Merge pull request #57 from vbakke/feat/tidy-uuid-prefix

Removed dependsOn 'uuid:' prefix

Author: wurstbrot

src/assets/YAML/default/BuildAndDeployment/Deployment.yaml

@@ -83,7 +83,7 @@ Build and Deployment:
       usefulness: 4
       level: 1
       dependsOn:
-        - uuid:f6f7737f-25a9-4317-8de2-09bf59f29b5b # Def. Build Process
+        - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Def. Build Process
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/ci-cd-tools
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/docker
@@ -182,7 +182,7 @@ Build and Deployment:
         A documented inventory of dependencies used in artifacts like container images and containers
         exists.
       dependsOn:
-        - uuid:83057028-0b77-4d2e-8135-40969768ae88 # Inventory of production artifacts
+        - 83057028-0b77-4d2e-8135-40969768ae88 # Inventory of production artifacts
         - SBOM of components
       difficultyOfImplementation:
         knowledge: 2
@@ -249,7 +249,7 @@ Build and Deployment:
       measure: A documented inventory of artifacts in production like container images exists (gathered manually or automatically).
       dependsOn:
         - Defined deployment process
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       difficultyOfImplementation:
         knowledge: 2
         time: 2

src/assets/YAML/default/CultureAndOrganization/Process.yaml

@@ -103,7 +103,7 @@ Culture and Organization:
       usefulness: 3
       level: 2
       dependsOn:
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # inventory of production components
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-defectdojo
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/purify

src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml

@@ -68,7 +68,7 @@ Implementation:
       usefulness: 4
       level: 3
       dependsOn:
-        - uuid:e7598ac4-b082-4e56-b7df-e2c6b426a5e2 # Require a PR before merging
+        - e7598ac4-b082-4e56-b7df-e2c6b426a5e2 # Require a PR before merging
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/azuredevops
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-policies
@@ -150,7 +150,7 @@ Implementation:
       usefulness: 4
       level: 3
       dependsOn:
-        - uuid:e7598ac4-b082-4e56-b7df-e2c6b426a5e2
+        - e7598ac4-b082-4e56-b7df-e2c6b426a5e2
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/azuredevops
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-policies
@@ -182,7 +182,7 @@ Implementation:
       usefulness: 3
       level: 3
       dependsOn:
-        - uuid:e7598ac4-b082-4e56-b7df-e2c6b426a5e2
+        - e7598ac4-b082-4e56-b7df-e2c6b426a5e2
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/azuredevops
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-policies

src/assets/YAML/default/InformationGathering/TestKPI.yaml

@@ -90,7 +90,7 @@ Information Gathering:
       usefulness: 3
       level: 2
       dependsOn:
-        - uuid:8ae0b92c-10e0-4602-ba22-7524d6aed488 #Automated PRs for patches
+        - 8ae0b92c-10e0-4602-ba22-7524d6aed488 #Automated PRs for patches
       implementation: []
       references:
         samm2:
@@ -151,8 +151,8 @@ Information Gathering:
       usefulness: 3
       level: 4
       dependsOn:
-        - uuid:86d490b9-d798-4a5b-a011-ab9688014c46 # Patching mean time to resolution via PR
-        - uuid:8ae0b92c-10e0-4602-ba22-7524d6aed488 # Automated PRs for patches
+        - 86d490b9-d798-4a5b-a011-ab9688014c46 # Patching mean time to resolution via PR
+        - 8ae0b92c-10e0-4602-ba22-7524d6aed488 # Automated PRs for patches
       implementation: []
       references:
         samm2:

