feature: unified advisor context; different keycloak inventories;

advisors/example-advisor/context/CTX_external-attackers.yaml → advisors/context/CTX_external-attacker.yaml

@@ -2,6 +2,7 @@ sets:
   - name: external attacker
     category: external threat
     score: 3.0
+    notes: An adversary may attempt to attack the system from remote. The adversary may modify / reconfigure existing code or introduce code from remote.
     min:
       - amount: 1
         keywords:

advisors/windows11-advisor/context/CTX_information-disclosure.yaml → advisors/context/CTX_information-disclosure.yaml

@@ -2,6 +2,7 @@ sets:
   - name: information disclosure
     category: confidentiality threat
     score: 2.0
+    notes: Confidential or restricted information may be exposed to an adversary. The adversary gains unauthorized access.
     min:
       - amount: 1
         keywords:
@@ -10,10 +11,17 @@ sets:
           - leaking credential
           - leaked credential
           - leaked credentials
+          - leaking secret
+          - leaked secret
+          - leaked secrets
           - credential leak
           - credentials leak
-          - exposed credantial
+          - exposed credential
           - credential exposed
           - credentials exposed
           - readable by unauthorized
           - readable by unauthorised
+          - information leak
+          - privacy leak
+          - data leak
+          - data leakage

advisors/openssl-1.1-advisor/context/CTX_malicious-content.yaml → advisors/context/CTX_malicious-content.yaml

@@ -2,6 +2,7 @@ sets:
   - name: malicious content
     category: integrity threat
     score: 3.0
+    notes: An adversary may attempt to inject executable code or drafted messages to destabilize or compromise the system.
     min:
       - amount: 1
         keywords:
@@ -13,5 +14,8 @@ sets:
           - XML External Entity Injection
           - XML Entity Expansion
           - XXE
-          - specifically crafted request
-          - specifically crafted conent
+          - crafted request
+          - crafted content
+          - crafted document
+          - crafted PDF
+          - crafted HTML

advisors/openssl-3.0-advisor/context/CTX_privilege-escalation.yaml → advisors/context/CTX_privilege-escalation.yaml

@@ -2,6 +2,7 @@ sets:
   - name: privilege escalation
     category: general threat
     score: 3.0
+    notes: An adversary may gain further privileges and gain unauthorized access to the system or services.
     min:
       - amount: 1
         keywords:

advisors/openssl-1.1-advisor/context/CTX_request-forgery.yaml → advisors/context/CTX_request-forgery.yaml

@@ -2,6 +2,7 @@ sets:
   - name: request forgery
     category: external threat
     score: 2.0
+    notes: An adversary may attempt to gain access to information and spoof a user.
     min:
       - amount: 1
         keywords:

advisors/openssl-3.0-advisor/context/CTX_resource-exemption.yaml → advisors/context/CTX_resource-exemption.yaml

@@ -1,6 +1,7 @@
 sets:
   - name: resource exemption
     category: external threat
+    notes: An adversary may attempt to exhaust resources of the system compromising performance objectives and availability.
     score: 1.0
     min:
       - amount: 1

advisors/keycloak-advisor/pom.xml

@@ -13,9 +13,11 @@
     <packaging>jar</packaging>
 
     <properties>
-        <input.inventory>${project.basedir}/inventory/ae-example-keycloak-25.0.0.xlsx</input.inventory>
+        <version.selector>24.0.5</version.selector>
 
-        <dashboard.title>Keycloak</dashboard.title>
+        <input.inventory>${project.basedir}/inventory/keycloak-extractor-inventory-${version.selector}.xlsx</input.inventory>
+
+        <dashboard.title>Keycloak ${version.selector}</dashboard.title>
         <dashboard.subtitle>Vulnerability Assessment Dashboard</dashboard.subtitle>
         <dashboard.footer>Demo Dashboard for Keycloak</dashboard.footer>
     </properties>
@@ -30,7 +32,7 @@
                 <groupId>org.metaeffekt.core</groupId>
                 <artifactId>ae-inventory-maven-plugin</artifactId>
             </plugin>
-            <!-- FIXME: fix plugins; remove configuration on project level -->
+            <!-- FIXME: fix plugins (do not apply on poms); remove configuration on project level -->
             <plugin>
                 <groupId>com.metaeffekt.artifact.analysis</groupId>
                 <artifactId>ae-inventory-enrichment-plugin</artifactId>

advisors/selected-component-advisor/context/CTX_external-attackers.yaml → advisors/keycloak-contextualized-advisor/context/CTX_external-attacker.yaml

