastructure", + "device", + "network", + "container", + "function", + "api", + "queue", + "stream", + "system", + "subsystem", + "module", + "interface", + "endpoint", + "resource" + ], + "meta:enum": { + "component": "Software component or application", + "service": "Service or microservice", + "dataStore": "Database, file system, or data repository", + "data": "Data asset or dataset", + "actor": "User, system, or external entity", + "process": "Business or system process", + "infrastructure": "Infrastructure component", + "device": "Physical or IoT device", + "network": "Network segment or resource", + "container": "Container or orchestration unit", + "function": "Serverless function or lambda", + "api": "API endpoint or interface", + "queue": "Message queue or event bus", + "stream": "Data stream or event stream", + "system": "Complete system or application", + "subsystem": "Part of a larger system", + "module": "Software module or package", + "interface": "System interface or contract", + "endpoint": "Service endpoint or URL", + "resource": "Generic resource or artifact" + } + }, + "name": { + "type": "string", + "description": "Name of the asset" + }, + "description": { + "type": "string", + "description": "Description of the asset's role and purpose" + }, + "zone": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the zone containing this asset" + }, + "parent": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to parent asset if this is a sub-component" + }, + "classification": { + "$ref": "#/$defs/assetClassification" + }, + "attributes": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Generic attributes or tags for the asset" + }, + "responsibilities": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Responsibilities or functions of this asset" + }, + "interfaces": { + "type": "array", + "items": { + "$ref": "#/$defs/interface" + }, + "description": "Interfaces exposed by this asset" + }, + "dependencies": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to assets this asset depends on" + }, + "useCases": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to use cases that involve this asset" + }, + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/authenticationType" + }, + "description": "Authentication methods supported/required" + }, + "authorization": { + "$ref": "#/$defs/authorizationType", + "description": "Authorization model used" + }, + "encryption": { + "$ref": "#/$defs/encryptionType" + }, + "ownership": { + "$ref": "#/$defs/ownership" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + } + } + }, + "interface": { + "type": "object", + "required": ["name", "type"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Name of the interface" + }, + "type": { + "type": "string", + "enum": ["rest", "graphql", "grpc", "soap", "messaging", "file", "database", "cli", "gui", "api", "event", "stream"], + "description": "Type of interface" + }, + "description": { + "type": "string", + "description": "Description of the interface" + }, + "specification": { + "type": "string", + "description": "Link or reference to interface specification" + }, + "protocol": { + "type": "string", + "description": "Communication protocol used" + }, + "dataFormat": { + "type": "string", + "description": "Data format (e.g., JSON, XML, Protocol Buffers)" + }, + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/authenticationType" + } + }, + "operations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Operations or methods exposed" + } + } + }, + "zone": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the zone" + }, + "description": { + "type": "string", + "description": "Description of the zone's characteristics" + }, + "type": { + "type": "string", + "enum": ["trust", "network", "physical", "logical", "deployment", "organizational", "functional", "security"], + "meta:enum": { + "trust": "Security trust zone", + "network": "Network segmentation zone", + "physical": "Physical location or boundary", + "logical": "Logical grouping or boundary", + "deployment": "Deployment environment (e.g., dev, staging, prod)", + "organizational": "Organizational or administrative boundary", + "functional": "Functional grouping", + "security": "Security zone or perimeter" + } + }, + "parent": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to parent zone if this is a sub-zone" + }, + "characteristics": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Key characteristics of this zone" + }, + "constraints": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Constraints or limitations of this zone" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "boundary": { + "type": "object", + "required": ["bom-ref", "zones"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the boundary" + }, + "type": { + "type": "string", + "enum": ["trust", "network", "process", "data", "physical", "organizational", "functional"], + "meta:enum": { + "trust": "Trust boundary between different security zones", + "network": "Network boundary or firewall", + "process": "Process or execution boundary", + "data": "Data classification boundary", + "physical": "Physical security boundary", + "organizational": "Organizational boundary", + "functional": "Functional boundary" + } + }, + "zones": { + "type": "array", + "minItems": 2, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "The zones this boundary connects or separates" + }, + "crossingRequirements": { + "$ref": "#/$defs/crossingRequirements" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "crossingRequirements": { + "type": "object", + "additionalProperties": false, + "properties": { + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/authenticationType" + }, + "description": "Authentication required to cross this boundary" + }, + "authorization": { + "$ref": "#/$defs/authorizationType", + "description": "Authorization model at this boundary" + }, + "dataValidation": { + "type": "boolean", + "description": "Whether data is validated when crossing this boundary" + }, + "dataTransformation": { + "type": "boolean", + "description": "Whether data is transformed when crossing this boundary" + }, + "encryption": { + "$ref": "#/$defs/encryptionType", + "description": "Encryption requirements for crossing this boundary" + }, + "logging": { + "type": "boolean", + "description": "Whether crossings are logged" + }, + "monitoring": { + "type": "boolean", + "description": "Whether crossings are monitored" + }, + "rateLimit": { + "type": "string", + "description": "Rate limiting policy" + }, + "protocols": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed protocols for crossing" + } + } + }, + "flow": { + "type": "object", + "required": ["bom-ref", "name", "source", "destination", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name or description of the flow" + }, + "description": { + "type": "string", + "description": "Detailed description of what flows and why" + }, + "type": { + "type": "string", + "enum": ["data", "control", "process", "message", "event", "dependency", "interaction"], + "meta:enum": { + "data": "Data or information flow", + "control": "Control or command flow", + "process": "Business process flow", + "message": "Message or communication flow", + "event": "Event or notification flow", + "dependency": "Dependency relationship", + "interaction": "User or system interaction" + } + }, + "source": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the source asset" + }, + "destination": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the destination asset" + }, + "bidirectional": { + "type": "boolean", + "default": false, + "description": "Whether flow occurs in both directions" + }, + "synchronous": { + "type": "boolean", + "description": "Whether the flow is synchronous or asynchronous" + }, + "volume": { + "type": "string", + "description": "Expected volume or frequency of flow" + }, + "timing": { + "type": "string", + "description": "Timing characteristics (real-time, batch, scheduled)" + }, + "protocol": { + "type": "string", + "description": "Communication protocol used" + }, + "dataFormat": { + "type": "string", + "description": "Format of data in the flow" + }, + "classification": { + "$ref": "#/$defs/dataClassification" + }, + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/authenticationType" + } + }, + "encryption": { + "$ref": "#/$defs/encryptionType" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "assumption": { + "type": "object", + "required": ["description"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": { + "type": "string", + "description": "The assumption being made" + }, + "category": { + "type": "string", + "enum": ["technical", "business", "operational", "security", "compliance", "performance", "availability"], + "description": "Category of the assumption" + }, + "relatedAssets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Assets this assumption relates to" + }, + "validity": { + "type": "string", + "enum": ["unknown", "verified", "unverified", "invalid"], + "default": "unknown", + "description": "Whether the assumption has been validated" + }, + "impact": { + "type": "string", + "description": "Impact if this assumption proves false" + }, + "owner": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Who owns or is responsible for this assumption" + }, + "validationMethod": { + "type": "string", + "description": "How this assumption can be validated" + }, + "validationDate": { + "type": "string", + "format": "date-time", + "description": "When the assumption was last validated" + } + } + }, + "visualization": { + "type": "object", + "required": ["name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name or title of the visualization" + }, + "description": { + "type": "string", + "description": "Description of what the visualization shows" + }, + "type": { + "type": "string", + "enum": [ + "architecture", + "dataFlow", + "sequence", + "state", + "deployment", + "network", + "process", + "useCase", + "component", + "class", + "entity", + "activity", + "collaboration", + "context", + "container", + "code" + ], + "meta:enum": { + "architecture": "System architecture diagram", + "dataFlow": "Data flow diagram (DFD)", + "sequence": "Sequence or interaction diagram", + "state": "State machine diagram", + "deployment": "Deployment or infrastructure diagram", + "network": "Network topology diagram", + "process": "Business process diagram", + "useCase": "Use case diagram", + "component": "Component diagram", + "class": "Class or object diagram", + "entity": "Entity relationship diagram", + "activity": "Activity or workflow diagram", + "collaboration": "Collaboration diagram", + "context": "Context diagram", + "container": "Container diagram (C4)", + "code": "Code structure diagram" + } + }, + "format": { + "type": "string", + "enum": ["mermaid", "graphviz", "plantuml", "drawio", "svg", "png", "jpeg", "d3", "cytoscape", "visio", "archimate"], + "meta:enum": { + "mermaid": "Mermaid diagram language", + "graphviz": "GraphViz DOT language", + "plantuml": "PlantUML diagram language", + "drawio": "Draw.io/diagrams.net format", + "svg": "Scalable Vector Graphics", + "png": "Portable Network Graphics", + "jpeg": "JPEG image format", + "d3": "D3.js visualization", + "cytoscape": "Cytoscape graph format", + "visio": "Microsoft Visio format", + "archimate": "ArchiMate model format" + } + }, + "content": { + "type": "string", + "description": "The diagram content (source code or base64 encoded image)" + }, + "url": { + "type": "string", + "format": "iri-reference", + "description": "URL to the diagram if stored externally" + }, + "level": { + "type": "string", + "enum": ["overview", "high", "medium", "detailed"], + "description": "Level of detail in the visualization" + }, + "perspective": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the perspective this visualization represents" + }, + "elements": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to elements shown in this visualization" + }, + "interactive": { + "type": "boolean", + "description": "Whether the visualization is interactive" + }, + "layers": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Layers or views available in the visualization" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "assetClassification": { + "type": "object", + "additionalProperties": false, + "properties": { + "criticality": { + "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/criticality" + }, + "sensitivity": { + "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/dataSensitivity" + }, + "dataClassification": { + "$ref": "#/$defs/dataClassification" + }, + "tier": { + "type": "string", + "enum": ["tier0", "tier1", "tier2", "tier3", "tier4"], + "meta:enum": { + "tier0": "Mission critical - highest priority", + "tier1": "Business critical - high priority", + "tier2": "Business