# v4.1.0 - Full Multi-Framework Annotations: Middleware & Services

## What's New

All 6 middleware and service modules now carry the same 5-framework annotation standard as app.py.
## Files Updated

| File | New Framework Coverage |
|---|---|
| middleware/auth.py | PCI DSS Req 6.2.4/7.2/7.3/8.3.6/8.6.x; NIST AC-3/6, IA-5/8, SC-5/8/13, SI-10; SANS Top 25 |
| services/crypto_service.py | PCI DSS Req 3.3.1/3.5.1/4.2.1/8.3.6/8.6.3; NIST IA-5(1), SC-13/28, SI-3/10; SANS Top 25 |
| services/email.py | PCI DSS Req 1.3/6.2.4/8.6.x; NIST AC-4, SC-7, SI-10; SANS Top 25 |
| services/logger.py | PCI DSS Req 3.3.1/3.4/6.2.4/10.3.3; NIST AU-3/9, SC-28, SI-10; SANS Top 25 |
| services/notification.py | PCI DSS Req 1.3/6.2.4/7.3/8.6.x; NIST AC-3/4, SC-7, SI-10; SANS Top 25 |
| services/search.py | PCI DSS Req 1.3/6.2.4; NIST AC-4, AU-3, SC-7, SI-10; SANS Top 25 |
## New Vulnerability Findings Added During Annotation Pass

- services/crypto_service.py - CWE-208 (timing attack) in verify_signature() via non-constant-time ==
- services/email.py - CWE-915 (mass assignment) in update_email_preferences()
- services/notification.py - CWE-285 BOLA (broken object-level authorization) in delete_notification() - no ownership check
- services/search.py - CWE-208 username enumeration in suggest_users() autocomplete
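As an added illustration of the crypto_service.py finding (not code from the project), the snippet below places the CWE-208 pattern, a plain `==` on HMAC tags, beside a hardened version that uses `hmac.compare_digest`. The key, message and function names are constructed for the demo; only the `verify_signature()` name matches the finding above.

```python
import hmac
import hashlib

# Constructed demo key; the project's real key material is not on this page.
SECRET_KEY = b"demo-secret-key-not-real"


def sign(message: bytes, key: bytes = SECRET_KEY) -> str:
    """Produce a hex HMAC-SHA256 tag for the message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_signature_vulnerable(message: bytes, tag: str,
                                key: bytes = SECRET_KEY) -> bool:
    """The CWE-208 pattern: str == stops at the first differing character,
    so the time taken depends on how much of the guessed tag is correct."""
    expected = sign(message, key)
    return expected == tag


def verify_signature_fixed(message: bytes, tag: str,
                           key: bytes = SECRET_KEY) -> bool:
    """Hardened form: compare_digest takes the same time regardless of where
    the inputs differ. Non-string or non-ASCII input is rejected up front so
    callers always get a plain bool instead of an exception."""
    expected = sign(message, key)
    try:
        tag_bytes = tag.encode("ascii")
    except (AttributeError, UnicodeEncodeError):
        return False
    # Length mismatch also yields False; compare_digest handles it safely.
    return hmac.compare_digest(expected.encode("ascii"), tag_bytes)


if __name__ == "__main__":
    msg = b"order=42&amount=10.00"  # constructed sample payload
    tag = sign(msg)
    print("valid tag accepted:", verify_signature_fixed(msg, tag))
    print("tampered body rejected:",
          not verify_signature_fixed(b"order=42&amount=99.00", tag))
```

Both functions return the same results for valid and invalid tags; the difference is only in timing, which is why the finding is easy to miss in functional tests and needs a code-level check for `==` on secrets.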
## Framework Coverage (All Modules Combined)

- PCI DSS v4.0 - 15+ requirements across payment, auth, crypto, access control, logging, network
- NIST SP 800-53 Rev 5 - 20+ controls across AC, AU, CA, CM, IA, SA, SC, SI families
- SANS/CWE Top 25 - #2 XSS, #3 SQLi, #5 CMDi, #8 Path Traversal, #9 CSRF, #18 Hardcoded Creds, #19 SSRF, #23 XXE