### Quantitative Security Assessment Service
The Quantitative Security Assessment web service allows the user to evaluate the internal security level of software applications written in Java, C, and C++. This is done through a dedicated API exposed by the RESTful web server, which is in practice a single HTTP GET request. Several inputs have to be supplied as parameters of this request; they are listed below:
| Parameter | Description | Required | Valid Inputs |
|:----------:|:------------|:--------:|:-------------|
| project | The URL of the software project that should be analyzed. | Yes | Any valid URL that points to an existing online Git repository (e.g., GitHub, GitLab, Bitbucket). |
| language | The programming language of the software project that needs to be analyzed. | Yes | One of the following string values:<br/>"java" if the selected software project is written in Java;<br/>"cpp" if the selected software project is written in C/C++.<br/>Default value is "java". |
| inspection | Whether the service returns the detailed results of the analysis or not. | No | One of the following string values: "yes", "no".<br/>Default value is "no". |
It should be noted that if the selected software project is private (i.e., proprietary), the user's credentials have to be attached to the submitted request in the form of a Basic Authentication header. To keep those credentials confidential, HTTPS is used for private projects.
The output of the Quantitative Security Assessment web service is a JSON file containing the security assessment report, which includes the security index, the security scores of the model's properties and characteristics, and the detailed static analysis results (provided that the user set the "inspection" parameter to "yes"). The inspection parameter is useful because it lets the user choose the level of detail of the produced report according to their needs. Full reports are usually very long, especially for large projects, since they contain the raw results, which are long lists of static analysis alerts. By setting this parameter to "no", only the security index and the scores of the model's properties and characteristics are returned, which yields a much more lightweight security assessment report.
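The request described above, as an added client-side example that is not part of the toolbox's own code: it validates the three parameters, attaches Basic Authentication credentials for a private repository, and refuses to send them unless the server URL is HTTPS, as the page requires. The server base URL, the endpoint path and the repository URL are placeholders, not values taken from the page.

```python
import base64
from urllib.parse import urlencode, urlsplit

# ASSUMPTION (placeholder): the page does not state the server address or
# the endpoint path of the Quantitative Security Assessment service.
DEFAULT_BASE_URL = "https://toolbox.example.invalid/api/security-assessment"

VALID_LANGUAGES = ("java", "cpp")   # values listed in the parameter table
VALID_INSPECTION = ("yes", "no")


def build_assessment_request(project, language="java", inspection="no",
                             credentials=None, base_url=DEFAULT_BASE_URL):
    """Return (url, headers) for the service's HTTP GET request.

    credentials: optional (user, password) pair for a private Git
    repository. They are sent as a Basic Authentication header, so the
    request is refused when the server URL is not HTTPS: Basic Auth is
    only base64, and plain HTTP would expose the password on the wire.
    """
    if language not in VALID_LANGUAGES:
        raise ValueError(f"language must be one of {VALID_LANGUAGES}")
    if inspection not in VALID_INSPECTION:
        raise ValueError(f"inspection must be one of {VALID_INSPECTION}")
    repo = urlsplit(project)
    if repo.scheme not in ("http", "https") or not repo.netloc:
        raise ValueError("project must be an absolute URL of a Git repository")

    headers = {"Accept": "application/json"}
    if credentials is not None:
        if urlsplit(base_url).scheme != "https":
            raise ValueError("credentials may only be sent over HTTPS")
        user, password = credentials
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"

    # urlencode percent-encodes the repository URL so it survives as one
    # query value (e.g. "https://" becomes "https%3A%2F%2F").
    query = urlencode({"project": project, "language": language,
                       "inspection": inspection})
    return f"{base_url}?{query}", headers


if __name__ == "__main__":
    # Constructed sample values; the repository is a placeholder.
    url, hdrs = build_assessment_request(
        "https://github.com/example-org/hello-world", inspection="yes")
    print(url, hdrs)
```

Pass the returned URL and headers to any HTTP client (curl, requests, urllib) to issue the GET; the JSON body that comes back is the assessment report described above.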
For better understanding, an example is presented in the following, demonstrating how the Quantitative Security Assessment web service can be invoked through a curl command to assess the security of a software project. In the given example, a simple HelloWorld Java project that is available on GitHub is used.