Collects, analyzes and visualizes metrics.
Prerequisite: Python 3 must be installed.
Steps:
- Clone the repository source code
- Create a .env file like the one below
- Run the docker compose file
- Create a virtual environment (venv)
- Install the required packages (requirements.txt)
Example .env file:
GRAFANA_PASSWORD=...
MYSQL_PASSWORD=...
Example on Linux:
git clone https://github.com/sumsumcity/cave.git
cd cave
docker-compose up -d
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
Example on Windows:
git clone https://github.com/sumsumcity/cave.git
cd cave
docker-compose up -d
python -m venv .venv
.venv\Scripts\activate
pip install -r requirements.txt
GET Requests
https://developer.atlassian.com/server/jira/platform/rest-apis/
A single request cannot return issues of more than one severity level, so the severity levels configured in the validator determine exactly which issues are collected; configure them carefully.
python src/metricvisualizer.py example/config.json
The metrics are taken from the OWASP DSOVS Framework: https://owasp.org/www-project-devsecops-verification-standard/
- https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-005-Software-Composition-Analysis-SCA.md
  Possible Collectors: contrast_sca-collector, dependabot_sca-collector
- https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-003-Interactive-Application-Securit-Testing-IAST.md
  Possible Collectors: contrast_iast-collector
- https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-004-Static-Application-Security-Testing-SAST.md
  Possible Collectors: codeql_sast-collector
- https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/DES-002-Threat-Modelling.md
  Possible Collectors: http-collector (e.g. Confluence or other websites)
- https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REQ-004-Security-Issues-Tracking.md
  Possible Collectors: (jira-collector)
To reset everything (including the passwords), delete the Docker volumes. Note that $(docker volume ls -q) expands to every volume on the host, not only the ones created by this compose file:
docker volume rm $(docker volume ls -q)
Example for Grafana Dashboard:
SELECT im.*, i.appid, m.name, concat(status, ": ", description) AS detail
FROM items_metrics AS im
JOIN items AS i ON i.itemid = im.itemid
JOIN metrics AS m ON m.metricid = im.metricid
-- WHERE i.type = "app"
-- WHERE date = (SELECT MAX(date) FROM items_metrics)
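As an added example (not code from the cave repository), the dashboard query above is run against a constructed in-memory SQLite copy of the schema to show how the commented-out MAX(date) filter behaves next to a per-item variant. The column layout of items, metrics and items_metrics is assumed from the query itself, and MySQL's concat(...) is rewritten with || for SQLite.

```python
# Added example (not cave project code): run the README dashboard query on an
# in-memory SQLite copy of the schema to compare the two commented date filters.
# Assumed columns: items(itemid, appid, type), metrics(metricid, name),
# items_metrics(itemid, metricid, date, status, description). MySQL's
# concat(a, ": ", b) is written as a || ': ' || b for SQLite.
import sqlite3

SCHEMA = """
CREATE TABLE items (itemid INTEGER, appid TEXT, type TEXT);
CREATE TABLE metrics (metricid INTEGER, name TEXT);
CREATE TABLE items_metrics (itemid INTEGER, metricid INTEGER, date TEXT,
                            status TEXT, description TEXT);
"""
# Constructed rows: "shop" was collected on two days, "api" only on the first.
ROWS = {
    "items": [(1, "shop", "app"), (2, "api", "app")],
    "metrics": [(10, "CODE-005"), (11, "REQ-004")],
    "items_metrics": [
        (1, 10, "2024-05-01", "fail", "3 vulnerable dependencies"),
        (1, 10, "2024-05-02", "pass", "0 vulnerable dependencies"),
        (2, 11, "2024-05-01", "pass", "issue tracker configured"),
    ],
}
BASE = """
SELECT im.*, i.appid, m.name, status || ': ' || description AS detail
FROM items_metrics AS im
JOIN items AS i ON i.itemid = im.itemid
JOIN metrics AS m ON m.metricid = im.metricid
WHERE i.type = 'app'
"""
# Global latest snapshot: only rows collected on the newest date in the table.
GLOBAL_LATEST = BASE + "AND im.date = (SELECT MAX(date) FROM items_metrics)"
# Per-item latest snapshot: newest row per item/metric pair, so an item that
# was not collected on the newest day still shows up (with its older result).
PER_ITEM_LATEST = BASE + """AND im.date = (SELECT MAX(x.date) FROM items_metrics AS x
    WHERE x.itemid = im.itemid AND x.metricid = im.metricid)"""


def dashboard_rows(query):
    """Return sorted (appid, metric name, detail) tuples the query yields."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        con.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    # Result columns: itemid, metricid, date, status, description, appid, name, detail
    result = sorted((r[5], r[6], r[7]) for r in con.execute(query))
    con.close()
    return result
```

With the global filter the "api" app disappears from the dashboard because it was not collected on the newest day; the per-item filter keeps its last known result.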