1// SPDX-License-Identifier: Apache-2.0
2
3// Schema lifecycle: experimental | stable | deprecated
4@status("stable")
5package gemara
6
7import "list"
8
9@go(gemara)
10
// ThreatCatalog describes a set of topically-associated threats.
// On top of the shared #Catalog shape it enforces two integrity rules over
// the threats it carries: threat ids are unique within the catalog, and
// every threat's group reference resolves to a group declared in the same
// catalog. Both rules are evaluated only when the optional threats list is
// present.
#ThreatCatalog: {
	#Catalog
	metadata: type: "ThreatCatalog"

	// threats is a list of threats defined by this catalog. When given it
	// must hold at least one #Threat.
	threats?: [#Threat, ...#Threat] @go(Threats)

	// Comparing an optional field against bottom (_|_) is how presence is
	// tested in CUE; the constraints in this block only apply when
	// threats is set.
	if threats != _|_ {
		// Hidden (underscore-prefixed) field, so it is never exported.
		// Mapping each threat id to its list index means two threats that
		// share an id would assign conflicting indices to the same key,
		// which fails evaluation — this is the catalog-wide uniqueness
		// check on Threat.id.
		_uniqueThreatIds: {for i, t in threats {(t.id): i}}

		// A catalog that declares threats must also declare at least one
		// group, since every threat has to reference one. #Group is
		// defined outside this file, in the same package.
		groups: [#Group, ...#Group]
		let _validGroupIds = [for g in groups {g.id}]

		// Referential integrity for Threat.group: unify the list of
		// declared group ids with a list.Contains validator so that a
		// threat pointing at an undeclared group id is rejected rather
		// than left dangling. Entries are keyed by list index so a
		// failure is reported against the offending position.
		// NOTE(review): no analogous cross-check exists in this file for
		// the capabilities/vectors mappings; confirm whether
		// #MultiEntryMapping validates its own references.
		for i, t in threats {
			_groupValidation: "\(i)": _validGroupIds & list.Contains(t.group)
		}
	}
}
30
// Threat describes a specifically-scoped opportunity for a negative impact
// to the organization. A threat is always attached to a catalog group and
// to at least one system capability; vectors and actors are optional
// enrichments.
#Threat: {
	// id allows this entry to be referenced by other elements. Any string
	// is accepted here; uniqueness is enforced per catalog by
	// #ThreatCatalog, not by this definition.
	// NOTE(review): the empty string satisfies this constraint — tighten
	// if empty ids must be rejected.
	id: string

	// title describes this threat at a glance
	title: string

	// description provides a detailed explanation of an opportunity for
	// negative impact
	description: string

	// group references by id a catalog group that this threat belongs to.
	// The reference is checked against the enclosing catalog's declared
	// groups by #ThreatCatalog.
	group: string @go(Group)

	// capabilities documents the relationship between this threat and a
	// system capability. Required; at least one mapping must be given.
	capabilities: [#MultiEntryMapping, ...#MultiEntryMapping]

	// vectors documents the relationship between this threat and one or
	// more vectors. Optional; when present it must be non-empty.
	vectors?: [#MultiEntryMapping, ...#MultiEntryMapping] @go(Vectors)

	// actors describes the relevant internal or external threat actors.
	// Optional; when present it must be non-empty.
	actors?: [#Actor, ...#Actor]
}