important - medium priority", + "tier3": "Business supporting - low priority", + "tier4": "Non-critical - minimal priority" + } + }, + "categories": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Business or technical categories" + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tags for classification and search" + } + } + }, + "dataClassification": { + "type": "object", + "additionalProperties": false, + "properties": { + "sensitivity": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/dataSensitivity" + }, + "dataTypes": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Specific types of data" + }, + "handling": { + "type": "string", + "description": "Data handling requirements" + }, + "retention": { + "type": "string", + "description": "Data retention requirements" + }, + "disposal": { + "type": "string", + "description": "Data disposal requirements" + }, + "regulations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Applicable regulations" + } + } + }, + "ownership": { + "type": "object", + "additionalProperties": false, + "properties": { + "owner": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Primary owner of the asset" + }, + "steward": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Steward responsible for the asset" + }, + "custodian": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Custodian responsible for protecting the asset" + }, + "users": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Primary users of the asset" + } + } + }, + "authenticationType": { + "type": "string", + "enum": [ + "none", + "basic", + "bearer", + "digest", + "certificate", + "apiKey", + "oauth1", + "oauth2", + "openIdConnect", + "saml", + "kerberos", + "ntlm", + "jwt", + "custom" + ], + "description": "Authentication method", + "meta:enum": { + "none": "No authentication required", + "basic": "Basic authentication (username/password)", + "bearer": "Bearer token authentication", + "digest": "Digest authentication", + "certificate": "Certificate-based authentication", + "apiKey": "API key authentication", + "oauth1": "OAuth 1.0 authentication", + "oauth2": "OAuth 2.0 authentication", + "openIdConnect": "OpenID Connect authentication", + "saml": "SAML authentication", + "kerberos": "Kerberos authentication", + "ntlm": "NTLM authentication", + "jwt": "JSON Web Token authentication", + "custom": "Custom authentication method" + } + }, + "authorizationType": { + "type": "string", + "enum": ["none", "acl", "rbac", "abac", "mac", "dac", "pbac", "cbac", "custom"], + "description": "Authorization model", + "meta:enum": { + "none": "No authorization controls", + "acl": "Access Control Lists", + "rbac": "Role-Based Access Control", + "abac": "Attribute-Based Access Control", + "mac": "Mandatory Access Control", + "dac": "Discretionary Access Control", + "pbac": "Policy-Based Access Control", + "cbac": "Claims-Based Access Control", + "custom": "Custom authorization model" + } + }, + "encryptionType": { + "type": "object", + "additionalProperties": false, + "properties": { + "inTransit": { + "type": "boolean", + "description": "Whether data is encrypted in transit" + }, + "atRest": { + "type": "boolean", + "description": "Whether data is encrypted at rest" + }, + "inProcessing": { + "type": "boolean", + "description": "Whether data is encrypted during processing" + } + } + } + } +} \ No newline at end of file diff --git a/schema/2.0/model/cyclonedx-common-2.0.schema.json b/schema/2.0/model/cyclonedx-common-2.0.schema.json index dfa83ebf..e158505e 100644 --- a/schema/2.0/model/cyclonedx-common-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-common-2.0.schema.json @@ -392,6 +392,12 @@ } } }, + "organizationalEntityOrContact": { + "oneOf": [ + { "$ref": "#/$defs/organizationalEntity" }, + { "$ref": "#/$defs/organizationalContact" } + ] + }, "properties": { "type": "array", "title": "Properties", @@ -458,12 +464,81 @@ "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$", "description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed." }, - - - - - - + "ordinalVersion": { + "title": "Ordinal Version", + "description": "An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.", + "type": "string", + "pattern": "^\\d+(\\.\\d+)*$", + "examples": [ + "1", + "1.2", + "1.2.3", + "2025.09.02", + "10.4.7.3" + ] + }, + "lifecycle": { + "type": "object", + "title": "Lifecycle", + "description": "The product lifecycle(s) that this BOM represents.", + "oneOf": [ + { + "title": "Pre-Defined Phase", + "required": ["phase"], + "additionalProperties": false, + "properties": { + "phase": { + "type": "string", + "title": "Phase", + "description": "A pre-defined phase in the product lifecycle.", + "enum": [ + "design", + "pre-build", + "build", + "post-build", + "operations", + "discovery", + "decommission" + ], + "meta:enum": { + "design": "BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.", + "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.", + "build": "BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.", + "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.", + "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.", + "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.", + "decommission": "BOM containing inventory that will be, or has been retired from operations." + } + } + } + }, + { + "title": "Custom Phase", + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the lifecycle phase" + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the lifecycle phase" + } + } + } + ] + }, + "lifecycles": { + "type": "array", + "title": "Lifecycles", + "description": "Lifecycles communicate the stage(s) in which data was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.", + "items": { + "$ref": "#/$defs/lifecycle" + } + }, "commit": { "type": "object", "title": "Commit", diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json new file mode 100644 index 00000000..0e07128f --- /dev/null +++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json @@ -0,0 +1,669 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "http://localhost:8080/schema/2.0/model/cyclonedx-risk-2.0.schema.json", + "type": "object", + "title": "CycloneDX Transparency Expression Language: Risk", + "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "An optional identifier which can be used to reference the risk assessment elsewhere in the BOM" + }, + "domains": { + "type": "array", + "description": "Risk domains covered by this assessment", + "items": { + "$ref": "#/$defs/riskDomain" + } + }, + "scenarios": { + "type": "array", + "items": { + "$ref": "#/$defs/scenario" + }, + "description": "Risk scenarios identified" + }, + "mitigations": { + "type": "array", + "items": { + "$ref": "#/$defs/mitigation" + }, + "description": "Controls, countermeasures, or mitigations to address identified risks" + }, + "assessments": { + "type": "array", + "items": { + "$ref": "#/$defs/assessment" + }, + "description": "Risk assessments and evaluations" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + }, + "$defs": { + "riskDomain": { + "type": "object", + "required": ["type"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "security", + "privacy", + "operational", + "financial", + "compliance", + "strategic", + "reputational", + "safety", + "environmental", + "supply_chain", + "technical", + "project" + ], + "meta:enum": { + "security": "Information security and cybersecurity risks", + "privacy": "Data protection and privacy risks", + "operational": "Business operations and continuity risks", + "financial": "Financial loss and economic impact risks", + "compliance": "Regulatory and legal compliance risks", + "strategic": "Strategic business and market risks", + "reputational": "Brand and reputation damage risks", + "safety": "Human safety and physical security risks", + "environmental": "Environmental impact and sustainability risks", + "supply_chain": "Supply chain and third-party risks", + "technical": "Technical and technology risks", + "project": "Project delivery and execution risks" + } + }, + "priority": { + "$ref": "#/$defs/priority" + }, + "description": { + "type": "string", + "description": "Additional context for this risk domain" + } + } + }, + "riskAttribute": { + "type": "string", + "description": "A classification of security and privacy attributes that represent potential impact areas when a risk is realized", + "enum": [ + "accountability", + "authentication", + "authorization", + "authenticity", + "availability", + "compliance", + "confidentiality", + "connectivity", + "control", + "data_subject_rights", + "integrity", + "minimisation", + "non-repudiation", + "possession", + "privacy", + "purpose_limitation", + "transparency", + "utility" + ], + "meta:enum": { + "accountability": "Assigning responsibility for actions and decisions to individuals or entities", + "authentication": "Verifying the identity of users, devices, or systems before granting access", + "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources", + "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified", + "availability": "Ensuring systems, data, and services are accessible and operational when needed", + "compliance": "Adherence to applicable laws, regulations, policies, and standards", + "confidentiality": "Preventing unauthorised access to or disclosure of information", + "connectivity": "Maintaining secure and reliable communication between systems or components", + "control": "Enabling individuals to manage how their personal data is used and shared", + "data_subject_rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data", + "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorised actors", + "minimisation": "Limiting data collection and retention to what is strictly necessary for the intended purpose", + "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications", + "possession": "Ensuring control or custody over data or assets, regardless of ownership", + "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards", + "purpose_limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection", + "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing", + "utility": "Ensuring data is usable and in a format suitable for the intended purpose" + } + }, + "scenario": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the risk scenario" + }, + "description": { + "type": "string", + "description": "Detailed description of the scenario" + }, + "type": { + "type": "string", + "enum": ["threat", "vulnerability", "weakness", "risk", "incident", "opportunity", "hazard"], + "meta:enum": { + "threat": "Security threat scenario", + "vulnerability": "Exploitable vulnerability", + "weakness": "System or design weakness", + "risk": "General risk scenario", + "incident": "Potential incident scenario", + "opportunity": "Positive risk (opportunity)", + "hazard": "Safety hazard scenario" + } + }, + "domain": { + "$ref": "#/$defs/riskDomain" + }, + "category": { + "type": "string", + "description": "Category or classification of the scenario" + }, + "likelihood": { + "$ref": "#/$defs/likelihood" + }, + "impact": { + "$ref": "#/$defs/impact" + }, + "riskScore": { + "$ref": "#/$defs/riskScore" + }, + "riskAttributes": { + "type": "array", + "items": { + "$ref": "#/$defs/riskAttribute" + }, + "description": "Risk attributes affected by this scenario" + }, + "affectedAssets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to affected assets" + }, + "mitigations": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to mitigations that address this scenario" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "likelihood": { + "type": "object", + "required": ["level"], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": ["veryLow", "low", "medium", "high", "veryHigh", "certain"], + "description": "Likelihood level", + "meta:enum": { + "veryLow": "Very unlikely to occur (< 10%)", + "low": "Unlikely to occur (10-30%)", + "medium": "Possible to occur (30-60%)", + "high": "Likely to occur (60-90%)", + "veryHigh": "Very likely to occur (> 90%)", + "certain": "Will certainly occur (100%)" + } + }, + "score": { + "type": "number", + "minimum": 0, + "maximum": 10, + "description": "Numeric likelihood score" + }, + "probability": { + "type": "number", + "minimum": 0, + "maximum": 1, + "description": "Probability as a decimal (0-1)" + }, + "rationale": { + "type": "string", + "description": "Justification for the likelihood rating" + } + } + }, + "impact": { + "type": "object", + "required": ["level"], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": ["negligible", "low", "moderate", "high", "severe", "catastrophic"], + "description": "Impact severity level", + "meta:enum": { + "negligible": "Minimal impact with no significant consequences", + "low": "Minor impact with limited consequences", + "moderate": "Moderate impact