diff --git a/docs/tutorials/controls/capabilities.yaml b/docs/tutorials/controls/capabilities.yaml index 0e546bb9..9c9dc4ba 100644 --- a/docs/tutorials/controls/capabilities.yaml +++ b/docs/tutorials/controls/capabilities.yaml @@ -7,7 +7,7 @@ title: Container Management Tool Security Capability Catalog metadata: id: SEC.SLAM.CM.CAP type: CapabilityCatalog - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: | Capabilities unique to the container management tool scope; referenced by threats in the SEC.SLAM.CM threat catalog. diff --git a/docs/tutorials/controls/control-catalog-guide.md b/docs/tutorials/controls/control-catalog-guide.md index 78e8e536..4f6d9144 100644 --- a/docs/tutorials/controls/control-catalog-guide.md +++ b/docs/tutorials/controls/control-catalog-guide.md @@ -38,7 +38,7 @@ Declare your control catalog and mapping references. Key fields: |-------------------------------------|--------------------------------------------------------------|-------------------------------------------------------------------------------------------| | `title` | Display name for the control catalog (top-level field) | Human-readable label used in reports and tooling output | | `metadata.type` | Must be `ControlCatalog` | Identifies the artifact kind for validation | -| `metadata.gemara-version` | String (e.g. `1.0.0`) | Declares which Gemara specification version the file conforms to (required in current schema) | +| `metadata.gemara-version` | String (e.g. `1.2.0`) | Declares which Gemara specification version the file conforms to (required in current schema) | | `mapping-references` with `id: CCC` | Optional pointer to CCC or another control/threat catalog | Resolve imported capability and control IDs from the referenced catalog | | `applicability-groups` | List of groups (id, title, description) for when controls apply | Scope assessment requirements by context (e.g., production, CI/CD) so evaluators know when each requirement applies | @@ -51,7 +51,7 @@ title: Container Management Tool Security Control Catalog metadata: id: SEC.SLAM.CM type: ControlCatalog - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: Control catalog for container management tool security; mitigates threats from the SEC.SLAM.CM threat catalog. version: 1.0.0 author: @@ -245,7 +245,7 @@ title: Container Management Tool Security Control Catalog metadata: id: SEC.SLAM.CM type: ControlCatalog - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: | Control catalog for container management tool security; mitigates threats from the SEC.SLAM.CM threat catalog. diff --git a/docs/tutorials/controls/control-catalog.yaml b/docs/tutorials/controls/control-catalog.yaml index 92fe5dad..4592e65f 100644 --- a/docs/tutorials/controls/control-catalog.yaml +++ b/docs/tutorials/controls/control-catalog.yaml @@ -1,5 +1,5 @@ # Container Management Tool Security Control Catalog -# Conforms to Gemara #ControlCatalog (schema tag v1.0.0; see controlcatalog.cue). +# Conforms to Gemara #ControlCatalog (schema tag v1.2.0; see controlcatalog.cue). # See control-catalog-guide.md for the full tutorial and this scenario. title: Container Management Tool Security Control Catalog @@ -7,7 +7,7 @@ title: Container Management Tool Security Control Catalog metadata: id: SEC.SLAM.CM type: ControlCatalog - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: | Control catalog for container management tool security; mitigates threats from the SEC.SLAM.CM threat catalog. diff --git a/docs/tutorials/controls/threat-assessment-guide.md b/docs/tutorials/controls/threat-assessment-guide.md index 6941ac57..e95bf0c7 100644 --- a/docs/tutorials/controls/threat-assessment-guide.md +++ b/docs/tutorials/controls/threat-assessment-guide.md @@ -36,7 +36,7 @@ Declare your scope and mapping references for the `ThreatCatalog`. Key fields: |-------|------------|-----| | `title` | Display name for the threat catalog (top-level field) | Human-readable label used in reports and tooling output | | `metadata.type` | Must be `ThreatCatalog` | Identifies the artifact for `#ThreatCatalog` validation | -| `metadata.gemara-version` | String (e.g. `1.0.0`) | Declares which Gemara specification version the file conforms to (required) | +| `metadata.gemara-version` | String (e.g. `1.2.0`) | Declares which Gemara specification version the file conforms to (required) | | `mapping-references` with `id: CCC` | Pointer to the CCC Core catalog release | Resolve imported CCC capability and threat IDs used in `imports` and in each threat's `capabilities` | | `mapping-references` for scope capabilities | Pointer to your `CapabilityCatalog` (see Step 2) | Resolve IDs such as `SEC.SLAM.CM.CAP01` referenced from each threat's `capabilities` | | Top-level `imports` (optional) | List of `#MultiEntryMapping` rows | Pull CCC (or other) capability/threat entries into this catalog without redefining them | @@ -48,7 +48,7 @@ title: Container Management Tool Security Threat Catalog metadata: id: SEC.SLAM.CM type: ThreatCatalog - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: Threat catalog for container management tool security assessment version: 1.0.0 author: @@ -97,7 +97,7 @@ title: Container Management Tool Security Capability Catalog metadata: id: SEC.SLAM.CM.CAP type: CapabilityCatalog - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: | Capabilities unique to the container management tool scope. version: 1.0.0 @@ -199,7 +199,7 @@ title: Container Management Tool Security Threat Catalog metadata: id: SEC.SLAM.CM type: ThreatCatalog - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: Threat catalog for container management tool security assessment version: 1.0.0 author: diff --git a/docs/tutorials/controls/threat-catalog.yaml b/docs/tutorials/controls/threat-catalog.yaml index 7054b87b..cfd65c93 100644 --- a/docs/tutorials/controls/threat-catalog.yaml +++ b/docs/tutorials/controls/threat-catalog.yaml @@ -8,7 +8,7 @@ title: Container Management Tool Security Threat Catalog metadata: id: SEC.SLAM.CM type: ThreatCatalog - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: Threat catalog for container management tool security assessment version: 1.0.0 author: diff --git a/docs/tutorials/guidance/guidance-example.yaml b/docs/tutorials/guidance/guidance-example.yaml index bdda1201..66348762 100644 --- a/docs/tutorials/guidance/guidance-example.yaml +++ b/docs/tutorials/guidance/guidance-example.yaml @@ -1,12 +1,12 @@ # Minimal Secure Software Development Guidance -# Schema: #GuidanceCatalog (github.com/gemaraproj/gemara@v1.0.0). +# Schema: #GuidanceCatalog (github.com/gemaraproj/gemara@v1.2.0). # See guidance-guide.md for the full guide. title: Secure Software Development Guidance metadata: id: ORG.SSD.001 type: GuidanceCatalog - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: Internal secure development and supply chain security guidelines (dependencies, images, and development practices) aligned to industry standards version: 1.0.0 author: diff --git a/docs/tutorials/guidance/guidance-guide.md b/docs/tutorials/guidance/guidance-guide.md index 86d3ce9e..f70d4995 100644 --- a/docs/tutorials/guidance/guidance-guide.md +++ b/docs/tutorials/guidance/guidance-guide.md @@ -44,7 +44,7 @@ Declare your catalog and, if you will reference external standards, add mapping | `type` | One of Standard, Regulation, Best Practice, Framework (catalog intent) | Required by schema; clarifies intent | | `metadata.id` | Unique identifier for this catalog | Used when other artifacts reference this catalog | | `metadata.type` | Artifact kind (e.g. `GuidanceCatalog`) | Required by schema; identifies the Gemara artifact type | -| `metadata.gemara-version` | Gemara specification version (e.g. `"1.0.0"`) | Required by schema; declares which spec the artifact conforms to | +| `metadata.gemara-version` | Gemara specification version (e.g. `"1.2.0"`) | Required by schema; declares which spec the artifact conforms to | | `metadata.description` | High-level summary of purpose and scope | Required by schema; human-readable catalog summary | | `metadata.author` | Actor responsible for the artifact (`id`, `name`, `type`, …) | Required by schema; identifies ownership or authorship | | `metadata.mapping-references` | Pointers to external standards (e.g., OWASP, NIST) | Optional; resolve IDs used in external Mapping Document on guidelines | @@ -59,7 +59,7 @@ title: Secure Software Development Guidance metadata: id: ORG.SSD.001 type: GuidanceCatalog - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: Internal secure development and supply chain security guidelines (dependencies, images, and development practices) aligned to industry standards version: 1.0.0 author: @@ -186,7 +186,7 @@ title: Secure Software Development Guidance metadata: id: ORG.SSD.001 type: GuidanceCatalog - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: Internal secure development and supply chain security guidelines (dependencies, images, and development practices) aligned to industry standards version: 1.0.0 author: diff --git a/docs/tutorials/mapping/mapping-document-guide.md b/docs/tutorials/mapping/mapping-document-guide.md index 2e95b0a8..a144b239 100644 --- a/docs/tutorials/mapping/mapping-document-guide.md +++ b/docs/tutorials/mapping/mapping-document-guide.md @@ -6,7 +6,7 @@ description: Step-by-step guide to creating Gemara-compatible mapping documents ## What This Is -This guide walks through creating a **Mapping Document** using the [Gemara](https://gemara.openssf.org/) project, building on the guidance catalog you created in the [Guidance Catalog Guide](../guidance/guidance-guide). Examples use `gemara-version: "1.0.0-rc.1"` to match the [v1.0.0-rc.1](https://github.com/gemaraproj/gemara/releases/tag/v1.0.0-rc.1) specification release candidate; adjust if you target a different Gemara version. +This guide walks through creating a **Mapping Document** using the [Gemara](https://gemara.openssf.org/) project, building on the guidance catalog you created in the [Guidance Catalog Guide](../guidance/guidance-guide). Examples use `gemara-version: "1.2.0"` to match the [v1.2.0](https://github.com/gemaraproj/gemara/releases/tag/v1.2.0) specification release candidate; adjust if you target a different Gemara version. A mapping document captures the user's intent for how entries in a **source** artifact relate to entries in a **target** artifact. It is the place to express alignment between independently authored catalogs (e.g., your guidance to OWASP, or controls to regulations) in a single, directed way. @@ -66,7 +66,7 @@ metadata: id: SSD-OWASP-MAP-001 version: "1.0.0" type: MappingDocument - gemara-version: "1.0.0-rc.1" + gemara-version: "1.2.0" description: > Maps Secure Software Development Guidance guidelines to OWASP Top 10 categories. Minimal example for tutorials; relationship types are relates-to. @@ -109,7 +109,7 @@ remarks: Guidance guidelines ORG.SSD.GL01–GL03 mapped to OWASP for tutorial us ### Step 3: Define Mappings -Define one or more **mappings**. Each mapping has a **source** string (the source entry’s id) and, unless `relationship` is `no-match`, a non-empty **`targets`** list. Each list element is a **`#MappingTarget`**: at minimum `entry-id`, plus optional `strength`, `confidence-level`, `applicability`, `rationale`, and `remarks` for that target. You may also set `strength`, `confidence-level`, `applicability`, `rationale`, and `remarks` on the mapping itself when they apply to the whole row (see [mappingdocument.cue](https://github.com/gemaraproj/gemara/blob/main/mappingdocument.cue)). +Define one or more **mappings**. Each mapping has a **source** string (the source entry’s id) and, unless `relationship` is `no-match`, a non-empty **`targets`** list. Each list element is a **`#MappingTarget`**: at minimum `entry-id`, plus optional `strength`, `confidence-level`, `applicability`, `rationale`, and `remarks` for that target (see [mappingdocument.cue](https://github.com/gemaraproj/gemara/blob/main/mappingdocument.cue)). | Field | Required | Description | |-----------------------|----------|-----------------------------------------------------------------------------| @@ -117,10 +117,6 @@ Define one or more **mappings**. Each mapping has a **source** string (the sourc | `source` | Yes | Source entry id (string), matching an entry in the source artifact | | `targets` | Yes* | Non-empty list of `{ entry-id: ... }` (and optional per-target fields). Omit only when `relationship` is `no-match` | | `relationship` | Yes | One of `implements`, `implemented-by`, `supports`, `supported-by`, `equivalent`, `subsumes`, `no-match`, `relates-to` | -| `strength` | No | Mapping-level estimate (1–10); per-target `strength` on a `#MappingTarget` overrides where used | -| `confidence-level` | No | `Undetermined`, `Low`, `Medium`, or `High` | -| `applicability` | No | List of group ids (define `applicability-groups` in metadata if used) | -| `rationale` | No | Why this relationship exists | | `remarks` | No | General prose regarding this mapping | **Example (YAML):** Map the three guidelines from the Secure Software Development Guidance (`ORG.SSD.GL01`, `GL02`, `GL03`) to OWASP Top 10 categories (`A06`, `A01`, `A02`): @@ -130,26 +126,26 @@ mappings: - id: GL01-A06 source: ORG.SSD.GL01 relationship: relates-to - strength: 7 - rationale: Immutable image references support supply chain integrity; OWASP A06 covers vulnerable and outdated components. targets: - entry-id: "A06" + strength: 7 + rationale: Immutable image references support supply chain integrity; OWASP A06 covers vulnerable and outdated components. - id: GL02-A01 source: ORG.SSD.GL02 relationship: relates-to - strength: 6 - rationale: Branch protection reduces unauthorized code changes; OWASP A01 covers broken access control. targets: - entry-id: "A01" + strength: 6 + rationale: Branch protection reduces unauthorized code changes; OWASP A01 covers broken access control. - id: GL03-A02 source: ORG.SSD.GL03 relationship: relates-to - strength: 6 - rationale: VPN on untrusted networks protects data in transit; OWASP A02 covers cryptographic failures. targets: - entry-id: "A02" + strength: 6 + rationale: VPN on untrusted networks protects data in transit; OWASP A02 covers cryptographic failures. ``` For **`no-match`**, omit **`targets`** entirely (the source entry has no counterpart in the target artifact). @@ -180,7 +176,7 @@ Combine metadata, source-reference, target-reference, remarks, and mappings into ```yaml # Secure Software Development Guidance to OWASP Top 10 (tutorial example) # Conforms to Gemara #MappingDocument (mappingdocument.cue). -# gemara-version: v1.0.0-rc.1 — https://github.com/gemaraproj/gemara/releases/tag/v1.0.0-rc.1 +# gemara-version: v1.2.0 — https://github.com/gemaraproj/gemara/releases/tag/v1.2.0 # Source guidance catalog: ../guidance/guidance-example.yaml (metadata.id ORG.SSD.001) # entry-type on source-reference / target-reference applies to all entries on that side (#TypedMapping). title: Secure Software Development Guidance to OWASP Top 10 @@ -188,7 +184,7 @@ metadata: id: SSD-OWASP-MAP-001 version: "1.0.0" type: MappingDocument - gemara-version: "1.0.0-rc.1" + gemara-version: "1.2.0" description: > Maps Secure Software Development Guidance guidelines to OWASP Top 10 categories. Minimal example for tutorials; relationship types are relates-to. @@ -218,26 +214,26 @@ mappings: - id: GL01-A06 source: ORG.SSD.GL01 relationship: relates-to - strength: 7 - rationale: Immutable image references support supply chain integrity; OWASP A06 covers vulnerable and outdated components. targets: - entry-id: "A06" + strength: 7 + rationale: Immutable image references support supply chain integrity; OWASP A06 covers vulnerable and outdated components. - id: GL02-A01 source: ORG.SSD.GL02 relationship: relates-to - strength: 6 - rationale: Branch protection reduces unauthorized code changes; OWASP A01 covers broken access control. targets: - entry-id: "A01" + strength: 6 + rationale: Branch protection reduces unauthorized code changes; OWASP A01 covers broken access control. - id: GL03-A02 source: ORG.SSD.GL03 relationship: relates-to - strength: 6 - rationale: VPN on untrusted networks protects data in transit; OWASP A02 covers cryptographic failures. targets: - entry-id: "A02" + strength: 6 + rationale: VPN on untrusted networks protects data in transit; OWASP A02 covers cryptographic failures. ``` **Validate** from the repo root against the checked-in example: diff --git a/docs/tutorials/mapping/mapping-document.yaml b/docs/tutorials/mapping/mapping-document.yaml index a0bb0baf..8c28d80d 100644 --- a/docs/tutorials/mapping/mapping-document.yaml +++ b/docs/tutorials/mapping/mapping-document.yaml @@ -1,13 +1,13 @@ # Secure Software Development Guidance to OWASP Top 10 (tutorial example) # Conforms to Gemara #MappingDocument (mappingdocument.cue). -# gemara-version: v1.0.0-rc.0 — https://github.com/gemaraproj/gemara/releases/tag/v1.0.0-rc.0 +# gemara-version: v1.2.0 — https://github.com/gemaraproj/gemara/releases/tag/v1.2.0 # Source guidance catalog: ../guidance/guidance-example.yaml (metadata.id ORG.SSD.001) # entry-type on source-reference / target-reference applies to all entries on that side (#TypedMapping). title: Secure Software Development Guidance to OWASP Top 10 metadata: id: SSD-OWASP-MAP-001 type: MappingDocument - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: > Maps Secure Software Development Guidance guidelines to OWASP Top 10 categories. Minimal example for tutorials; relationship types are relates-to. @@ -38,26 +38,23 @@ mappings: - id: GL01-A06 source: ORG.SSD.GL01 relationship: relates-to - strength: 7 - rationale: Immutable image references support supply chain integrity; OWASP A06 covers vulnerable and outdated components. targets: - entry-id: "A06" + strength: 7 rationale: Immutable image references support supply chain integrity; OWASP A06 covers vulnerable and outdated components. - id: GL02-A01 source: ORG.SSD.GL02 relationship: relates-to - strength: 6 - rationale: Branch protection reduces unauthorized code changes; OWASP A01 covers broken access control. targets: - entry-id: "A01" + strength: 6 rationale: Branch protection reduces unauthorized code changes; OWASP A01 covers broken access control. - id: GL03-A02 source: ORG.SSD.GL03 relationship: relates-to - strength: 6 - rationale: VPN on untrusted networks protects data in transit; OWASP A02 covers cryptographic failures. targets: - entry-id: "A02" + strength: 6 rationale: VPN on untrusted networks protects data in transit; OWASP A02 covers cryptographic failures. diff --git a/docs/tutorials/policy/policy-example.yaml b/docs/tutorials/policy/policy-example.yaml index d46cb90e..ff477ca3 100644 --- a/docs/tutorials/policy/policy-example.yaml +++ b/docs/tutorials/policy/policy-example.yaml @@ -1,11 +1,11 @@ # Information Security Policy for Cloud and Web Applications (Layer 3) -# Conforms to Gemara #Policy (policy.cue). Validate: cue vet -c -d '#Policy' github.com/gemaraproj/gemara@v1.0.0 this-file.yaml +# Conforms to Gemara #Policy (policy.cue). Validate: cue vet -c -d '#Policy' github.com/gemaraproj/gemara@v1 this-file.yaml # Aligned to threat-assessment-guide scope (SEC.SLAM.CM) and policy guide. title: "Information Security Policy for Cloud and Web Applications" metadata: id: "org-policy-001" type: Policy - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: "Policy for cloud and web application security; references control catalogs." version: "1.0.0" author: diff --git a/docs/tutorials/policy/policy-guide.md b/docs/tutorials/policy/policy-guide.md index b53ed2f4..763a8068 100644 --- a/docs/tutorials/policy/policy-guide.md +++ b/docs/tutorials/policy/policy-guide.md @@ -28,7 +28,7 @@ Set `title` and `metadata` (see [metadata.cue](https://github.com/gemaraproj/gem | `title` | Display name for the policy (top-level) | Human-readable label in reports and tooling | | `metadata.id` | Unique identifier for this policy | Used when other documents reference this policy | | `metadata.type` | Must be `Policy` | Required by schema; identifies the artifact kind | -| `metadata.gemara-version` | Gemara specification version (e.g. `"1.0.0"`) | Required by schema; should match the module tag you pass to `cue vet` | +| `metadata.gemara-version` | Gemara specification version (e.g. `"1.2.0"`) | Required by schema; should match the module tag you pass to `cue vet` | | `metadata.description` | High-level summary of the policy's purpose and scope | Required by schema; clarifies intent | | `metadata.author` | Actor (id, name, type) primarily responsible for this policy | Required by schema; identifies the author | | `metadata.version` | Version identifier (e.g. `"1.0.0"`) | Optional; supports versioning and references | @@ -43,7 +43,7 @@ title: "Information Security Policy for Cloud and Web Applications" metadata: id: "org-policy-001" type: Policy - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: "Policy for cloud and web application security; references control catalogs." version: "1.0.0" author: @@ -229,7 +229,7 @@ title: "Information Security Policy for Cloud and Web Applications" metadata: id: "org-policy-001" type: Policy - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: "Policy for cloud and web application security; references