Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion docs/tutorials/controls/capabilities.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ title: Container Management Tool Security Capability Catalog
metadata:
id: SEC.SLAM.CM.CAP
type: CapabilityCatalog
gemara-version: "1.0.0"
gemara-version: "1.2.0"
description: |
Capabilities unique to the container management tool scope; referenced by
threats in the SEC.SLAM.CM threat catalog.
Expand Down
6 changes: 3 additions & 3 deletions docs/tutorials/controls/control-catalog-guide.md
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ Declare your control catalog and mapping references. Key fields:
|-------------------------------------|--------------------------------------------------------------|-------------------------------------------------------------------------------------------|
| `title` | Display name for the control catalog (top-level field) | Human-readable label used in reports and tooling output |
| `metadata.type` | Must be `ControlCatalog` | Identifies the artifact kind for validation |
| `metadata.gemara-version` | String (e.g. `1.0.0`) | Declares which Gemara specification version the file conforms to (required in current schema) |
| `metadata.gemara-version` | String (e.g. `1.2.0`) | Declares which Gemara specification version the file conforms to (required in current schema) |
| `mapping-references` with `id: CCC` | Optional pointer to CCC or another control/threat catalog | Resolve imported capability and control IDs from the referenced catalog |
| `applicability-groups` | List of groups (id, title, description) for when controls apply | Scope assessment requirements by context (e.g., production, CI/CD) so evaluators know when each requirement applies |

Expand All @@ -51,7 +51,7 @@ title: Container Management Tool Security Control Catalog
metadata:
id: SEC.SLAM.CM
type: ControlCatalog
gemara-version: "1.0.0"
gemara-version: "1.2.0"
description: Control catalog for container management tool security; mitigates threats from the SEC.SLAM.CM threat catalog.
version: 1.0.0
author:
Expand Down Expand Up @@ -245,7 +245,7 @@ title: Container Management Tool Security Control Catalog
metadata:
id: SEC.SLAM.CM
type: ControlCatalog
gemara-version: "1.0.0"
gemara-version: "1.2.0"
description: |
Control catalog for container management tool security; mitigates threats
from the SEC.SLAM.CM threat catalog.
Expand Down
4 changes: 2 additions & 2 deletions docs/tutorials/controls/control-catalog.yaml
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
# Container Management Tool Security Control Catalog
# Conforms to Gemara #ControlCatalog (schema tag v1.0.0; see controlcatalog.cue).
# Conforms to Gemara #ControlCatalog (schema tag v1.2.0; see controlcatalog.cue).
# See control-catalog-guide.md for the full tutorial and this scenario.

title: Container Management Tool Security Control Catalog

metadata:
id: SEC.SLAM.CM
type: ControlCatalog
gemara-version: "1.0.0"
gemara-version: "1.2.0"
description: |
Control catalog for container management tool security; mitigates threats
from the SEC.SLAM.CM threat catalog.
Expand Down
8 changes: 4 additions & 4 deletions docs/tutorials/controls/threat-assessment-guide.md
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ Declare your scope and mapping references for the `ThreatCatalog`. Key fields:
|-------|------------|-----|
| `title` | Display name for the threat catalog (top-level field) | Human-readable label used in reports and tooling output |
| `metadata.type` | Must be `ThreatCatalog` | Identifies the artifact for `#ThreatCatalog` validation |
| `metadata.gemara-version` | String (e.g. `1.0.0`) | Declares which Gemara specification version the file conforms to (required) |
| `metadata.gemara-version` | String (e.g. `1.2.0`) | Declares which Gemara specification version the file conforms to (required) |
| `mapping-references` with `id: CCC` | Pointer to the CCC Core catalog release | Resolve imported CCC capability and threat IDs used in `imports` and in each threat's `capabilities` |
| `mapping-references` for scope capabilities | Pointer to your `CapabilityCatalog` (see Step 2) | Resolve IDs such as `SEC.SLAM.CM.CAP01` referenced from each threat's `capabilities` |
| Top-level `imports` (optional) | List of `#MultiEntryMapping` rows | Pull CCC (or other) capability/threat entries into this catalog without redefining them |
Expand All @@ -48,7 +48,7 @@ title: Container Management Tool Security Threat Catalog
metadata:
id: SEC.SLAM.CM
type: ThreatCatalog
gemara-version: "1.0.0"
gemara-version: "1.2.0"
description: Threat catalog for container management tool security assessment
version: 1.0.0
author:
Expand Down Expand Up @@ -97,7 +97,7 @@ title: Container Management Tool Security Capability Catalog
metadata:
id: SEC.SLAM.CM.CAP
type: CapabilityCatalog
gemara-version: "1.0.0"
gemara-version: "1.2.0"
description: |
Capabilities unique to the container management tool scope.
version: 1.0.0
Expand Down Expand Up @@ -199,7 +199,7 @@ title: Container Management Tool Security Threat Catalog
metadata:
id: SEC.SLAM.CM
type: ThreatCatalog
gemara-version: "1.0.0"
gemara-version: "1.2.0"
description: Threat catalog for container management tool security assessment
version: 1.0.0
author:
Expand Down
2 changes: 1 addition & 1 deletion docs/tutorials/controls/threat-catalog.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ title: Container Management Tool Security Threat Catalog
metadata:
id: SEC.SLAM.CM
type: ThreatCatalog
gemara-version: "1.0.0"
gemara-version: "1.2.0"
description: Threat catalog for container management tool security assessment
version: 1.0.0
author:
Expand Down
4 changes: 2 additions & 2 deletions docs/tutorials/guidance/guidance-example.yaml
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
# Minimal Secure Software Development Guidance
# Schema: #GuidanceCatalog (github.com/gemaraproj/gemara@v1.0.0).
# Schema: #GuidanceCatalog (github.com/gemaraproj/gemara@v1.2.0).
# See guidance-guide.md for the full guide.