affecting some operations", + "high": "Significant impact with serious consequences", + "severe": "Severe impact with critical consequences", + "catastrophic": "Catastrophic impact with existential consequences" + } + }, + "score": { + "type": "number", + "minimum": 0, + "maximum": 10, + "description": "Numeric impact score" + }, + "categories": { + "type": "array", + "items": { + "type": "string", + "enum": [ + "confidentiality", + "integrity", + "availability", + "financial", + "reputation", + "regulatory", + "safety", + "privacy", + "operational", + "strategic" + ], + "meta:enum": { + "confidentiality": "Impact on data confidentiality", + "integrity": "Impact on data or system integrity", + "availability": "Impact on service availability", + "financial": "Financial loss or impact", + "reputation": "Reputational damage", + "regulatory": "Regulatory compliance impact", + "safety": "Human safety impact", + "privacy": "Privacy violation impact", + "operational": "Operational disruption", + "strategic": "Strategic business impact" + } + }, + "description": "Categories of impact" + }, + "riskAttributes": { + "type": "array", + "items": { + "$ref": "#/$defs/riskAttribute" + }, + "description": "Risk attributes affected" + }, + "quantification": { + "$ref": "#/$defs/impactQuantification" + }, + "description": { + "type": "string", + "description": "Description of the potential impact" + } + } + }, + "impactQuantification": { + "type": "object", + "additionalProperties": false, + "properties": { + "financialLoss": { + "type": "number", + "description": "Estimated financial loss in currency units" + }, + "currency": { + "type": "string", + "pattern": "^[A-Z]{3}$", + "description": "ISO 4217 currency code" + }, + "affectedUsers": { + "type": "integer", + "description": "Number of affected users" + }, + "downtime": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", + "description": "Expected downtime as ISO 8601 duration" + }, + "dataRecords": { + "type": "integer", + "description": "Number of data records affected" + }, + "recovery": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", + "description": "Recovery time as ISO 8601 duration" + } + } + }, + "riskScore": { + "type": "object", + "required": ["level"], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": ["info", "low", "medium", "high", "critical"], + "description": "Overall risk level", + "meta:enum": { + "info": "Informational - no immediate action required", + "low": "Low risk - monitor and address in normal cycle", + "medium": "Medium risk - plan mitigation activities", + "high": "High risk - prioritize mitigation efforts", + "critical": "Critical risk - immediate action required" + } + }, + "score": { + "type": "number", + "minimum": 0, + "description": "Numeric risk score" + }, + "vector": { + "type": "string", + "description": "Risk scoring vector (e.g., L:H/I:M)" + }, + "methodology": { + "type": "string", + "description": "Risk scoring methodology used" + } + } + }, + "mitigation": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the mitigation" + }, + "description": { + "type": "string", + "description": "Description of what the mitigation does" + }, + "type": { + "type": "string", + "enum": [ + "avoid", + "reduce", + "transfer", + "accept", + "control", + "countermeasure", + "safeguard", + "practice", + "procedure" + ], + "meta:enum": { + "avoid": "Avoid the risk entirely", + "reduce": "Reduce likelihood or impact", + "transfer": "Transfer risk to another party", + "accept": "Accept the risk", + "control": "Preventive or detective control", + "countermeasure": "Reactive measure to counter risks", + "safeguard": "Protective measure", + "practice": "Risk management practice", + "procedure": "Documented procedure" + } + }, + "strategy": { + "type": "string", + "enum": ["prevent", "detect", "respond", "recover"], + "meta:enum": { + "prevent": "Prevents the risk from occurring", + "detect": "Detects when the risk occurs", + "respond": "Responds to the risk when detected", + "recover": "Recovers from the impact" + } + }, + "status": { + "type": "string", + "enum": ["proposed", "approved", "planned", "inProgress", "implemented", "verified"], + "meta:enum": { + "proposed": "Mitigation has been proposed", + "approved": "Mitigation has been approved", + "planned": "Implementation is planned", + "inProgress": "Implementation is in progress", + "implemented": "Mitigation has been implemented", + "verified": "Effectiveness has been verified" + } + }, + "priority": { + "$ref": "#/$defs/priority" + }, + "effectiveness": { + "$ref": "#/$defs/effectiveness" + }, + "cost": { + "type": "string", + "enum": ["trivial", "low", "medium", "high", "extreme"], + "meta:enum": { + "trivial": "Minimal cost and effort", + "low": "Low cost and effort", + "medium": "Moderate cost and effort", + "high": "High cost and significant effort", + "extreme": "Extreme cost and major effort" + } + }, + "addresses": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to scenarios this mitigation addresses" + }, + "implementedBy": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to assets that implement this mitigation" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "effectiveness": { + "type": "object", + "additionalProperties": false, + "properties": { + "percentage": { + "type": "number", + "minimum": 0, + "maximum": 100, + "description": "Effectiveness as percentage" + }, + "rating": { + "type": "string", + "enum": ["ineffective", "marginal", "adequate", "good", "excellent"], + "meta:enum": { + "ineffective": "Does not meaningfully reduce risk", + "marginal": "Slightly reduces risk", + "adequate": "Adequately reduces risk", + "good": "Significantly reduces risk", + "excellent": "Nearly eliminates risk" + } + } + } + }, + "assessment": { + "type": "object", + "required": ["bom-ref", "type", "timestamp"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "type": { + "type": "string", + "enum": ["initial", "periodic", "continuous", "triggered"], + "meta:enum": { + "initial": "Initial risk assessment", + "periodic": "Scheduled periodic assessment", + "continuous": "Continuous monitoring assessment", + "triggered": "Event-triggered assessment" + } + }, + "timestamp": { + "type": "string", + "format": "date-time", + "description": "When the assessment was performed" + }, + "assessor": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Who performed the assessment" + }, + "summary": { + "type": "string", + "description": "Executive summary of the assessment" + }, + "findings": { + "type": "array", + "items": { + "$ref": "#/$defs/finding" + }, + "description": "Specific findings from the assessment" + }, + "overallRisk": { + "$ref": "#/$defs/riskScore", + "description": "Overall risk score/level" + }, + "recommendations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Recommendations from the assessment" + }, + "nextReview": { + "type": "string", + "format": "date-time", + "description": "When the next review should occur" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "finding": { + "type": "object", + "required": ["title", "severity"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "title": { + "type": "string", + "description": "Title of the finding" + }, + "description": { + "type": "string", + "description": "Detailed description of the finding" + }, + "severity": { + "$ref": "#/$defs/severity" + }, + "relatedScenarios": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Scenarios related to this finding" + }, + "relatedAssets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Assets affected by this finding" + }, + "remediation": { + "type": "string", + "description": "Recommended remediation" + }, + "status": { + "type": "string", + "enum": ["open", "inProgress", "resolved", "accepted"], + "meta:enum": { + "open": "Finding is open and unaddressed", + "inProgress": "Remediation is in progress", + "resolved": "Finding has been resolved", + "accepted": "Risk has been accepted" + } + } + } + }, + "priority": { + "type": "string", + "enum": ["none", "low", "medium", "high", "critical"], + "description": "Priority level", + "meta:enum": { + "none": "No priority assigned", + "low": "Low priority - address when convenient", + "medium": "Medium priority - address in normal cycle", + "high": "High priority - address soon", + "critical": "Critical priority - address immediately" + } + }, + "severity": { + "type": "string", + "enum": ["info", "low", "medium", "high", "critical"], + "description": "Severity level", + "meta:enum": { + "info": "Informational finding", + "low": "Low severity issue", + "medium": "Medium severity issue", + "high": "High severity issue", + "critical": "Critical severity issue" + } + }, + "criticality": { + "type": "string", + "enum": ["minimal", "low", "moderate", "high", "critical"], + "description": "Business criticality level", + "meta:enum": { + "minimal": "Minimal impact on business operations", + "low": "Low impact with minor inconvenience", + "moderate": "Moderate impact affecting some operations", + "high": "High impact affecting critical operations", + "critical": "Critical impact with severe business consequences" + } + }, + "dataSensitivity": { + "type": "string", + "enum": ["public", "internal", "confidential", "restricted", "secret"], + "description": "Data sensitivity classification", + "meta:enum": { + "public": "Public information that can be freely shared", + "internal": "Internal use only within the organization", + "confidential": "Confidential information requiring protection", + "restricted": "Highly restricted information with limited access", + "secret": "Secret information requiring special handling" + } + } + } +} diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json index 062a8cd5..51d3173e 100644 --- a/schema/2.0/model/cyclonedx-threat-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-threat-2.0.schema.json @@ -1,52 +1,770 @@ { "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "http://localhost:8080/schema/2.0/cyclonedx-threat-2.0.schema.json", - "type": "null", + "$id": "http://localhost:8080/schema/2.0/model/cyclonedx-threat-2.0.schema.json", + "type": "object", "title": "CycloneDX Transparency Expression Language: Threat", "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", "$defs": { - "riskAttributes": { - "type": "string", - "description": "A classification of security and privacy attributes that represent potential impact areas when a threat is realised. These attributes help identify what is at risk, and can also be used to prioritise which attributes are most important to protect for a given application, system, or threat model.", - "enum": [ - "accountability", - "authentication", - "authorization", - "authenticity", - "availability", - "compliance", - "confidentiality", - "connectivity", - "control", - "data_subject_rights", - "integrity", - "minimisation", - "non-repudiation", - "possession", - "privacy", - "purpose_limitation", - "transparency", - "utility" - ], - "meta:enum": { - "accountability": "Assigning responsibility for actions and decisions to individuals or entities.", - "authentication": "Verifying the identity of users, devices, or systems before granting access.", - "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources.", - "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified.", - "availability": "Ensuring systems, data, and services are accessible and operational when needed.", - "compliance": "Adherence to applicable laws, regulations, policies, and standards.", - "confidentiality": "Preventing unauthorised access to or disclosure of information.", - "connectivity": "Maintaining secure and reliable communication between systems or components.", - "control": "Enabling individuals to manage how their personal data is used and shared.", - "data_subject_rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data.", - "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorised actors.", - "minimisation": "Limiting data collection and retention to what is strictly necessary for the intended purpose.", - "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications.", - "possession": "Ensuring control or custody over data or assets, regardless of ownership.", - "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards.", - "purpose_limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection.", - "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing.", - "utility": "Ensuring data is usable and in a format suitable for the intended purpose." + "threatScenario": { + "type": "object", + "allOf": [ + { + "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/scenario" + }, + { + "properties": { + "threatCategory": { + "type": "string", + "description": "Threat category based on methodology (e.g., STRIDE