Merge branch 'devsecopsmaturitymodel:main' into main

Author: vbakke

CHANGELOG.md

@@ -1,3 +1,32 @@
+## [1.20.1](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/compare/v1.20.0...v1.20.1) (2025-11-24)
+
+
+### Bug Fixes
+
+* Sort activities by level, within each sub-dimension ([e2aeba7](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/e2aeba77089d21f0e7c5ce5bf6612903efc1938f))
+
+# [1.20.0](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/compare/v1.19.0...v1.20.0) (2025-11-18)
+
+
+### Features
+
+* adopt changes to bat file ([796e1d2](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/796e1d27f682eb27b6de5c4b6c5969119caa5a2e))
+* install dep always ([0761ee3](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/0761ee35da67f843c68cbf413a04d365482ab879))
+
+# [1.19.0](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/compare/v1.18.0...v1.19.0) (2025-11-17)
+
+
+### Features
+
+* Improved start script ([18d6205](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/18d6205beb02b5c809b95dc15a76c9bcb803eb3d))
+
+# [1.18.0](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/compare/v1.17.0...v1.18.0) (2025-11-06)
+
+
+### Features
+
+* update SAMM mapping based on arams feedback ([532bb72](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/532bb72debcd93f98f07dc7d4b28d799da6e155d))
+
 # [1.17.0](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/compare/v1.16.0...v1.17.0) (2025-09-15)
 
 

README.md

@@ -1,21 +1,72 @@
 # OWASP DevSecOps Maturity Model Data
-Data for the OWASP DevSecOps Maturity Model.
+
+This GitHub project ([DevSecOps-MaturityModel-data](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data)) contains the source for the model itself, used by the DSOMM applciation [DevSecOps-MaturityModel](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel). 
+
+The source files include dimensions, activities, descriptions, measures, and other model data used by the application.
+
+
+## Contribution
+
+Contributions that improve the DSOMM model are welcome. Please edit the source files under `src/assets/YAML/default/*` and open a pull request.
+
+
+### Testing
+
+After making changes, generate a new `activities.yaml` and use it in a local DSOMM application to verify there are no technical issues.
+
 
 ## Usage
-To test changes to the yaml-files, please run:
-```bash
-docker run -ti -v $(pwd)/src/assets/YAML/default:/var/www/html/src/assets/YAML/default -v $(pwd)/src/assets/YAML/generated:/var/www/html/src/assets/YAML/generated -v $(pwd)/src/assets/YAML/schema:/var/www/html/src/assets/YAML/schema wurstbrot/dsomm-yaml-generation
 
-# Afterwards, you can use the generated.yaml in a container
-docker  run -v $(pwd)/src/assets/YAML/generated/generated.yaml:/srv/assets/YAML/generated/generated.yaml -p 8080:8080 wurstbrot/dsomm
-```
+The script is executed using `docker` (or alternatively `podman`).
+Depending on your platform use either `generateDimensions.bash` (Linux) or `generateDimensions.bat` (Windows). 
+
+1. Clone the repo:
+
+   `git clone https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data.git`
+
+2. Change directory:
+
+   `cd yaml-generation`
+
+3. Install dependencies:
+
+   `./generateDimensions.bash --install`
+
+4. Generate `activities.yaml`:
+
+   `./generateDimensions.bash`
+
+
+
+### Starting a local DSOMM application
+
+To start a local DSOMM instance on http://localhost:8080, run:
+
+   `./generateDimensions.bash --start-dsomm`
+
+
+### Test referenced URLs
+
+To test all URLs referenced by `implementations.yaml` and save results to `url-test-results.txt`, run:
+
+   `./generateDimensions.bash --test-urls`
+
+
+### Using Podman instead of Docker
+
+If you prefer Podman over Docker, set the environement variable `DOCKER_CMD` to `podman`, or edit the script for you operating system.
+
 
