hindsightsoftware · michaelcychan · Jun 5, 2024 · Jun 4, 2024 · Jun 4, 2024 · Jun 5, 2024
diff --git a/.coauthor/config.yaml b/.coauthor/config.yaml
@@ -0,0 +1,66 @@
+Company: michaelcychan-org
+Application: Example SaMD
+ProductDescription: |
+  This is an example application for Coauthor Demo.
+  Coauthor is your Compliance Assist . Coauthor continually monitors your Software Development tools (GitHub) and technical file for compliance issues against IEC 62304 and highlights them in real-time to the software development team or QA/RA manager.
+Market:
+  - EU
+  - UK
+SoftwareClassification:
+  Questions:
+    HazardousSituationPossible: false
+  SafetyClass: A
+  Rationale: |
+    This is a class A rationale
+    This is a class A rationale
+TestingTools:
+  SystemTesting:
+    - Cucumber
+  SecurityTesting:
+    - ZAP
+  CompatabilityTesting:
+    - BrowserStack
+Roles:
+  # Please add/change GitHub usernames to the following roles
+  Management:
+    Lead: michaelcychan
+    Members:
+      - michaelcychan
+  SWDevelopment:
+    Lead: michaelcychan
+    Members:
+      - michaelcychan
+  Clinical:
+    Lead: michaelcychan
+    Members:
+      - michaelcychan
+  QARA:
+    Lead: michaelcychan
+    Members:
+      - michaelcychan
+SDLC:
+  IssueTracking:
+    Provider: "GitHub"
+    TrackingProjectLink: replace-me-with-bug-tracking-project-link
+  BranchingStrategy: "Feature Branching"
+  CommitMessageFormat: "Conventional Commits"
+  Methodology: "SCRUM"
+  IterationLength: 2
+Security:
+  CommitSigning: false
+  PenetrationTesting:
+    Required: true
+    Frequency: "Quarterly"
+  SAST:
+    Tools:
+      - "SonarQube"
+      - "Checkmarx"
+    Frequency: "Every Build"
+  SBOM:
+    GenerationTools:
+      - "WhiteSource"
+      - "BlackDuck"
+    MonitoringTools:
+      - "WhiteSource"
+      - "BlackDuck"
+    Frequency: "Every Build"
diff --git a/.coauthor/risk/risk-register.csv b/.coauthor/risk/risk-register.csv
@@ -0,0 +1,2 @@
+Risk ID,Software Component,Sequence of events/Failure/Use error,Hazardous situation,Potential Harm to the user/patient,Probability of hazard occurring (P1),Probability of harm occurring (P2),Severity,Overall risk score,Risk Control to be implemented
+1,Core Module,This is what may happen,The application stops when core module breaks,it affects the user,Improbable,Improbable,Minor,Low,Inform User
diff --git a/.coauthor/risk/risk.yaml b/.coauthor/risk/risk.yaml
@@ -0,0 +1,89 @@
+Probability:
+  - Class: Frequent
+    SemiQuantitative: "> 1 in 1000"
+    Interpretation: Certain or almost certain; highly likely to occur
+  - Class: Probable
+    SemiQuantitative: "1 in 1000 to 1 in 10000"
+    Interpretation: Not certain but very possible; reasonably expected to occur in the majority of cases
+  - Class: Occasional
+    SemiQuantitative: "1 in 10,000 to 1 in 100,000"
+    Interpretation: Possible
+  - Class: Remote
+    SemiQuantitative: "1 in 100,000 to 1 in 1,000,000"
+    Interpretation: Could occur but in the majority of occasions will not
+  - Class: Improbable
+    SemiQuantitative: "< 1 in 1,000,000"
+    Interpretation: Negligible or nearly negligible possibility of occurring
+Severity:
+  - Class: Catastrophic
+    EndUserImpact: |
+      Severe impact to the confidentiality, availability or integrity of data, impacting multiple companies, groups, entities, systems or individuals
+    SecurityImpact: |
+      Death of multiple patients.
+      Permanent life-changing incapacity and any condition for which the prognosis is death or permanent life-changing incapacity; severe injury or severe incapacity from which recovery is not expected in the short term for multiple patients.
+  - Class: Major
+    EndUserImpact: |
+      Major impact to the confidentiality, availability or integrity of data, impacting multiple companies, groups, entities, systems or individuals; OR severe impact to one individual.
+    SecurityImpact: |
+      Death of a single patient.
+      Permanent life-changing incapacity and any condition for which the prognosis is death or permanent life-changing incapacity; severe injury or severe incapacity from which recovery is not expected in the short term for a single patient.
+      Severe injury or severe incapacity from which recovery is expected in the short term for multiple patients.
+      Severe psychological trauma for multiple patients.
+  - Class: Considerable
+    EndUserImpact: |
+      Moderate impact to the confidentiality, availability or integrity of data, impacting multiple individuals/groups of individuals/companies; OR moderate to major impact to an individual.
+    SecurityImpact: |
+      Severe injury or severe incapacity from which recovery is expected in the short term for a single patient.
+      Severe psychological trauma for a single patient.
+      Minor injury or injuries from which recovery is not expected in the short term for multiple patients.
+      Significant psychological trauma for multiple patients.
+  - Class: Minor
+    EndUserImpact: |
+      Very low impact to the confidentiality, availability or integrity of data, impacting multiple individuals/groups of individuals/companies; OR very low to low impact to an individual.
+    SecurityImpact: |
+      Minor injury from which recovery is expected in the short term for a single patient.
+      Minor psychological upset; inconvenience; any negligible severity for a single patient.
+RiskScore:
+  High:
+    - Probability: Frequent
+      Severity: Catastrophic
+    - Probability: Frequent
+      Severity: Major
+    - Probability: Frequent
+      Severity: Considerable
+    - Probability: Probable
+      Severity: Catastrophic
+    - Probability: Probable
+      Severity: Major
+    - Probability: Probable
+      Severity: Considerable
+    - Probability: Occasional
+      Severity: Catastrophic
+    - Probability: Occasional
+      Severity: Major
+    - Probability: Remote
+      Severity: Catastrophic
+  Medium:
+    - Probability: Occasional
+      Severity: Considerable
+    - Probability: Remote
+      Severity: Major
+    - Probability: Improbable
+      Severity: Catastrophic
+    - Probability: Improbable
+      Severity: Major
+  Low:
+    - Probability: Frequent
+      Severity: Minor
+    - Probability: Probable
+      Severity: Minor
+    - Probability: Occasional
+      Severity: Minor
+    - Probability: Remote
+      Severity: Considerable
+    - Probability: Remote
+      Severity: Minor
+    - Probability: Improbable
+      Severity: Considerable
+    - Probability: Improbable
+      Severity: Minor
diff --git a/.github/workflows/ios.yml b/.github/workflows/ios.yml
@@ -1,19 +1,72 @@
 name: iOS Cucumberworkflow
 
-on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
+on: [push]
+
+permissions:
+  id-token: write
+  contents: read
 
 jobs:
+  upload-reports:
+    name: Upload verification reports
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.ACTION_TOKEN }}
+      - name: Print out variables
+        run: |
+          pwd
+          echo "${{ github.workspace }}"
+          echo "${{ github.repository }}"
+          echo "${{ github.event.pull_request.head.ref }}"
+          echo "${{ github.event.pull_request.head.sha }}"
+      - name: Set paths
+        id: set_paths
+        run: |
+          path_system="${{ github.repository }}/${{ github.event.pull_request.head.ref }}/${{ github.event.pull_request.head.sha }}/system"
+          path_item="${{ github.repository }}/${{ github.event.pull_request.head.ref }}/${{ github.event.pull_request.head.sha }}/item"
+          echo "path_system=$path_system" >> $GITHUB_ENV
+          echo "path_item=$path_item" >> $GITHUB_ENV
+      - name: Create Dummy Verification Test Files
+        run: |
+          mkdir -p "$path_system"  # Create the directory structure
+          mkdir -p "$path_item"  # Create the directory structure
+          echo '{"owner": '${{ github.repository_owner }}', "repository": '${{ github.repository }}', "branch": '${{ github.event.pull_request.head.ref }}', "sha": '${{ github.event.pull_request.head.sha }}', "verification": "system", "timestamp": '$(date +%s)'}' > "$path_system/cucumber-messages.ndjson"
+          echo '{"owner": '${{ github.repository_owner }}', "repository": '${{ github.repository }}', "branch": '${{ github.event.pull_request.head.ref }}', "sha": '${{ github.event.pull_request.head.sha }}', "verification": "item", "timestamp": '$(date +%s)'}' > "$path_item/cucumber-messages.ndjson"
+          echo "File created at: $path_system/cucumber-messages.ndjson"
+          echo "File created at: $path_item/cucumber-messages.ndjson"
+        env:
+          path_system: ${{ env.path_system }}
+          path_item: ${{ env.path_item}}
+      - name: Upload System Verificaiton
+        id: upload-system-ver
+        uses: coauthor-app/[email protected]
+        with:
+          evidence: 'system-verification'
+          type: 'bdd'
+          format: 'cucumber+ndjson'
+          hostname: 'nll3vb6d1l.execute-api.eu-west-2.amazonaws.com'
+          path: '${{ env.path_system }}/**'
+      - name: Upload Item Verificaiton
+        id: upload-item-ver
+        uses: coauthor-app/[email protected]
+        with:
+          evidence: 'item-verification'
+          type: 'bdd'
+          format: 'cucumber+ndjson'
+          hostname: 'nll3vb6d1l.execute-api.eu-west-2.amazonaws.com'
+          path: '${{ env.path_item }}/**'
   build:
     name: Build and Test default scheme using any available iPhone simulator
     runs-on: macos-latest
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+
       - name: Set Default Scheme
         run: |
           scheme_list=$(xcodebuild -list -json | tr -d "\n")
@@ -44,7 +97,6 @@ jobs:
           if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
           file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
           xcodebuild test-without-building -scheme "$scheme" -"$filetype_parameter" "$file_to_build" -destination "platform=$platform,name=$device"
-
           # Retrieve TARGETNAME dynamically
           TARGETNAME=$(xcodebuild -list | grep -A 1 "Targets:" | tail -n 1 | awk '{$1=$1;print}')
           echo "TARGETNAME=$TARGETNAME"
@@ -58,3 +110,8 @@ jobs:
         with:
          name: cucumber-test-results
          path: ${{ steps.run-tests.outputs.report_file }}
+
+    # - name: Anchore SBOM Action
+    #   uses: anchore/[email protected]
+    #   with: 
+    #     path: ./build/
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Risk ID,Software Component,Sequence of events/Failure/Use error,Hazardous situation,Potential Harm to the user/patient,Probability of hazard occurring (P1),Probability of harm occurring (P2),Severity,Overall risk score,Risk Control to be implemented
		1,Core Module,This is what may happen,The application stops when core module breaks,it affects the user,Improbable,Improbable,Minor,Low,Inform User