src/assets/YAML/default/TestAndVerification/Consolidation.yaml

@@ -21,9 +21,9 @@ Test and Verification:
           - The number of network hops required to reach the asset (recommended)
           - Authentication requirements for access (recommended)
       dependsOn:
-        - uuid:44f2c8a9-4aaa-4c72-942d-63f78b89f385 # Treatment of defects with severity high or higher:
-        #- uuid:3260a15f-2df0-4173-8790-f11de2cb525a # Access applications accessibility TODO
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 44f2c8a9-4aaa-4c72-942d-63f78b89f385 # Treatment of defects with severity high or higher:
+        #- 3260a15f-2df0-4173-8790-f11de2cb525a # Access applications accessibility TODO
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       implementation:
       references:
         samm2:
@@ -372,9 +372,9 @@ Test and Verification:
         resources: 2
       usefulness: 2
       dependsOn:
-        - uuid:f2f0f274-c1a0-4501-92fe-7fc4452bc8ad # EPSS/CISA KEV
-        - uuid:6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 # Each team has a security champion
-        - uuid:185d5a74-19dc-4422-be07-44ea35226783 # Office Hours
+        - f2f0f274-c1a0-4501-92fe-7fc4452bc8ad # EPSS/CISA KEV
+        - 6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 # Each team has a security champion
+        - 185d5a74-19dc-4422-be07-44ea35226783 # Office Hours
       level: 3
       description: |-
         For known vulnerabilities a processes to estimate the exploit ability of a vulnerability is recommended.

src/assets/YAML/default/TestAndVerification/DynamicDepthForInfrastructure.yaml

@@ -142,7 +142,7 @@ Test and Verification:
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/netassert
       dependsOn:
-        - uuid:4ce24abd-8ba6-494c-828d-4d193e28e4a1 # Isolated networks for virtual environments
+        - 4ce24abd-8ba6-494c-828d-4d193e28e4a1 # Isolated networks for virtual environments
       references:
         samm2:
           - V-ST-A-2

src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml

@@ -159,7 +159,7 @@ Test and Verification:
           - 8.28 # Secure coding
       isImplemented: false
       dependsOn:
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
     Static analysis for all components/libraries:
       uuid: f4ff841d-3b2a-45d9-853e-5ec7ecbcb054
       risk: Used components like libraries and legacy applications might have vulnerabilities
@@ -173,7 +173,7 @@ Test and Verification:
       dependsOn:
         - Static analysis for important client side components
         - Static analysis for important server side components
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       implementation: []
       references:
         samm2:
@@ -209,7 +209,7 @@ Test and Verification:
       dependsOn:
         - Static analysis for important client side components
         - Static analysis for important server side components
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       references:
         samm2:
           - V-ST-A-2
@@ -244,7 +244,7 @@ Test and Verification:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/appscan-vscode-extension
       dependsOn:
         - Defined build process
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       references:
         samm2:
           - V-ST-A-2
@@ -277,7 +277,7 @@ Test and Verification:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/appscan-vscode-extension
       dependsOn:
         - Defined build process
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       references:
         samm2:
           - V-ST-A-2
@@ -333,7 +333,7 @@ Test and Verification:
       usefulness: 4
       level: 3
       dependsOn:
-        - uuid:d918cd44-a972-43e9-a974-eff3f4a5dcfe # SCA for server
+        - d918cd44-a972-43e9-a974-eff3f4a5dcfe # SCA for server
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/cisa-kev
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/epss
@@ -357,8 +357,8 @@ Test and Verification:
       level: 3
       dependsOn:
         - Defined build process
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
-        - uuid:f2f0f274-c1a0-4501-92fe-7fc4452bc8ad # EPSS/CISA KEV
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - f2f0f274-c1a0-4501-92fe-7fc4452bc8ad # EPSS/CISA KEV
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/retire-js
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/npm-audit
@@ -390,7 +390,7 @@ Test and Verification:
       level: 2
       dependsOn:
         - Defined build process
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-dependency-che
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack

yaml-generation/generateDimensions.php

@@ -4,16 +4,6 @@
 
 $errorMsg = array();
 $implementationReferenceFile = "src/assets/YAML/default/implementations.yaml";
-$metadata = readYaml("src/assets/YAML/meta.yaml");
-
-$teams = $metadata["teams"];
-if (sizeof($teams) == 0) {
-    echo "Warning: No teams defined";
-}
-$teamsImplemented = array();
-foreach ($teams as $team) {
-    $teamsImplemented[$team] = false;
-}
 
