Automatically mark counter-measures as N/A when nested under an Out Of Scope component
The following permissions are required to actually create the rule. Other Project permissions are needed in order to see the rule in action.
Using the Out Of Scope (OOS) component is a way to nest components in your project that do not need to be threat modeled. For example, you might want to show your web service being accessed by an unmanaged web browser. Including the web browser is necessary for the visual representation, although it lies outside your area of responsibility.
Unfortunately, descendants of the OOS component still have threats associated with them by default.
It is certainly possible to mark these as N/A by hand. It is also possible to use the IriusRisk Drools engine to do so automatically. The rule described below will automatically mark any threat as N/A if:
- It is a descendant of the Out Of Scope component
- It is in the Exposed state
- Navigate to the Rules section from the IriusRisk landing page
- Select the Drools tab
- Click New Rule
- On the right under RULES DETAILS, choose the module threatComponent
- Under Resource name, enter the rule name (here, _Mark OOS Threat N/A)
- Under Content, enter the following code:
rule "_Mark OOS Threat N/A"
when
    // The project and the candidate component
    $project : ProjectFact()
    $component : ComponentFact()
    // Match only when one of the component's ancestors is the Out Of Scope component
    ComponentDefinitionFact(isAParent($component.getParentReferenceIds()) && uniqueId == "out-of-scope")
    // Only threats on that component that are still in the exposed state
    $threat : ThreatFact(componentReferenceId == $component.componentReferenceId, state == "Expose")
then
    // Mark the threat Not Applicable and record the reason
    insert(new ChangeComponentThreatStateFact($component.getComponentReferenceId(), $threat.getUniqueId(), "Not Applicable", "Component is out-of-scope, so threats are N/A"));
end
- Click Save
At this point, all relevant threats will be marked N/A whenever rules run, for instance when a threat model is updated.
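To make the rule's matching behaviour concrete, here is an added stand-alone model of its logic in Python. It is not IriusRisk code and does not use the Drools engine; the component and threat records are constructed, and the assumption that a component's parent reference ids list every ancestor (so grandchildren of the OOS component also match) is labelled in the code. It shows which threats the rule changes and which it leaves alone: in-scope components, the OOS component itself, and threats that are no longer in the exposed state.

```python
"""Stand-alone model of the '_Mark OOS Threat N/A' rule's logic.

Added example: this is NOT IriusRisk code and does not run in Drools.
The component/threat records are constructed to show which threats the rule
in the article would change (descendants of the out-of-scope component whose
threat is still in the exposed state) and which it leaves untouched.
"""
from __future__ import annotations

from dataclasses import dataclass

OUT_OF_SCOPE_ID = "out-of-scope"   # uniqueId of the OOS component definition (from the rule)
EXPOSED = "Expose"                 # threat state string the rule matches on
NOT_APPLICABLE = "Not Applicable"  # state the rule assigns
REASON = "Component is out-of-scope, so threats are N/A"


@dataclass
class Component:
    ref_id: str
    definition_id: str
    # Assumption: mirrors getParentReferenceIds() and lists every ancestor, nearest first.
    parent_ref_ids: list


@dataclass
class Threat:
    unique_id: str
    component_ref_id: str
    state: str
    reason: str = ""


def is_under_out_of_scope(component: Component, by_ref: dict) -> bool:
    """Ancestor check, corresponding to the rule's
    ComponentDefinitionFact(isAParent(...) && uniqueId == "out-of-scope").
    Only ancestors are inspected, so the OOS component's own threats never match."""
    return any(
        by_ref[pid].definition_id == OUT_OF_SCOPE_ID
        for pid in component.parent_ref_ids
        if pid in by_ref
    )


def apply_oos_rule(components: list, threats: list) -> list:
    """Mark matching threats N/A in place (as ChangeComponentThreatStateFact would)
    and return the (component_ref_id, threat_id) pairs that were changed."""
    by_ref = {c.ref_id: c for c in components}
    changed = []
    for threat in threats:
        component = by_ref.get(threat.component_ref_id)
        if component is None:
            continue
        if threat.state == EXPOSED and is_under_out_of_scope(component, by_ref):
            threat.state = NOT_APPLICABLE
            threat.reason = REASON
            changed.append((component.ref_id, threat.unique_id))
    return changed


def demo():
    """Constructed project: an in-scope web service, plus a browser and a
    browser plugin nested under the Out Of Scope component."""
    components = [
        Component("svc", "web-service", []),
        Component("oos", OUT_OF_SCOPE_ID, []),
        Component("browser", "web-browser", ["oos"]),
        Component("plugin", "browser-plugin", ["browser", "oos"]),  # grandchild of OOS
    ]
    threats = [
        Threat("T-svc-1", "svc", EXPOSED),               # in scope: untouched
        Threat("T-oos-1", "oos", EXPOSED),               # OOS component itself: untouched
        Threat("T-browser-1", "browser", EXPOSED),       # child of OOS: marked N/A
        Threat("T-browser-2", "browser", NOT_APPLICABLE),  # already N/A by hand: not re-changed
        Threat("T-plugin-1", "plugin", EXPOSED),         # grandchild of OOS: marked N/A
    ]
    changed = apply_oos_rule(components, threats)
    return changed, {t.unique_id: t.state for t in threats}


if __name__ == "__main__":
    changed, states = demo()
    for pair in changed:
        print("marked N/A:", pair)
    print(states)
```

Running `demo()` changes exactly the browser and plugin threats; the state test (`state == "Expose"`) is what keeps the rule from re-firing on threats that were already marked N/A or otherwise handled.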