feat: Add missing OWASP categories to C rulesets
What
Some fixes and improvements to our OWASP rule categories. As discussed in slack we haven't standardized very closely for our owasp references. This adds OWASP categories to the C rulesets to bring them inline with our other rules and validates the format against our minimal json schema.
I originally tried scripting this but it required enough manual verification that it became easier to do so manually. Eventually I certainly think we want to rely on something like vulninfo
but since we don't yet, adding the missing ones felt like a simpler iteration.
Reviewer notes
Some of these were chosen manually and are likely debateable, happy to take feedback. I had to traverse the CWE ontologies a bit to find corresponding ones. For example, I'm mixed on the usage of A09 Using Components with Known Vulnerabilities
for obsolete components and would be happy to swap to A06 - Security Misconfiguration
depending on how reviewers feel.
I'd also really like to tighten up the schema regex, but it needs to stay loose until we either port the other categories to 2017, or just modify the format a bit (i.e. whitespace and leading zeros). This will also require a few updates, for example go/secrets/rule-secrets.yml
references A3: Broken Authentication and Session Management
which is a 2010 top10 category.
I'd also like us to swap to a many-to-one collection as we likely want to reference multiple categories here, but that's the same improvement we should likely make to CWEs via inclusion of a more fully-featured mapping library. Regardless, standardization feels like a good first step.
Why 2017?
We could probably use a more recent one but that's what we use within vulninfo so the above transition may be easier in the future.
Changelist
- feat: Add missing OWASP categories to C rulesets
- fix: standardize java/scala OWASP refs to 2017 Top10
- chore: Add schema validation for OWASP Top10 categories: Previously, field was unvalidated leading to a variety of formats