category)" + }, + "threatActor": { + "$ref": "#/$defs/threatActorProfile" + }, + "attackVector": { + "$ref": "#/$defs/attackVector" + }, + "attackPattern": { + "$ref": "#/$defs/attackPatternReference" + }, + "weakness": { + "$ref": "#/$defs/weaknessReference" + }, + "exploitability": { + "$ref": "#/$defs/exploitability" + }, + "indicators": { + "$ref": "#/$defs/indicators" + }, + "killChainPhase": { + "type": "string", + "enum": [ + "reconnaissance", + "weaponization", + "delivery", + "exploitation", + "installation", + "command-and-control", + "actions-on-objectives" + ], + "meta:enum": { + "reconnaissance": "Gathering information about the target", + "weaponization": "Creating malicious payloads", + "delivery": "Transmitting weapon to target", + "exploitation": "Exploiting vulnerabilities", + "installation": "Installing malware or backdoors", + "command-and-control": "Establishing C2 channel", + "actions-on-objectives": "Achieving attack goals" + } + }, + "technicalImpact": { + "type": "array", + "items": { + "type": "string", + "enum": [ + "unauthorized-access", + "data-breach", + "data-corruption", + "service-disruption", + "privilege-escalation", + "code-execution", + "information-disclosure", + "denial-of-service" + ] + } + } + } + } + ] + }, + "threatActor": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name or identifier of the threat actor" + }, + "description": { + "type": "string", + "description": "Description of the threat actor" + }, + "type": { + "type": "string", + "enum": ["individual", "group", "organization", "nation-state", "unknown"], + "meta:enum": { + "individual": "Individual threat actor", + "group": "Organized group or collective", + "organization": "Corporate or criminal organization", + "nation-state": "Nation-state sponsored actor", + "unknown": "Unknown threat actor type" + } + }, + "aliases": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Known aliases or alternative names" + }, + "profile": { + "$ref": "#/$defs/threatActorProfile" + }, + "observedTTPs": { + "type": "array", + "items": { + "$ref": "#/$defs/ttp" + }, + "description": "Observed tactics, techniques, and procedures" + }, + "attributedAttacks": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Attacks attributed to this actor" + }, + "targeting": { + "$ref": "#/$defs/targeting" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + } + } + }, + "threatActorProfile": { + "type": "object", + "additionalProperties": false, + "properties": { + "sophistication": { + "type": "string", + "enum": ["none", "minimal", "intermediate", "advanced", "expert"], + "meta:enum": { + "none": "No technical sophistication", + "minimal": "Script kiddie level", + "intermediate": "Intermediate technical skills", + "advanced": "Advanced persistent threat", + "expert": "Nation-state level capabilities" + } + }, + "motivation": { + "type": "array", + "items": { + "type": "string", + "enum": [ + "financial", + "political", + "personal", + "ideological", + "espionage", + "destruction", + "disruption", + "reputation", + "curiosity", + "competitive", + "revenge", + "activism" + ] + }, + "description": "Primary motivations" + }, + "capability": { + "type": "string", + "enum": ["minimal", "limited", "moderate", "significant", "advanced"], + "description": "Overall capability level" + }, + "intent": { + "type": "string", + "enum": ["accidental", "opportunistic", "targeted", "persistent"], + "description": "Intent level" + }, + "resources": { + "type": "string", + "enum": ["minimal", "limited", "moderate", "substantial", "unlimited"], + "description": "Resource availability" + }, + "accessLevel": { + "type": "string", + "enum": ["none", "external", "internal", "privileged", "physical"], + "description": "Level of access to target systems" + }, + "skillSet": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Specific skills possessed" + } + } + }, + "attackVector": { + "type": "object", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": ["network", "adjacent", "local", "physical"], + "meta:enum": { + "network": "Remotely exploitable via network", + "adjacent": "Exploitable from adjacent network", + "local": "Requires local access", + "physical": "Requires physical access" + } + }, + "complexity": { + "type": "string", + "enum": ["low", "high"], + "description": "Attack complexity" + }, + "privileges": { + "type": "string", + "enum": ["none", "low", "high"], + "description": "Privileges required" + }, + "userInteraction": { + "type": "string", + "enum": ["none", "required"], + "description": "User interaction requirement" + }, + "scope": { + "type": "string", + "enum": ["unchanged", "changed"], + "description": "Scope impact" + } + } + }, + "attackPattern": { + "type": "object", + "required": ["bom-ref", "name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "capecId": { + "type": "integer", + "description": "CAPEC (Common Attack Pattern Enumeration and Classification) ID" + }, + "name": { + "type": "string", + "description": "Name of the attack pattern" + }, + "description": { + "type": "string", + "description": "Description of the attack pattern" + }, + "severity": { + "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/severity" + }, + "likelihood": { + "type": "string", + "enum": ["low", "medium", "high"], + "description": "Likelihood of this pattern being used" + }, + "prerequisites": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Prerequisites for the attack" + }, + "techniques": { + "type": "array", + "items": { + "$ref": "#/$defs/technique" + }, + "description": "Techniques used in the attack" + }, + "mitigations": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to mitigations" + }, + "examples": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Real-world examples" + } + } + }, + "attackPatternReference": { + "type": "object", + "additionalProperties": false, + "properties": { + "patternRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to attack pattern" + }, + "capecId": { + "type": "integer", + "description": "CAPEC ID if not referencing internal pattern" + }, + "customization": { + "type": "string", + "description": "How this pattern is customized for the specific scenario" + } + } + }, + "technique": { + "type": "object", + "additionalProperties": false, + "properties": { + "id": { + "type": "string", + "description": "Technique ID (e.g., MITRE ATT&CK ID)" + }, + "name": { + "type": "string", + "description": "Name of the technique" + }, + "tactic": { + "type": "string", + "description": "Associated tactic" + }, + "procedure": { + "type": "string", + "description": "Specific procedure" + }, + "tools": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools used with this technique" + } + } + }, + "weakness": { + "type": "object", + "required": ["bom-ref"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "cweId": { + "type": "integer", + "description": "CWE (Common Weakness Enumeration) ID" + }, + "name": { + "type": "string", + "description": "Name of the weakness" + }, + "description": { + "type": "string", + "description": "Description of the weakness" + }, + "abstraction": { + "type": "string", + "enum": ["pillar", "class", "base", "variant", "compound"], + "meta:enum": { + "pillar": "Most abstract type of weakness", + "class": "Weakness described in generic terms", + "base": "Weakness described in abstract terms", + "variant": "Weakness specific to a resource/technology", + "compound": "Combination of two or more weaknesses" + } + }, + "ordinality": { + "type": "string", + "enum": ["primary", "resultant", "indirect"], + "meta:enum": { + "primary": "Weakness exists independent of other weaknesses", + "resultant": "Weakness is caused by another weakness", + "indirect": "Weakness is indirectly caused by another weakness" + } + }, + "affectedAssets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Assets affected by this weakness" + }, + "exploitationDifficulty": { + "type": "string", + "enum": ["trivial", "easy", "moderate", "difficult", "impractical"], + "description": "Difficulty of exploiting this weakness" + }, + "detectionMethods": { + "type": "array", + "items": { + "$ref": "#/$defs/detectionMethod" + }, + "description": "Methods for detecting this weakness" + } + } + }, + "weaknessReference": { + "type": "object", + "additionalProperties": false, + "properties": { + "weaknessRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to weakness" + }, + "cweId": { + "type": "integer", + "description": "CWE ID if not referencing internal weakness" + }, + "instance": { + "type": "string", + "description": "Specific instance or manifestation of the weakness" + } + } + }, + "exploitability": { + "type": "object", + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": ["theoretical", "proof-of-concept", "functional", "weaponized"], + "meta:enum": { + "theoretical": "Theoretically possible but not demonstrated", + "proof-of-concept": "Proof of concept exists", + "functional": "Functional exploit exists", + "weaponized": "Weaponized exploit in the wild" + } + }, + "complexity": { + "type": "string", + "enum": ["trivial", "low", "medium", "high", "very-high"], + "description": "Complexity to exploit" + }, + "skillRequired": { + "type": "string", + "enum": ["none", "basic", "intermediate", "advanced", "expert"], + "description": "Skill level required" + }, + "toolsRequired": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools required for exploitation" + }, + "timeRequired": { + "type": "string", + "description": "Estimated time to develop exploit" + }, + "reliability": { + "type": "string", + "enum": ["unreliable", "occasional", "reliable", "highly-reliable"], + "description": "Reliability of exploitation" + }, + "automatable": { + "type": "boolean", + "description": "Whether exploitation can be automated" + } + } + }, + "indicators": { + "type": "object", + "additionalProperties": false, + "properties": { + "compromise": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Indicators of compromise" + }, + "attack": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Indicators of attack" + }, + "behavioral": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Behavioral indicators" + }, + "signatures": { + "type": "array", + "items": { + "$ref": "#/$defs/signature" + }, + "description": "Detection signatures" + } + } + }, + "signature": { + "type": "object", + "required": ["type", "value"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": ["yara", "snort", "regex", "hash", "behavior"], + "description": "Type of signature" + }, + "value": { + "type": "string", + "description": "Signature value or pattern" + }, + "description": { + "type": "string", + "description": "Description of what the signature detects" + }, + "confidence": { + "type": "string", + "enum": ["low", "medium", "high"], + "description": "Confidence level of detection" + } + } + }, + "ttp": { + "type": "object", + "additionalProperties": false, + "properties": { + "tactic": { + "type": "string", + "description": "High-level tactic" + }, + "technique": { + "$ref": "#/$defs/technique" + }, + "procedure": { + "type": "string", + "description": "Specific implementation" + }, + "tools": { + "type": "array", + "items": { + "$ref": "#/$defs/tool" + }, + "description": "Tools used" + }, + "infrastructure": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Infrastructure used" + } + } + }, + "tool": { + "type": "object", + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Tool name" + }, + "type": { + "type": "string", + "enum": ["exploit", "scanner", "fuzzer", "proxy", "framework", "custom"], + "description": "Type of tool" + }, + "version": { + "type": "string", + "description": "Tool version" + }, + "capabilities": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tool capabilities" + } + } + }, + "targeting": { + "type": "object", + "additionalProperties": false, + "properties": { + "sectors": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Targeted sectors or industries" + }, + "regions": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Targeted geographic regions" + }, + "technologies": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Targeted technologies or platforms" + }, + "dataTypes": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Types of data targeted" + } + } + }, + "detectionMethod": { + "type": "object", + "required": ["method"], + "additionalProperties": false, + "properties": { + "method": { + "type": "string", + "enum": ["static-analysis", "dynamic-analysis", "penetration-test", "code-review", "architecture-review", "automated-scan"], + "description": "Detection method type" + }, + "description": { + "type": "string", + "description": "Description of the detection method" + }, + "effectiveness": { + "type": "string", + "enum": ["low", "medium", "high"], + "description": "Effectiveness of the method" + }, + "tools": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools that implement this method" + } + } + }, + "securityPolicy": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Policy name" + }, + "type": { + "type": "string", + "enum": ["access-control", "data-protection", "network-security", "application-security", "operational-security", "compliance"], + "description": "Type of security policy" + }, + "description": { + "type": "string", + "description": "Policy description" + }, + "requirements": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Policy requirements" + }, + "enforcement": { + "type": "string", + "enum": ["mandatory", "recommended", "optional"], + "description": "Enforcement level" + }, + "appliesTo": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Assets this policy applies to" + }, + "exceptions": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Policy exceptions" + } + } + }, + "trustBoundary": { + "type": "object", + "allOf": [ + { + "$ref": "cyclonedx-blueprint-2.0.schema.json#/$defs/boundary" + }, + { + "properties": { + "trustLevel": { + "type": "string", + "enum": ["untrusted", "semi-trusted", "trusted", "highly-trusted"], + "description": "Trust level differential" + }, + "securityRequirements": { + "$ref": "#/$defs/boundarySecurityRequirements" + }, + "threatsAtBoundary": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Threats that could exploit this boundary" + }, + "controlsAtBoundary": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Controls implemented at this boundary" + } + } + } + ] + }, + "boundarySecurityRequirements": { + "type": "object", + "additionalProperties": false, + "properties": { + "authenticationStrength": { + "type": "string", + "enum": ["none", "weak", "moderate", "strong", "very-strong"], + "description": "Required authentication strength" + }, + "authorizationGranularity": { + "type": "string", + "enum": ["coarse", "medium", "fine", "very-fine"], + "description": "Authorization granularity required" + }, + "integrityVerification": { + "type": "boolean", + "description": "Whether integrity verification is required" + }, + "confidentialityProtection": { + "type": "boolean", + "description": "Whether confidentiality protection is required" + }, + "auditingLevel": { + "type": "string", + "enum": ["none", "basic", "detailed", "comprehensive"], + "description": "Level of auditing required" + }, + "dataValidationRules": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Data validation rules at boundary" + } } } } diff --git a/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json b/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json new file mode 100644 index 00000000..88724de3 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json @@ -0,0 +1,25 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "metadata": { + + }, + "threatModel": { + // References the threat model schema + "modelTypes": [{"type": "threat"}], + "methodologies": [{"type": "STRIDE"}], + "domains": [{"type": "security"}], + + // Blueprint elements + "assets": [...], + "zones": [...], + "boundaries": [...], + "flows": [...], + + // Threat-specific elements + "scenarios": [...], + "threatActors": [...], + "mitigations": [...], + "assessments": [...] + } +} \ No newline at end of file From f4d10d4b8ee55e9b694869754bb8bee9d812edab Mon Sep 17 00:00:00 2001 From: "steve.springett" Date: Wed, 29 Oct 2025 09:54:28 -0500 Subject: [PATCH 4/4] Adding threat models Signed-off-by: steve.springett --- .../cyclonedx-2.0-prototype.json | 71 + .../hashicorp-vault-threat-model.json | 1258 +++++++++++++++++ 2 files changed, 1329 insertions(+) create mode 100644 tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json create mode 100644 tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json diff --git a/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json new file mode 100644 index 00000000..e36ec28a --- /dev/null +++ b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json @@ -0,0 +1,71 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "blueprints": [ + { + "bom-ref": "blueprint-1", + "blueprintMetadata":{ + "timestamp": "2025-09-12T15:42:30Z", + "authors": [], + "reviewers": [], + "reviewDate": "2025-09-03", + "approvers": [], + "approvalDate": "2025-09-12", + "ordinalVersion": "1.0", + "lifecycles": [ + { + "phase": "operations" + } + ], + "validityPeriod": { + "start": "", + "end": "", + "reviewFrequency": "P3M" + } + }, + "modelTypes": [ + "threat", + "dataFlow", + "logical" + ], + "methodologies": [ + "STRIDE", + "LINDDUN" + ], + "perspectives": [ + { + "bom-ref": "perspective-1", + "type": "security", + "name": "", + "role": "Security Architect", + "objectives": [], + "concerns": [], + "viewpoint": "" + ], + "scope": { + "bom-ref": "scope-1", + "name": "HashiCorp Vault", + "description": "HashiCorp Vault is a secrets management system that provides secure storage, access control, dynamic credentials, cryptographic operations (Transit), and secret leasing/renewal. A typical deployment consists of Vault clients (applications, CI/CD, operators) communicating over TLS with one or more Vault server nodes. Vault enforces authentication (e.g., AppRole, AWS/GCP/IAM, OIDC/JWT, Kubernetes), issues scoped tokens bound to policies, and gates all operations through its HTTP API. The server maintains an encrypted storage barrier and persists data in a backend - the integrated Storage/Raft deployment is the one in scope. Clusters are commonly configured in HA mode with an active leader and standby nodes. Core security properties include encryption at rest within the barrier, mutual TLS on all control/data paths, least-privilege policies, response wrapping, and short-lived dynamic secrets. Operational workflows cover initialization and sealing (Shamir key shares), unsealing, rotation of root keys and encryption keys, audit device configuration (e.g., file/socket/syslog), mount-by-mount secrets engine hardening, and strict network segmentation—especially between clients, Vault nodes, and the storage backend. Misconfigurations to consider include over-permissive policies, exposed Raft/Consul ports, weak auth method constraints, disabled audit logging, and long-lived tokens. This threat model involves an AWS deployment with k8s and a load balancer", + "$comment": "Business criticality, data sensitivity, and tier are defined on the individual assets. Exposure is not defined yet.", + "boundaries": [], + "includedComponents": [], + "excludedComponents": [] + + }, + "visualizations": [ + + ], + "externalReferences": [ + { + "type": "documentation", + "url": "https://developer.hashicorp.com/vault/docs" + }, + { + "type": "vcs", + "url": "https://github.com/hashicorp/vault" + } + ] + } + } + ] + } \ No newline at end of file diff --git a/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json new file mode 100644 index 00000000..d549195a --- /dev/null +++ b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json @@ -0,0 +1,1258 @@ +{ + "$schema": "https://github.com/OWASP/www-project-threat-model-library/blob/v1.0.1/threat-model.schema.json", + "version": "1.0", + "scope": { + "title": "HashiCorp Vault", + "description": "HashiCorp Vault is a secrets management system that provides secure storage, access control, dynamic credentials, cryptographic operations (Transit), and secret leasing/renewal. A typical deployment consists of Vault clients (applications, CI/CD, operators) communicating over TLS with one or more Vault server nodes. Vault enforces authentication (e.g., AppRole, AWS/GCP/IAM, OIDC/JWT, Kubernetes), issues scoped tokens bound to policies, and gates all operations through its HTTP API. The server maintains an encrypted storage barrier and persists data in a backend - the integrated Storage/Raft deployment is the one in scope. Clusters are commonly configured in HA mode with an active leader and standby nodes. Core security properties include encryption at rest within the barrier, mutual TLS on all control/data paths, least-privilege policies, response wrapping, and short-lived dynamic secrets. Operational workflows cover initialization and sealing (Shamir key shares), unsealing, rotation of root keys and encryption keys, audit device configuration (e.g., file/socket/syslog), mount-by-mount secrets engine hardening, and strict network segmentation—especially between clients, Vault nodes, and the storage backend. Misconfigurations to consider include over-permissive policies, exposed Raft/Consul ports, weak auth method constraints, disabled audit logging, and long-lived tokens. This threat model involves an AWS deployment with k8s and a load balancer", + "business_criticality": "high", + "data_sensitivity": [ + "biz", + "cred", + "pii" + ], + "exposure": "internal", + "tier": "mission_critical" + }, + "description": "Enterprise secrets management and cryptographic services for applications and operators.", + "frozen": false, + "release_docs_link": "https://developer.hashicorp.com/vault/docs", + "reviewed_at": "2025-09-03", + "repo_link": "https://github.com/hashicorp/vault", + "diagrams": [ + { + "title": "AWS Deployment with K8s and a load balancer","type": "mermaid", + "source": "flowchart LR; AU[\"App User\"]; DEV[\"Developer\"]; PE[\"Platform Engineer\"]; APP1[\"Client Application (App 1)\"]; CLI[\"Vault CLI / API Client\"]; subgraph VPC[\"Internal AWS VPC\"]; direction LR; VPN[\"VPN Gateway (AWS SSO)\"]; LB[\"AWS Load Balancer\"]; subgraph EKS[\"EKS Cluster\"]; direction TB; APISERVER[\"Kubernetes API Server\"]; subgraph NS[\"K8s Namespace: vault\"]; direction LR; SVC[\"K8s Service: vault-internal\"]; SVC_EP[\"Service Endpoint\"]; subgraph VAULT[\"Vault HA Deployment (StatefulSet)\"]; direction LR; V1[\"Vault Pod 1 (Active)\"]; V2[\"Vault Pod 2 (Standby)\"]; V3[\"Vault Pod 3 (Standby)\"]; API[\"Vault API (:8200)\"]; AUTH[\"Vault Auth Methods\"]; SE[\"Vault Secret Engines\"]; AUDDEV[\"Vault Audit Devices\"]; subgraph RAFT[\"Integrated Storage (Raft :8201 mTLS)\"]; R1[\"Raft Peer (Pod 1)\"]; R2[\"Raft Peer (Pod 2)\"]; R3[\"Raft Peer (Pod 3)\"]; end; end; end; end; KMS[\"Vault Auto-Unseal (Cloud KMS)\"]; end; AU -->|Login/API| APP1; APP1 -- \"TLS :8200\" --> LB; DEV -->|\"VPN + AWS SSO\"| VPN; PE -->|\"VPN + AWS SSO\"| VPN; DEV -->|\"Uses Vault CLI\"| CLI; PE -->|\"Uses Vault CLI\"| CLI; CLI -->|\"Tunnel via VPN\"| VPN; VPN -->|\"Forward to VPC\"| LB; CLI -- \"TLS :8200 (via VPN)\" --> LB; VPN -. \"kubectl (AWS SSO)\" .-> APISERVER; LB -->|\"TLS :8200\"| SVC_EP; SVC_EP --> V1; SVC_EP --> V2; SVC_EP --> V3; V1 --- API; V2 --- API; V3 --- API; API --> AUTH; API --> SE; API --> AUDDEV; V1 --- R1; V2 --- R2; V3 --- R3; R1 <-->|\"Raft :8201 mTLS\"| R2; R1 <-->|\"Raft :8201 mTLS\"| R3; R2 <-->|\"Raft :8201 mTLS\"| R3; VAULT -. \"Auto-Unseal\" .-> KMS;" + } + ], + "trust_zones": [ + { + "symbolic_name": "public", + "title": "Public Internet Zone", + "description": "External clients and actors including applications, CI/CD pipelines, and operators that connect to Vault over TLS (8200)." + }, + { + "symbolic_name": "aws-vpc", + "title": "Internal AWS VPC", + "description": "Private AWS VPC hosting the EKS cluster and load balancer. Provides network isolation and segmentation for Vault components." + }, + { + "symbolic_name": "eks-cluster", + "title": "EKS Cluster Zone", + "description": "Amazon EKS cluster providing the orchestration environment for Vault pods and services." + }, + { + "symbolic_name": "k8s-namespace-vault", + "title": "Vault Kubernetes Namespace", + "description": "Dedicated Kubernetes namespace (`vault`) that contains the Vault StatefulSet, Service, and Raft integrated storage peers." + } + ], + "trust_boundaries": [ + { + "trust_zone_a": "public-internet", + "trust_zone_b": "aws-vpc", + "access_control_methods": [ + "acl", + "rbac" + ], + "authentication_methods": [ + "public_key", + "token", + "sso" + + ] + }, + { + "trust_zone_a": "aws-vpc", + "trust_zone_b": "eks-cluster", + "access_control_methods": [ + "rbac", + "acl" + ], + "authentication_methods": [ + "public_key" + ] + }, + { + "trust_zone_a": "eks-cluster", + "trust_zone_b": "k8s-namespace-vault", + "access_control_methods": [ + "rbac", + "acl", + "mac" + ], + "authentication_methods": [ + "token" + ] + } + ], + "actors": [ + { + "symbolic_name": "platform-engineer", + "title": "Platform Engineer", + "description": "Responsible for deploying, operating, and maintaining the Vault cluster. Manages HA configuration, upgrades, storage backends, and operational tasks like initialization, unseal, and monitoring.", + "type": "engineer", + "permissions": "Deploy and upgrade Vault; configure Raft or Consul storage; perform initialization and unseal operations; enable/disable auth and secrets engines; monitor health and performance.", + "trust_zone": "aws-vpc" + }, + { + "symbolic_name": "developer", + "title": "Application Developer", + "description": "A developer