

// SPDX-License-Identifier: Apache-2.0

// Schema lifecycle: experimental | stable | deprecated
@status("experimental")
package gemara

// list is used below for list.Contains validators that check
// cross-references between vectors and catalog groups.
import "list"

// @go attributes steer CUE's Go type generation: at package level the
// generated Go package name, on fields below the generated Go field name.
@go(gemara)

// A VectorCatalog is a structured collection of documented vectors,
// serving as a centralized reference for known attack methods and
// exploitation pathways that may be relevant to a particular domain,
// framework, or security model.
//
// It embeds #Catalog and fixes metadata.type to "VectorCatalog". When the
// optional vectors list is present, the catalog additionally requires a
// non-empty groups list, and the hidden fields below enforce referential
// integrity so that a vector can never be filed under an unknown group or
// applicability context: every vector id is unique within the catalog,
// every vector.group names an existing group id, and (when the catalog
// declares metadata."applicability-groups") every applicability entry names
// an existing applicability-group id. When vectors is absent none of these
// checks apply; #Catalog may still impose its own constraints on groups.
#VectorCatalog: {
	#Catalog
	metadata: type: "VectorCatalog"

	// vectors is a list of attack vectors documented in this catalog
	vectors?: [#Vector, ...#Vector] @go(Vectors)

	if vectors != _|_ {
		// Map each vector id to its list index. A duplicate id would bind two
		// different indices to the same key, which cannot unify and therefore
		// rejects the catalog -- this is how id uniqueness is enforced.
		_uniqueVectorIds: {for i, v in vectors {(v.id): i}}
		// A catalog that documents vectors must declare at least one group
		// for them to belong to.
		groups: [#Group, ...#Group]
		let _validGroupIds = [for g in groups {g.id}]

		// Unify the valid ID list with a list.Contains constraint to require each entry's value exists
		// (one hidden entry per vector, keyed by its index so a failure points at the offending vector)
		for i, v in vectors {
			_groupValidation: "\(i)": _validGroupIds & list.Contains(v.group)
		}
		// Applicability references are only checked when the catalog declares
		// applicability groups. Entries are keyed "<vector index>-<entry index>"
		// so each dangling reference can be located individually.
		if metadata."applicability-groups" != _|_ {
			let _validApplicabilityIds = [for ag in metadata."applicability-groups" {ag.id}]
			for i, v in vectors if v.applicability != _|_ {
				for j, a in v.applicability {
					_applicabilityValidation: "\(i)-\(j)": _validApplicabilityIds & list.Contains(a)
				}
			}
		}
	}
}

// A Vector represents a method, pathway, or technique through which a threat
// may be realized or an attack may be carried out.
//
// All fields except applicability are required. Cross-references (group,
// applicability) are plain strings here; the owning #VectorCatalog is what
// checks that they resolve to declared ids.
#Vector: {
	// id identifies this vector so other elements can reference it;
	// #VectorCatalog rejects two vectors with the same id in one catalog
	id: string
	// title is a short human-readable name for the vector
	title: string
	// description explains how the attack vector works
	description: string
	// group is the id of the catalog group this vector belongs to; the
	// owning #VectorCatalog verifies that the id exists in its groups list
	group: string @go(Group)
	// applicability lists the contexts in which this vector can manifest.
	// When present it must hold at least one entry, each naming an id from
	// the catalog's metadata."applicability-groups" (checked by the catalog
	// only when that list is declared)
	applicability?: [string, ...string] @go(Applicability)
}

54
55	// applicability specifies the contexts in which this vector can manifest
56	applicability?: [string, ...string] @go(Applicability)
57}