Merge branch 'main' into feat/meta-on-top

Author: vbakke

CHANGELOG.md

@@ -1,3 +1,18 @@
+# [1.20.0](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/compare/v1.19.0...v1.20.0) (2025-11-18)
+
+
+### Features
+
+* adopt changes to bat file ([796e1d2](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/796e1d27f682eb27b6de5c4b6c5969119caa5a2e))
+* install dep always ([0761ee3](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/0761ee35da67f843c68cbf413a04d365482ab879))
+
+# [1.19.0](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/compare/v1.18.0...v1.19.0) (2025-11-17)
+
+
+### Features
+
+* Improved start script ([18d6205](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/18d6205beb02b5c809b95dc15a76c9bcb803eb3d))
+
 # [1.18.0](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/compare/v1.17.0...v1.18.0) (2025-11-06)
 
 

README.md

@@ -1,14 +1,61 @@
 # OWASP DevSecOps Maturity Model Data
-Data for the OWASP DevSecOps Maturity Model.
+
+This GitHub project ([DevSecOps-MaturityModel-data](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data)) contains the source for the model itself, used by the DSOMM applciation [DevSecOps-MaturityModel](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel). 
+
+The source files include dimensions, activities, descriptions, measures, and other model data used by the application.
+
+
+## Contribution
+
+Contributions that improve the DSOMM model are welcome. Please edit the source files under `src/assets/YAML/default/*` and open a pull request.
+
+
+### Testing
+
+After making changes, generate a new `activities.yaml` and use it in a local DSOMM application to verify there are no technical issues.
+
 
 ## Usage
-To test changes to the yaml-files, please run:
-```bash
-docker run -ti -v $(pwd)/src/assets/YAML/default:/var/www/html/src/assets/YAML/default -v $(pwd)/src/assets/YAML/generated:/var/www/html/src/assets/YAML/generated -v $(pwd)/src/assets/YAML/schema:/var/www/html/src/assets/YAML/schema wurstbrot/dsomm-yaml-generation
 
-# Afterwards, you can use the generated.yaml in a container
-docker  run -v $(pwd)/src/assets/YAML/generated/generated.yaml:/srv/assets/YAML/generated/generated.yaml -p 8080:8080 wurstbrot/dsomm
-```
+The script is executed using `docker` (or alternatively `podman`).
+Depending on your platform use either `generateDimensions.bash` (Linux) or `generateDimensions.bat` (Windows). 
+
+1. Clone the repo:
+
+   `git clone https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data.git`
+
+2. Change directory:
+
+   `cd yaml-generation`
+
+3. Install dependencies:
+
+   `./generateDimensions.bash --install`
+
+4. Generate `activities.yaml`:
+
+   `./generateDimensions.bash`
+
+
+
+### Starting a local DSOMM application
+
+To start a local DSOMM instance on http://localhost:8080, run:
+
+   `./generateDimensions.bash --start-dsomm`
+
+
+### Test referenced URLs
+
+To test all URLs referenced by `implementations.yaml` and save results to `url-test-results.txt`, run:
+
+   `./generateDimensions.bash --test-urls`
+
+
+### Using Podman instead of Docker
+
+If you prefer Podman over Docker, set the environement variable `DOCKER_CMD` to `podman`, or edit the script for you operating system.
+
 
 ## Development
 cd yaml-generation
@@ -18,10 +65,14 @@ docker run   -ti -v $(pwd)/yaml-generation:/var/www/html/yaml-generation  -v $(p
 