who builds and maintains applications that consume secrets from Vault. In this scenario, developers also have access to the Kubernetes cluster where Vault is deployed, as well as Vault audit logs. This gives them significant power to access, modify, and observe secret-related operations.", + "type": "engineer", + "permissions": "Push and retrieve secrets; configure application roles for development; read Vault audit logs; access the Kubernetes cluster including the Vault namespace, which may allow tampering with Vault pods, services, or Raft storage.", + "trust_zone": "aws-vpc" + }, + + { + "symbolic_name": "app-user", + "title": "End User of Client Application", + "description": "An end user (internal employee or external customer) who interacts with an application that relies on Vault for secrets management or cryptographic operations.", + "type": "user", + "permissions": "Indirect access to Vault-protected resources through the client application; cannot interact with Vault directly.", + "trust_zone": "public" + } + ], + "components": [ + { + "symbolic_name": "client-app-1", + "title": "Client Application (App 1)", + "description": "External application that end users interact with. Relies on Vault for secrets or cryptographic operations.", + "trust_zone": "public-internet" + }, + { + "symbolic_name": "vpn-gateway", + "title": "VPN Gateway", + "description": "Provides secure entry for engineers and developers into the AWS VPC hosting Vault.", + "trust_zone": "aws-vpc" + }, + { + "symbolic_name": "aws-lb", + "title": "AWS Load Balancer", + "description": "DMZ load balancer that forwards client requests over TLS to the Vault Kubernetes Service endpoint.", + "trust_zone": "aws-vpc", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "eks-cluster", + "title": "Amazon EKS Cluster", + "description": "Managed Kubernetes control plane and worker nodes that run the Vault namespace.", + "trust_zone": "eks-cluster" + }, + { + "symbolic_name": "k8s-service-vault-internal", + "title": "Kubernetes Service: vault-internal", + "description": "Cluster-internal service endpoint that routes traffic from the AWS Load Balancer to Vault pods.", + "trust_zone": "k8s-namespace-vault" + }, + { + "symbolic_name": "vault-ha-statefulset", + "title": "Vault HA Deployment (StatefulSet)", + "description": "Vault pods (1 active leader, 2 standbys) running in high availability mode and exposing the Vault API.", + "trust_zone": "k8s-namespace-vault" + }, + { + "symbolic_name": "vault-auth-methods", + "title": "Vault Authentication Methods", + "description": "Pluggable authentication backends (e.g., AppRole, Kubernetes, AWS IAM, OIDC) that validate identities and issue scoped Vault tokens.", + "trust_zone": "k8s-namespace-vault", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-secret-engines", + "title": "Vault Secret Engines", + "description": "Pluggable backends for secrets management and cryptographic operations, including KV, PKI, Transit, Database, and dynamic secrets engines.", + "trust_zone": "k8s-namespace-vault", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-audit-devices", + "title": "Vault Audit Devices", + "description": "Configured audit sinks (file, syslog, socket, etc.) that record all requests and responses for security and compliance monitoring.", + "trust_zone": "k8s-namespace-vault", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-cli", + "title": "Vault CLI / API Client", + "description": "The Vault command-line interface and HTTP API used by engineers and automation tools to interact with Vault.", + "trust_zone": "public-internet-client-zone", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-auto-unseal", + "title": "Vault Auto-Unseal (Cloud KMS Integration)", + "description": "Integration with external Key Management Services (AWS KMS, GCP KMS, Azure Key Vault) to automate the unseal process.", + "trust_zone": "aws-vpc", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-api", + "title": "Vault API", + "description": "The HTTP API exposed by Vault pods on port 8200. Provides entry points to authentication methods, secret engines, and application endpoints.", + "trust_zone": "k8s-namespace-vault", + "repo_link": "https://github.com/hashicorp/vault" + } + ], + "data_stores": [ + { + "symbolic_name": "vault-raft-storage", + "title": "Vault Integrated Storage (Raft)", + "description": "Embedded Raft storage peers that persist encrypted Vault data. Provides replication and consensus across Vault pods.", + "type": "key_value", + "vendor": "HashiCorp", + "product": "Vault Raft Storage", + "trust_zone": "k8s-namespace-vault" + }, + { + "symbolic_name": "vault-audit-logs", + "title": "Vault Audit Logs", + "description": "Audit device output streams (file, syslog, socket) that contain records of every Vault request and response for compliance and monitoring.", + "type": "object", + "vendor": "HashiCorp", + "product": "Vault Audit Devices", + "trust_zone": "k8s-namespace-vault" + }, + { + "symbolic_name": "cloud-kms", + "title": "Cloud KMS for Auto-Unseal", + "description": "External Key Management Service used by Vault for auto-unseal operations and master key encryption.", + "type": "key_value", + "vendor": "AWS", + "product": "AWS KMS", + "trust_zone": "aws-vpc" + } + ], + "data_sets": [ + { + "symbolic_name": "vault-secrets", + "title": "Vault Stored Secrets", + "description": "Static and dynamic secrets stored and managed within Vault, including credentials, API keys, and tokens. Encrypted at rest within the Raft storage backend.", + "placements": [ + { + "data_store": "vault-raft-storage", + "encrypted": true + } + ], + "record_count": 5000, + "data_sensitivity": [ + "cred", + "pii", + "biz" + ], + "access_control_methods": [ + "rbac", + "acl" + ] + }, + { + "symbolic_name": "vault-audit-records", + "title": "Vault Audit Log Records", + "description": "Detailed records of Vault API requests and responses, containing metadata on who accessed what, when, and how.", + "placements": [ + { + "data_store": "vault-audit-logs", + "encrypted": false + } + ], + "record_count": 1000000, + "data_sensitivity": [ + "biz", + "pii" + ], + "access_control_methods": [ + "rbac", + "acl" + ] + }, + { + "symbolic_name": "vault-unseal-keys", + "title": "Vault Master Key and Unseal Keys", + "description": "Key shares or cloud KMS-encrypted master keys used for unsealing Vault and securing the root of trust.", + "placements": [ + { + "data_store": "cloud-kms", + "encrypted": true + } + ], + "record_count": 5, + "data_sensitivity": [ + "cred" + ], + "access_control_methods": [ + "acl", + "rbac" + ] + } + ], + "data_flows": [ + { + "symbolic_name": "developer-to-cli", + "title": "Developer to Vault CLI", + "description": "Developer issues commands to the local Vault CLI binary, which acts as the client interface to Vault.", + "source": { + "type": "actor", + "object": "developer" + }, + "destination": { + "type": "component", + "object": "vault-cli" + }, + "has_sensitive_data": false, + "encrypted": false + }, + { + "symbolic_name": "platform-engineer-to-cli", + "title": "Platform Engineer to Vault CLI", + "description": "Platform Engineer issues commands to the local Vault CLI binary for managing Vault operations and configurations.", + "source": { + "type": "actor", + "object": "platform-engineer" + }, + "destination": { + "type": "component", + "object": "vault-cli" + }, + "has_sensitive_data": false, + "encrypted": false + }, + { + "symbolic_name": "app-user-to-client-app", + "title": "App User to Client Application", + "description": "An end user interacts with the client-facing application, which relies on Vault for secrets or cryptographic operations.", + "source": { + "type": "actor", + "object": "app-user" + }, + "destination": { + "type": "component", + "object": "client-app-1" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "client-app-to-aws-lb", + "title": "Client Application to AWS Load Balancer", + "description": "Client Application (App 1) sends requests to Vault via the AWS Load Balancer over TLS 8200.", + "source": { + "type": "component", + "object": "client-app-1" + }, + "destination": { + "type": "component", + "object": "aws-lb" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "cli-to-vpn", + "title": "Vault CLI to VPN Gateway", + "description": "Vault CLI tunnels traffic through the VPN Gateway, which enforces AWS SSO before allowing access into the VPC.", + "source": { + "type": "component", + "object": "vault-cli" + }, + "destination": { + "type": "component", + "object": "vpn-gateway" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vpn-to-aws-lb", + "title": "VPN Gateway to AWS Load Balancer", + "description": "VPN Gateway forwards authenticated engineer traffic (AWS SSO) into the VPC, delivering Vault CLI/API requests to the AWS Load Balancer over TLS 8200.", + "source": { + "type": "component", + "object": "vpn-gateway" + }, + "destination": { + "type": "component", + "object": "aws-lb" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "aws-lb-to-eks", + "title": "AWS Load Balancer to EKS Cluster", + "description": "The Load Balancer forwards TLS :8200 traffic into the EKS cluster.", + "source": { + "type": "component", + "object": "aws-lb" + }, + "destination": { + "type": "component", + "object": "eks-cluster" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "k8s-service-to-vault-ha", + "title": "Kubernetes Service to Vault HA StatefulSet", + "description": "The Service load balances requests to Vault pods.", + "source": { + "type": "component", + "object": "k8s-service-vault-internal" + }, + "destination": { + "type": "component", + "object": "vault-ha-statefulset" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "eks-cluster-to-k8s-service", + "title": "EKS Cluster to Kubernetes Service (vault-internal)", + "description": "EKS networking routes traffic internally to the cluster Service endpoint for Vault.", + "source": { + "type": "component", + "object": "eks-cluster" + }, + "destination": { + "type": "component", + "object": "k8s-service-vault-internal" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-ha-to-vault-api", + "title": "Vault Pod to Vault API", + "description": "Requests arriving at a Vault pod are handled by the Vault API listener on :8200.", + "source": { + "type": "component", + "object": "vault-ha-statefulset" + }, + "destination": { + "type": "component", + "object": "vault-api" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-api-to-auth", + "title": "Vault API to Auth Methods", + "description": "Login requests (/auth/*) dispatched to configured authentication backends.", + "source": { + "type": "component", + "object": "vault-api" + }, + "destination": { + "type": "component", + "object": "vault-auth-methods" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-api-to-secrets", + "title": "Vault API to Secret Engines", + "description": "Secret read/write and cryptographic operations routed to secrets engines.", + "source": { + "type": "component", + "object": "vault-api" + }, + "destination": { + "type": "component", + "object": "vault-secret-engines" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-api-to-audit", + "title": "Vault API to Audit Devices", + "description": "Vault writes request/response metadata to audit devices (file/syslog/socket).", + "source": { + "type": "component", + "object": "vault-api" + }, + "destination": { + "type": "component", + "object": "vault-audit-devices" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-core-to-raft", + "title": "Vault Core to Raft Storage", + "description": "Vault Core persists encrypted state via the storage barrier into Integrated Storage (Raft).", + "source": { + "type": "component", + "object": "vault-ha-statefulset" + }, + "destination": { + "type": "data_store", + "object": "vault-raft-storage" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-ha-to-auto-unseal", + "title": "Vault to Auto-Unseal Integration", + "description": "Vault contacts the Cloud KMS integration to decrypt master key material during startup/unseal.", + "source": { + "type": "component", + "object": "vault-ha-statefulset" + }, + "destination": { + "type": "component", + "object": "vault-auto-unseal" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "audit-devices-to-audit-logs", + "title": "Vault Audit Devices to Audit Logs", + "description": "Audit devices append structured records to the audit log store.", + "source": { + "type": "component", + "object": "vault-audit-devices" + }, + "destination": { + "type": "data_store", + "object": "vault-audit-logs" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "auto-unseal-to-cloud-kms", + "title": "Auto-Unseal to Cloud KMS", + "description": "Auto-unseal integration calls Cloud KMS to decrypt the master key