@@ -2,6 +2,7 @@ sets:
   - name: external attacker
     category: external threat
     score: 3.0
+    notes: An adversary may attempt to attack the system from remote. The adversary may modify / reconfigure existing code or introduce code from remote.
     min:
       - amount: 1
         keywords:

advisors/example-advisor/context/CTX_information-disclosure.yaml → advisors/keycloak-contextualized-advisor/context/CTX_information-disclosure.yaml

@@ -2,6 +2,7 @@ sets:
   - name: information disclosure
     category: confidentiality threat
     score: 2.0
+    notes: Confidential or restricted information may be exposed to an adversary. The adversary gains unauthorized access.
     min:
       - amount: 1
         keywords:
@@ -10,10 +11,17 @@ sets:
           - leaking credential
           - leaked credential
           - leaked credentials
+          - leaking secret
+          - leaked secret
+          - leaked secrets
           - credential leak
           - credentials leak
-          - exposed credantial
+          - exposed credential
           - credential exposed
           - credentials exposed
           - readable by unauthorized
           - readable by unauthorised
+          - information leak
+          - privacy leak
+          - data leak
+          - data leakage

advisors/openssl-3.0-advisor/context/CTX_malicious-content.yaml → advisors/keycloak-contextualized-advisor/context/CTX_malicious-content.yaml

@@ -2,6 +2,7 @@ sets:
   - name: malicious content
     category: integrity threat
     score: 3.0
+    notes: An adversary may attempt to inject executable code or drafted messages to destabilize or compromise the system.
     min:
       - amount: 1
         keywords:
@@ -13,5 +14,8 @@ sets:
           - XML External Entity Injection
           - XML Entity Expansion
           - XXE
-          - specifically crafted request
-          - specifically crafted conent
+          - crafted request
+          - crafted content
+          - crafted document
+          - crafted PDF
+          - crafted HTML

advisors/openssl-1.1-advisor/context/CTX_privilege-escalation.yaml → advisors/keycloak-contextualized-advisor/context/CTX_privilege-escalation.yaml

@@ -2,6 +2,7 @@ sets:
   - name: privilege escalation
     category: general threat
     score: 3.0
+    notes: An adversary may gain further privileges and gain unauthorized access to the system or services.
     min:
       - amount: 1
         keywords:

advisors/openssl-3.0-advisor/context/CTX_request-forgery.yaml → advisors/keycloak-contextualized-advisor/context/CTX_request-forgery.yaml

@@ -2,6 +2,7 @@ sets:
   - name: request forgery
     category: external threat
     score: 2.0
+    notes: An adversary may attempt to gain access to information and spoof a user.
     min:
       - amount: 1
         keywords:

advisors/example-advisor/context/CTX_resource-exemption.yaml → advisors/keycloak-contextualized-advisor/context/CTX_resource-exemption.yaml

@@ -1,7 +1,7 @@
 sets:
   - name: resource exemption
     category: external threat
-    notes: The adversary may attempt to exhaust resources of the application service by injecting foreign log messages.
+    notes: An adversary may attempt to exhaust resources of the system compromising performance objectives and availability.
     score: 1.0
     min:
       - amount: 1

advisors/keycloak-contextualized-advisor/pom.xml

@@ -15,7 +15,7 @@
     <properties>
         <input.inventory>${project.basedir}/inventory/ae-example-keycloak-25.0.0.xlsx</input.inventory>
 
-        <dashboard.title>Keycloak</dashboard.title>
+        <dashboard.title>Keycloak 25.0.0</dashboard.title>
         <dashboard.subtitle>Vulnerability Assessment Dashboard</dashboard.subtitle>
         <dashboard.footer>Demo Dashboard for Keycloak</dashboard.footer>
     </properties>

advisors/openssl-1.1-advisor/assessment/README.md

@@ -1,8 +1,3 @@
 # Vulnerability Assessment
 
 The `assessment` folder container yaml files that contain context-specific assessment information.
-
-The example uses an assessment of CVE-2021-44228 (here as an applicable vulnerability) and CVE-2021-45046 as 
-vulnerability that is not applicable, because the affected MDC feature is not used in this context.
-
-The example is artifical and meant to illustrate the different options for vulnerability assessment.

advisors/openssl-3.0-advisor/assessment/README.md

@@ -1,8 +1,3 @@
 # Vulnerability Assessment
 
 The `assessment` folder container yaml files that contain context-specific assessment information.
-
-The example uses an assessment of CVE-2021-44228 (here as an applicable vulnerability) and CVE-2021-45046 as 
-vulnerability that is not applicable, because the affected MDC feature is not used in this context.
-
-The example is artifical and meant to illustrate the different options for vulnerability assessment.