title: Secure Software Development Guidance
metadata:
id: ORG.SSD.001
type: GuidanceCatalog
gemara-version: "1.0.0"
gemara-version: "1.2.0"
description: Internal secure development and supply chain security guidelines (dependencies, images, and development practices) aligned to industry standards
version: 1.0.0
author:
Expand Down
6 changes: 3 additions & 3 deletions docs/tutorials/guidance/guidance-guide.md
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ Declare your catalog and, if you will reference external standards, add mapping
| `type` | One of Standard, Regulation, Best Practice, Framework (catalog intent) | Required by schema; clarifies intent |
| `metadata.id` | Unique identifier for this catalog | Used when other artifacts reference this catalog |
| `metadata.type` | Artifact kind (e.g. `GuidanceCatalog`) | Required by schema; identifies the Gemara artifact type |
| `metadata.gemara-version` | Gemara specification version (e.g. `"1.0.0"`) | Required by schema; declares which spec the artifact conforms to |
| `metadata.gemara-version` | Gemara specification version (e.g. `"1.2.0"`) | Required by schema; declares which spec the artifact conforms to |
| `metadata.description` | High-level summary of purpose and scope | Required by schema; human-readable catalog summary |
| `metadata.author` | Actor responsible for the artifact (`id`, `name`, `type`, …) | Required by schema; identifies ownership or authorship |
| `metadata.mapping-references` | Pointers to external standards (e.g., OWASP, NIST) | Optional; resolve IDs used in external Mapping Document on guidelines |
Expand All @@ -59,7 +59,7 @@ title: Secure Software Development Guidance
metadata:
id: ORG.SSD.001
type: GuidanceCatalog
gemara-version: "1.0.0"
gemara-version: "1.2.0"
description: Internal secure development and supply chain security guidelines (dependencies, images, and development practices) aligned to industry standards
version: 1.0.0
author:
Expand Down Expand Up @@ -186,7 +186,7 @@ title: Secure Software Development Guidance
metadata:
id: ORG.SSD.001
type: GuidanceCatalog
gemara-version: "1.0.0"
gemara-version: "1.2.0"
description: Internal secure development and supply chain security guidelines (dependencies, images, and development practices) aligned to industry standards
version: 1.0.0
author:
Expand Down
38 changes: 17 additions & 21 deletions docs/tutorials/mapping/mapping-document-guide.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ description: Step-by-step guide to creating Gemara-compatible mapping documents

## What This Is

This guide walks through creating a **Mapping Document** using the [Gemara](https://gemara.openssf.org/) project, building on the guidance catalog you created in the [Guidance Catalog Guide](../guidance/guidance-guide). Examples use `gemara-version: "1.0.0-rc.1"` to match the [v1.0.0-rc.1](https://github.com/gemaraproj/gemara/releases/tag/v1.0.0-rc.1) specification release candidate; adjust if you target a different Gemara version.
This guide walks through creating a **Mapping Document** using the [Gemara](https://gemara.openssf.org/) project, building on the guidance catalog you created in the [Guidance Catalog Guide](../guidance/guidance-guide). Examples use `gemara-version: "1.2.0"` to match the [v1.2.0](https://github.com/gemaraproj/gemara/releases/tag/v1.2.0) specification release candidate; adjust if you target a different Gemara version.

A mapping document captures the user's intent for how entries in a **source** artifact relate to entries in a **target** artifact. It is the place to express alignment between independently authored catalogs (e.g., your guidance to OWASP, or controls to regulations) in a single, directed way.