material.", + "source": { + "type": "component", + "object": "vault-auto-unseal" + }, + "destination": { + "type": "data_store", + "object": "cloud-kms" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "developer-to-vpn", + "title": "Developer to VPN (AWS SSO)", + "description": "Developer authenticates to the VPN using AWS SSO before accessing internal cluster resources.", + "source": { + "type": "actor", + "object": "developer" + }, + "destination": { + "type": "component", + "object": "vpn-gateway" + }, + "has_sensitive_data": false, + "encrypted": true + }, + { + "symbolic_name": "platform-engineer-to-vpn", + "title": "Platform Engineer to VPN (AWS SSO)", + "description": "Platform Engineer authenticates to the VPN using AWS SSO before accessing internal cluster resources.", + "source": { + "type": "actor", + "object": "platform-engineer" + }, + "destination": { + "type": "component", + "object": "vpn-gateway" + }, + "has_sensitive_data": false, + "encrypted": true + }, + { + "symbolic_name": "vault-audit-devices-to-audit-logs", + "title": "Vault Audit Devices to Audit Logs", + "description": "Vault pods (audit devices) write structured audit records to the audit log store (file/syslog/socket).", + "source": { + "type": "component", + "object": "vault-audit-devices" + }, + "destination": { + "type": "data_store", + "object": "vault-audit-logs" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "insider-read-audit-logs-developer", + "title": "Developer reads Vault Audit Logs", + "description": "Developer reads audit records directly from the audit log store via kubectl exec/logs or mounted volumes inside the Vault pod.", + "source": { + "type": "data_store", + "object": "vault-audit-logs" + }, + "destination": { + "type": "actor", + "object": "developer" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "insider-read-audit-logs-platform-engineer", + "title": "Platform Engineer reads Vault Audit Logs", + "description": "Platform Engineer reads audit records directly from the audit log store via kubectl exec/logs or mounted volumes inside the Vault pod.", + "source": { + "type": "data_store", + "object": "vault-audit-logs" + }, + "destination": { + "type": "actor", + "object": "platform-engineer" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "insider-read-raft-storage", + "title": "Developer reads Raft Storage", + "description": "Developer with kubectl exec access copies or reads Raft storage files from the Vault pod filesystem. Data remains barrier-encrypted at rest, but access enables exfiltration or tampering.", + "source": { + "type": "data_store", + "object": "vault-raft-storage" + }, + "destination": { + "type": "actor", + "object": "developer" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "insider-read-raft-storage-platform-engineer", + "title": "Platform Engineer reads Raft Storage", + "description": "Platform Engineer with kubectl exec access copies or reads Raft storage files from the Vault pod filesystem. Data remains barrier-encrypted at rest, but access enables exfiltration or tampering.", + "source": { + "type": "data_store", + "object": "vault-raft-storage" + }, + "destination": { + "type": "actor", + "object": "platform-engineer" + }, + "has_sensitive_data": true, + "encrypted": true + } + ], + "assumptions": [ + { + "description": "All communication between clients, load balancers, Kubernetes services, and Vault pods occurs over TLS (8200).", + "validity": "confirmed" + }, + { + "description": "Vault Raft storage is encrypted at rest by the Vault barrier, and requires master key material (from KMS or Shamir unseal) for decryption.", + "validity": "confirmed" + }, + { + "description": "Vault pods run inside a dedicated Kubernetes namespace with RBAC, NetworkPolicies, and IAM roles scoped to the namespace.", + "validity": "confirmed" + }, + { + "description": "VPN gateway enforces AWS SSO authentication for Developers and Platform Engineers before they can access the AWS VPC and EKS cluster.", + "validity": "confirmed" + }, + { + "description": "Cloud KMS (AWS KMS) keys used for auto-unseal are properly scoped and only accessible by Vault service accounts.", + "validity": "confirmed" + }, + { + "description": "Audit devices are configured and cannot be disabled without privileged administrator actions.", + "validity": "confirmed" + }, + { + "description": "Developers and Platform Engineers with kubectl access could bypass the Vault API to access logs and storage directly, introducing insider risk.", + "validity": "confirmed" + }, + { + "description": "Raft replication between Vault pods uses mutual TLS on port 8201 with certificate pinning/verification.", + "validity": "confirmed" + }, + { + "description": "VPN Gateway enforces AWS SSO (MFA) for Developers and Platform Engineers before access to the VPC and EKS control plane.", + "validity": "confirmed" + }, + { + "description": "EKS API access requires VPN + SSO and is logged; direct Internet access to the cluster or nodes is blocked.", + "validity": "confirmed" + } + ], + "threat_personas": [ + { + "symbolic_name": "darius", + "title": "Darius the Compromised / Malicious Developer", + "description": "An insider developer whose account or workstation is compromised (or who has turned malicious). Has kubectl access to the EKS cluster and can read Vault audit logs and pod files. Could exfiltrate secrets, tamper with Raft storage, or disable/modify logging.", + "is_person": true, + "skill_level": "engineer", + "access_level": "admin", + "malicious_intent": true, + "applicability_to_org": "high" + }, + { + "symbolic_name": "sofia", + "title": "Sofia the Rogue Platform Engineer", + "description": "An insider with elevated privileges over Vault’s deployment, networking, and storage backends. Capable of modifying StatefulSets, Service configurations, or intercepting API traffic.", + "is_person": true, + "skill_level": "expert_engineer", + "access_level": "admin", + "malicious_intent": true, + "applicability_to_org": "low" + }, + { + "symbolic_name": "li-wei", + "title": "Li Wei the External Attacker", + "description": "An attacker on the public Internet attempting to exploit misconfigurations, weak authentication methods, or exposed APIs to gain unauthorized access to Vault.", + "is_person": true, + "skill_level": "script_kid", + "access_level": "user", + "malicious_intent": true, + "applicability_to_org": "maximal" + }, + { + "symbolic_name": "giovanni", + "title": "Giovanni the Curious Administrator", + "description": "A well-meaning but overcurious administrator who inspects Vault audit logs or Raft storage beyond their intended duties, creating insider risk without direct malicious intent.", + "is_person": true, + "skill_level": "insider", + "access_level": "admin", + "malicious_intent": false, + "applicability_to_org": "maximal" + }, + { + "symbolic_name": "alejandra", + "title": "Alejandra the OC-Sponsored Operator", + "description": "An operator working on behalf of organized crime (ransomware/credential resale). Skilled at exploiting exposed services, social engineering, and purchasing insider access; targets Vault to harvest credentials and secrets for monetization.", + "is_person": true, + "skill_level": "oc_sponsored", + "access_level": "user", + "malicious_intent": true, + "applicability_to_org": "high" + } + ], + "threats": [ + { + "symbolic_name": "insider-exfiltrate-secrets-via-kubectl", + "title": "Insider exfiltrates secrets and configuration via kubectl (pod exec / file copy)", + "description": "A developer or platform engineer with kubectl access execs into Vault pods or mounts pod volumes to read Raft storage files and configuration, allowing exfiltration of encrypted state and metadata which can be used for offline attacks or tampering.", + "threat_persona": "darius", + "event": "unauthorized data exfiltration / tampering", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 122, + "capec_title": "Privilege Abuse" + } + ], + "weaknesses": [ + { + "cwe_id": 284, + "cwe_title": "Improper Access Control" + }, + { + "cwe_id": 200, + "cwe_title": "Exposure of Sensitive Information to an Unauthorized Actor" + }, + { + "cwe_id": 522, + "cwe_title": "Insufficiently Protected Credentials" + } + ] + }, + { + "symbolic_name": "insider-read-tamper-audit-logs", + "title": "Insider reads or tampers with audit logs", + "description": "An actor with cluster access directly reads Vault audit files or streams pod logs (kubectl logs). They can exfiltrate sensitive audit trails, or delete/modify logs to remove traces of malicious activity.", + "threat_persona": "darius", + "event": "information disclosure / evidence tampering", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 122, + "capec_title": "Privilege Abuse" + } + ], + "weaknesses": [ + { + "cwe_id": 200, + "cwe_title": "Exposure of Sensitive Information to an Unauthorized Actor" + } + ] + }, + { + "symbolic_name": "rogue-platform-tamper-ha-config", + "title": "Rogue platform engineer tampers with Vault deployment to cause DoS or capture secrets", + "description": "A platform engineer modifies StatefulSet, Service, or network rules (or injects sidecars) to disrupt Vault availability (DoS), redirect traffic to a malicious endpoint, or capture secrets in transit.", + "threat_persona": "sofia", + "event": "denial of service / credential capture / traffic interception", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 210, + "capec_title": "Abuse Existing Functionality" + } + ], + "weaknesses": [ + { + "cwe_id": 732, + "cwe_title": "Incorrect Permission Assignment for Critical Resource" + }, + { + "cwe_id": 269, + "cwe_title": "Improper Privilege Management" + } + ] + }, + { + "symbolic_name": "compromised-workload-abuse-auth", + "title": "Compromised workload abuses auth (Kubernetes/AppRole/IAM) to exfiltrate secrets and access various services with these secrets", + "description": "A compromised application or CI job uses stolen credentials, stolen service account tokens, or abused auth bindings to obtain Vault tokens, then reads secrets or requests dynamic credentials beyond its intended scope.", + "threat_persona": "li-wei", + "event": "unauthorized secret access", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 555, + "capec_title": "Remote Services with Stolen Credentials" + } + ], + "weaknesses": [ + { + "cwe_id": 287, + "cwe_title": "Improper Authentication" + }, + { + "cwe_id": 285, + "cwe_title": "Improper Authorization" + }, + { + "cwe_id": 522, + "cwe_title": "Insufficiently Protected Credentials" + } + ] + }, + { + "symbolic_name": "exposed-raft-port-remote-attack", + "title": "Exposed Raft/consensus ports allow remote access to storage", + "description": "If Raft ports (8201) or the pod network are exposed outside the cluster/VPC, an attacker could discover services, attempt to join/replicate, extract data, or cause cluster instability.", + "threat_persona": "li-wei", + "event": "confidentiality breach / data exfiltration / cluster compromise", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 310, + "capec_title": "Scanning for Vulnerable Software" + } + ], + "weaknesses": [ + { + "cwe_id": 200, + "cwe_title": "Exposure of Sensitive Information to an Unauthorized Actor" + } + ] + }, + { + "symbolic_name": "lb-tls-mitm-or-termination-misconfig", + "title": "TLS termination/misconfiguration at Load Balancer leads to MITM or credential leak", + "description": "If the AWS Load Balancer is misconfigured (terminates TLS without re-encrypting, or uses an untrusted certificate), an attacker or compromised LB control plane could intercept or tamper with Vault API traffic.", + "threat_persona": "alejandra", + "event": "man-in-the-middle / data interception", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 117, + "capec_title": "Interception" + } + ], + "weaknesses": [ + { + "cwe_id": 295, + "cwe_title": "Improper Certificate Validation" + } + ] + }, + { + "symbolic_name": "vault-availability-failure", + "title": "Loss of availability of secret material due to failure", + "description": "Failures in cluster nodes, Raft replication, or storage can cause Vault to become unavailable, preventing applications from retrieving secrets or performing cryptographic operations.", + "threat_persona": "sofia", + "event": "denial of service / loss of availability", + "sources": [ + "failure" + ], + "attack_mechanisms": [ + { + "capec_id": 125, + "capec_title": "Flooding" + } + ], + "weaknesses": [ + { + "cwe_id": 400, + "cwe_title": "Uncontrolled Resource Consumption" + }, + { + "cwe_id": 664, + "cwe_title": "Improper Control of a Resource Through its Lifetime" + } + ] + }, + { + "symbolic_name": "misconfigured-policies-excess-privilege", + "title": "Over-permissive Vault policies allow lateral movement or secret theft", + "description": "Misconfigured Vault policies or overly-broad role bindings grant principals capabilities