eclipse-tractusx / sig-security

Apache License 2.0

[Security Assessment] PURIS R24.03 #59

Closed tom-rm-meyer-ISST closed 6 months ago

tom-rm-meyer-ISST commented 7 months ago

Security Assessment Request for Eclipse Tractus-X

Component/Feature

PURIS (Business Application)

Reason

Preparational Assessment was for R23.12 (see PR)

Scope

Same as previously

Timeline

I won't be available between 2024-02-08 and 2024-02-15.

Meetings early in the morning, similar to last time, are fine (e.g. tomorrow or Wednesday at 7 o'clock, or Friday 2024-02-16 at 7.15 o'clock).

szymonkowalczykzf commented 7 months ago

Thanks for the notification, Tom. I will schedule a meeting for Friday 2024-02-16 at 7.15 o'clock.

Enjoy the holidays. Cheers ;)

szymonkowalczykzf commented 7 months ago

Data Flow Diagram PURIS

The diagram below was designed so that it can be pulled in together with the security assessment documentation created by Kristian.

I just wanted to let you know that I have finished the diagram. I will request a pull once Kristian's security assessment file has been merged into the repo.

Please feel free to review the diagram and let me know if I have to make any changes.

```mermaid
flowchart TD
    %% External actors and systems (out of scope for the assessment)
    A("Customer<br/>Human User")
    A2("PURIS Endpoint App<br/>Data Provider<br/>Out of Scope")
    A3("EDC<br/>Eclipse Dataspace Components Connector<br/>C-X Member<br/>Out of Scope")

    B("EDC<br/>Eclipse Dataspace Components Connector<br/>C-X Operator<br/>Out of Scope")

    %% PURIS frontend
    C("Vue User Interface")

    %% PURIS backend components
    D6("Master Data Controller<br/>Exposed for external systems based on API keys<br/>Out of Scope")
    D7("Product Measures Visualization<br/>Just visualization of the data<br/>Out of Scope - not yet developed")

    D("Stock View Controller")
    D2("EDC View Controller")
    D3("Data Request Controller")
    D4("Data Response Controller")
    D5[("PostgreSQL DB<br/>Main Database")]

    %% Data flows
    A -->|"Main functionality: view & manage stocks with business partners.<br/>Enter stock information manually.<br/>View the Supply Dashboard to check the supply situation between Partner & Customer<br/>for Partner and Supplier.<br/>HTTPS Protocol"| C
    A2 -->|"Providing customer data on stocks & supplies<br/>HTTPS Protocol"| A3

    C -->|"Read & Write access"| D
    C -->|"Read access"| D2

    A3 -->|"View Data<br/>Negotiate Contracts<br/>Initialize & Perform Data Transfers<br/>HTTPS Protocol"| B

    D -->|"Data Read & Write<br/>TCP9092"| D5
    D3 -->|"Data Read & Write<br/>TCP9092"| D5
    D4 -->|"Data Read & Write<br/>TCP9092"| D5

    D3 -->|"Forwarding Data Response<br/>HTTPS Protocol"| B

    B -->|"Forwarding Data Requests<br/>HTTPS Protocol"| D3
    B -->|"List catalog negotiations and transfers<br/>Read Access<br/>HTTPS Protocol"| D2

    B <-->|"Forwarding Data Response<br/>HTTPS Protocol"| D4

    %% Trust boundaries
    subgraph internet ["Internet Boundary"]
        A
        subgraph customer ["Customer Environment"]
            A2
            A3
        end
    end

    subgraph catenax ["Catena-X Environment"]
        B
        subgraph puris ["PURIS Product"]
            subgraph frontend ["PURIS Product - View Frontend"]
                C
            end
            subgraph backend ["PURIS Product - Java Backend"]
                D6
                D7
                D2
                D3
                D
                D5
                D4
            end
        end
    end
```

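The point of a data flow diagram in a security assessment is to make trust-boundary crossings explicit, since those are the flows that need authentication, transport protection and input validation. The following script, added here as an example and not part of the issue thread or of the PURIS project, transcribes the nodes, subgraph nesting and edges of the diagram above into tables and enumerates (1) every flow that crosses a boundary and which boundary lines it passes, (2) crossing flows the diagram does not mark as HTTPS, and (3) in-scope components that are reachable directly from out-of-scope nodes, i.e. the external attack surface. The node names are shortened, the `in_scope` flags are read off the "Out of Scope" labels, the DB flows are recorded as plain "TCP", flows without a protocol annotation on the diagram get `None`, and D7 (no edges) is left out; all of that is my transcription, not data from the project.

```python
"""Enumerate trust-boundary crossings in a DFD (added example, transcribed
from the PURIS flowchart in the issue above; not project code)."""
from dataclasses import dataclass

# Boundary tree from the subgraphs: boundary name -> enclosing boundary.
BOUNDARIES = {
    "Internet Boundary": None,
    "Customer Environment": "Internet Boundary",
    "Catena-X Environment": None,
    "PURIS Product": "Catena-X Environment",
    "PURIS View Frontend": "PURIS Product",
    "PURIS Java Backend": "PURIS Product",
}


@dataclass(frozen=True)
class Node:
    id: str
    name: str
    boundary: str          # innermost subgraph the node sits in
    in_scope: bool = True  # False where the diagram says "Out of Scope"


NODES = {n.id: n for n in [
    Node("A", "Customer (human user)", "Internet Boundary", in_scope=False),
    Node("A2", "PURIS endpoint app (data provider)", "Customer Environment", in_scope=False),
    Node("A3", "EDC connector (C-X member)", "Customer Environment", in_scope=False),
    Node("B", "EDC connector (C-X operator)", "Catena-X Environment", in_scope=False),
    Node("C", "Vue user interface", "PURIS View Frontend"),
    Node("D", "Stock View Controller", "PURIS Java Backend"),
    Node("D2", "EDC View Controller", "PURIS Java Backend"),
    Node("D3", "Data Request Controller", "PURIS Java Backend"),
    Node("D4", "Data Response Controller", "PURIS Java Backend"),
    Node("D5", "PostgreSQL DB", "PURIS Java Backend"),
    Node("D6", "Master Data Controller (API key)", "PURIS Java Backend", in_scope=False),
]}

# (source, target, protocol) for each edge of the diagram; None = not annotated.
# The bidirectional B <--> D4 edge is recorded as two directed flows.
EDGES = [
    ("A", "C", "HTTPS"), ("A2", "A3", "HTTPS"),
    ("C", "D", None), ("C", "D2", None),
    ("A3", "B", "HTTPS"),
    ("D", "D5", "TCP"), ("D3", "D5", "TCP"), ("D4", "D5", "TCP"),
    ("D3", "B", "HTTPS"), ("B", "D3", "HTTPS"), ("B", "D2", "HTTPS"),
    ("B", "D4", "HTTPS"), ("D4", "B", "HTTPS"),
]


def chain(boundary):
    """Boundaries enclosing `boundary`, innermost first, up to the root."""
    out = []
    while boundary is not None:
        out.append(boundary)
        boundary = BOUNDARIES[boundary]
    return out


def crossed_boundaries(src_id, dst_id):
    """Boundary lines a flow src -> dst must pass: the symmetric difference of
    the two enclosure chains (boundaries exited plus boundaries entered)."""
    return set(chain(NODES[src_id].boundary)) ^ set(chain(NODES[dst_id].boundary))


def boundary_crossings():
    """Flows that cross at least one trust boundary, with the boundaries crossed."""
    return [(s, d, p, crossed_boundaries(s, d))
            for s, d, p in EDGES if crossed_boundaries(s, d)]


def unprotected_crossings():
    """Boundary-crossing flows whose transport the diagram does not mark as HTTPS."""
    return [(s, d, p) for s, d, p, _ in boundary_crossings() if p != "HTTPS"]


def external_entry_points():
    """In-scope components that receive a flow directly from an out-of-scope node:
    the externally reachable surface the assessment has to cover."""
    return sorted({d for s, d, _ in EDGES
                   if not NODES[s].in_scope and NODES[d].in_scope})


if __name__ == "__main__":
    for s, d, p, crossed in boundary_crossings():
        print(f"{NODES[s].name} -> {NODES[d].name} [{p or 'unspecified'}] "
              f"crosses {sorted(crossed)}")
    print("crossings without HTTPS annotation:", unprotected_crossings())
    print("external entry points:", external_entry_points())
```

Running it reports nine boundary-crossing flows; the two browser-to-backend flows (C to D and C to D2) cross the frontend/backend boundary without any protocol annotation on the diagram, and the entry points reachable from out-of-scope nodes are the Vue UI and the three EDC-facing controllers. The database flows stay inside the Java Backend boundary, so they are not reported as crossings.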
szymonkowalczykzf commented 6 months ago

Assessment completed and documented in the GitHub Repo for PURIS Product. Closing the task.