Biases entries (#416)

TimmyBugcrowd · abhinav-nain · web-flow · commit 206c4b0f0e70 · 2024-07-04T11:35:34.000-04:00
* Biases entries

* Update vulnerability-rating-taxonomy.json

* * Fixing Indentation in JSONs
* Fixing cvss_v3 file
* Adding secure-code-warrior-links.json

* * Fixing mixup of entries in remediation_advice.json

* Adding CVSS Fix

* Modifying tests and Python Upgrade

* Reverting changes

* Fixing CWE Mapping in JSON

---------

Co-authored-by: Abhinav Nain &lt;abhinav.nain@bugcrowd.com&gt;
diff --git a/.github/workflows/validate_artifacts.yml b/.github/workflows/validate_artifacts.yml
@@ -16,10 +16,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v1
-      - name: Set up Python 3.7
+      - name: Set up Python 3.11
         uses: actions/setup-python@v1
         with:
-          python-version: 3.7
+          python-version: 3.11
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
diff --git a/.github/workflows/validate_vrt.yml b/.github/workflows/validate_vrt.yml
@@ -9,10 +9,10 @@ jobs:
 
     steps:
     - uses: actions/checkout@v1
-    - name: Set up Python 3.7
+    - name: Set up Python 3.11
       uses: actions/setup-python@v1
       with:
-        python-version: 3.7
+        python-version: 3.11
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,8 @@
-FROM python:3.6
-
-RUN pip install jsonschema GitPython semantic_version
+FROM python:3.11
 
 WORKDIR /tmp/vrt
+ADD . /tmp/vrt
+
+RUN pip install -r lib/requirements.txt
+
 CMD [ "python3", "-B" , "./lib/validate_vrt.py" ]
diff --git a/lib/tests/test_vrt.py b/lib/tests/test_vrt.py
@@ -7,6 +7,8 @@
 
 class TestVrt(unittest.TestCase):
     def setUp(self):
+        print("\n`---{}---`".format(self._testMethodName))
+        self.vrt = utils.get_json(utils.VRT_FILENAME)
         self.mappings = [
             { 'filename': f, 'name': os.path.splitext(os.path.basename(f))[0] }
             for f in glob.glob(utils.MAPPING_DIR + '/**/*.json', recursive=True) if 'schema' not in f
@@ -43,19 +45,22 @@ def test_mapping_schemas(self):
             self.validate_schema(schema_file, mapping['filename'])
 
     def all_vrt_ids_have_mapping(self, mappping_filename, key):
-        vrt = utils.get_json(utils.VRT_FILENAME)
         mapping = utils.get_json(mappping_filename)
         keyed_mapping = utils.key_by_id(mapping['content'])
-        for vrt_id_list in utils.all_id_lists(vrt, include_internal=False):
-            self.assertTrue(utils.has_mapping(keyed_mapping, vrt_id_list, key),
-                                'no ' + key + ' mapping for ' + '.'.join(vrt_id_list))
+        for vrt_id_list in utils.all_id_lists(self.vrt, include_internal=False):
+            result = utils.has_mapping(keyed_mapping, vrt_id_list, key)
+            if key == 'cwe' and not result:
+                print('WARNING: no ' + key + ' mapping for ' + '.'.join(vrt_id_list))
+            else:
+                self.assertTrue(utils.has_mapping(keyed_mapping, vrt_id_list, key),
+                                    'no ' + key + ' mapping for ' + '.'.join(vrt_id_list))
 
     def test_all_vrt_ids_have_all_mappings(self):
         for mapping in self.mappings:
             self.all_vrt_ids_have_mapping(mapping['filename'], mapping['name'])
 
     def only_map_valid_ids(self, mapping_filename):
-        vrt_ids = utils.all_id_lists(utils.get_json(utils.VRT_FILENAME))
+        vrt_ids = utils.all_id_lists(self.vrt)
         mapping_ids = utils.all_id_lists(utils.get_json(mapping_filename))
         for id_list in mapping_ids:
             self.assertIn(id_list, vrt_ids, 'invalid id in ' + mapping_filename + ' - ' + '.'.join(id_list))
diff --git a/mappings/cvss_v3/cvss_v3.json b/mappings/cvss_v3/cvss_v3.json
@@ -447,6 +447,63 @@
         }
       ]
     },
+    {
+      "id": "data_biases",
+      "children": [
+        {
+          "id": "representation_bias",
+          "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
+        },
+        {
+          "id": "pre_existing_bias",
+          "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
+        }
+      ]
+    },
+    {
+      "id": "algorithmic_biases",
+      "children": [
+        {
+          "id": "processing_bias",
+          "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
+        },
+        {
+          "id": "aggregation_bias",
+          "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
+        }
+      ]
+    },
+    {
+      "id": "societal_biases",
+      "children": [
+        {
+          "id": "confirmation_bias",
+          "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+        },
+        {
+          "id": "systemic_bias",
+          "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
+        }
+      ]
+    },
+    {
+      "id": "misinterpretation_biases",
+      "children": [
+        {
+          "id": "context_ignorance",
+          "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+        }
+      ]
+    },
+    {
+      "id": "developer_biases",
+      "children": [
+        {
+          "id": "implicit_bias",
+          "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N"
+        }
+      ]
+    },
     {
       "id": "sensitive_data_exposure",
       "children": [
@@ -828,31 +885,31 @@
       ]
     },
     {
-    "id": "physical_security_issues",
-    "children": [
-      {
-        "id": "bypass_of_physical_access_control",
-        "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
-      },
-      {
-        "id": "weakness_in_physical_access_control",
-        "children": [
-          {
-            "id": "cloneable_key",
-            "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
-          },
-          {
-            "id": "master_key_identification",
-            "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
-          },
-          {
-            "id": "commonly_keyed_system",
-            "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
-          }
-        ]
-      }
-    ]
-  },
+      "id": "physical_security_issues",
+      "children": [
+        {
+          "id": "bypass_of_physical_access_control",
+          "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
+        },
+        {
+          "id": "weakness_in_physical_access_control",
+          "children": [
+            {
+              "id": "cloneable_key",
+              "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
+            },
+            {
+              "id": "master_key_identification",
+              "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
+            },
+            {
+              "id": "commonly_keyed_system",
+              "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
+            }
+          ]
+        }
+      ]
+    },
     {
       "id": "insecure_os_firmware",
       "children": [
@@ -873,7 +930,7 @@
             }
           ]
         },
-       {
+        {
           "id": "weakness_in_firmware_updates",
           "children": [
             {
@@ -889,54 +946,54 @@
               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
             }
           ]
-        },      
-  {
-    "id": "kiosk_escape_or_breakout",
-    "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"
-  },
-  {
-    "id": "poorly_configured_disk_encryption",
-    "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-  },
-  {
-    "id": "shared_credentials_on_storage",
-    "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
-  },
-  {
-    "id": "over_permissioned_credentials_on_storage",
-    "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
-  },
-  {
-    "id": "local_administrator_on_default_environment",
-    "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
-  },
-  {
-    "id": "poorly_configured_operating_system_security",
-    "cvss_v3": "AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
-  },
-  {
-    "id": "recovery_of_disk_contains_sensitive_material",
-    "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-  },
-  {
-    "id": "failure_to_remove_sensitive_artifacts_from_disk",
-    "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
-  },
-  {
-    "id": "data_not_encrypted_at_rest",
-    "children": [
-      {
-        "id": "non_sensitive",
-        "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
-      },
-      {
-        "id": "sensitive",
-        "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-      }
-    ]
-  } 
- ]
-},
+        },
+        {
+          "id": "kiosk_escape_or_breakout",
+          "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"
+        },
+        {
+          "id": "poorly_configured_disk_encryption",
+          "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "id": "shared_credentials_on_storage",
+          "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+        },
+        {
+          "id": "over_permissioned_credentials_on_storage",
+          "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+        },
+        {
+          "id": "local_administrator_on_default_environment",
+          "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+        },
+        {
+          "id": "poorly_configured_operating_system_security",
+          "cvss_v3": "AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
+        },
+        {
+          "id": "recovery_of_disk_contains_sensitive_material",
+          "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "id": "failure_to_remove_sensitive_artifacts_from_disk",
+          "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        },
+        {
+          "id": "data_not_encrypted_at_rest",
+          "children": [
+            {
+              "id": "non_sensitive",
+              "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
+            },
+            {
+              "id": "sensitive",
+              "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+            }
+          ]
+        }
+      ]
+    },
     {
       "id": "cryptographic_weakness",
       "children": [
diff --git a/mappings/cwe/cwe.json b/mappings/cwe/cwe.json
@@ -751,6 +751,68 @@
     {
       "id": "indicators_of_compromise",
       "cwe": null
+    },
+    {
+      "id": "data_biases",
+      "cwe": null,
+      "children": [
+        {
+          "id": "representation_bias",
+          "cwe": null
+        },
+        {
+          "id": "pre_existing_bias",
+          "cwe": null
+        }
+      ]
+    },
+    {
+      "id": "algorithmic_biases",
+      "cwe": null,
+      "children": [
+        {
+          "id": "processing_bias",
+          "cwe": null
+        },
+        {
+          "id": "aggregation_bias",
+          "cwe": null
+        }
+      ]
+    },
+    {
+      "id": "societal_biases",
+      "cwe": null,
+      "children": [
+        {
+          "id": "confirmation_bias",
+          "cwe": null
+        },
+        {
+          "id": "systemic_bias",
+          "cwe": null
+        }
+      ]
+    },
+    {
+      "id": "misinterpretation_biases",
+      "cwe": null,
+      "children": [
+        {
+          "id": "context_ignorance",
+          "cwe": null
+        }
+      ]
+    },
+    {
+      "id": "developer_biases",
+      "cwe": null,
+      "children": [
+        {
+          "id": "implicit_bias",
+          "cwe": null
+        }
+      ]
     }
   ]
 }
diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json
diff --git a/third-party-mappings/remediation_training/secure-code-warrior-links.json b/third-party-mappings/remediation_training/secure-code-warrior-links.json
diff --git a/vulnerability-rating-taxonomy.json b/vulnerability-rating-taxonomy.json