Expand Down Expand Up @@ -66,7 +66,7 @@ metadata:
id: SSD-OWASP-MAP-001
version: "1.0.0"
type: MappingDocument
gemara-version: "1.0.0-rc.1"
gemara-version: "1.2.0"
description: >
Maps Secure Software Development Guidance guidelines to OWASP Top 10
categories. Minimal example for tutorials; relationship types are relates-to.
Expand Down Expand Up @@ -109,18 +109,14 @@ remarks: Guidance guidelines ORG.SSD.GL01–GL03 mapped to OWASP for tutorial us

### Step 3: Define Mappings

Define one or more **mappings**. Each mapping has a **source** string (the source entry’s id) and, unless `relationship` is `no-match`, a non-empty **`targets`** list. Each list element is a **`#MappingTarget`**: at minimum `entry-id`, plus optional `strength`, `confidence-level`, `applicability`, `rationale`, and `remarks` for that target. You may also set `strength`, `confidence-level`, `applicability`, `rationale`, and `remarks` on the mapping itself when they apply to the whole row (see [mappingdocument.cue](https://github.com/gemaraproj/gemara/blob/main/mappingdocument.cue)).
Define one or more **mappings**. Each mapping has a **source** string (the source entry’s id) and, unless `relationship` is `no-match`, a non-empty **`targets`** list. Each list element is a **`#MappingTarget`**: at minimum `entry-id`, plus optional `strength`, `confidence-level`, `applicability`, `rationale`, and `remarks` for that target (see [mappingdocument.cue](https://github.com/gemaraproj/gemara/blob/main/mappingdocument.cue)).

| Field | Required | Description |
|-----------------------|----------|-----------------------------------------------------------------------------|
| `id` | Yes | Unique identifier for this mapping |
| `source` | Yes | Source entry id (string), matching an entry in the source artifact |
| `targets` | Yes* | Non-empty list of `{ entry-id: ... }` (and optional per-target fields). Omit only when `relationship` is `no-match` |
| `relationship` | Yes | One of `implements`, `implemented-by`, `supports`, `supported-by`, `equivalent`, `subsumes`, `no-match`, `relates-to` |
| `strength` | No | Mapping-level estimate (1–10); per-target `strength` on a `#MappingTarget` overrides where used |
| `confidence-level` | No | `Undetermined`, `Low`, `Medium`, or `High` |
| `applicability` | No | List of group ids (define `applicability-groups` in metadata if used) |
| `rationale` | No | Why this relationship exists |
| `remarks` | No | General prose regarding this mapping |

**Example (YAML):** Map the three guidelines from the Secure Software Development Guidance (`ORG.SSD.GL01`, `GL02`, `GL03`) to OWASP Top 10 categories (`A06`, `A01`, `A02`):
Expand All @@ -130,26 +126,26 @@ mappings:
- id: GL01-A06
source: ORG.SSD.GL01
relationship: relates-to
strength: 7
rationale: Immutable image references support supply chain integrity; OWASP A06 covers vulnerable and outdated components.
targets:
- entry-id: "A06"
strength: 7
rationale: Immutable image references support supply chain integrity; OWASP A06 covers vulnerable and outdated components.

- id: GL02-A01
source: ORG.SSD.GL02
relationship: relates-to
strength: 6
rationale: Branch protection reduces unauthorized code changes; OWASP A01 covers broken access control.
targets:
- entry-id: "A01"
strength: 6
rationale: Branch protection reduces unauthorized code changes; OWASP A01 covers broken access control.

- id: GL03-A02
source: ORG.SSD.GL03
relationship: relates-to
strength: 6
rationale: VPN on untrusted networks protects data in transit; OWASP A02 covers cryptographic failures.
targets:
- entry-id: "A02"
strength: 6
rationale: VPN on untrusted networks protects data in transit; OWASP A02 covers cryptographic failures.
```

For **`no-match`**, omit **`targets`** entirely (the source entry has no counterpart in the target artifact).
Expand Down Expand Up @@ -180,15 +176,15 @@ Combine metadata, source-reference, target-reference, remarks, and mappings into
```yaml
# Secure Software Development Guidance to OWASP Top 10 (tutorial example)
# Conforms to Gemara #MappingDocument (mappingdocument.cue).
# gemara-version: v1.0.0-rc.1 — https://github.com/gemaraproj/gemara/releases/tag/v1.0.0-rc.1
# gemara-version: v1.2.0 — https://github.com/gemaraproj/gemara/releases/tag/v1.2.0
# Source guidance catalog: ../guidance/guidance-example.yaml (metadata.id ORG.SSD.001)
# entry-type on source-reference / target-reference applies to all entries on that side (#TypedMapping).
title: Secure Software Development Guidance to OWASP Top 10
metadata:
id: SSD-OWASP-MAP-001
version: "1.0.0"
type: MappingDocument
gemara-version: "1.0.0-rc.1"
gemara-version: "1.2.0"
description: >
Maps Secure Software Development Guidance guidelines to OWASP Top 10
categories. Minimal example for tutorials; relationship types are relates-to.
Expand Down Expand Up @@ -218,26 +214,26 @@ mappings:
- id: GL01-A06
source: ORG.SSD.GL01
relationship: relates-to
strength: 7
rationale: Immutable image references support supply chain integrity; OWASP A06 covers vulnerable and outdated components.
targets:
- entry-id: "A06"
strength: 7
rationale: Immutable image references support supply chain integrity; OWASP A06 covers vulnerable and outdated components.

