1// SPDX-License-Identifier: Apache-2.0
2
3// Schema lifecycle: experimental | stable | deprecated
4@status("experimental")
5package gemara
6
7import "list"
8
9@go(gemara)
10
// A VectorCatalog is a structured collection of documented vectors,
// serving as a centralized reference for known attack methods and
// exploitation pathways that may be relevant to a particular domain,
// framework, or security model.
13
#VectorCatalog: {
	// Embed the shared #Catalog definition (declared elsewhere in this
	// package) and pin metadata.type so this catalog kind is self-identifying.
	#Catalog
	metadata: type: "VectorCatalog"

	// vectors is a list of attack vectors documented in this catalog.
	// The field is optional, but when present it must be non-empty; all of
	// the cross-reference checks below apply only when it is present.
	vectors?: [#Vector, ...#Vector] @go(Vectors)

	if vectors != _|_ {
		// Map each vector id to its list index. Two vectors with the same id
		// would assign different indices to the same key, which is a conflict,
		// so this enforces id uniqueness without an explicit check.
		_uniqueVectorIds: {for i, v in vectors {(v.id): i}}

		// A catalog that documents vectors must also declare at least one
		// group, because every #Vector.group must resolve to a group id.
		groups: [#Group, ...#Group]
		let _validGroupIds = [for g in groups {g.id}]

		// Unify the valid ID list with a list.Contains constraint to require each entry's value exists
		// (keyed by vector index so a failure points at the offending entry).
		for i, v in vectors {
			_groupValidation: "\(i)": _validGroupIds & list.Contains(v.group)
		}

		// Applicability references are only cross-checked when the catalog
		// metadata declares "applicability-groups".
		// NOTE(review): when that metadata is absent, any v.applicability
		// entries are accepted unvalidated — confirm this is the intended
		// behaviour rather than requiring the groups whenever a vector
		// declares applicability.
		if metadata."applicability-groups" != _|_ {
			let _validApplicabilityIds = [for ag in metadata."applicability-groups" {ag.id}]
			// Keyed "\(i)-\(j)" so each (vector, applicability entry) pair is
			// checked independently and reported by position.
			for i, v in vectors if v.applicability != _|_ {
				for j, a in v.applicability {
					_applicabilityValidation: "\(i)-\(j)": _validApplicabilityIds & list.Contains(a)
				}
			}
		}
	}
}
40
// A Vector represents a method, pathway, or technique through which a threat
// may be realized or an attack may be carried out.
#Vector: {
	// id allows this vector to be referenced by other elements.
	// #VectorCatalog requires ids to be unique within a catalog.
	id: string

	// title describes the vector
	title: string

	// description explains how the attack vector works
	description: string

	// group references by id a catalog group that this vector belongs to.
	// #VectorCatalog checks that this id exists in the catalog's groups.
	group: string @go(Group)

	// applicability specifies the contexts in which this vector can manifest,
	// given as ids from the catalog metadata's "applicability-groups".
	// #VectorCatalog cross-checks these ids only when that metadata is present.
	applicability?: [string, ...string] @go(Applicability)
}