Context
This issue tracks follow-up research to find the correct, distinct CRE identifiers for K09: Misconfigured Cluster Components in the OWASP Kubernetes Top Ten 2022 dataset.
Background
In PR #877, the owasp_kubernetes_top10_2022.json mapping for K09 was intentionally left unchanged because it currently shares the same cre_ids as K01 (["233-748", "486-813"]). After reviewing the upstream OWASP source, a clearly correct distinct replacement could not be identified, so a speculative change was avoided to prevent introducing incorrect data.
K09 is focused on hardening and misconfiguration of core cluster components (e.g., kubelet, etcd, kube-apiserver), with prevention guidance centred on secure configuration, CIS benchmark scans, and reducing unsafe defaults.
Open question
Is there a more specific CRE mapping for cluster-component hardening/misconfiguration that should replace or augment the current ["233-748", "486-813"] entries for K09?
Guidance for review
Note that the OWASP Kubernetes Top Ten 2025 appears to consolidate this area under K07: Misconfigured And Vulnerable Cluster Components. The 2025 mapping (owasp_kubernetes_top10_2025.json, added in PR #877, "Add refresh scripts for OWASP resources for issue 471") may provide useful pointers for the correct CRE IDs.
If no better mapping exists, the duplication with K01 should be explicitly documented in the data file (e.g., via a comment or a companion note) so future maintainers understand it is intentional.
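As an added illustration of the last point (not code from the OpenCRE project), the check below flags entries in a mapping file that share an identical cre_ids set, as K01 and K09 currently do, unless every entry in the group carries a note documenting the overlap. The entry layout (name, cre_ids, note) and the K02 cre_ids value are assumptions for this example, not the real file schema or data.

```python
from collections import defaultdict

# Constructed sample mirroring the K01/K09 situation described in the issue.
# The "name"/"cre_ids"/"note" keys are an assumed layout, not the project's
# actual owasp_kubernetes_top10_2022.json schema; K02's cre_ids is a placeholder.
SAMPLE_ENTRIES = [
    {"name": "K01: Insecure Workload Configurations", "cre_ids": ["233-748", "486-813"]},
    {"name": "K09: Misconfigured Cluster Components", "cre_ids": ["233-748", "486-813"]},
    {"name": "K02: Supply Chain Vulnerabilities", "cre_ids": ["000-000"]},
]


def find_undocumented_duplicates(entries):
    """Return [(sorted cre_ids, sorted entry names)] for every group of entries
    whose cre_ids sets are identical and where at least one member lacks a
    'note' explaining the overlap. Order inside cre_ids is ignored."""
    by_cres = defaultdict(list)
    for entry in entries:
        by_cres[frozenset(entry["cre_ids"])].append(entry)
    problems = []
    for cre_set, group in by_cres.items():
        if len(group) < 2:
            continue
        # Shared CRE IDs are acceptable only when every member documents why.
        if all(entry.get("note") for entry in group):
            continue
        problems.append((sorted(cre_set), sorted(e["name"] for e in group)))
    return sorted(problems)


if __name__ == "__main__":
    for cres, names in find_undocumented_duplicates(SAMPLE_ENTRIES):
        print(f"cre_ids {cres} shared by {names} without a documenting note")
```

Running it as-is reports the K01/K09 pair; once both entries carry a note, the same data passes cleanly.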