 $files = glob("src/assets/YAML/default/*/*.yaml");
 $dimensions = array();
@@ -67,12 +57,12 @@
 
         foreach ($elements as $activityName => $activity) {
             if (!array_key_exists("level", $activity)) {
-                array_push($errorMsg,"Missing 'level' attribute in activity: $activityName");
+                array_push($errorMsg,"Missing 'level' attribute in activity: '$activityName'");
 	        }
 
             // echo "$subdimension | $activityName\n";
             if (!array_key_exists("uuid", $activity)) {
-                array_push($errorMsg, "$activityName is missing an uuid in $dimension");
+                array_push($errorMsg, "'$activityName' is missing an uuid in '$dimension'");
             } else {
                 $uuid = $dimensionsAggregated[$dimension][$subdimension][$activityName]["uuid"];
                 $tmp_activityName = getActivityNameByUuid($uuid, $dimensionsAggregated);
@@ -89,75 +79,47 @@
             if (!array_key_exists("tags", $activity)) {
                 $dimensionsAggregated[$dimension][$subdimension][$activityName]["tags"] = ["none"];
             }
-            if (!array_key_exists("teamsImplemented", $activity)) {
-                $dimensionsAggregated[$dimension][$subdimension][$activityName]["teamsImplemented"] = array();
-            }
-            $evidenceImplemented = array();
-            if (array_key_exists("teamsEvidence", $activity) && is_array($activity["teamsEvidence"]) && IS_IMPLEMENTED_WHEN_EVIDENCE) {
-                foreach ($activity["teamsEvidence"] as $team => $evidenceForTeam) {
-                    if(!is_string($activity["teamsEvidence"][$team])) {
-                        echo "teamsEvidence for team $team in $activityName is not a string, ignoring";
-                        continue;
-                    }
-                    if (strlen($activity["teamsEvidence"][$team]) > 0) {
-                        $evidenceImplemented[$team] = true;
-                    } else {
-                        echo "Warning: '$activityName -> evidence -> $team' has no evidence set but should have";
-                    }
-                }
-            }
-            $dimensionsAggregated[$dimension][$subdimension][$activityName]["teamsImplemented"] =
-                array_merge(
-                    $teamsImplemented,
-                    $dimensionsAggregated[$dimension][$subdimension][$activityName]["teamsImplemented"],
-                    $evidenceImplemented
-                );
-            if (!array_key_exists("openCRE", $activity["references"])) {
-                $dimensionsAggregated[$dimension][$subdimension][$activityName]["references"]["openCRE"] = array();
-                $dimensionsAggregated[$dimension][$subdimension][$activityName]["references"]["openCRE"][] = "https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/" . $subdimension . "/" . $dimensionsAggregated[$dimension][$subdimension][$activityName]["uuid"];
-            }
-            // can be removed in 2025
             if (array_key_exists("isImplemented", $activity)) {
                 unset($dimensionsAggregated[$dimension][$subdimension][$activityName]["isImplemented"]);
             }
             if (array_key_exists("evidence", $activity)) {
                 unset($dimensionsAggregated[$dimension][$subdimension][$activityName]["evidence"]);
             }
             if (array_key_exists("dependsOn", $activity)) {
-                foreach($activity['dependsOn'] as $index => $dependsOn) {
-                    if(!is_string($dependsOn)) {
-                        array_push($errorMsg, "The 'dependsOn' is not a string '" . json_encode($dependsOn) . "' (in $activityName)");
+                foreach($activity['dependsOn'] as $index => $dependsOnName) {
+                    if(!is_string($dependsOnName)) {
+                        array_push($errorMsg, "The 'dependsOn' is not a string '" . json_encode($dependsOnName) . "' (in $activityName)");
                         continue;
                     } 
 
-                    // Swap uuids with activity name
+                    // Load dependsOnName and dependsOnUuid, depending on actual content
                     $uuidRegExp = "/(uuid:)?\s*([0-9a-f]{6,}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{6,})/";
-                    if (preg_match($uuidRegExp, $dependsOn, $matches)) {
+                    if (preg_match($uuidRegExp, $dependsOnName, $matches)) {
                         $dependsOnUuid = $matches[2];
-                        $dependsOn = getActivityNameByUuid($dependsOnUuid, $dimensionsAggregated);
-                        if (is_null($dependsOn)) {
-                            array_push($errorMsg,"DependsOn non-existing activity uuid: $dependsOnUuid  (in activity: $activityName)");
-                        } else if ($matches[1] == "") {
-                            echo "WARNING: DependsOn is not prefixed by 'uuid:' for $dependsOnUuid (in activity: $activityName)\n";
-                        } 
-                        
-                        // echo "exchanged $dependsOnUuid with name $dependsOnActivityName\n";
-                        $dimensionsAggregated[$dimension][$subdimension][$activityName]["dependsOn"][$index] = $dependsOn;
-                        
+                        $dependsOnName = getActivityNameByUuid($dependsOnUuid, $dimensionsAggregated);
+                        if (is_null($dependsOnName)) {
+                            array_push($errorMsg,"DependsOn non-existing activity uuid: $dependsOnUuid  (in activity: '$activityName')");
+                        } else if ($matches[1] != "") {
+                            echo "WARNING: DependsOn is prefixed by deprecated 'uuid:' for $dependsOnUuid (in activity: '$activityName'). Use activity name, or the uuid only\n";
+                        }                         
                     } else {
-                        if (is_null(getUuidByActivityName($dependsOn, $dimensionsAggregated))) {
-                            array_push($errorMsg,"DependsOn non-existing activity: '$dependsOn' (in activity: $activityName)");
+                        $dependsOnUuid = getUuidByActivityName($dependsOnName, $dimensionsAggregated);
+                        if (is_null(getUuidByActivityName($dependsOnName, $dimensionsAggregated))) {
+                            array_push($errorMsg,"DependsOn non-existing activity: '$dependsOnName' (in activity: $activityName)");
                         }
                     }
+                    // Trick emit_yaml() to have uuid plus a comment in a string. Removed in post-processing below.
+                    $dimensionsAggregated[$dimension][$subdimension][$activityName]["dependsOn"][$index] = "{ $dependsOnUuid  # $dependsOnName }";
+                    
 
                     // Build dependency graph
                     if (!array_key_exists($activityName, $activityIndex)) {
                         $activityIndex[$activityName] = count($activityIndex);
                     }
-                    if (!array_key_exists($dependsOn, $activityIndex)) {
-                        $activityIndex[$dependsOn] = count($activityIndex);
+                    if (!array_key_exists($dependsOnName, $activityIndex)) {
+                        $activityIndex[$dependsOnName] = count($activityIndex);
                     }
-                    array_push_item_to($dependencies, $activityIndex[$dependsOn], $activityIndex[$activityName]);
+                    array_push_item_to($dependencies, $activityIndex[$dependsOnName], $activityIndex[$activityName]);
 
                 }
             }
@@ -195,6 +157,15 @@
 
 // Store generated data
 $dimensionsString = yaml_emit($dimensionsAggregated);
+
+// Post-process to convert quoted UUID comments to inline comments
+// Pattern: `- '{ uuid #comment }'` becomes: `- uuid #comment`
+$dimensionsString = preg_replace(
+    "/^(\s+- )'{\s*([0-9a-f-]+)\s+(#[^'}]*)\s*}'$/m",
+    "$1$2 $3",
+    $dimensionsString
+);
+
 $targetGeneratedFile = getcwd() . "/src/assets/YAML/generated/generated.yaml";
 echo "\nStoring to $targetGeneratedFile\n";
 file_put_contents($targetGeneratedFile, $dimensionsString);