# frozen_string_literal: true
module HackerOne
module Client
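class Weakness
  # Raised when a weakness carries a CAPEC attack-pattern label instead of a
  # CWE identifier; CAPEC entries are not mapped to OWASP categories here.
  class NotAnOwaspWeaknessError < StandardError
    def message
      "CAPEC labels do not describe OWASP weaknesses"
    end
  end

  # HackerOne weakness names that have no usable CWE but still belong to an
  # OWASP Top 10 (2013) category. Frozen like the other constants.
  CLASSIFICATION_MAPPING = {
    "None Applicable" => "A0-Other",
    "Denial of Service" => "A0-Other",
    "Memory Corruption" => "A0-Other",
    "Cryptographic Issue" => "A0-Other",
    "Privilege Escalation" => "A0-Other",
    "UI Redressing (Clickjacking)" => "A0-Other",
    "Command Injection" => "A1-Injection",
    "Remote Code Execution" => "A1-Injection",
    "SQL Injection" => "A1-Injection",
    "Authentication" => "A2-AuthSession",
    "Cross-Site Scripting (XSS)" => "A3-XSS",
    "Information Disclosure" => "A6-DataExposure",
    "Cross-Site Request Forgery (CSRF)" => "A8-CSRF",
    "Unvalidated / Open Redirect" => "A10-Redirects"
  }.freeze

  # CWE numbers grouped by OWASP Top 10 (2013) category. Several numbers
  # appear under more than one category (e.g. 287, 319, 613); #to_owasp
  # returns the first category in this hash's order.
  OWASP_TOP_10_2013_TO_CWE = {
    "A1-Injection" => [77, 78, 88, 89, 90, 91, 564],
    "A2-AuthSession" =>
      [287, 613, 522, 256, 384, 472, 346, 441, 523, 620, 640, 319, 311],
    "A3-XSS" => [79],
    "A4-DirectObjRef" => [639, 99, 22],
    "A5-Misconfig" => [16, 2, 215, 548, 209],
    "A6-DataExposure" => [312, 319, 310, 326, 320, 311, 325, 328, 327],
    "A7-MissingACL" => [285, 287],
    "A8-CSRF" => [352, 642, 613, 346, 441],
    "A9-KnownVuln" => [],
    "A10-Redirects" => [601],
  }.freeze

  # Fallback category when neither the CWE number nor the weakness name is known.
  OWASP_DEFAULT = "A0-Other".freeze

  class << self
    # Checks that +cwe+ is a CWE identifier ("CWE-<number>", matched
    # case-insensitively).
    #
    # @param cwe [String] external identifier of the weakness
    # @raise [NotAnOwaspWeaknessError] when the label is a CAPEC id
    # @raise [ArgumentError] when the label is neither CWE nor CAPEC
    def validate_cwe!(cwe)
      label = cwe.upcase
      raise NotAnOwaspWeaknessError if label.start_with?("CAPEC-")

      # The original `StandardError::ArgumentError` is a NameError on
      # Ruby >= 2.5 (top-level constant lookup through a class was removed),
      # so invalid labels raised the wrong exception class. Reference the
      # top-level constant directly.
      raise ArgumentError, "expected a CWE identifier, got #{cwe.inspect}" unless label.start_with?("CWE-")
    end

    # Extracts the numeric part of a CWE identifier.
    #
    # @param cwe [String, nil] e.g. "CWE-79"
    # @return [Integer, nil] 79 for "CWE-79"; nil when +cwe+ is nil
    # @raise [NotAnOwaspWeaknessError, ArgumentError] see #validate_cwe!
    def extract_cwe_number(cwe)
      return if cwe.nil?

      validate_cwe!(cwe)
      # Strip the prefix case-insensitively: validation accepts "cwe-79",
      # so extraction must not silently yield 0 for it.
      cwe.upcase.sub(/\ACWE-/, "").to_i
    end
  end

  # @param weakness [Hash] weakness attributes; :external_id and :name are read
  def initialize(weakness)
    @attributes = weakness
  end

  # Maps this weakness onto an OWASP Top 10 (2013) category: by CWE number
  # first, then by weakness name, else OWASP_DEFAULT.
  #
  # @return [String] e.g. "A3-XSS"
  # @raise [NotAnOwaspWeaknessError] when the external id is a CAPEC label
  # @raise [ArgumentError] when the external id is neither CWE nor CAPEC
  def to_owasp
    # Resolve the CWE number once instead of once per category.
    number = self.class.extract_cwe_number(to_cwe)
    match = OWASP_TOP_10_2013_TO_CWE.find { |_owasp, cwes| cwes.include?(number) }
    from_cwe = match && match.first
    from_cwe || CLASSIFICATION_MAPPING[@attributes[:name]] || OWASP_DEFAULT
  end

  # @return [String, nil] the weakness' external identifier (e.g. "CWE-79")
  def to_cwe
    @attributes[:external_id]
  end
end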
end
end