From 280549f629e45580aa8d7f074a7b755ea4d74558 Mon Sep 17 00:00:00 2001
From: Meghan Ammentorp
Date: Fri, 13 Dec 2024 12:41:17 -0600
Subject: [PATCH 1/8] Security Controls Action Documentation
---
 docs/actions/security-controls.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 docs/actions/security-controls.md
diff --git a/docs/actions/security-controls.md b/docs/actions/security-controls.md
new file mode 100644
index 0000000..9a3333b
--- /dev/null
+++ b/docs/actions/security-controls.md
@@ -0,0 +1,20 @@
+# Semantic Conventions for `security-control` Actions
+
+Used when span name is `security-control`.
+
+
+| Attribute | Type | Description | Examples | Requirement Level |
+|---------------------------|---|--------------------------------------------------------------|-----------------------------------------|-------------------|
+| `security.control.method` | string | The method of the custom security control. | `com.Acme.OldSecurity.DoLegacySecurity` | Required |
+| `security.control.name` | string | The name of the custom security control. | `My Custom Security Control ` | Optional |
+| `security.control.rules` | string | The rules applicable to the custom security control. | `reflected-xss`; `path-traversal` | Recommended |
+| `security.control.type` | string | The custom security control type. | `sanitizer`; `validator` | Optional |
+
+`security.control.type` MUST be one of the following:
+
+| Value | Description |
+|---------------------|-----------------|
+| `sanitizer` | Sanitizer |
+| `input-validator` | Input Validator |
+| `regex-validator` | Regex Validator |
+
From 58c75bdffa0a42ad997bee98a45aa6173bcc1f5c Mon Sep 17 00:00:00 2001
From: Meghan Ammentorp
Date: Tue, 17 Dec 2024 09:59:06 -0600
Subject: [PATCH 2/8] PR Fixes
---
 CHANGELOG.md | 11 +++++++++++
 model/metrics/contrast-actions.yaml | 3 +++
 schema-next.yaml | 1 +
 3 files changed, 15 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8cc8d43..daf71d2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,17 @@
 ### Fixes
+## v0.4.0 (2024-12-17)
+
+### Breaking
+
+### Features
+
+- add definitions for custom security control actions.
+ ([#8](https://github.com/Contrast-Security-OSS/secobs-semantic-conventions/pull/8))
+
+### Fixes
+
 ## v0.3.0 (2024-03-06)
 ### Breaking
diff --git a/model/metrics/contrast-actions.yaml b/model/metrics/contrast-actions.yaml
index fb9b922..0222633 100644
--- a/model/metrics/contrast-actions.yaml
+++ b/model/metrics/contrast-actions.yaml
@@ -49,6 +49,9 @@ groups:
 - id: ognl-execution
 value: "ognl-execution"
 brief: "Object-Graph Navigation Language expression execution."
+ - id: security-control
+ value: "security-control"
+ brief: "Custom security controls defined by the user."
 - id: attributes.contrast.action.metric
 extends: attributes.contrast.actions
diff --git a/schema-next.yaml b/schema-next.yaml
index 64626c4..7c78d3a 100644
--- a/schema-next.yaml
+++ b/schema-next.yaml
@@ -2,6 +2,7 @@ file_format: 1.1.0
 schema_url: https://github.com/Contrast-Security-OSS/secobs-semantic-conventions/releases/download/next/next
 versions:
 next:
+ 0.4.0:
 0.3.0:
 0.2.0:
 0.1.0:
From 0dcb41e610d3fa1bdef75fe80604b397ffc291b0 Mon Sep 17 00:00:00 2001
From: Meghan Ammentorp
Date: Tue, 17 Dec 2024 10:19:57 -0600
Subject: [PATCH 3/8] PR Fixes
---
 docs/actions/security-controls.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/actions/security-controls.md b/docs/actions/security-controls.md
index 9a3333b..3fe8cfc 100644
--- a/docs/actions/security-controls.md
+++ b/docs/actions/security-controls.md
@@ -3,12 +3,12 @@
 Used when span name is `security-control`.
-| Attribute | Type | Description | Examples | Requirement Level |
-|---------------------------|---|--------------------------------------------------------------|-----------------------------------------|-------------------|
+| Attribute | Type | Description | Examples | Requirement Level |
+|---------------------------|---|--------------------------------------------------------------|---------------------------------------|-------------------|
 | `security.control.method` | string | The method of the custom security control. | `com.Acme.OldSecurity.DoLegacySecurity` | Required |
-| `security.control.name` | string | The name of the custom security control. | `My Custom Security Control ` | Optional |
+| `security.control.name` | string | The name of the custom security control. | "My Custom Security Control" | Optional |
 | `security.control.rules` | string | The rules applicable to the custom security control. | `reflected-xss`; `path-traversal` | Recommended |
-| `security.control.type` | string | The custom security control type. | `sanitizer`; `validator` | Optional |
+| `security.control.type` | string | The custom security control type. | `sanitizer`; `validator` | Optional |
 `security.control.type` MUST be one of the following:
From 17a417ee220420356e69db47a086c996d9fee057 Mon Sep 17 00:00:00 2001
From: Meghan Ammentorp
Date: Tue, 17 Dec 2024 10:27:48 -0600
Subject: [PATCH 4/8] PR
---
 schemas/0.4.0 | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 schemas/0.4.0
diff --git a/schemas/0.4.0 b/schemas/0.4.0
new file mode 100644
index 0000000..bda2742
--- /dev/null
+++ b/schemas/0.4.0
@@ -0,0 +1,7 @@
+file_format: 1.1.0
+schema_url: https://github.com/Contrast-Security-OSS/secobs-semantic-conventions/releases/download/v0.3.0/0.3.0
+versions:
+ 0.4.0:
+ 0.3.0:
+ 0.2.0:
+ 0.1.0:
From 37554e0bd090280990735ab876e9c81992fd98d4 Mon Sep 17 00:00:00 2001
From: Meghan Ammentorp
Date: Tue, 17 Dec 2024 10:47:09 -0600
Subject: [PATCH 5/8] workflow tings
---
 .gitignore | 1 +
 ...curity-controls.md => security-control.md} | 0
 model/trace/contrast-actions.yml | 46 +++++++++++++++++--
 schemas/0.4.0 | 2 +-
 4 files changed, 43 insertions(+), 6 deletions(-)
 rename docs/actions/{security-controls.md => security-control.md} (100%)
diff --git a/.gitignore b/.gitignore
index 9350043..0a51743 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 .idea/
 node_modules/
 *.iml
+internal/tools/bin/
diff --git a/docs/actions/security-controls.md b/docs/actions/security-control.md
similarity index 100%
rename from docs/actions/security-controls.md
rename to docs/actions/security-control.md
diff --git a/model/trace/contrast-actions.yml b/model/trace/contrast-actions.yml
index 5c1c27e..9c0a404 100644
--- a/model/trace/contrast-actions.yml
+++ b/model/trace/contrast-actions.yml
@@ -191,16 +191,52 @@ groups:
 "#{20 - 1}", "'Just a string value'.substring(5)" ]
+
 - id: contrast.action.span.el-execution
 type: span
 extends: attributes.contrast.code-exec
 brief: >
 Describes attributes for Contrast Action span of type el-execution. The Spring Expression Language (SpEL for short) is a powerful expression language that supports querying and manipulating an object graph at runtime.
- - id: contrast.action.span.ognl-execution
- extends: attributes.contrast.code-exec
+
+ - id: contrast.action.span.security-control
 type: span
 brief: >
- Describes attributes for Contrast Action span of type ognl-execution. OGNL stands for Object-Graph Navigation Language.
- It is an expression language for getting and setting properties of Java objects, plus other extras such as list projection
- and selection and lambda expressions. You use the same expression for both getting and setting the value of a property.
+ Describes attributes for Contrast Action span of type security-control.
+ attributes:
+ - id: method
+ brief: >
+ The method of the custom security control.
+ requirement_level: required
+ examples: [ com.Acme.OldSecurity.DoLegacySecurity ]
+ type: string
+ - id: name
+ brief: >
+ The name of the custom security control.
+ requirement_level: optional
+ examples: [ "My Custom Security Control" ]
+ type: string
+ - id: rules
+ brief: >
+ The rules applicable to the custom security control.
+ requirement_level: recommended
+ examples: [ reflected-xss; path-traversal ]
+ type: string
+ - id: type
+ brief: >
+ The custom security control type.
+ requirement_level: optional
+ examples: [ sanitizer; input-validator ]
+ type:
+ allow_custom_values: false
+ members:
+ - id: sanitizer
+ value: sanitizer
+ brief: Sanitizer
+ - id: input-validator
+ value: input-validator
+ brief: Input Validator
+ - id: regex-validator
+ value: regex-validator
+ brief: Regex Validator
+
diff --git a/schemas/0.4.0 b/schemas/0.4.0
index bda2742..018cb00 100644
--- a/schemas/0.4.0
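Review bot: `examples: [ reflected-xss; path-traversal ]` on the new `rules` attribute, and `examples: [ sanitizer; input-validator ]` on `type`, are each a one-element flow sequence whose single item is the literal string containing the `;`, because `;` is not a separator in YAML — the rendered docs will show one example rather than two, and for `type` that example matches none of the `members` declared under it. Change them to `examples: [ reflected-xss, path-traversal ]` and `examples: [ sanitizer, input-validator ]`. The table in docs/actions/security-control.md still lists `validator` as a `security.control.type` example, which is not one of `sanitizer`, `input-validator`, `regex-validator` declared here with `allow_custom_values: false`, so the table should mirror the YAML. Also worth confirming: the group declares attribute ids `method`, `name`, `rules`, `type` with no `prefix`, so unless the tooling derives one from the group id these will not render as the `security.control.*` names the docs use; a `prefix: security.control` on the group would pin that. The enclosing `groups:` list starts outside the hunk.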
+++ b/schemas/0.4.0
@@ -1,5 +1,5 @@
 file_format: 1.1.0
-schema_url: https://github.com/Contrast-Security-OSS/secobs-semantic-conventions/releases/download/v0.3.0/0.3.0
+schema_url: https://github.com/Contrast-Security-OSS/secobs-semantic-conventions/releases/download/v0.4.0/0.4.0
 versions:
 0.4.0:
 0.3.0:
From 2a97c355532cbf2b8261f5bf7d752cd9ed3b0455 Mon Sep 17 00:00:00 2001
From: Meghan Ammentorp
Date: Tue, 17 Dec 2024 10:49:51 -0600
Subject: [PATCH 6/8] workflow tings
---
 docs/actions/security-control.md | 4 ++--
 model/trace/contrast-actions.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/actions/security-control.md b/docs/actions/security-control.md
index 3fe8cfc..f6a0dec 100644
--- a/docs/actions/security-control.md
+++ b/docs/actions/security-control.md
@@ -6,9 +6,9 @@ Used when span name is `security-control`.
 | Attribute | Type | Description | Examples | Requirement Level |
 |---------------------------|---|--------------------------------------------------------------|---------------------------------------|-------------------|
 | `security.control.method` | string | The method of the custom security control. | `com.Acme.OldSecurity.DoLegacySecurity` | Required |
-| `security.control.name` | string | The name of the custom security control. | "My Custom Security Control" | Optional |
+| `security.control.name` | string | The name of the custom security control. | "My Custom Security Control" | Recommended |
 | `security.control.rules` | string | The rules applicable to the custom security control. | `reflected-xss`; `path-traversal` | Recommended |
-| `security.control.type` | string | The custom security control type. | `sanitizer`; `validator` | Optional |
+| `security.control.type` | string | The custom security control type. | `sanitizer`; `validator` | Recommended |
 `security.control.type` MUST be one of the following:
diff --git a/model/trace/contrast-actions.yml b/model/trace/contrast-actions.yml
index 9c0a404..e17686a 100644
--- a/model/trace/contrast-actions.yml
+++ b/model/trace/contrast-actions.yml
@@ -213,7 +213,7 @@ groups:
 - id: name
 brief: >
 The name of the custom security control.
- requirement_level: optional
+ requirement_level: recommended
 examples: [ "My Custom Security Control" ]
 type: string
 - id: rules
@@ -225,7 +225,7 @@ groups:
 - id: type
 brief: >
 The custom security control type.
- requirement_level: optional
+ requirement_level: recommended
 examples: [ sanitizer; input-validator ]
 type:
 allow_custom_values: false
From ced25f2643115488ff45450a1368eaa1f6a3963b Mon Sep 17 00:00:00 2001
From: Meghan Ammentorp
Date: Tue, 17 Dec 2024 11:03:09 -0600
Subject: [PATCH 7/8] workflo fix
---
 model/trace/contrast-actions.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/model/trace/contrast-actions.yml b/model/trace/contrast-actions.yml
index e17686a..64c3548 100644
--- a/model/trace/contrast-actions.yml
+++ b/model/trace/contrast-actions.yml
@@ -239,4 +239,3 @@ groups:
 - id: regex-validator
 value: regex-validator
 brief: Regex Validator
-
From 3d7be8b12143dfdc85e47bc61ba1ef56ddcf83f1 Mon Sep 17 00:00:00 2001
From: Meghan Ammentorp
Date: Tue, 17 Dec 2024 14:01:45 -0600
Subject: [PATCH 8/8] oops
---
 model/trace/contrast-actions.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/model/trace/contrast-actions.yml b/model/trace/contrast-actions.yml
index 64c3548..953d6d6 100644
--- a/model/trace/contrast-actions.yml
+++ b/model/trace/contrast-actions.yml
@@ -199,6 +199,14 @@ groups:
 Describes attributes for Contrast Action span of type el-execution. The Spring Expression Language (SpEL for short) is a powerful expression language that supports querying and manipulating an object graph at runtime.
+ - id: contrast.action.span.ognl-execution
+ extends: attributes.contrast.code-exec
+ type: span
+ brief: >
+ Describes attributes for Contrast Action span of type ognl-execution. OGNL stands for Object-Graph Navigation Language.
+ It is an expression language for getting and setting properties of Java objects, plus other extras such as list projection
+ and selection and lambda expressions. You use the same expression for both getting and setting the value of a property.
+
 - id: contrast.action.span.security-control
 type: span
 brief: >
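Review bot: The restored `contrast.action.span.ognl-execution` group orders its keys `extends`, `type`, `brief`, while the neighbouring `el-execution` group above it uses `type`, `extends`, `brief`; since this is a re-add rather than a byte-for-byte revert, moving `type: span` above `extends: attributes.contrast.code-exec` would make the span groups read uniformly. Behaviour is unaffected either way, as mapping key order carries no meaning. The enclosing `groups:` list starts outside the hunk.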