they don't need (e.g., wildcard admin policies), enabling actors to list/read secrets or create tokens for escalation.", + "threat_persona": "giovanni", + "event": "unauthorized access / privilege escalation", + "sources": [ + "human_error" + ], + "attack_mechanisms": [ + { + "capec_id": 212, + "capec_title": "Abuse existing Functionality" + } + ], + "weaknesses": [ + { + "cwe_id": 285, + "cwe_title": "Improper Authorization" + } + ] + } + ], + "controls": [ + { + "symbolic_name": "restrict-k8s-rbac", + "title": "Restrict Kubernetes RBAC for developers and engineers", + "description": "Limit Kubernetes RoleBindings/ClusterRoleBindings so that developers and engineers cannot exec into Vault pods, read pod volumes, or access Raft storage directly. Only platform engineers should have restricted administrative access under break-glass conditions.", + "threats": [ + "insider-exfiltrate-secrets-via-kubectl", + "insider-read-tamper-audit-logs", + "rogue-platform-tamper-ha-config" + ], + "trust_boundary": { + "trust_zone_a": "eks-cluster", + "trust_zone_b": "k8s-namespace-vault" + }, + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "pod-security-policies", + "title": "Apply Pod Security Standards / OPA Gatekeeper", + "description": "Use Kubernetes Pod Security Standards (restricted profile) or OPA/Gatekeeper policies to prevent privileged containers and block direct volume mounts that would expose Raft data to kubectl exec or copy commands.", + "threats": [ + "insider-exfiltrate-secrets-via-kubectl" + ], + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "audit-kubectl-commands", + "title": "Audit kubectl exec and cp usage", + "description": "Enable Kubernetes audit logging to track all kubectl exec and copy commands. Send logs to a SIEM for real-time detection of suspicious access attempts.", + "threats": [ + "insider-exfiltrate-secrets-via-kubectl", + "insider-read-tamper-audit-logs" + + ], + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "vault-multiple-audit-devices", + "title": "Configure multiple Vault audit devices", + "description": "Enable at least two Vault audit devices (e.g., file and syslog). Even if one sink is tampered with or deleted, other sinks continue to capture activity.", + "threats": [ + "insider-read-tamper-audit-logs", + "compromised-workload-abuse-auth" + ], + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "immutable-storage-for-audit", + "title": "Store Vault audit logs in immutable storage", + "description": "Use append-only storage (e.g., WORM S3 buckets or immutable syslog servers) for Vault audit logs so they cannot be deleted or modified retroactively.", + "threats": [ + "insider-read-tamper-audit-logs", + "compromised-workload-abuse-auth" + ], + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "deployment-change-control", + "title": "Require change control for Vault deployment manifests", + "description": "Enforce code review and approval workflows (e.g., GitOps, Infrastructure as Code pipelines) for changes to Vault StatefulSets, Services, and ConfigMaps. Prevent direct kubectl edits in production.", + "threats": [ + "rogue-platform-tamper-ha-config" + ], + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "k8s-admission-controls", + "title": "Apply Kubernetes admission controls for Vault workloads", + "description": "Use admission controllers (OPA Gatekeeper, Kyverno) to enforce security policies on Vault pods (no sidecars, no privilege escalation, no host networking) and reject unauthorized changes.", + "threats": [ + "rogue-platform-tamper-ha-config" + ], + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "monitor-k8s-config-changes", + "title": "Monitor and alert on Kubernetes configuration changes", + "description": "Enable auditing of Kubernetes API server for changes to StatefulSets, Services, and ConfigMaps in the Vault namespace. Send to SIEM for alerting on unexpected changes.", + "threats": [ + "rogue-platform-tamper-ha-config" + ], + "trust_boundary": { + "trust_zone_a": "eks-cluster", + "trust_zone_b": "k8s-namespace-vault" + }, + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "constrain-auth-methods", + "title": "Constrain Vault authentication methods", + "description": "Configure Vault auth methods (AppRole, Kubernetes, IAM) with least privilege. Require role bindings to be tightly scoped (limited CIDRs, bounded service accounts, short-lived tokens).", + "threats": [ + "compromised-workload-abuse-auth" + ], + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "short-lived-tokens", + "title": "Use short-lived Vault tokens and dynamic secrets", + "description": "Configure Vault roles and policies to issue ephemeral tokens and dynamic credentials that automatically expire, limiting impact of stolen tokens.", + "threats": [ + "compromised-workload-abuse-auth" + ], + "trust_boundary": { + "trust_zone_a": "k8s-namespace-vault", + "trust_zone_b": "k8s-namespace-vault" + }, + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "bind-secrets-to-identity", + "title": "Bind secrets tightly to workload identity", + "description": "Restrict Vault roles to specific Kubernetes service accounts, IAM roles, or AppRoles. Enforce identity binding so compromised workloads cannot escalate or impersonate others.", + "threats": [ + "compromised-workload-abuse-auth" + ], + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "restrict-raft-network-access", + "title": "Restrict Raft port access to Vault cluster nodes only", + "description": "Use Kubernetes NetworkPolicies and AWS Security Groups to restrict port 8201 so only Vault pods can communicate with each other. Block all external or client access to Raft traffic.", + "threats": [ + "exposed-raft-port-remote-attack" + ], + "status": "active", + "priority": "critical" + }, + { + "symbolic_name": "raft-mtls-cert-validation", + "title": "Enforce mutual TLS for Raft replication", + "description": "Require Vault nodes to authenticate Raft peers with mTLS certificates. Configure strict certificate validation and rotation to prevent unauthorized Raft peers from joining the cluster.", + "threats": [ + "exposed-raft-port-remote-attack" + ], + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "monitor-raft-consensus-health", + "title": "Monitor Raft consensus health", + "description": "Enable monitoring and alerting on Raft replication status, quorum health, and node membership changes. Detect anomalies that may indicate tampering or external Raft join attempts.", + "threats": [ + "exposed-raft-port-remote-attack", + "vault-availability-failure" + ], + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "end-to-end-strong-tls", + "title": "Enforce end-to-end TLS from clients to Vault pods. Enforce TLS versions (1.2+), secure cipher suites, and valid CA-signed certificates. Disable weak ciphers and enforce certificate pinning where possible.", + "description": "Configure the AWS Load Balancer for TCP passthrough (no TLS termination), or ensure re-encryption is used with trusted server certificates so traffic is encrypted all the way to Vault pods.", + "threats": [ + "lb-tls-mitm-or-termination-misconfig" + ], + "status": "active", + "priority": "critical" + }, + { + "symbolic_name": "monitor-lb-config", + "title": "Monitor and alert on Load Balancer TLS configuration changes", + "description": "Continuously check AWS Load Balancer TLS configuration (e.g., via AWS Config or Security Hub). Alert if TLS termination is enabled unexpectedly or insecure parameters are set.", + "threats": [ + "lb-tls-mitm-or-termination-misconfig" + ], + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "multi-az-deployment", + "title": "Deploy Vault cluster across multiple Availability Zones", + "description": "Distribute Vault pods and Raft peers across multiple AWS Availability Zones to ensure quorum and service availability during AZ-level outages.", + "threats": [ + "vault-availability-failure" + ], + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "raft-backup-snapshots", + "title": "Enable automated Raft snapshots and backup", + "description": "Configure regular Raft snapshots and store them securely outside the Vault cluster (e.g., S3 with encryption) to recover state in case of catastrophic failure.", + "threats": [ + "vault-availability-failure" + ], + "status": "suggested", + "priority": "critical" + }, + { + "symbolic_name": "auto-unseal-ha", + "title": "Use redundant Cloud KMS for auto-unseal", + "description": "Configure Vault auto-unseal with multiple KMS providers (or highly available KMS setup) to avoid dependency on a single point of failure.", + "threats": [ + "vault-availability-failure" + ], + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "health-checks-and-restarts", + "title": "Enable health checks and automated restarts for Vault pods", + "description": "Configure Kubernetes liveness/readiness probes for Vault pods and enable automated restart policies to recover from node/pod failures quickly.", + "threats": [ + "vault-availability-failure" + ], + "status": "active", + "priority": "high" + }, + { + "symbolic_name": "policy-review-process", + "title": "Implement Vault policy review and approval workflow", + "description": "Establish a mandatory peer-review or automated validation process for Vault policies before deployment. Reject policies that include wildcards or grant admin-level capabilities unnecessarily.", + "threats": [ + "misconfigured-policies-excess-privilege" + ], + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "least-privilege-defaults", + "title": "Adopt least-privilege defaults for Vault roles", + "description": "Use policy templates and default role definitions that start with no privileges. Require explicit justification and approval for each added capability.", + "threats": [ + "misconfigured-policies-excess-privilege" + ], + "trust_boundary": { + "trust_zone_a": "k8s-namespace-vault", + "trust_zone_b": "k8s-namespace-vault" + }, + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "policy-linter", + "title": "Automated linting of Vault policies", + "description": "Introduce static analysis (policy linter) to detect dangerous constructs in Vault policies (e.g., wildcards, overly broad paths, admin capabilities) before deployment.", + "threats": [ + "misconfigured-policies-excess-privilege" + ], + "status": "suggested", + "priority": "low" + } + ], + "risks": [ + { + "symbolic_name": "insider-abuse-of-kubernetes-access", + "title": "Insider abuse of Kubernetes access to exfiltrate or tamper with secrets", + "description": "Developers or platform engineers with kubectl access may exec into Vault pods, read Raft storage files, or tamper with Vault audit logs, leading to loss of confidentiality and accountability.", + "threats": [ + "insider-exfiltrate-secrets-via-kubectl", + "insider-read-tamper-audit-logs", + "rogue-platform-tamper-ha-config" + ], + "likelihood": "possible", + "impact": "severe", + "impact_description": "Could result in full compromise of Vault data, bypassing of audit logs, and erosion of operational trust.", + "score": 15, + "level": "high" + }, + { + "symbolic_name": "workload-auth-abuse", + "title": "Compromised workloads abusing Vault authentication", + "description": "A compromised workload (application, CI/CD job) can abuse Kubernetes, AppRole, or IAM auth to escalate privileges and extract secrets beyond intended scope.", + "threats": [ + "compromised-workload-abuse-auth", + "misconfigured-policies-excess-privilege" + ], + "likelihood": "unlikely", + "impact": "severe", + "impact_description": "Widespread credential exposure or lateral movement into other systems and services.", + "score": 10, + "level": "medium" + }, + { + "symbolic_name": "network-exposure-and-mitm", + "title": "Network exposure or misconfiguration leading to interception or Raft compromise", + "description": "If Raft ports (8201) are exposed or TLS is misconfigured at the load balancer, attackers could eavesdrop, tamper with traffic, or attempt to join the Raft cluster.", + "threats": [ + "exposed-raft-port-remote-attack", + "lb-tls-mitm-or-termination-misconfig" + ], + "likelihood": "rare", + "impact": "severe", + "impact_description": "Interception of secrets or compromise of Vault cluster integrity.", + "score": 5, + "level": "medium" + }, + { + "symbolic_name": "vault-availability-risk", + "title": "Loss of Vault availability", + "description": "Failures in Raft consensus, node crashes, or dependency outages (e.g., KMS auto-unseal) could make Vault unavailable, preventing applications from retrieving secrets.", + "threats": [ + "vault-availability-failure" + ], + "likelihood": "unlikely", + "impact": "major", + "impact_description": "Applications relying on Vault could experience outages and service disruption.", + "score": 10, + "level": "high" + } + ] +} \ No newline at end of file