v4.1.0 - Full Multi-Framework Annotations: Middleware & Services

@OmarRao released this 22 Jun 17:45

What's New

All 6 middleware and service modules now carry the same 5-framework annotation standard as app.py.

Files Updated

| File | New Framework Coverage |
|------|------------------------|
| middleware/auth.py | PCI DSS Req 6.2.4/7.2/7.3/8.3.6/8.6.x; NIST AC-3/6, IA-5/8, SC-5/8/13, SI-10; SANS Top 25 |
| services/crypto_service.py | PCI DSS Req 3.3.1/3.5.1/4.2.1/8.3.6/8.6.3; NIST IA-5(1), SC-13/28, SI-3/10; SANS Top 25 |
| services/email.py | PCI DSS Req 1.3/6.2.4/8.6.x; NIST AC-4, SC-7, SI-10; SANS Top 25 |
| services/logger.py | PCI DSS Req 3.3.1/3.4/6.2.4/10.3.3; NIST AU-3/9, SC-28, SI-10; SANS Top 25 |
| services/notification.py | PCI DSS Req 1.3/6.2.4/7.3/8.6.x; NIST AC-3/4, SC-7, SI-10; SANS Top 25 |
| services/search.py | PCI DSS Req 1.3/6.2.4; NIST AC-4, AU-3, SC-7, SI-10; SANS Top 25 |

New Vulnerability Findings Added During Annotation Pass

  • services/crypto_service.py - CWE-208 (timing attack) in verify_signature() via non-constant-time ==
  • services/email.py - CWE-915 (mass assignment) in update_email_preferences()
  • services/notification.py - CWE-285 BOLA in delete_notification() - no ownership check
  • services/search.py - CWE-208 username enumeration in suggest_users() autocomplete
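To illustrate the CWE-208 finding in verify_signature(), here is an added example (not the project's own code; the key, payload and helper names are assumed) that places the short-circuiting `==` check beside the constant-time form using `hmac.compare_digest`, plus a small instrumented comparison that counts how many characters a short-circuit compare inspects before it stops.

```python
import hashlib
import hmac

# Constructed sample key for the demo; a real service loads it from a secret store.
SECRET_KEY = b"example-signing-key-not-for-production"


def sign(message: bytes, key: bytes = SECRET_KEY) -> str:
    """Return the hex HMAC-SHA256 tag for message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_signature_vulnerable(message: bytes, signature: str, key: bytes = SECRET_KEY) -> bool:
    """CWE-208 pattern: str `==` stops at the first differing character, so the
    time it takes depends on how long the correct prefix of `signature` is."""
    return sign(message, key) == signature


def verify_signature(message: bytes, signature: str, key: bytes = SECRET_KEY) -> bool:
    """Hardened form: hmac.compare_digest takes time independent of where the
    inputs differ. Both sides are encoded to bytes so a non-ASCII candidate
    is simply rejected instead of raising TypeError."""
    expected = sign(message, key).encode("ascii")
    return hmac.compare_digest(expected, signature.encode("utf-8"))


def chars_inspected_by_short_circuit(expected: str, candidate: str) -> int:
    """Count how many characters a short-circuiting compare examines before it
    returns. This models the side channel behind CWE-208: the count, and hence
    the elapsed time, grows with the length of the matching prefix."""
    if len(expected) != len(candidate):
        return 0  # unequal lengths are rejected before any characters are compared
    inspected = 0
    for a, b in zip(expected, candidate):
        inspected += 1
        if a != b:
            break
    return inspected


if __name__ == "__main__":
    msg = b'{"user_id": 42, "action": "reset_password"}'  # constructed payload
    tag = sign(msg)
    print("valid tag accepted:", verify_signature(msg, tag))
    print("zeroed tag rejected:", verify_signature(msg, "0" * len(tag)))
    print("chars inspected, all-wrong guess:", chars_inspected_by_short_circuit(tag, "0" * len(tag)))
```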

Framework Coverage (All Modules Combined)

  • PCI DSS v4.0 - 15+ requirements across payment, auth, crypto, access control, logging, network
  • NIST SP 800-53 Rev 5 - 20+ controls across AC, AU, CA, CM, IA, SA, SC, SI families
  • SANS/CWE Top 25 - #2 XSS, #3 SQLi, #5 CMDi, #8 Path Traversal, #9 CSRF, #18 Hardcoded Creds, #19 SSRF, #23 XXE