- id: GL02-A01
source: ORG.SSD.GL02
relationship: relates-to
strength: 6
rationale: Branch protection reduces unauthorized code changes; OWASP A01 covers broken access control.
targets:
- entry-id: "A01"
strength: 6
rationale: Branch protection reduces unauthorized code changes; OWASP A01 covers broken access control.

- id: GL03-A02
source: ORG.SSD.GL03
relationship: relates-to
strength: 6
rationale: VPN on untrusted networks protects data in transit; OWASP A02 covers cryptographic failures.
targets:
- entry-id: "A02"
strength: 6
rationale: VPN on untrusted networks protects data in transit; OWASP A02 covers cryptographic failures.
```

**Validate** from the repo root against the checked-in example:
Expand Down
13 changes: 5 additions & 8 deletions docs/tutorials/mapping/mapping-document.yaml
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
# Secure Software Development Guidance to OWASP Top 10 (tutorial example)
# Conforms to Gemara #MappingDocument (mappingdocument.cue).
# gemara-version: v1.0.0-rc.0 — https://github.com/gemaraproj/gemara/releases/tag/v1.0.0-rc.0
# gemara-version: v1.2.0 — https://github.com/gemaraproj/gemara/releases/tag/v1.2.0
# Source guidance catalog: ../guidance/guidance-example.yaml (metadata.id ORG.SSD.001)
# entry-type on source-reference / target-reference applies to all entries on that side (#TypedMapping).
title: Secure Software Development Guidance to OWASP Top 10
metadata:
id: SSD-OWASP-MAP-001
type: MappingDocument
gemara-version: "1.0.0"
gemara-version: "1.2.0"
description: >
Maps Secure Software Development Guidance guidelines to OWASP Top 10
categories. Minimal example for tutorials; relationship types are relates-to.
Expand Down Expand Up @@ -38,26 +38,23 @@ mappings:
- id: GL01-A06
source: ORG.SSD.GL01
relationship: relates-to
strength: 7
rationale: Immutable image references support supply chain integrity; OWASP A06 covers vulnerable and outdated components.
targets:
- entry-id: "A06"
strength: 7
rationale: Immutable image references support supply chain integrity; OWASP A06 covers vulnerable and outdated components.

- id: GL02-A01
source: ORG.SSD.GL02
relationship: relates-to
strength: 6
rationale: Branch protection reduces unauthorized code changes; OWASP A01 covers broken access control.
targets:
- entry-id: "A01"
strength: 6
rationale: Branch protection reduces unauthorized code changes; OWASP A01 covers broken access control.

- id: GL03-A02
source: ORG.SSD.GL03
relationship: relates-to
strength: 6
rationale: VPN on untrusted networks protects data in transit; OWASP A02 covers cryptographic failures.
targets:
- entry-id: "A02"
strength: 6
rationale: VPN on untrusted networks protects data in transit; OWASP A02 covers cryptographic failures.
4 changes: 2 additions & 2 deletions docs/tutorials/policy/policy-example.yaml
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
# Information Security Policy for Cloud and Web Applications (Layer 3)
# Conforms to Gemara #Policy (policy.cue). Validate: cue vet -c -d '#Policy' github.com/gemaraproj/gemara@v1.0.0 this-file.yaml
# Conforms to Gemara #Policy (policy.cue). Validate: cue vet -c -d '#Policy' github.com/gemaraproj/gemara@v1 this-file.yaml
# Aligned to threat-assessment-guide scope (SEC.SLAM.CM) and policy guide.
title: "Information Security Policy for Cloud and Web Applications"
metadata:
id: "org-policy-001"
type: Policy
gemara-version: "1.0.0"
gemara-version: "1.2.0"
description: "Policy for cloud and web application security; references control catalogs."
version: "1.0.0"
author:
Expand Down
Loading
Loading