 ## Credits
 
-* The dimension _Test and Verification_ is based on Christian Schneiders [Security DevOps Maturity Model (SDOMM)](https://www.christian-schneider.net/SecurityDevOpsMaturityModel.html). _Application tests_ and _Infrastructure tests_ are added by Timo Pagel. Also, the sub-dimension _Static depth_ has been evaluated by security experts at [OWASP Stammtisch Hamburg](https://www.owasp.org/index.php/OWASP_German_Chapter_Stammtisch_Initiative/Hamburg).
-* The sub-dimension <i>Process</i> has been added after a discussion with [Francois Raynaud](https://www.linkedin.com/in/francoisraynaud/) that reactive activities are missing.
-* Enhancement of my basic translation is performed by [Claud Camerino](https://github.com/clazba).
-* Adding ISO 27001:2017 mapping, [Andre Baumeier](https://github.com/AndreBaumeier).
-* [OWASP Project Integration Project Writeup](https://github.com/OWASP/www-project-integration-standards/blob/master/writeups/owasp_in_sdlc/index.md) for providing documentation on different DevSecOps practices which are copied&pasted/ (and adopted) (https://github.com/northdpole, https://github.com/ThunderSon)
-* The requirements from [level 0](https://github.com/AppSecure-nrw/security-belts/blob/master/white/) are based on/copied from [AppSecure NRW](https://appsecure.nrw/)
-* The sub dimension _Test KPI_, _Triage_, _Dynamic depth for app/infra_, _Static depth for app/infra_ and some other vulnerability management activities are based/inspired by [Vulnerability Managment Maturity Model - Cheat Sheet V1.6](TODO FRANCESCO LINK)
+- The "Test and Verification" dimension is based on Christian Schneider's Security DevOps Maturity Model (SDOMM).
+- Application and infrastructure tests were added by Timo Pagel.
+- The "Process" sub-dimension was added after discussion with Francois Raynaud.
+- Translations and edits were contributed by Claud Camerino.
+- ISO 27001:2017 mapping by Andre Baumeier.
+- Other inspirations and contributions are acknowledged in the original README.
+
+
+## License
+
+See the `LICENSE` file in this repository for license details.

src/assets/YAML/default/BuildAndDeployment/Deployment.yaml

@@ -83,7 +83,7 @@ Build and Deployment:
       usefulness: 4
       level: 1
       dependsOn:
-        - uuid:f6f7737f-25a9-4317-8de2-09bf59f29b5b # Def. Build Process
+        - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Def. Build Process
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/ci-cd-tools
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/docker
@@ -182,7 +182,7 @@ Build and Deployment:
         A documented inventory of dependencies used in artifacts like container images and containers
         exists.
       dependsOn:
-        - uuid:83057028-0b77-4d2e-8135-40969768ae88 # Inventory of production artifacts
+        - 83057028-0b77-4d2e-8135-40969768ae88 # Inventory of production artifacts
         - SBOM of components
       difficultyOfImplementation:
         knowledge: 2
@@ -249,7 +249,7 @@ Build and Deployment:
       measure: A documented inventory of artifacts in production like container images exists (gathered manually or automatically).
       dependsOn:
         - Defined deployment process
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       difficultyOfImplementation:
         knowledge: 2
         time: 2

src/assets/YAML/default/CultureAndOrganization/Process.yaml

@@ -103,7 +103,7 @@ Culture and Organization:
       usefulness: 3
       level: 2
       dependsOn:
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # inventory of production components
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-defectdojo
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/purify

src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml

@@ -68,7 +68,7 @@ Implementation:
       usefulness: 4
       level: 3
       dependsOn:
-        - uuid:e7598ac4-b082-4e56-b7df-e2c6b426a5e2 # Require a PR before merging
+        - e7598ac4-b082-4e56-b7df-e2c6b426a5e2 # Require a PR before merging
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/azuredevops
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-policies
@@ -150,7 +150,7 @@ Implementation:
       usefulness: 4
       level: 3
       dependsOn:
-        - uuid:e7598ac4-b082-4e56-b7df-e2c6b426a5e2
+        - e7598ac4-b082-4e56-b7df-e2c6b426a5e2
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/azuredevops
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-policies
@@ -182,7 +182,7 @@ Implementation:
       usefulness: 3
       level: 3
       dependsOn:
-        - uuid:e7598ac4-b082-4e56-b7df-e2c6b426a5e2
+        - e7598ac4-b082-4e56-b7df-e2c6b426a5e2
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/azuredevops
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-policies

src/assets/YAML/default/InformationGathering/TestKPI.yaml

@@ -90,7 +90,7 @@ Information Gathering:
       usefulness: 3
       level: 2
       dependsOn:
-        - uuid:8ae0b92c-10e0-4602-ba22-7524d6aed488 #Automated PRs for patches
+        - 8ae0b92c-10e0-4602-ba22-7524d6aed488 #Automated PRs for patches
       implementation: []
       references:
         samm2:
@@ -151,8 +151,8 @@ Information Gathering:
       usefulness: 3
       level: 4
       dependsOn:
-        - uuid:86d490b9-d798-4a5b-a011-ab9688014c46 # Patching mean time to resolution via PR
-        - uuid:8ae0b92c-10e0-4602-ba22-7524d6aed488 # Automated PRs for patches
+        - 86d490b9-d798-4a5b-a011-ab9688014c46 # Patching mean time to resolution via PR
+        - 8ae0b92c-10e0-4602-ba22-7524d6aed488 # Automated PRs for patches
       implementation: []
       references:
         samm2:

src/assets/YAML/default/TestAndVerification/Consolidation.yaml

@@ -21,9 +21,9 @@ Test and Verification:
           - The number of network hops required to reach the asset (recommended)
           - Authentication requirements for access (recommended)
       dependsOn:
-        - uuid:44f2c8a9-4aaa-4c72-942d-63f78b89f385 # Treatment of defects with severity high or higher:
-        #- uuid:3260a15f-2df0-4173-8790-f11de2cb525a # Access applications accessibility TODO
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 44f2c8a9-4aaa-4c72-942d-63f78b89f385 # Treatment of defects with severity high or higher:
+        #- 3260a15f-2df0-4173-8790-f11de2cb525a # Access applications accessibility TODO
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       implementation:
       references:
         samm2:
@@ -372,9 +372,9 @@ Test and Verification:
         resources: 2
       usefulness: 2
       dependsOn:
-        - uuid:f2f0f274-c1a0-4501-92fe-7fc4452bc8ad # EPSS/CISA KEV
-        - uuid:6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 # Each team has a security champion
-        - uuid:185d5a74-19dc-4422-be07-44ea35226783 # Office Hours
+        - f2f0f274-c1a0-4501-92fe-7fc4452bc8ad # EPSS/CISA KEV
+        - 6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 # Each team has a security champion
+        - 185d5a74-19dc-4422-be07-44ea35226783 # Office Hours
       level: 3
       description: |-
         For known vulnerabilities a processes to estimate the exploit ability of a vulnerability is recommended.

src/assets/YAML/default/TestAndVerification/DynamicDepthForInfrastructure.yaml

@@ -142,7 +142,7 @@ Test and Verification:
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/netassert
       dependsOn:
-        - uuid:4ce24abd-8ba6-494c-828d-4d193e28e4a1 # Isolated networks for virtual environments
+        - 4ce24abd-8ba6-494c-828d-4d193e28e4a1 # Isolated networks for virtual environments
       references:
         samm2:
           - V-ST-A-2

src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml

@@ -159,7 +159,7 @@ Test and Verification:
           - 8.28 # Secure coding
       isImplemented: false
       dependsOn:
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
     Static analysis for all components/libraries:
       uuid: f4ff841d-3b2a-45d9-853e-5ec7ecbcb054
       risk: Used components like libraries and legacy applications might have vulnerabilities
@@ -173,7 +173,7 @@ Test and Verification:
       dependsOn:
         - Static analysis for important client side components
         - Static analysis for important server side components
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       implementation: []
       references:
         samm2:
@@ -209,7 +209,7 @@ Test and Verification:
       dependsOn:
         - Static analysis for important client side components
         - Static analysis for important server side components
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       references:
         samm2:
           - V-ST-A-2
@@ -244,7 +244,7 @@ Test and Verification:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/appscan-vscode-extension
       dependsOn:
         - Defined build process
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       references:
         samm2:
           - V-ST-A-2
@@ -277,7 +277,7 @@ Test and Verification:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/appscan-vscode-extension
       dependsOn:
         - Defined build process
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       references:
         samm2:
           - V-ST-A-2
@@ -333,7 +333,7 @@ Test and Verification:
       usefulness: 4
       level: 3
       dependsOn:
-        - uuid:d918cd44-a972-43e9-a974-eff3f4a5dcfe # SCA for server
+        - d918cd44-a972-43e9-a974-eff3f4a5dcfe # SCA for server
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/cisa-kev
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/epss
@@ -357,8 +357,8 @@ Test and Verification:
       level: 3
       dependsOn:
         - Defined build process
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
-        - uuid:f2f0f274-c1a0-4501-92fe-7fc4452bc8ad # EPSS/CISA KEV
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - f2f0f274-c1a0-4501-92fe-7fc4452bc8ad # EPSS/CISA KEV
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/retire-js
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/npm-audit
@@ -390,7 +390,7 @@ Test and Verification:
       level: 2
       dependsOn:
         - Defined build process
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-dependency-che
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack