diff --git a/website/docs/security-assurance-case.md b/website/docs/security-assurance-case.md index 789b139..5e16a49 100644 --- a/website/docs/security-assurance-case.md +++ b/website/docs/security-assurance-case.md @@ -55,28 +55,33 @@ The scope of these claims is the CLI itself. They do not extend to the security ## Trust boundaries -``` - ┌────────────────────────────────────────────────────────────┐ - │ Developer machine │ - │ │ - │ ┌──────────────┐ ┌─────────────┐ ┌─────────────┐ │ - │ │ Lockfile + │───>│ │<───│ Local │ │ - │ │ package.json │ │ CVE Lite │ │ advisory DB │ │ - │ └──────────────┘ │ CLI │ │ (offline) │ │ - │ │ │ └─────────────┘ │ - │ ┌──────────────┐ │ │ ┌─────────────┐ │ - │ │ CLI args │───>│ │<───│ OSV cache │ │ - │ └──────────────┘ │ │ │ (online) │ │ - │ └──────┬──────┘ └─────────────┘ │ - │ │ │ - │ ▼ │ - │ Stdout / report │ - └─────────────────────────┬────────────────────────────────-─┘ - │ (only outbound: hardcoded endpoints) - ┌──────────────┼──────────────┐ - ▼ ▼ ▼ - api.osv.dev storage.googleapis registry.npmjs.org - /osv-vulnerabilities +```mermaid +flowchart TB + subgraph dev["Developer machine"] + lockfile["Lockfile + package.json"] + args["CLI args"] + localdb["Local advisory DB (offline)"] + osvcache["OSV cache (online)"] + cli["CVE Lite CLI"] + output["Stdout / report"] + + lockfile --> cli + args --> cli + localdb --> cli + osvcache --> cli + cli --> output + end + + subgraph ext["External endpoints — outbound only, hardcoded"] + direction LR + osv["api.osv.dev"] + gcs["storage.googleapis.com/osv-vulnerabilities"] + npm["registry.npmjs.org"] + end + + cli --> osv + cli --> gcs + cli --> npm ``` **Boundaries and what crosses them:**
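Review bot: the new ```mermaid fence introduces a rendering dependency that the ASCII block it replaces did not have: the old figure rendered as preformatted text on any Markdown renderer, while a mermaid fence only becomes a diagram when the docs site has Mermaid enabled (if `website/docs` is a Docusaurus site, that means the `@docusaurus/theme-mermaid` theme plus the `markdown.mermaid` config flag); without it, readers of the assurance case see raw `flowchart TB` source where the trust-boundary figure used to be, so please confirm that is wired up, or keep the ASCII version alongside until it is. Separately, the three edges that actually cross the trust boundary (`cli --> osv`, `cli --> gcs`, `cli --> npm`) carry no labels, so the figure encodes only "outbound" and not what data leaves the developer machine; since the "Boundaries and what crosses them" list right below is the claim this figure is meant to support, consider edge labels such as `cli -->|"package names/versions"| osv` so the diagram and the list agree on what crosses.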