Document a standardized OWASP category in the vulnerability identifiers array
In order to show OWASP information on the security dashboard #8503, vulnerabilities will need to be mapped to an OWASP category.
The common report format already has an identifiers array on each vulnerability. A format for OWASP mapping should be added to the documentation. This would eventually allow the dashboard to manage vulnerabilities by OWASP score.
Proposal:
In the identifiers node:

    "identifiers": [
      {
        "type": "owasptop10",
        "name": "A1:2017-Injection",
        "value": "A1:2017-Injection",
        "url": "https://www.owasp.org/index.php/Top_10-2017_A1-Injection"
      }
    ]
Next Steps:
- Agree to this format
- Add examples to any Secure documentation that references the common vulnerability format.
- Create implementation issue(s).

Notes:
- Do we need to add this new identifier to type_identifier? i.e.: ignore these identifiers for deduplication.
- Do we need to add this new identifier to
After this format is agreed upon, we can show the Top 10 on the dashboard; however, most vulnerabilities will be unclassified until each scanner is updated with the categorization. A follow-on issue will have to be created for each analyzer to update its categorization.
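As an added illustration (not GitLab's own code) of how a consumer would use the proposed identifier type, the snippet below reads a constructed sample report, buckets each finding by its owasptop10 identifier with an explicit "unclassified" fallback for scanners that have not been updated yet, and builds a deduplication key that ignores owasptop10 identifiers as the note above suggests. The report layout (a vulnerabilities list with an identifiers array per entry), the cwe identifiers in the sample and the dedup-key construction are assumptions for the example.

```python
"""Consuming the proposed "owasptop10" identifier type.

Added example, not GitLab's own code: it assumes a report with a
"vulnerabilities" list whose entries carry an "identifiers" array, and the
proposed identifier type name "owasptop10".
"""
from collections import Counter
import hashlib
import json

OWASP_IDENTIFIER_TYPE = "owasptop10"  # proposed type value from the issue
UNCLASSIFIED = "unclassified"
# Identifier types that must not influence deduplication (assumption that
# follows the "ignore these identifiers for deduplication" note).
DEDUP_IGNORED_TYPES = {OWASP_IDENTIFIER_TYPE}

# Constructed sample report: v1 carries the proposed OWASP identifier, v2 is
# the same CWE from a scanner that has not been updated, v3 is unrelated.
SAMPLE_REPORT = json.loads("""
{
  "vulnerabilities": [
    {
      "id": "v1",
      "identifiers": [
        {"type": "cwe", "name": "CWE-89", "value": "89",
         "url": "https://cwe.mitre.org/data/definitions/89.html"},
        {"type": "owasptop10", "name": "A1:2017-Injection",
         "value": "A1:2017-Injection",
         "url": "https://www.owasp.org/index.php/Top_10-2017_A1-Injection"}
      ]
    },
    {
      "id": "v2",
      "identifiers": [
        {"type": "cwe", "name": "CWE-89", "value": "89",
         "url": "https://cwe.mitre.org/data/definitions/89.html"}
      ]
    },
    {
      "id": "v3",
      "identifiers": [
        {"type": "cwe", "name": "CWE-79", "value": "79",
         "url": "https://cwe.mitre.org/data/definitions/79.html"}
      ]
    }
  ]
}
""")


def owasp_category(vulnerability):
    """Return the OWASP Top 10 category of a finding, or UNCLASSIFIED.

    The first identifier of the proposed type wins; findings whose scanner
    does not emit it yet land in the unclassified bucket.
    """
    for ident in vulnerability.get("identifiers", []):
        if ident.get("type") == OWASP_IDENTIFIER_TYPE and ident.get("value"):
            return ident["value"]
    return UNCLASSIFIED


def count_by_owasp_category(report):
    """Count findings per OWASP category, as a dashboard widget would."""
    return Counter(owasp_category(v) for v in report.get("vulnerabilities", []))


def dedup_key(vulnerability):
    """Hash the sorted type:value pairs of a finding, skipping ignored types.

    Two findings that differ only in whether an OWASP identifier is present
    (one scanner updated, one not) collapse to the same key.
    """
    parts = sorted(
        f"{i['type']}:{i['value']}"
        for i in vulnerability.get("identifiers", [])
        if i.get("type") not in DEDUP_IGNORED_TYPES
    )
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    print(dict(count_by_owasp_category(SAMPLE_REPORT)))
    vulns = SAMPLE_REPORT["vulnerabilities"]
    print("v1 and v2 deduplicate:", dedup_key(vulns[0]) == dedup_key(vulns[1]))
```

Running the script on the sample shows one finding under A1:2017-Injection and two unclassified, and v1/v2 sharing a dedup key even though only v1 carries the OWASP identifier.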
Edited by Thiago Figueiró