Executable test pack for payment terminal systems:

1. Semgrep rules (25 rules in 5 files):
   - Logging: sensitive data, tokens, debug flags
   - Crypto: MD5/SHA1/DES/ECB, hardcoded secrets, weak random, TLS
   - API: debug routes, exception leaks, IDOR, input validation
   - Config: test endpoints, CORS, cookies, retry
   - Data: telemetry, cache, export, queue, test data
2. CodeQL query specs (5 briefings):
   - Sensitive data → logs
   - Sensitive data → HTTP response
   - Tenant context loss
   - Sensitive data → telemetry
   - Cache/export leak
3. State-machine tests (10 test cases):
   - 11 states, 15 events, 8 invariants
   - Duplicate response, timeout + late success, decline
   - Invalid reversal, cancel, backend timeout
   - Parallel reversal, unknown response, reconnect
   - Late response after cancel
4. Finding schema (JSON Schema):
   - Uniform format for all engines
   - control_id, engine, status, confidence, evidence, verdict_text

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

# Payment Compliance Pack

Executable test pack for payment terminal systems.

## Contents

### Semgrep rules (25 rules)

| File | Rules | Controls |
|------|-------|----------|
| `payment_logging.yml` | 5 | LOG-001, LOG-002, LOG-014 |
| `payment_crypto.yml` | 6 | CRYPTO-001, CRYPTO-008, CRYPTO-009, KEYMGMT-001 |
| `payment_api.yml` | 5 | API-004, API-005, API-014, API-017 |
| `payment_config.yml` | 5 | CONFIG-001 to CONFIG-004 |
| `payment_data.yml` | 5 | DATA-004, DATA-005, DATA-013, TELEMETRY-001 |

The per-file counts in this table sum to 26, not the 25 stated in the heading and in the commit message; one of the two figures needs correcting.

### CodeQL specs (5 queries)

| File | Target | Controls |
|------|--------|----------|
| `sensitive-data-to-logs.md` | Data flow into loggers | LOG-001, LOG-002, DATA-013 |
| `sensitive-data-to-response.md` | Data flow into HTTP responses | API-009, ERROR-005 |
| `tenant-context-loss.md` | Loss of tenant context | TENANT-001, TENANT-002 |
| `sensitive-data-to-telemetry.md` | Data flow into telemetry | TELEMETRY-001, TELEMETRY-002 |
| `cache-export-leak.md` | Leaks via cache/export | DATA-004, DATA-011 |

### State-machine tests (10 test cases)

| File | Contents |
|------|----------|
| `terminal_states.md` | 11 states, 15 events, transitions |
| `terminal_invariants.md` | 8 invariants |
| `terminal_testcases.json` | 10 executable test cases |

### Finding schema

| File | Description |
|------|-------------|
| `finding.schema.json` | JSON Schema for findings from all engines: `control_id`, `engine`, `status`, `confidence`, `evidence`, `verdict_text` |

## Running

### Semgrep

```bash
semgrep --config payment-compliance-pack/semgrep/ /path/to/source
```

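The Semgrep run above emits machine-readable results when called with `--json` (optionally `-o findings.json`); converting those into the uniform finding format is what the finding schema exists for. The following is an added example and not code from the pack: it maps each Semgrep result to one finding per mapped control using the six field names listed in the README, routes results whose rule carries no control mapping to manual review instead of dropping them, redacts card-number-shaped digit runs from the evidence snippet so that a finding about PAN logging does not itself become a PAN leak, and checks the required fields. The status and confidence vocabularies, the `metadata.controls` rule key, the rule ids and the sample Semgrep result are assumptions; the real `finding.schema.json` is the authority on what a finding may contain.

```python
"""Normalise Semgrep --json output into the pack's uniform finding format.

Added example, not code from the compliance pack. The six field names come
from the README; everything else (status and confidence vocabularies, the
`metadata.controls` key read from each rule, the rule ids and the sample
Semgrep result) is assumed for illustration.
"""
import json
import re

REQUIRED = ("control_id", "engine", "status", "confidence", "evidence", "verdict_text")
STATUSES = {"open", "needs_review"}          # assumed vocabulary
CONFIDENCES = {"high", "medium", "low"}      # assumed vocabulary
SEVERITY_TO_CONFIDENCE = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}

# A finding about PAN leakage must not itself leak the PAN: mask everything
# except the first six and last four digits of any 13-19 digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{6})(\d{3,9})(\d{4})(?!\d)")


def redact_pan(text: str) -> str:
    return PAN_RE.sub(lambda m: m.group(1) + "*" * len(m.group(2)) + m.group(3), text)


def semgrep_to_findings(semgrep_json: str) -> list[dict]:
    """One finding per (result, control) pair. Results whose rule has no
    control mapping are kept and routed to manual review, not silently dropped."""
    findings = []
    for r in json.loads(semgrep_json).get("results", []):
        extra = r.get("extra", {})
        controls = extra.get("metadata", {}).get("controls") or ["UNMAPPED"]
        evidence = {
            "rule_id": r["check_id"],
            "path": r["path"],
            "line": r["start"]["line"],
            "snippet": redact_pan(extra.get("lines", "").strip()),
        }
        for control in controls:
            findings.append({
                "control_id": control,
                "engine": "semgrep",
                "status": "needs_review" if control == "UNMAPPED" else "open",
                "confidence": SEVERITY_TO_CONFIDENCE.get(extra.get("severity"), "low"),
                "evidence": evidence,
                "verdict_text": f"{r['check_id']}: {extra.get('message', '').strip()}",
            })
    return findings


def validate(finding: dict) -> list[str]:
    """Field-level check standing in for a jsonschema run against finding.schema.json.
    Returns the list of problems; an empty list means the finding conforms."""
    problems = [f"missing field {k}" for k in REQUIRED if k not in finding]
    if finding.get("status") not in STATUSES:
        problems.append(f"status {finding.get('status')!r} not allowed")
    if finding.get("confidence") not in CONFIDENCES:
        problems.append(f"confidence {finding.get('confidence')!r} not allowed")
    if not isinstance(finding.get("evidence"), dict) or "path" not in finding["evidence"]:
        problems.append("evidence must be an object carrying a path")
    return problems


# Constructed Semgrep result (not real scanner output); rule ids are hypothetical.
SAMPLE_SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "payment_logging.pan-to-logger", "path": "src/pos/auth.py",
     "start": {"line": 42}, "end": {"line": 42},
     "extra": {"message": "Card number reaches a logger", "severity": "ERROR",
               "lines": 'log.info("auth ok for 4111111111111111")',
               "metadata": {"controls": ["LOG-001", "DATA-013"]}}},
    {"check_id": "payment_crypto.md5-digest", "path": "src/pos/hash.py",
     "start": {"line": 7}, "end": {"line": 7},
     "extra": {"message": "MD5 used for integrity", "severity": "WARNING",
               "lines": "digest = hashlib.md5(payload).hexdigest()", "metadata": {}}},
]})

if __name__ == "__main__":
    for f in semgrep_to_findings(SAMPLE_SEMGREP_JSON):
        print(f["control_id"], f["status"], f["confidence"], validate(f) or "ok")
        print("   ", f["evidence"]["snippet"])
```

The redaction keeps the first six and last four digits, which is the usual display form for a PAN; if the pack's evidence rules are stricter, tighten `redact_pan` rather than the rule output, because Semgrep's `extra.lines` field always carries the matched source verbatim.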
### State-machine tests

The test cases in `terminal_testcases.json` each define:

- the initial state
- the event sequence
- the expected end state
- the invariants to check
- the mapped controls

They can be run against a terminal adapter or a simulator.

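As an added example (not the pack's own runner or state table): a runner that consumes test cases in the shape described above, drives a deliberately small terminal simulator, compares the end state with the expectation and then evaluates each named invariant over the recorded transaction history. The state names, event names, invariant ids, control id and the four constructed test cases are hypothetical and do not reproduce `terminal_states.md` or `terminal_invariants.md`. The simulator covers four of the listed scenarios (duplicate response, timeout plus late success, late response after cancel, unknown response) with the behaviour a terminal needs: duplicate host responses are idempotent, a late approval arriving after the terminal has already reported a failure ends in a reversal rather than a second outcome, and an unknown message leaves the state untouched but is recorded.

```python
"""Runner for test cases in the shape the README describes: initial state,
event sequence, expected end state, invariants to check, mapped controls.

Added example, not code from the compliance pack. The terminal simulator is a
deliberately small stand-in whose state names, event names, invariant ids and
control id are hypothetical; the pack's terminal_states.md (11 states,
15 events) and terminal_invariants.md (8 invariants) are not reproduced here.
"""
import json
from dataclasses import dataclass, field

# Hypothetical vocabulary (assumption, not the pack's).
IDLE, AUTH_PENDING, APPROVED, DECLINED = "IDLE", "AUTH_PENDING", "APPROVED", "DECLINED"
TIMED_OUT, CANCELLED = "TIMED_OUT", "CANCELLED"
REVERSAL_PENDING, REVERSED = "REVERSAL_PENDING", "REVERSED"
# States the merchant/cardholder is told about; a transaction may show only one.
OUTCOMES = {APPROVED, DECLINED, TIMED_OUT, CANCELLED}

TRANSITIONS = {
    (IDLE, "START_AUTH"): AUTH_PENDING,
    (AUTH_PENDING, "HOST_APPROVE"): APPROVED,
    (AUTH_PENDING, "HOST_DECLINE"): DECLINED,
    (AUTH_PENDING, "TIMEOUT"): TIMED_OUT,
    (AUTH_PENDING, "CANCEL"): CANCELLED,
    # Late approval after the terminal already reported a failure: the host
    # holds money the merchant never saw, so reverse instead of approving.
    (TIMED_OUT, "HOST_APPROVE"): REVERSAL_PENDING,
    (CANCELLED, "HOST_APPROVE"): REVERSAL_PENDING,
    (TIMED_OUT, "HOST_DECLINE"): TIMED_OUT,        # late decline changes nothing
    (APPROVED, "START_REVERSAL"): REVERSAL_PENDING,
    (REVERSAL_PENDING, "HOST_REVERSAL_OK"): REVERSED,
}


@dataclass
class Terminal:
    """Minimal simulator that records what the invariants need to inspect."""
    state: str = IDLE
    transitions: dict = field(default_factory=lambda: TRANSITIONS)
    history: list = field(default_factory=list)      # every state entered
    outcomes: list = field(default_factory=list)     # customer-facing outcomes shown
    seen_responses: set = field(default_factory=set)
    unexpected: list = field(default_factory=list)   # (state, event) with no transition
    late_approvals: int = 0

    def apply(self, event: dict) -> None:
        kind, rid = event["type"], event.get("response_id")
        if rid is not None:
            if rid in self.seen_responses:
                return                               # duplicate host response: idempotent
            self.seen_responses.add(rid)
        nxt = self.transitions.get((self.state, kind))
        if nxt is None:
            self.unexpected.append((self.state, kind))  # unknown message: inert but logged
            return
        if kind == "HOST_APPROVE" and self.state in (TIMED_OUT, CANCELLED):
            self.late_approvals += 1
        if nxt in OUTCOMES and nxt != self.state:
            self.outcomes.append(nxt)
        self.state = nxt
        self.history.append(nxt)


# Hypothetical invariant ids (assumption); each is a predicate over the terminal.
INVARIANTS = {
    "INV-1": lambda t: len(t.outcomes) <= 1,          # at most one outcome shown
    "INV-2": lambda t: not (APPROVED in t.history      # never approved once a
                            and {TIMED_OUT, CANCELLED} & set(t.history)),  # failure was shown
    "INV-3": lambda t: t.late_approvals == 0           # a late approval must
                       or t.state in (REVERSAL_PENDING, REVERSED),  # end in a reversal
}


def run_case(case: dict, transitions: dict = TRANSITIONS) -> dict:
    t = Terminal(state=case["initial_state"], transitions=transitions,
                 history=[case["initial_state"]])
    for ev in case["events"]:
        t.apply(ev)
    failed = [i for i in case["invariants"] if not INVARIANTS[i](t)]
    ok = t.state == case["expected_state"] and not failed
    return {"id": case["id"], "status": "pass" if ok else "fail", "end_state": t.state,
            "failed_invariants": failed, "unexpected_events": t.unexpected,
            "controls": case["controls"]}


def run_suite(cases_json: str, transitions: dict = TRANSITIONS) -> dict:
    """Run every case of a JSON document in the README's test-case shape."""
    return {r["id"]: r for r in (run_case(c, transitions) for c in json.loads(cases_json))}


# Constructed cases for four of the README's scenarios (hypothetical control id).
SAMPLE_CASES_JSON = json.dumps([
    {"id": "duplicate-response", "initial_state": IDLE,
     "events": [{"type": "START_AUTH"}, {"type": "HOST_APPROVE", "response_id": "r1"},
                {"type": "HOST_APPROVE", "response_id": "r1"}],
     "expected_state": APPROVED, "invariants": ["INV-1", "INV-2"], "controls": ["TERM-001"]},
    {"id": "timeout-late-success", "initial_state": IDLE,
     "events": [{"type": "START_AUTH"}, {"type": "TIMEOUT"},
                {"type": "HOST_APPROVE", "response_id": "r2"}],
     "expected_state": REVERSAL_PENDING, "invariants": ["INV-1", "INV-2", "INV-3"],
     "controls": ["TERM-001"]},
    {"id": "late-response-after-cancel", "initial_state": IDLE,
     "events": [{"type": "START_AUTH"}, {"type": "CANCEL"},
                {"type": "HOST_APPROVE", "response_id": "r3"}, {"type": "HOST_REVERSAL_OK"}],
     "expected_state": REVERSED, "invariants": ["INV-1", "INV-2", "INV-3"],
     "controls": ["TERM-001"]},
    {"id": "unknown-response", "initial_state": IDLE,
     "events": [{"type": "START_AUTH"}, {"type": "HOST_BOGUS", "response_id": "r4"}],
     "expected_state": AUTH_PENDING, "invariants": ["INV-1"], "controls": ["TERM-001"]},
])

if __name__ == "__main__":
    for r in run_suite(SAMPLE_CASES_JSON).values():
        print(f'{r["id"]:28} {r["status"]:4} {r["end_state"]:17} {r["failed_invariants"]}')
```

To run the same cases against a real terminal adapter, replace `Terminal` with an object exposing the same `apply`, `state`, `history`, `outcomes` and `late_approvals` surface; the test-case JSON and the invariant predicates stay unchanged. Passing a different `transitions` table is the quick way to confirm that the invariants actually catch a naive implementation, for example one that flips a timed-out transaction to approved on a late host response.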
## Prioritised rollout

1. **Wave 1:** the 25 Semgrep rules, productive immediately
2. **Wave 2:** the 5 CodeQL queries for data flows
3. **Wave 3:** the 10 state-machine tests against a terminal simulator
4. **Wave 4:** tender mapping (Requirement → Control → Finding → Verdict)