OWASP / OpenCRE

https://opencre.org
Creative Commons Zero v1.0 Universal

add SKF data #145

Open northdpole opened 2 years ago

northdpole commented 2 years ago

Issue

What is the issue?

SKF has a knowledge base and code examples; we could add the relevant SKF knowledge base items (MASVS, ASVS and custom descriptions) to CRE. Let's do this.

northdpole commented 2 years ago

Lab items: the "LabItem" thing here https://github.com/blabla1337/skf-flask/blob/main/skf/initial_data.py
Knowledge base items: ChecklistKB

Code examples are the md files here https://github.com/blabla1337/skf-flask/blob/main/skf/markdown/code_examples/web/django-needs-reviewing/11-code_example--X_XSS_Protection_header--.md

and knowledge base items are the md files here https://github.com/blabla1337/skf-flask/blob/main/skf/markdown/knowledge_base/web/10002-knowledge_base--XSS_injection--.md

robvanderveer commented 2 years ago

As the SKF knowledge base and code examples are standards, just like ASVS is a standard, the procedure for adding these resources is to 1. add the proper CRE links to the source documents and then 2. let the parser automatically add the mapping data. This is the only approach that is maintainable and therefore sustainable AND it is instantly reciprocal: the standard contains a link to the CRE, doing a service to the readers of the standard, plus the CRE will contain the link to the SKF resource. In other words: the tactic now should try to avoid adding mapping data to the mapping specs - unless we are still far away from convincing the standard to add links to the CRE.
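An added illustration of the "links in the source, parser does the mapping" procedure discussed above. This is example code written for this page, not OpenCRE's or SKF's own parser. It assumes a link format of `https://www.opencre.org/cre/NNN-NNN` for a CRE reference embedded in an SKF markdown item, derives the SKF section name from the file naming scheme visible in the links above (`10002-knowledge_base--XSS_injection--.md`, `11-code_example--X_XSS_Protection_header--.md`), and runs on constructed sample files with placeholder CRE ids. It also reports SKF items that carry no CRE link yet, which is the list a maintainer would need to work through before the mapping is complete.

```python
import re
from dataclasses import dataclass

# File naming seen in the SKF repo links in this thread:
#   10002-knowledge_base--XSS_injection--.md
#   11-code_example--X_XSS_Protection_header--.md
SKF_FILENAME_RE = re.compile(
    r"^(?P<num>\d+)-(?P<kind>knowledge_base|code_example)--(?P<title>.+?)--\.md$"
)

# ASSUMED link format for a CRE reference embedded in a standard's source text.
# The NNN-NNN id shape is an assumption for this example.
CRE_LINK_RE = re.compile(r"https?://(?:www\.)?opencre\.org/cre/(?P<id>\d{3}-\d{3})")


@dataclass(frozen=True)
class Mapping:
    standard: str    # always "SKF" here
    section: str     # e.g. "knowledge_base/XSS_injection"
    section_id: str  # SKF's own item number, e.g. "10002"
    cre_id: str      # e.g. "111-222" (placeholder in the samples below)


def parse_skf_filename(filename: str):
    """Return (kind, num, title) for an SKF item filename, or None if it is not one."""
    m = SKF_FILENAME_RE.match(filename)
    if not m:
        return None
    return m.group("kind"), m.group("num"), m.group("title")


def extract_mappings(files: dict) -> list:
    """files: {filename: markdown text}. One Mapping per distinct (file, CRE id) found.

    Files that do not follow the SKF naming scheme are ignored even if they
    contain CRE links, so stray READMEs never become mapping entries.
    """
    mappings = []
    for filename, text in sorted(files.items()):
        parsed = parse_skf_filename(filename)
        if parsed is None:
            continue
        kind, num, title = parsed
        seen = set()
        for m in CRE_LINK_RE.finditer(text):
            cre_id = m.group("id")
            if cre_id in seen:  # same link repeated in one file maps once
                continue
            seen.add(cre_id)
            mappings.append(Mapping("SKF", f"{kind}/{title}", num, cre_id))
    return mappings


def unmapped_items(files: dict) -> list:
    """SKF items that still carry no CRE link: the maintainer's to-do list."""
    return [
        name for name in sorted(files)
        if parse_skf_filename(name) is not None and not CRE_LINK_RE.search(files[name])
    ]


def by_cre(mappings: list) -> dict:
    """The reciprocal view: CRE id -> SKF sections, i.e. what the CRE page links back to."""
    index = {}
    for m in mappings:
        index.setdefault(m.cre_id, []).append(m.section)
    return index


# Constructed sample input (not real SKF content; CRE ids are placeholders).
SAMPLE_FILES = {
    "10002-knowledge_base--XSS_injection--.md":
        "# XSS injection\n\nSome description.\n\n"
        "Related CRE: https://www.opencre.org/cre/111-222 and https://www.opencre.org/cre/333-444\n",
    "11-code_example--X_XSS_Protection_header--.md":
        "# X-XSS-Protection header\n\nSee https://www.opencre.org/cre/111-222\n"
        "See https://www.opencre.org/cre/111-222 (same link repeated)\n",
    "10003-knowledge_base--CSRF--.md":
        "# CSRF\n\nNo CRE link added yet.\n",
    "README.md":
        "Not an SKF item; https://www.opencre.org/cre/999-999 here must be ignored.\n",
}

if __name__ == "__main__":
    for m in extract_mappings(SAMPLE_FILES):
        print(f"{m.standard} {m.section} (#{m.section_id}) -> CRE {m.cre_id}")
    print("still unmapped:", unmapped_items(SAMPLE_FILES))
    print("reverse index:", by_cre(extract_mappings(SAMPLE_FILES)))
```

Running this over a checkout of the SKF markdown directories instead of `SAMPLE_FILES` (read each `.md` into the dict keyed by basename) gives the mapping records in one direction and the `unmapped_items` list in the other; the file-name regex is the only part tied to SKF, the rest applies to any standard that embeds CRE links in its source.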