control catalogs." version: "1.0.0" author: diff --git a/docs/tutorials/policy/risk-catalog-example.yaml b/docs/tutorials/policy/risk-catalog-example.yaml index 6824ea65..5b644944 100644 --- a/docs/tutorials/policy/risk-catalog-example.yaml +++ b/docs/tutorials/policy/risk-catalog-example.yaml @@ -1,12 +1,12 @@ # Organization Risk Catalog for Cloud and Container Workloads (Layer 3) # Conforms to Gemara #RiskCatalog (riskcatalog.cue). -# gemara-version: v1.0.0 — https://github.com/gemaraproj/gemara/releases/tag/v1.0.0 +# gemara-version: v1.2.0 — https://github.com/gemaraproj/gemara/releases/tag/v1.2.0 # Risks drawn from Threat Assessment Guide: CCC (CCC.Core.TH14) and SEC.SLAM.CM (SEC.SLAM.CM.THR01). title: "Organization Risk Catalog for Cloud and Container Workloads" metadata: id: "org-risk-catalog-001" type: RiskCatalog - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: "Risks relevant to cloud and container management; threats linked to CCC Core and SEC.SLAM.CM threat catalog." version: "1.0.0" author: diff --git a/docs/tutorials/policy/risk-catalog-guide.md b/docs/tutorials/policy/risk-catalog-guide.md index ff44fb95..ecbfc333 100644 --- a/docs/tutorials/policy/risk-catalog-guide.md +++ b/docs/tutorials/policy/risk-catalog-guide.md @@ -6,7 +6,7 @@ description: Step-by-step guide to creating Gemara-compatible risk catalogs ## What This Is -This guide walks through creating a **Risk Catalog** using the [Gemara](https://gemara.openssf.org/) project. The document conforms to `#RiskCatalog` in [riskcatalog.cue](https://github.com/gemaraproj/gemara/blob/main/riskcatalog.cue) and the published [Risk Catalog schema](https://gemara.openssf.org/schema/riskcatalog.html). Examples use `gemara-version: "1.0.0"` to match the [v1.0.0](https://github.com/gemaraproj/gemara/releases/tag/v1.0.0) specification release; adjust if you target a different Gemara version. +This guide walks through creating a **Risk Catalog** using the [Gemara](https://gemara.openssf.org/) project. The document conforms to `#RiskCatalog` in [riskcatalog.cue](https://github.com/gemaraproj/gemara/blob/main/riskcatalog.cue) and the published [Risk Catalog schema](https://gemara.openssf.org/schema/riskcatalog.html). Examples use `gemara-version: "1.2.0"` to match the [v1.2.0](https://github.com/gemaraproj/gemara/releases/tag/v1.2.0) specification release; adjust if you target a different Gemara version. **The basic idea:** A Risk Catalog is a structured list of **[risks](../../model/02-definitions.html#risk)** that might affect an organization, system, or service. You organize them into **groups** (schema type `#RiskCategory`) that express how much risk you are willing to carry ( risk appetite) and optionally cap how bad a single risk in that group can be (**max-severity**). Each risk has an assessed **severity** and can point to Layer 2 **[threats](../../model/02-definitions.html#threat)** so mitigations and policies stay traceable to threat catalogs. Optionally, **`rank`** records a total order among risks in this catalog (for example when several share the same severity); see Step 2. @@ -43,7 +43,7 @@ title: "Organization Risk Catalog for Cloud and Container Workloads" metadata: id: "org-risk-catalog-001" type: RiskCatalog - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: "Risks relevant to cloud and container management; threats linked to CCC Core and SEC.SLAM.CM threat catalog." version: "1.0.0" author: @@ -182,13 +182,13 @@ A complete, schema-valid example is in [risk-catalog-example.yaml](risk-catalog- ```yaml # Organization Risk Catalog for Cloud and Container Workloads (Layer 3) # Conforms to Gemara #RiskCatalog (riskcatalog.cue). -# gemara-version: v1.0.0 — https://github.com/gemaraproj/gemara/releases/tag/v1.0.0 +# gemara-version: v1.2.0 — https://github.com/gemaraproj/gemara/releases/tag/v1.2.0 # Risks drawn from Threat Assessment Guide: CCC (CCC.Core.TH14) and SEC.SLAM.CM (SEC.SLAM.CM.THR01). title: "Organization Risk Catalog for Cloud and Container Workloads" metadata: id: "org-risk-catalog-001" type: RiskCatalog - gemara-version: "1.0.0" + gemara-version: "1.2.0" description: "Risks relevant to cloud and container management; threats linked to CCC Core and SEC.SLAM.CM threat catalog." version: "1.0.0" author: