- Overview
- Step 1) Change node used to represent project, templates or libraries
- Step 2) Remove unused attributes from root node
- Step 3) Rename <udts> and <udt> nodes
- Step 4) Rename <components> and <component> nodes (JUST FOR LIBRARIES)
- Step 5) Rename <controls> and <control> nodes
- Step 6) Add <conditions> node for rules
- Step 7) Add <actions> node for rules
- Step 8) Remove attribute asvsVersion
- Step 9) Add attribute uuid to node trustZone
Overview
In version 4.x of IriusRisk, the structure of the XML files that represent projects, templates or libraries has changed. As a result, an XML file generated in version 3.x cannot be used in version 4.x of IriusRisk.
This document explains how to manually migrate an XML file of a project, template or library generated in version 3.x of IriusRisk so that it is compatible with version 4.x.
We have introduced 4 changes and 2 additions in the new XML structure.
These are the steps you have to follow to complete the migration:
- Step 1) Change node used to represent project, templates or libraries
- Step 2) Remove unused attributes from root node
- Step 3) Rename <udts> and <udt> nodes
- Step 4) Rename <components> and <component> nodes JUST FOR LIBRARIES
- Step 5) Rename <controls> and <control> nodes
- Step 6) Add <conditions> node for rules
- Step 7) Add <actions> node for rules
- Step 8) Remove attribute asvsVersion
- Step 9) Add attribute uuid to node trustZone
Following are the details of each of the steps:
Step 1) Change node used to represent project, templates or libraries
We can represent three different IriusRisk entities with an XML file, they are:
- projects
- templates
- libraries
Previously on version 3
Project
To represent a project you needed to use the node <project> with the attribute type set to “STANDARD”.
<project ref="vcm" name="vcm" revision="1" type="STANDARD" status="OPEN" enabled="true" priority="0" tags="" modelUpdated="2021-08-05 07:59:19" workflowState="" locked="false">
Template
To represent a template you needed to use the node <project> with the attribute type set to “TEMPLATE”.
<project ref="pedro-template" name="pedro template" revision="1" type="TEMPLATE" status="OPEN" enabled="true" priority="0" tags="" workflowState="wfs1">
Library
To represent a library you needed to use the node <project> with the attribute type set to “LIBRARY”.
<project ref="hh-new-lib" name="HH-new-lib" revision="1" type="LIBRARY" status="OPEN" enabled="true" priority="0" tags="">
Now on version 4
Project
To represent a project you need to use the node <project>.
The attribute type has to be removed.
<project ref="vcm" name="vcm" tags="" modelUpdated="2021-08-05 07:59:19" workflowState="" locked="false">
Template
To represent a template you need to use the node <template>.
The attribute type has to be removed.
<template ref="pedro-template" name="pedro template" tags="">
Library
To represent a library you need to use the node <library>.
The attribute type has to be removed.
<library ref="hh-new-lib" name="HH-new-lib" revision="1" tags="">
Step 2) Remove unused attributes from root node
Previously on version 3
We had a collection of attributes that were part of the node <project> that were never used.
Project
To define a project you needed to use the node <project> with these attributes:
<project ref="vcm" name="vcm" revision="1" type="STANDARD" status="OPEN" enabled="true" priority="0" tags="" modelUpdated="2021-08-05 07:59:19" workflowState="" locked="false">
Template
To define a template you needed to use the node <project> with these attributes:
<project ref="pedro-template" name="pedro template" revision="1" type="TEMPLATE" status="OPEN" enabled="true" priority="0" tags="" workflowState="wfs1">
Library
To define a library you needed to use the node <project> with these attributes:
<project ref="hh-new-lib" name="HH-new-lib" revision="1" type="LIBRARY" status="OPEN" enabled="true" priority="0" tags="">
Now on version 4
Project
To represent a project you have to use the node <project> and remove these attributes:
- revision
- type
- status
- enabled
- priority
<project ref="vcm" name="vcm" tags="" modelUpdated="2021-08-05 07:59:19" workflowState="" locked="false">
Template
To represent a template you have to use the node <template> and remove these attributes:
- revision
- type
- status
- enabled
- priority
- workflowState
<template ref="pedro-template" name="pedro template" tags="">
Library
To represent a library you have to use the node <library> and remove these attributes:
- type
- status
- enabled
- priority
<library ref="hh-new-lib" name="HH-new-lib" revision="1" tags="">
Step 3) Rename <udts> and <udt> nodes
Previously on version 3
To represent a custom field you used the node <udt> and the node <udts> to represent a collection of custom fields.
<udts>
<udt ref="apr-udt-link" value="value1"/>
</udts>
Now on version 4
The custom fields are represented with the nodes <customField> and <customFields>.
You have to search for all occurrences of the nodes <udts> or <udt> and replace them with <customFields> or <customField> respectively.
<customFields>
<customField ref="apr-udt-link" value="value1"/>
</customFields>
Step 4) Rename <components> and <component> nodes (JUST FOR LIBRARIES)
Previously on version 3
To represent the risk patterns of a library you used the nodes <components> and <component>.
<components>
<component ref="untrusted-data-received" name="Untrusted Data: Received" desc="Untrusted or tainted data is received.">
<tags/>
...
</component>
</components>
Now on version 4
The risk patterns are represented with the nodes <riskPattern> and <riskPatterns>.
You have to search for all occurrences of the nodes <components> or <component> and replace them with <riskPatterns> or <riskPattern> respectively.
<riskPatterns>
<riskPattern ref="untrusted-data-received" name="Untrusted Data: Received" desc="Untrusted or tainted data is received.">
<tags/>
...
</riskPattern>
</riskPatterns>
Step 5) Rename <controls> and <control> nodes
Previously on version 3
To represent countermeasures you used the <control> node, and the <controls> node to represent a collection of countermeasures.
<controls>
<control ref='CWE-285' name='Apply access controls to segregate user data' issueId='' platform=''
cost='0' risk='100' state='Recommended' owner='admin' library='' source='RULES'>
<desc>Description</desc>
<implementations/>
...
</control>
</controls>
Now on version 4
The countermeasures are represented by the nodes <countermeasure> and <countermeasures>.
You have to search for all occurrences of the nodes <controls> or <control> and replace them with <countermeasures> or <countermeasure> respectively.
<countermeasures>
<countermeasure ref='CWE-285' name='Apply access controls to segregate user data' issueId='' platform=''
cost='0' risk='100' state='Recommended' owner='admin' library='' source='RULES'>
<desc>Description</desc>
<implementations/>
...
</countermeasure>
</countermeasures>
Step 6) Add <conditions> node for rules
Previously on version 3
A rule could have a set of conditions that were included as an array directly within the node <rule>.
<rule name="Q: Cardholder Data - All - Credit Card - Stored - Which elements - *" module="component" generatedByGui="true">
<condition name="CONDITION_QUESTION" field="id" value="Credit Card DataStored" />
<condition name="CONDITION_QUESTION_GROUP_EXISTS" field="id" value="pci.stored.group" />
...
</rule>
Now on version 4
The conditions must be grouped within a node <conditions>, and that node must be included in the node <rule>.
You have to search for all groups of <condition> nodes and create a new node <conditions> to group them.
<rule name="Q: Cardholder Data - All - Credit Card - Stored - Which elements - *" module="component" generatedByGui="true">
<conditions>
<condition name="CONDITION_QUESTION" field="id" value="Credit Card DataStored" />
<condition name="CONDITION_QUESTION_GROUP_EXISTS" field="id" value="pci.stored.group" />
</conditions>
...
</rule>
Step 7) Add <actions> node for rules
Previously on version 3
A rule could have a set of actions that were included as an array directly within the node <rule>.
<rule name="Q: Cardholder Data - All - Credit Card - Stored - Which elements - *" module="component" generatedByGui="true">
...
<action project="" value="pci.stored.cvv2_::_CAV2 / CVC2 / CVV2 / CID_::_The 3 or 4 digit value on the front or back of the card" name="INSERT_QUESTION" />
<action project="" value="pci.stored.pan_::_Primary Account Number (PAN)_::_" name="INSERT_QUESTION" />
</rule>
Now on version 4
The actions must be grouped within a node <actions>, and that node must be included in the node <rule>.
You have to search for all groups of <action> nodes and create a new node <actions> to group them.
<rule name="Q: Cardholder Data - All - Credit Card - Stored - Which elements - *" module="component" generatedByGui="true">
...
<actions>
<action project="" value="pci.stored.cvv2_::_CAV2 / CVC2 / CVV2 / CID_::_The 3 or 4 digit value on the front or back of the card" name="INSERT_QUESTION" />
<action project="" value="pci.stored.pan_::_Primary Account Number (PAN)_::_" name="INSERT_QUESTION" />
</actions>
</rule>
Step 8) Remove attribute asvsVersion
Previously on version 3
On <component> nodes there was an attribute called asvsVersion.
<component ref="web-service" name="Web Service" desc="This component represents a web service." library="" parentComponentRef="" componentDefinitionRef="" asvsVersion="4">
<tags/>
<questions/>
Now on version 4
The attribute asvsVersion has been removed from the node <component>.
You have to search for all occurrences of the attribute asvsVersion in <component> nodes and remove them.
<component ref="web-service" name="Web Service" desc="This component represents a web service." library="" parentComponentRef="" componentDefinitionRef="">
<tags/>
<questions/>
Step 9) Add attribute uuid to node trustZone
Previously on version 3
On <trustZone> nodes (in project / trustZones) there were the attributes ref and name:
<trustZone ref="d5440aca-c8bc-44f2-ac93-137d8511ea88" name="tz1"/>
Now on version 4
Now, we have the new required attribute uuid.
The value for this attribute will be the same as that of the ref attribute.
<trustZone ref="d5440aca-c8bc-44f2-ac93-137d8511ea88" uuid="d5440aca-c8bc-44f2-ac93-137d8511ea88" name="tz1"/>
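The nine steps above applied in one pass, as an added example in Python (standard library ElementTree); this is not IriusRisk's own tooling. The names migrate, wrap and SAMPLE_V3 are assumptions made for illustration, and the sample document is constructed with a simplified layout. Input whose root is not a 3.x <project> with a known type is rejected rather than guessed at.

```python
import xml.etree.ElementTree as ET

ROOT_TAG = {"STANDARD": "project", "TEMPLATE": "template", "LIBRARY": "library"}
COMMON = {"type", "status", "enabled", "priority"}
DROP = {"project": COMMON | {"revision"}, "library": COMMON,   # Step 2
        "template": COMMON | {"revision", "workflowState"}}
RENAME = {"udts": "customFields", "udt": "customField",               # Step 3
          "controls": "countermeasures", "control": "countermeasure"}  # Step 5
LIB_RENAME = {"components": "riskPatterns", "component": "riskPattern"}  # Step 4

# Constructed sample input (not a real export; layout simplified).
SAMPLE_V3 = """<project ref="vcm" name="vcm" revision="1" type="STANDARD" status="OPEN" enabled="true" priority="0" tags="">
<udts><udt ref="apr-udt-link" value="value1"/></udts>
<trustZones><trustZone ref="d5440aca-c8bc-44f2-ac93-137d8511ea88" name="tz1"/></trustZones>
<components><component ref="web-service" name="Web Service" asvsVersion="4"/></components>
<rule name="r1"><condition name="CONDITION_QUESTION" field="id" value="v"/>
<action project="" value="a" name="INSERT_QUESTION"/></rule>
</project>"""


def wrap(rule, child_tag, wrapper_tag):
    """Steps 6 and 7: move loose children of <rule> into one wrapper node."""
    loose = rule.findall(child_tag)
    if loose:
        wrapper = ET.Element(wrapper_tag)
        rule.insert(list(rule).index(loose[0]), wrapper)
        for child in loose:
            rule.remove(child)
            wrapper.append(child)


def migrate(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "project" or root.get("type") not in ROOT_TAG:
        raise ValueError("expected a 3.x <project> root with a known type")
    root.tag = ROOT_TAG[root.get("type")]                      # Step 1
    for attr in DROP[root.tag]:
        root.attrib.pop(attr, None)
    renames = {**RENAME, **(LIB_RENAME if root.tag == "library" else {})}
    for el in list(root.iter()):        # snapshot: the tree is edited below
        el.tag = renames.get(el.tag, el.tag)
        if el.tag == "component":
            el.attrib.pop("asvsVersion", None)                 # Step 8
        elif el.tag == "trustZone" and "ref" in el.attrib:
            el.attrib.setdefault("uuid", el.attrib["ref"])     # Step 9
        elif el.tag == "rule":
            wrap(el, "condition", "conditions")
            wrap(el, "action", "actions")
    return ET.tostring(root, encoding="unicode")
```

ElementTree drops XML comments and the XML declaration when it re-serializes, so diff the output against the original file before importing it.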