 ## Credits
 
-* The dimension _Test and Verification_ is based on Christian Schneiders [Security DevOps Maturity Model (SDOMM)](https://www.christian-schneider.net/SecurityDevOpsMaturityModel.html). _Application tests_ and _Infrastructure tests_ are added by Timo Pagel. Also, the sub-dimension _Static depth_ has been evaluated by security experts at [OWASP Stammtisch Hamburg](https://www.owasp.org/index.php/OWASP_German_Chapter_Stammtisch_Initiative/Hamburg).
-* The sub-dimension <i>Process</i> has been added after a discussion with [Francois Raynaud](https://www.linkedin.com/in/francoisraynaud/) that reactive activities are missing.
-* Enhancement of my basic translation is performed by [Claud Camerino](https://github.com/clazba).
-* Adding ISO 27001:2017 mapping, [Andre Baumeier](https://github.com/AndreBaumeier).
-* [OWASP Project Integration Project Writeup](https://github.com/OWASP/www-project-integration-standards/blob/master/writeups/owasp_in_sdlc/index.md) for providing documentation on different DevSecOps practices which are copied&pasted/ (and adopted) (https://github.com/northdpole, https://github.com/ThunderSon)
-* The requirements from [level 0](https://github.com/AppSecure-nrw/security-belts/blob/master/white/) are based on/copied from [AppSecure NRW](https://appsecure.nrw/)
-* The sub dimension _Test KPI_, _Triage_, _Dynamic depth for app/infra_, _Static depth for app/infra_ and some other vulnerability management activities are based/inspired by [Vulnerability Managment Maturity Model - Cheat Sheet V1.6](TODO FRANCESCO LINK)
+- The "Test and Verification" dimension is based on Christian Schneider's Security DevOps Maturity Model (SDOMM).
+- Application and infrastructure tests were added by Timo Pagel.
+- The "Process" sub-dimension was added after discussion with Francois Raynaud.
+- Translations and edits were contributed by Claud Camerino.
+- ISO 27001:2017 mapping by Andre Baumeier.
+- Other inspirations and contributions are acknowledged in the original README.
+
+
+## License
+
+See the `LICENSE` file in this repository for license details.

src/assets/YAML/default/BuildAndDeployment/Build.yaml

@@ -31,7 +31,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/container-technologi
       references:
         samm2:
-          - I-SB-2-A
+          - I-SB-A-2
         iso27001-2017:
           - 14.2.6
         iso27001-2022:
@@ -72,7 +72,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/container-technologi
       references:
         samm2:
-          - I-SB-1-A
+          - I-SB-A-1
         iso27001-2017:
           - 12.1.1
           - 14.2.2
@@ -105,14 +105,16 @@ Build and Deployment:
         resources: 2
       usefulness: 3
       level: 2
+      tags:
+        - inventory
       implementation:
          - $ref: src/assets/YAML/default/implementations.yaml#/implementations/signing-of-containers
          - $ref: src/assets/YAML/default/implementations.yaml#/implementations/immutable-images
       dependsOn:
         - Defined build process
       references:
         samm2:
-          - I-SB-1-A
+          - I-SB-B-1
         iso27001-2017:
           - 14.2.6
         iso27001-2022:
@@ -145,7 +147,8 @@ Build and Deployment:
       implementation: []
       references:
         samm2:
-          - I-SB-1-A
+          - I-SB-B-1
+          - D-TA-A-1
         iso27001-2017:
           - 8.1
           - 8.2
@@ -183,7 +186,7 @@ Build and Deployment:
         - Pinning of artifacts
       references:
         samm2:
-          - I-SB-1-A
+          - I-SB-A-1
         iso27001-2017:
           - 14.2.6
         iso27001-2022:
@@ -210,7 +213,7 @@ Build and Deployment:
         - Defined build process
       references:
         samm2:
-          - I-SB-2-A
+          - I-SB-A-2
         iso27001-2017:
           - 14.2.6
         iso27001-2022:

