Merge branch 'Fixing-Errors' of https://github.com/bugcrowd/vulnerabi…

…lity-rating-taxonomy into Fixing-Errors
bugcrowd · Nov 17, 2023 · 6720f10 · 6720f10
2 parents 24921c7 + 54343a9
commit 6720f10
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 68 deletions.
diff --git a/mappings/cvss_v3/cvss_v3.json b/mappings/cvss_v3/cvss_v3.json
@@ -966,6 +966,19 @@
             }
           ]
         },
+        {
+          "id": "broken_cryptography",
+          "children": [
+            {
+              "id": "use_of_broken_cryptographic_primitive",
+              "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+            },
+            {
+              "id": "use_of_vulnerable_cryptographic_library",
+              "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
+            }
+          ]
+        },
         {
           "id": "side_channel_attack",
           "children": [
@@ -1001,19 +1014,6 @@
         }
       ]
     },
-    {
-      "id": "broken_cryptography",
-      "children": [
-        {
-          "id": "use_of_broken_cryptographic_primitive",
-          "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-        },
-        {
-          "id": "use_of_vulnerable_cryptographic_library",
-          "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
-        }
-      ]
-    },
     {
       "id": "privacy_concerns",
       "children": [

diff --git a/mappings/cwe/cwe.json b/mappings/cwe/cwe.json
@@ -552,6 +552,20 @@
             }
           ]
         },
+        {
+          "id": "broken_cryptography",
+          "cwe": ["CWE-327"],
+          "children": [
+            {
+              "id": "use_of_broken_cryptographic_primitive",
+              "cwe": ["CWE-327"]
+            },
+            {
+              "id": "use_of_vulnerable_cryptographic_library",
+              "cwe": ["CWE-327"]
+            }
+          ]
+        },
         {
           "id": "side_channel_attack",
           "cwe": ["CWE-203", "CWE-1300"],
@@ -588,20 +602,6 @@
         }
       ]
     },
-    {
-      "id": "broken_cryptography",
-      "cwe": ["CWE-327"],
-      "children": [
-        {
-          "id": "use_of_broken_cryptographic_primitive",
-          "cwe": ["CWE-327"]
-        },
-        {
-          "id": "use_of_vulnerable_cryptographic_library",
-          "cwe": ["CWE-327"]
-        }
-      ]
-    },
     {
       "id": "privacy_concerns",
       "cwe": ["CWE-359"]

diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json
@@ -1382,6 +1382,28 @@
             }
           ]
         },
+        {
+          "id": "broken_cryptography",
+          "children": [
+            {
+              "id": "use_of_broken_cryptographic_primitive",
+              "remediation_advice": "The use of broken, weak, or flawed cryptographic algorithms can allow an attacker to decrypt sensistive information.  Ensure the application makes use of only trustworthy cryprographic algorithms as indicated by relevant security standard(s) and regulation(s).",
+              "references": [
+                "https://codeql.github.com/codeql-query-help/java/java-weak-cryptographic-algorithm/",
+                "https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402annexa.pdf",
+                "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf"
+              ]
+            },
+            {
+              "id": "use_of_vulnerable_cryptographic_library",
+              "remediation_advice": "The identification, patching, and disclosure of vulnerabilities in third-party libraries, including cryptographic libraries, is a daily occurrence.  In some cases, cryptographic libraries are deemed 'broken' and deprecated.  Ensure the application is updated to include the latest secure version of all third-party cryptographic libraries and replace known 'broken' cryptographic libraries with secure alternatives.",
+              "references": [
+                "https://www.ubiqsecurity.com/bouncy-castle-and-the-impact-of-cryptographic-vulnerabilities/",
+                "https://blog.cryptographyengineering.com/2013/09/20/rsa-warns-developers-against-its-own/"
+              ]
+            }
+          ]
+        },
         {
           "id": "side_channel_attack",
           "children": [
@@ -1449,28 +1471,6 @@
         }
       ]
     },
-    {
-      "id": "broken_cryptography",
-      "children": [
-        {
-          "id": "use_of_broken_cryptographic_primitive",
-          "remediation_advice": "The use of broken, weak, or flawed cryptographic algorithms can allow an attacker to decrypt sensistive information.  Ensure the application makes use of only trustworthy cryprographic algorithms as indicated by relevant security standard(s) and regulation(s).",
-          "references": [
-            "https://codeql.github.com/codeql-query-help/java/java-weak-cryptographic-algorithm/",
-            "https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402annexa.pdf",
-            "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf"
-          ]
-        },
-        {
-          "id": "use_of_vulnerable_cryptographic_library",
-          "remediation_advice": "The identification, patching, and disclosure of vulnerabilities in third-party libraries, including cryptographic libraries, is a daily occurrence.  In some cases, cryptographic libraries are deemed 'broken' and deprecated.  Ensure the application is updated to include the latest secure version of all third-party cryptographic libraries and replace known 'broken' cryptographic libraries with secure alternatives.",
-          "references": [
-            "https://www.ubiqsecurity.com/bouncy-castle-and-the-impact-of-cryptographic-vulnerabilities/",
-            "https://blog.cryptographyengineering.com/2013/09/20/rsa-warns-developers-against-its-own/"
-          ]
-        }
-      ]
-    },
     {
       "id": "privacy_concerns",
       "remediation_advice": "1. Avoid storing unnecessary data where possible.\n2. Purge all known unnecessary data when identified on the device or application.\n3. Purge all known unnecessary data in known cached locations.\n4. Purge all known unnecessary data on known backup locations.",

diff --git a/vulnerability-rating-taxonomy.json b/vulnerability-rating-taxonomy.json
@@ -2004,6 +2004,25 @@
             }
           ]
         },
+        {
+          "id": "broken_cryptography",
+          "name": "Broken Cryptography",
+          "type": "category",
+          "children": [
+            {
+              "id": "use_of_broken_cryptographic_primitive",
+              "name": "Use of Broken Cryptographic Primitive",
+              "type": "subcategory",
+              "priority": 3
+            },
+            {
+              "id": "use_of_vulnerable_cryptographic_library",
+              "name": "Use of Vulnerable Cryptographic Library",
+              "type": "subcategory",
+              "priority": 4
+            }
+          ]
+        },
         {
           "id": "side_channel_attack",
           "name": "Side-Channel Attack",
@@ -2055,25 +2074,6 @@
         }
       ]
     },
-    {
-      "id": "broken_cryptography",
-      "name": "Broken Cryptography",
-      "type": "category",
-      "children": [
-        {
-          "id": "use_of_broken_cryptographic_primitive",
-          "name": "Use of Broken Cryptographic Primitive",
-          "type": "subcategory",
-          "priority": 3
-        },
-        {
-          "id": "use_of_vulnerable_cryptographic_library",
-          "name": "Use of Vulnerable Cryptographic Library",
-          "type": "subcategory",
-          "priority": 4
-        }
-      ]
-    },
     {
       "id": "privacy_concerns",
       "name": "Privacy Concerns",