

 1// SPDX-License-Identifier: Apache-2.0
 2
 3// Schema lifecycle: experimental | stable | deprecated
 4@status("stable")
 5package gemara
 6
 7import "list"
 8
 9@go(gemara)
10
// ThreatCatalog describes a set of topically-associated threats.
// It embeds the shared #Catalog schema from this package and pins the
// metadata type discriminator to "ThreatCatalog".
#ThreatCatalog: {
	#Catalog
	metadata: type: "ThreatCatalog"

	// threats is a list of threats defined by this catalog.
	// Optional; when present it must hold at least one #Threat.
	threats?: [#Threat, ...#Threat] @go(Threats)

	// The comparison against bottom (_|_) is true only when the optional
	// threats field has actually been given a value, so the constraints
	// below apply solely to catalogs that declare threats.
	if threats != _|_ {
		// Hidden (not exported) field enforcing id uniqueness: each threat id
		// becomes a key mapped to its list index. Two entries sharing an id
		// would map the same key to two different indices, which unify to
		// bottom and fail validation.
		_uniqueThreatIds: {for i, t in threats {(t.id): i}}
		// A catalog with threats must declare at least one group, because
		// every #Threat references a group by id.
		groups: [#Group, ...#Group]
		let _validGroupIds = [for g in groups {g.id}]

		// Unify the valid ID list with a list.Contains constraint to require each entry's value exists.
		// list.Contains with the list argument omitted acts as a validator, so
		// the unification fails unless t.group is one of the declared group ids.
		// Entries are keyed by threat index so a failure identifies which
		// threat references an undeclared group.
		for i, t in threats {
			_groupValidation: "\(i)": _validGroupIds & list.Contains(t.group)
		}
	}
}
30
// Threat describes a specifically-scoped opportunity for a negative impact to the organization.
// Cross-entry constraints (id uniqueness, group existence) are enforced by
// #ThreatCatalog rather than here.
#Threat: {
	// id allows this entry to be referenced by other elements.
	// Only constrained to be a string; no format or non-empty requirement
	// is applied at this level.
	id: string

	// title describes this threat at a glance
	title: string

	// description provides a detailed explanation of an opportunity for negative impact
	description: string

	// group references by id a catalog group that this threat belongs to.
	// #ThreatCatalog checks that this id appears in the catalog's groups list.
	group: string @go(Group)

	// capabilities documents the relationship between this threat and a system capability.
	// Required: at least one #MultiEntryMapping entry.
	capabilities: [#MultiEntryMapping, ...#MultiEntryMapping]

	// vectors documents the relationship between this threat and one or more vectors.
	// Optional; when present it must hold at least one #MultiEntryMapping.
	vectors?: [#MultiEntryMapping, ...#MultiEntryMapping] @go(Vectors)

	// actors describes the relevant internal or external threat actors.
	// Optional; when present it must hold at least one #Actor.
	actors?: [#Actor, ...#Actor]
}
50
51	// actors describes the relevant internal or external threat actors
52	actors?: [#Actor, ...#Actor]
53}