src/assets/YAML/default/BuildAndDeployment/Deployment.yaml

@@ -20,7 +20,7 @@ Build and Deployment:
         - Smoke Test
       references:
         samm2:
-          - I-SD-2-A
+          - I-SD-A-3
         iso27001-2017:
           - 17.2.1 # Availability of information processing facilities
           - 12.1.1 # Documented operational procedures
@@ -59,7 +59,7 @@ Build and Deployment:
       level: 2
       references:
         samm2:
-          - O-OM-2-B
+          - O-OM-B-2
         iso27001-2017:
           - 11.2.7
         iso27001-2022:
@@ -83,13 +83,13 @@ Build and Deployment:
       usefulness: 4
       level: 1
       dependsOn:
-        - uuid:f6f7737f-25a9-4317-8de2-09bf59f29b5b # Def. Build Process
+        - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Def. Build Process
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/ci-cd-tools
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/docker
       references:
         samm2:
-          - I-SD-1-A
+          - I-SD-A-1
         iso27001-2017:
           - 12.1.1
           - 14.2.2
@@ -120,7 +120,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/hashicorp-vault
       references:
         samm2:
-          - I-SD-1-B
+          - I-SD-B-1
         iso27001-2017:
           - 9.4.5
           - 14.2.6
@@ -154,7 +154,7 @@ Build and Deployment:
         - Environment depending configuration parameters (secrets)
       references:
         samm2:
-          - I-SD-2-B
+          - I-SD-B-2
         iso27001-2017:
           - 14.1.3
           - 13.1.3
@@ -182,7 +182,7 @@ Build and Deployment:
         A documented inventory of dependencies used in artifacts like container images and containers
         exists.
       dependsOn:
-        - uuid:83057028-0b77-4d2e-8135-40969768ae88 # Inventory of production artifacts
+        - 83057028-0b77-4d2e-8135-40969768ae88 # Inventory of production artifacts
         - SBOM of components
       difficultyOfImplementation:
         knowledge: 2
@@ -196,9 +196,9 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/image-metadata-collector
       references:
         samm2:
-          - I-SB-3-B
-          - I-SB-2-B
-          - I-SB-1-B
+          - I-SB-B-3
+          - I-SB-B-2
+          - I-SB-B-1
         iso27001-2017:
           - 8.1
           - 8.2
@@ -230,7 +230,8 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/image-metadata-collector
       references:
         samm2:
-          - I-SB-1-B
+          - I-SB-B-1
+          - D-TA-B-1
         iso27001-2017:
           - 8.1
           - 8.2
@@ -248,7 +249,7 @@ Build and Deployment:
       measure: A documented inventory of artifacts in production like container images exists (gathered manually or automatically).
       dependsOn:
         - Defined deployment process
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       difficultyOfImplementation:
         knowledge: 2
         time: 2
@@ -261,7 +262,8 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/image-metadata-collector
       references:
         samm2:
-          - I-SB-1-B
+          - I-SB-B-1
+          - D-TA-B-1
         iso27001-2017:
           - 8.1
           - 8.2
@@ -288,7 +290,8 @@ Build and Deployment:
         - Defined deployment process
       references:
         samm2:
-          - I-SD-1-A
+          - I-SD-A-2
+          - I-SD-A-3
         iso27001-2017:
           - 12.5.1
           - 14.2.2
@@ -320,7 +323,8 @@ Build and Deployment:
         - Defined build process
       references:
         samm2:
-          - I-SD-2-A
+          - I-SD-A-2
+          - I-SD-A-3
         iso27001-2017:
           - 14.3.1
           - 14.2.8
@@ -353,7 +357,7 @@ Build and Deployment:
         - Same artifact for environments
       references:
         samm2:
-          - I-SD-2-A
+          - I-SD-A-2
         iso27001-2017:
           - 14.3.1
           - 14.2.8
@@ -387,7 +391,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/packj
       references:
         samm2:
-          - O-EM-1-A
+          - O-EM-A-1
         iso27001-2017:
           - Not explicitly covered by ISO 27001 - too specific
           - 14.2.1

src/assets/YAML/default/BuildAndDeployment/PatchManagement.yaml

@@ -17,7 +17,7 @@ Build and Deployment:
       implementation: []
       references:
         samm2:
-          - O-EM-1-B
+          - O-EM-B-1
         iso27001-2017:
           - 12.6.1
           - 12.5.1
@@ -58,7 +58,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/renovate
       references:
         samm2:
-          - O-EM-1-B
+          - O-EM-B-1
         iso27001-2017:
           - 12.6.1
           - 14.2.5
@@ -93,7 +93,7 @@ Build and Deployment:
       implementation: []
       references:
         samm2:
-          - O-EM-1-B
+          - O-EM-B-2
         iso27001-2017:
           - 12.6.1
         iso27001-2022:
@@ -129,7 +129,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/distroless-usage
       references:
         samm2:
-          - I-SB-2
+          - I-SB-B-2
         iso27001-2017:
           - hardening is missing in ISO 27001
           - 14.2.1
@@ -169,7 +169,7 @@ Build and Deployment:
       implementation: []
       references:
         samm2:
-          - O-EM-1-B
+          - O-EM-B-1
         iso27001-2017:
           - 12.6.1
         iso27001-2022:
@@ -204,7 +204,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sample-concept-1
       references:
         samm2:
-          - O-EM-2-B
+          - O-EM-B-2
         iso27001-2017:
           - 12.6.1
         iso27001-2022:
@@ -237,7 +237,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/renovate
       references:
         samm2:
-          - O-EM-2-B
+          - O-EM-B-2
         iso27001-2017:
           - 12.6.1
         iso27001-2022: