Automatically mark Threats as N/A when nested under an Out Of Scope component
Permissions Required
The following permissions are required to create the rule. Other project permissions are needed to see the rule in action.
- DROOLS_CREATION_RULE
- EDIT_RULES
Description
Using the Out Of Scope component is a way to nest components in your project that needn't be threat modeled. For example, you might want to show your web service being accessed by an unmanaged web browser. Including the web browser is necessary for the visual representation, although it lies outside your area of responsibility.
Unfortunately, descendants of the OOS component still have threats associated with them by default.
It is certainly possible to mark these as N/A by hand. It is also possible to use the IriusRisk Drools engine to do so automatically. The rule described below will automatically mark a threat as N/A if both of the following hold:
- Its component is a descendant of the Out Of Scope component (nested under it at any depth)
- It is in the Expose state (threats that have already been moved out of that state, by hand or by another rule, are left alone)
Instructions
- Navigate to the Rules section from the IriusRisk landing page
- Click the ellipsis menu (three dots) and then New Drool (DRL)
- Enter the name _Mark OOS threats N/A
- On the left under Threat context select Threat - Component conditions
- In the text panel on the right, enter the following code:

```drl
package com.iriusrisk.drools;
import com.iriusrisk.drools.model.*;
import com.iriusrisk.drools.model.riskpattern.*;
import com.iriusrisk.model.*;
import com.iriusrisk.drools.fact.*;
import com.iriusrisk.factories.DroolsValueConverter;
import com.iriusrisk.utils.EntityWithUDTUtil;
import com.iriusrisk.drools.fact.TagFact;

rule "_Mark OOS Threat N/A"
// do not re-fire on the facts this rule itself changes
no-loop
when
    $project : ProjectFact()
    $component : ComponentFact()
    // the component has an Out Of Scope component somewhere above it
    ComponentDefinitionFact(isAParent($component.getParentReferenceIds()) && uniqueId == "out-of-scope")
    // only threats of that component that are still in the Expose state are touched
    $threat: ThreatFact(componentReferenceId==$component.componentReferenceId, state== "Expose")
then
    insert(new ChangeComponentThreatStateFact($component.getComponentReferenceId(), $threat.getUniqueId(), "Not Applicable", "Component is out-of-scope, so threats are N/A"));
end
```
- Click Save
From this point on, every threat that matches both conditions will be marked N/A whenever the rules run, for instance when the threat model is updated.
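To predict what the rule will do to a project before saving it, the following plain-Python model reproduces its two conditions (component nested under an Out Of Scope component at any depth, threat still in the Expose state) over a constructed sample tree. This is an added example, not IriusRisk code and not the Drools engine's own logic; the component/threat dictionaries, the `parent` and `definition` keys and the sample project are assumptions made for illustration only.

```python
"""Added example (not IriusRisk code): a plain-Python model of what the
Drools rule above matches, so you can predict which threats it will move
to Not Applicable before running it on a real project.

Assumptions (not from the article): components are a dict keyed by
reference id, each with a 'definition' (the library uniqueId, e.g.
"out-of-scope") and a 'parent' reference id (None at the root); threats
carry the owning component's reference id and a state string.
"""

OOS_DEFINITION = "out-of-scope"   # uniqueId the rule compares against
TRIGGER_STATE = "Expose"          # only threats in this state are changed
TARGET_STATE = "Not Applicable"


def ancestors(components, ref_id):
    """Yield parent, grandparent, ... of a component (not the component itself)."""
    seen = set()
    parent = components[ref_id]["parent"]
    while parent is not None and parent not in seen:   # guard against cyclic data
        seen.add(parent)
        yield parent
        parent = components[parent]["parent"]


def under_out_of_scope(components, ref_id):
    """True if any ancestor of the component is an Out Of Scope component."""
    return any(components[a]["definition"] == OOS_DEFINITION
               for a in ancestors(components, ref_id))


def threats_to_mark_na(components, threats):
    """Return (component_ref, threat_id) pairs the rule would act on:
    the threat is in Expose and its component sits under an OOS component."""
    return [(t["component"], t["id"]) for t in threats
            if t["state"] == TRIGGER_STATE
            and under_out_of_scope(components, t["component"])]


def apply_rule(components, threats):
    """Apply the state change and return the new threat list. Running it a
    second time changes nothing further, mirroring the rule's no-loop effect:
    threats already in Not Applicable no longer satisfy the Expose condition."""
    hits = {thr_id for _, thr_id in threats_to_mark_na(components, threats)}
    return [dict(t, state=TARGET_STATE) if t["id"] in hits else dict(t)
            for t in threats]


# Constructed sample project (illustration only):
#   browser (Out Of Scope) -> client-js -> local-cache, plus an in-scope web-service
SAMPLE_COMPONENTS = {
    "web-service": {"definition": "web-service", "parent": None},
    "browser":     {"definition": "out-of-scope", "parent": None},
    "client-js":   {"definition": "js-client", "parent": "browser"},
    "local-cache": {"definition": "data-store", "parent": "client-js"},
}
SAMPLE_THREATS = [
    {"id": "T1", "component": "web-service", "state": "Expose"},   # in scope: untouched
    {"id": "T2", "component": "client-js", "state": "Expose"},     # child of OOS: marked N/A
    {"id": "T3", "component": "local-cache", "state": "Expose"},   # grandchild of OOS: marked N/A
    {"id": "T4", "component": "local-cache", "state": "Mitigate"}, # not in Expose: untouched
    {"id": "T5", "component": "browser", "state": "Expose"},       # the OOS component itself is not a descendant: untouched
]

if __name__ == "__main__":
    for comp, thr in threats_to_mark_na(SAMPLE_COMPONENTS, SAMPLE_THREATS):
        print(f"{thr} on {comp} -> {TARGET_STATE}")
```

Running the script lists T2 and T3 only: nested depth does not matter, a threat already moved out of Expose is skipped, and the Out Of Scope component's own threats are not descendants and so are not touched. A second `apply_rule` pass over the result is a no-op, which is the behaviour you should see in IriusRisk when the rules run again after the first update.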