The Data model

The Finite State Product Security Data Model

Finite State is a product security platform that helps organizations identify and mitigate risks in their supply chain. The Finite State platform is built on a data model that represents the DevSecOps lifecycle and the relationships between the entities in that lifecycle. The data model is designed to be flexible and extensible: it can represent Product Security across multiple Business Lines and supports any DevSecOps lifecycle.

  • Organization
    • This is the highest level of the data model and represents an individual customer instance. Each customer belongs to one Organization.
  • Business Units (aka Groups)
    • This is the second level of the data model and represents a business unit within an Organization. Each Organization can have multiple Business Units.
  • Products
    • A Product is a software or hardware product that is being developed by a Business Unit. Each Business Unit can have multiple Products. A Product's children are Components, each of which is either a Sub-Product (forming a hierarchy for complex Products or Solutions) or an Artifact.
  • Artifacts / Assets
    • Individual software components that may come from any stage in the DevSecOps lifecycle. From the Code stage this may be a software repository (such as a GitHub repo); from the Build stage it may be a Firmware Image or a File System Image.
  • Asset Versions / Artifacts
    • Each Asset can have multiple versions. Each version is a unique build that can be identified by a version number, commit hash, or other identifier that is unique to the Artifact.
  • Findings
    • Findings include any security or compliance issues that are found in the DevSecOps lifecycle. They can come from any stage in the lifecycle and are added to ArtifactVersions based on Scan Results from various security tools. Findings can be investigated and resolved using VEX statuses, and support justification information and comments. Findings can also be created manually.
  • Test (aka Scanner)
    • A tool (usually a security tool), such as a Source Code SCA tool, a Source Code SAST tool, or Binary SCA / SAST tools, that is used to scan an ArtifactVersion and generate Scan Results.
  • Test Results
    • Usually the output file generated by running a Scanner on an Artifact. Scan Results can be uploaded for an Artifact Version, and Findings are extracted from the Scan Results.
    • Finite State supports more than 100 different security and compliance tools. Finite State adds support for custom formats and new tools, and can generally support any tool that generates a JSON, XML, or CSV output file.
    • Scan Results may also be added based on an API integration with a tool.
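The Product / Artifact / Asset Version / Finding hierarchy and the VEX-based resolution described above, as an added illustrative model in Python. This is not Finite State's own code or API: the class and field names, the VEX status values (taken from the VEX specification, since the page does not list them), the rule that `not_affected` needs a justification, and the sample scan output are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Standard VEX statuses (assumption: the page names VEX but does not list the values).
VEX_STATUSES = {"under_investigation", "affected", "not_affected", "fixed"}

@dataclass
class Finding:
    finding_id: str
    vex_status: str = "under_investigation"
    justification: Optional[str] = None

@dataclass
class Artifact:  # an asset from any DevSecOps stage: a repo, a firmware image, ...
    name: str
    # key = Asset Version id (version number or commit hash), value = its Findings
    versions: Dict[str, List[Finding]] = field(default_factory=dict)
@dataclass
class Product:  # children are Sub-Products (a hierarchy) or Artifacts
    name: str
    sub_products: List["Product"] = field(default_factory=list)
    artifacts: List[Artifact] = field(default_factory=list)

def ingest_scan_results(artifact: Artifact, version: str, scanner: str, results: List[dict]) -> int:
    """Extract Findings from scanner output (JSON-style dicts) into one Asset Version; ids are
    prefixed with the scanner name so two tools reporting the same id do not collide."""
    findings = artifact.versions.setdefault(version, [])
    findings.extend(Finding(f"{scanner}:{r['id']}") for r in results)
    return len(findings)
def set_vex_status(f: Finding, status: str, justification: Optional[str] = None) -> None:
    """Resolve a Finding; 'not_affected' must carry a justification (VEX convention)."""
    if status not in VEX_STATUSES:
        raise ValueError(f"unknown VEX status: {status}")
    if status == "not_affected" and not justification:
        raise ValueError("not_affected requires a justification")
    f.vex_status, f.justification = status, justification
def open_findings(product: Product) -> List[Finding]:
    """Recurse through Sub-Products and Artifacts, returning findings not yet resolved."""
    found = [f for a in product.artifacts for fs in a.versions.values()
             for f in fs if f.vex_status not in ("not_affected", "fixed")]
    for sub in product.sub_products:
        found.extend(open_findings(sub))
    return found
def build_sample() -> Product:  # constructed sample data, not real scanner output
    fw = Artifact("router-firmware.bin")
    ingest_scan_results(fw, "1.2.0", "binary-sca", [{"id": "CVE-EXAMPLE-0001"}, {"id": "CVE-EXAMPLE-0002"}])
    set_vex_status(fw.versions["1.2.0"][1], "not_affected", "vulnerable code not present")
    repo = Artifact("gateway-web repo")
    ingest_scan_results(repo, "a1b2c3d", "source-sast", [{"id": "SAST-7"}])
    return Product("Gateway", sub_products=[Product("Firmware", artifacts=[fw])], artifacts=[repo])
```

Calling `open_findings(build_sample())` walks the Gateway Product and its Firmware Sub-Product and returns only the two findings that still need action; the one marked `not_affected` with a justification is excluded.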