diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml
index f41bed1f..61cb09b5 100644
--- a/.github/workflows/pre-release.yml
+++ b/.github/workflows/pre-release.yml
@@ -125,5 +125,6 @@
 output/owasp_cornucopia_ecommerce_cards_pt-br_1.30_static.docx
 output/owasp_cornucopia_ecommerce_cards_pt-br_1.30_static.idml
 output/owasp_cornucopia_ecommerce_cards_pt-br_1.30_static.pdf
+ output/owasp_cornucopia_masvs_cards_en_1.00_masvs.idml
 README.md
 source/*.yaml
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ebf5c10f..6d826e7a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -111,5 +111,6 @@
 output/owasp_cornucopia_ecommerce_cards_pt-br_1.30_static.docx
 output/owasp_cornucopia_ecommerce_cards_pt-br_1.30_static.idml
 output/owasp_cornucopia_ecommerce_cards_pt-br_1.30_static.pdf
+ output/owasp_cornucopia_masvs_cards_en_1.00_masvs.idml
 README.md
 source/*.yaml
\ No newline at end of file
diff --git a/.github/workflows/run-tests-generate-output.yaml b/.github/workflows/run-tests-generate-output.yaml
index 54fe63be..2672cb07 100644
--- a/.github/workflows/run-tests-generate-output.yaml
+++ b/.github/workflows/run-tests-generate-output.yaml
@@ -155,3 +155,4 @@ jobs:
 output/owasp_cornucopia_ecommerce_cards_pt-br_1.30_static.docx
 output/owasp_cornucopia_ecommerce_cards_pt-br_1.30_static.idml
 output/owasp_cornucopia_ecommerce_cards_pt-br_1.30_static.pdf
+ output/owasp_cornucopia_masvs_cards_en_1.00_masvs.idml
diff --git a/resources/templates/owasp_cornucopia_edition_lang_ver_template_masvs.idml b/resources/templates/owasp_cornucopia_edition_lang_ver_template_masvs.idml
new file mode 100644
index 00000000..068b84e4
Binary files /dev/null and b/resources/templates/owasp_cornucopia_edition_lang_ver_template_masvs.idml differ
diff --git a/scripts/convert.py b/scripts/convert.py
index 5cb27e26..6440f51b 100644
--- a/scripts/convert.py
+++ b/scripts/convert.py
@@ -22,8 +22,8 @@ class ConvertVars:
 BASE_PATH = os.path.split(os.path.dirname(os.path.realpath(__file__)))[0]
 FILETYPE_CHOICES: List[str] = ["all", "docx", "pdf", "idml"]
 LANGUAGE_CHOICES: List[str] = ["template", "all", "en", "es", "fr", "nl", "no-nb", "pt-br"]
- VERSION_CHOICES: List[str] = ["1.20", "1.21", "1.30"]
- STYLE_CHOICES: List[str] = ["all", "static", "dynamic", "leaflet"]
+ VERSION_CHOICES: List[str] = ["1.00", "1.20", "1.21", "1.30"]
+ STYLE_CHOICES: List[str] = ["all", "static", "dynamic", "leaflet", "masvs"]
 DEFAULT_TEMPLATE_FILENAME: str = os.sep.join(
 ["resources", "templates", "owasp_cornucopia_edition_lang_ver_template"]
 )
@@ -221,9 +221,10 @@ def parse_arguments(input_args: List[str]) -> argparse.Namespace:
 required=False,
 default="1.30",
 help=(
- "Output version to produce. [`1.20`, `1.21`, `1.30`] "
+ "Output version to produce. [`1.00`, `1.20`, `1.21`, `1.30`] "
 "\nVersion 1.20 and 1.2x will deliver cards mapped to ASVS 3.0.1"
 "\nVersion 1.30 and 1.3x will deliver cards mapped to ASVS 4.0"
+ "\nVersion 1.00 and 1.0x will deliver cards mapped to MASVS 2.0"
 ),
 )
 group = parser.add_mutually_exclusive_group(required=False)
@@ -246,7 +247,6 @@ def parse_arguments(input_args: List[str]) -> argparse.Namespace:
 )
 group = parser.add_mutually_exclusive_group(required=False)
 group.add_argument(
- # parser.add_argument(
 "-l",
 "--language",
 type=str,
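Review bot: `masvs` is added to STYLE_CHOICES next to `static`/`dynamic`/`leaflet` although it selects an edition (MASVS/MASTG) rather than a rendering style, and `1.00` in VERSION_CHOICES is now accepted for every edition, so nothing in these constants stops `-v 1.00 -s static`, which would resolve to an ecommerce 1.00 input that does not exist in this commit; confirm that the validation in `get_valid_version_choices`/`get_valid_styles` (outside this hunk) rejects that pairing. A comment on the two lists would spare the next maintainer the same question: `# "masvs" is an edition, not a layout: it only produces idml, and version 1.00 exists only for it`. The ConvertVars class continues outside the hunk.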
@@ -266,16 +266,16 @@ def parse_arguments(input_args: List[str]) -> argparse.Namespace:
 )
 group = parser.add_mutually_exclusive_group(required=False)
 group.add_argument(
- # parser.add_argument(
 "-s",
 "--style",
 type=str,
 choices=convert_vars.STYLE_CHOICES,
 default="static",
 help=(
- "Output style to produce. [`static`, `dynamic` or `leaflet`]\n"
+ "Output style to produce. [`static`, `dynamic`, `masvs` or `leaflet`]\n"
 "Static cards have the mappings printed on them, dynamic ones a QRCode that points to an maintained list."
 "The leaflet contains the instructions"
+ "MASVS will print the Cornucopia MASVS/MASTG edition"
 ),
 )
 parser.add_argument(
@@ -440,7 +440,7 @@ def get_replacement_data(
 data = {}
 continue
 if not data or "suits" not in list(data.keys()):
- logging.error("Could not get language data from yaml " + os.path.split(file)[1])
+ logging.error("Could not get " + language + " language data from yaml " + os.path.split(file)[1])
 logging.debug(f" --- Len = {len(data)}.")
 return data
 
@@ -467,7 +467,7 @@ def get_replacement_dict(input_data: Dict[str, Any], mappings: bool = False) ->
 """Loop through language file data and build up a find-replace dict"""
 data = {}
 for key in list(k for k in input_data.keys() if k != "meta"):
- suit_tags, suit_key = get_suit_tags_and_key(key)
+ suit_tags, suit_key = get_suit_tags_and_key(key, input_data["meta"]["edition"])
 logging.debug(f" --- key = {key}.")
 logging.debug(f" --- suit_tags = {suit_tags}")
 logging.debug(f" --- suit_key = {suit_key}")
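Review bot: The new literal `"MASVS will print the Cornucopia MASVS/MASTG edition"` is adjacent-string-concatenated onto `"The leaflet contains the instructions"` with no separator, so the rendered `--help` reads `...contains the instructionsMASVS will print...`; give it the same `\n` prefix the version help uses, `"\nMASVS will print the Cornucopia MASVS/MASTG edition"`. The two pre-existing literals before it join the same way (`...maintained list.The leaflet...`), which the commit does not address. The bracketed choice list in the first changed line also omits `all`, which STYLE_CHOICES accepts.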
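Review bot: The new error message is built with `+ language +`, which yields `Could not get  language data` (double space) when `language` is empty and raises TypeError instead of logging when it is None; whether `language` is a parameter or a local of get_replacement_data cannot be seen, since the signature is outside the hunk. The logging placeholder form is the safe one here: `logging.error("Could not get %s language data from yaml %s", language, os.path.split(file)[1])`, with the prefix only when a language is actually set if the empty case is reachable. The expectation in tests/scripts/convert_utest.py has to track whatever wording is chosen.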
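Review bot: `input_data["meta"]["edition"]` raises a bare KeyError for any language or mapping YAML whose `meta` block has no `edition` key, and the `suits` check in get_replacement_data (previous hunk) does not guard it; the existing ecommerce YAMLs presumably carry the key since get_suit_tags_and_key now branches on `"ecommerce"`, but none of them is visible here. Read it once before the loop and fail with a message naming the problem: `edition = input_data.get("meta", {}).get("edition", "")` followed by `if not edition: logging.error("yaml meta block has no edition"); return data`, then pass `edition` to get_suit_tags_and_key. get_replacement_dict continues outside the hunk.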
@@ -511,7 +511,11 @@ def get_replacement_dict(input_data: Dict[str, Any], mappings: bool = False) ->
 
 
 def get_replacement_mapping_value(k: str, v: str, el_text: str) -> str:
- reg_str: str = "^(OWASP SCP|OWASP ASVS|OWASP AppSensor|CAPEC|SAFECODE)\u2028" + k.replace("$", "\\$").strip() + "$"
+ reg_str: str = (
+ "^(OWASP MASTG|OWASP MASVS|OWASP SCP|OWASP ASVS|OWASP AppSensor|CAPEC|SAFECODE)\u2028"
+ + k.replace("$", "\\$").strip()
+ + "$"
+ )
 if re.match(reg_str, el_text.strip()):
 if len(v) >= 38:
 return el_text[: el_text.find("\u2028")] + ": " + v
@@ -531,13 +535,16 @@ def get_replacement_value_from_dict(el_text: str, replacement_values: List[Tuple
 return el_text
 
 
-def get_suit_tags_and_key(key: str) -> Tuple[List[str], str]:
+def get_suit_tags_and_key(key: str, edition: str) -> Tuple[List[str], str]:
 # Short tags to match the suits in the template documents
 suit_tags: List[str] = []
 suit_key: str = ""
- if key == "suits":
+ if key == "suits" and edition == "ecommerce":
 suit_tags = ["VE", "AT", "SM", "AZ", "CR", "CO", "WC"]
 suit_key = "cards"
+ if key == "suits" and edition == "masvs":
+ suit_tags = ["PC", "AA", "NS", "RS", "CR", "COM", "WC"]
+ suit_key = "cards"
 elif key == "paragraphs":
 suit_tags = ["Common"]
 suit_key = "sentences"
@@ -606,7 +613,7 @@ def get_template_doc(file_type: str, style: str = "static") -> str:
 
 
 def has_not_valid_file_style(style: str, file_type: str) -> bool:
- if style == "leaflet" and file_type != "idml":
+ if (style == "leaflet" or style == "masvs") and file_type != "idml":
 return True
 return False
 
@@ -661,7 +668,9 @@ def get_valid_version_choices() -> List[str]:
 
 
 def get_valid_mapping_for_version(version: str) -> str:
- return {"1.20": "1.2", "1.21": "1.2", "1.30": "1.3", "1.3": "1.3", "1.2": "1.2"}.get(version, "")
+ return {"1.00": "1.0", "1.20": "1.2", "1.21": "1.2", "1.30": "1.3", "1.3": "1.3", "1.2": "1.2", "1.0": "1.0"}.get(
+ version, ""
+ )
 
 
 def get_valid_styles() -> List[str]:
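Review bot: Only `$` is escaped in `k` before it is interpolated into `reg_str`, so any other regex metacharacter in a replacement key (`.`, `(`, `+`, `?`, `*`) still alters the pattern, and with two more label sources in the alternation the set of keys that reach this line grows; `re.escape(k.strip())` in place of `k.replace("$", "\\$").strip()` covers all of them. The alternation is anchored by the trailing `\u2028`, so the order `OWASP MASTG|OWASP MASVS` does not matter, but a comment saying why `\u2028` is the separator (presumably the IDML forced line break) would help readers who do not know InDesign. get_replacement_mapping_value continues outside the hunk.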
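Review bot: The new `if key == "suits" and edition == "masvs":` is a separate statement rather than an `elif` of the ecommerce branch, so an ecommerce `suits` call falls through into the `elif key == "paragraphs"` chain; if that chain ends in an `else` (outside the hunk) the ecommerce tags are overwritten, and a `suits` call with any other edition silently returns `([], "")`, producing a document with no suit tags. Make it `elif key == "suits" and edition == "masvs":` and add `elif key == "suits": logging.error(f"Unknown edition {edition!r}")` so an unrecognised edition fails loudly. The function continues outside the hunk.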
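Review bot: The widened condition reads better as a membership test, `if style in ("leaflet", "masvs") and file_type != "idml":`, and since this line is now the only place that encodes "MASVS output exists as IDML only" it deserves a docstring: `"""Return True when *style* is only produced as IDML (leaflet, masvs) but *file_type* asks for another format."""`. No test covers `("masvs", "docx")` -> True and `("masvs", "idml")` -> False in this commit; adding one in convert_utest.py would pin the new rule.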
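Review bot: The lookup table now restates seven keys whose value is in every case the first three characters of the key, and each new edition adds two more; consider deriving it from `convert_vars.VERSION_CHOICES` rather than repeating the list. More importantly the function is undocumented and the new `1.0` entry silently means a different edition from `1.2`/`1.3`: `"""Map a card version (e.g. "1.21") to the mapping-file version it pairs with; 1.0x is the MASVS edition, 1.2x/1.3x the ecommerce edition."""`.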
diff --git a/source/masvs-cards-1.00-en.yaml b/source/masvs-cards-1.00-en.yaml
new file mode 100644
index 00000000..5edc13fb
--- /dev/null
+++ b/source/masvs-cards-1.00-en.yaml
@@ -0,0 +1,371 @@ +--- +meta: + edition: "masvs" + component: "cards" + language: "EN" + version: "1.00" +suits: +- + name: "Platform & code" + cards: + - + id: "PC2" + value: "2" + desc: "Andrew can expose sensitive data through the app's auto-generated screenshots when the app moves to the background" + - + id: "PC3" + value: "3" + desc: "Harold can spy sensitive data being entered through the user interface because the data is excessive, not properly masked or cleaned up after use" + - + id: "PC4" + value: "4" + desc: "Kelly can expose sensitive data by taking advantage of the app's excessive permissions connected to the app's use of location, camera, microphone, storage, etc" + - + id: "PC5" + value: "5" + desc: "Jason can provoke memory leak or corruption because the app has cyclic dependencies, manages pointers inadequately, keeps an incorrect reference count, does not release shared resources or apply stack protection" + - + id: "PC6" + value: "6" + desc: "Dawn can expose and intercept sensitive functionality through interprocess communication because permissions for broadcast and sharing are not set, not narrow enough or appropriately excluded when sharing" + - + id: "PC7" + value: "7" + desc: "Lauren can traverse or modify otherwise protected files through access to the underlying file system by exploiting weaknesses in file system-based content providers, resolvers or its configuration" + - + id: "PC8" + value: "8" + desc: "Colin can expose sensitive data through the app's interprocess communication because the content provider's query methods are not properly parameterized and arguments sanitized" + - + id: "PC9" + value: "9" + desc: "Toby can modify or expose data by injection because the response from implicit intents is not properly validated" + - + id: "PCX" + value: "10" + desc: "Max can modify or expose data because input validation and sanitation are not properly applied to interprocess communication or because extensions are not properly 
restricted" + - + id: "PCJ" + value: "J" + desc: "Johan can modify or expose sensitive data by exploiting weaknesses in the SDK or third party libraries because updates to the app and platform are not enforced or do not patch known software vulnerabilities" + - + id: "PCQ" + value: "Q" + desc: "Xavier can inject scripts into the web view because it allows embedding content using deep linking without proper authorization and validation of the host, schema and path of the target as these can be changed by the user or because safe browsing is disabled" + - + id: "PCK" + value: "K" + desc: "Isreal can modify or expose data by influencing or altering JavaScript bridges, extensions or interprocess communication (e.g. shared memory, message passing, pipes, sockets)" + - + id: "PCA" + value: "A" + desc: "You have invented a new attack against “Platform and Code”" + misc: "Read more about this topic in OWASP's free Cheat Sheets on Mobile Application Security, and “Mobile App Code Quality” in the “Mobile Application Security Testing Guide” on the OWASP MAS website" +- + name: "Authentication & Authorization" + cards: + - + id: "AA2" + value: "2" + desc: "Jie can use the app to do sensitive operations because the “unlocked key” is not used during the application flow" + - + id: "AA3" + value: "3" + desc: "Choi can access capabilities, objects, resources, or properties they should not be authorized to access because entitlements or permissions are too wide, not properly set or not enforced" + - + id: "AA4" + value: "4" + desc: "Vandana can bypass biometric authentication because the authentication is misconfigured or not implemented correctly" + - + id: "AA5" + value: "5" + desc: "Eiman can bypass the local authentication through patching and/or by instrumentation because the authentication can be patched out or overloaded" + - + id: "AA6" + value: "6" + desc: "Anant can perform sensitive operations without additional authentication because authentication requirements are too 
weak or missing" + - + id: "AA7" + value: "7" + desc: "Abdullah can bypass authentication by altering the usual process sequence or flow, or by undertaking the process in incorrect order, or by manipulating date and time values used by the app, or by using valid features for unintended purposes" + - + id: "AA8" + value: "8" + desc: "Pramod can intercept credentials through misdirection because the app is vulnerable to attacks like Tapjacking, StrandHogg and/or URL scheme hijacking" + - + id: "AA9" + value: "9" + desc: "Wong can bypass the authentication because it does not fail securely. (i.e. it defaults to allowing unauthenticated access)" + - + id: "AAX" + value: "10" + desc: "Prasad can bypass the centralized authentication and authorization controls since they are not being used comprehensively on all interactions" + - + id: "AAJ" + value: "J" + desc: "Ade can bypass authentication because it is not enforced using a remote endpoint, or it is not based on a cryptographic primitive protected by keystore/keychain access control flags" + - + id: "AAQ" + value: "Q" + desc: "Riotaro can inject and run a command that the application will run at a higher privilege level without being authenticated or authorized to do so" + - + id: "AAK" + value: "K" + desc: "Aatif can influence or alter authentication controls and can therefore bypass them" + - + id: "AAA" + value: "A" + desc: "You have invented a new attack against “Authentication & Authorization”" + misc: "Read more about this topic in OWASP's free Cheat Sheets on Mobile Application Security, and “Mobile App Authentication Architectures” in the “Mobile Application Security Testing Guide” on the OWASP MAS website" +- + name: "Network & Storage" + cards: + - + id: "NS2" + value: "2" + desc: "Matt can inspect sensitive application log data because logging statements have not been removed or reviewed as safe before the production release" + - + id: "NS3" + value: "3" + desc: "Bil can access sensitive data for sensitive 
fields from the pasteboard/clipboard or keyboard cache because the pasteboard/clipboard is not timely cleared, disabled or restricted for sensitive fields, or the keyboard cache is not disabled" + - + id: "NS4" + value: "4" + desc: "Ricardo can extract data stored by the app on a stolen or decommissioned device because it does not enforce device access security policies (e.g. PIN protected locking, app-/os-version, USB debug deactivation, device encryption and rooting)" + - + id: "NS5" + value: "5" + desc: "Kevin can read sensitive data mapped to user accounts or sessions by extracting data sent through third-party libraries and/or notifications sent between the app and embedded services (e.g. logs, notifications, backups, cache, local db)" + - + id: "NS6" + value: "6" + desc: "Sam can dump sensitive data from memory because the data is not stored as primitive data types and overwritten with random data after use or because the app's input fields use insecure SDKs to store the data in RAM" + - + id: "NS7" + value: "7" + desc: "Steve can access sensitive data by reading backups and/or local, internal/external storage" + - + id: "NS8" + value: "8" + desc: "Martin can modify or expose sensitive data through unsafe reflection when reading data from public data storage (e.g. 
shared preferences) because the data is not validated before being read by the app" + - + id: "NS9" + value: "9" + desc: "Adrian can compromise the app communication through a proxy because the app does not make use of certificate pinning or implements it incorrectly" + - + id: "NSX" + value: "10" + desc: "Maarten can compromise the communication between the app and the external services because the app does not verify TLS certificates and -chains, trust insecure sources, lack hostname verification or ignore TLS verification issues" + - + id: "NSJ" + value: "J" + desc: "Nihel can compromise the communication as it may fall back to an insecure or unencrypted channel, because encryption is optional, or because of client-server protocol or security provider weaknesses" + - + id: "NSQ" + value: "Q" + desc: "Ahmed can read and modify data in transit because the communication is transmitted over an unencrypted channel" + - + id: "NSK" + value: "K" + desc: "Taher can intercept, extract or modify sensitive data at rest or in transit by influencing or altering methods for transferring or storing data at rest or in transit" + - + id: "NSA" + value: "A" + desc: "You have invented a new attack against “Network & Storage”" + misc: "Read more about this topic in OWASP's free Cheat Sheets on Mobile Application Security, and “Mobile App Network Communication” in the “Mobile Application Security Testing Guide” on the OWASP MAS website" +- + name: "Resilience" + cards: + - + id: "RS2" + value: "2" + desc: " Sebastien can disclose sensitive data because the application is set up to log debug information at runtime" + - + id: "RS3" + value: "3" + desc: "Tobias can disclose sensitive data by dumping debug symbols while the application is running" + - + id: "RS4" + value: "4" + desc: "Timur can change the code of the production release because the code of the application has not been properly signed using a valid production certificate" + - + id: "RS5" + value: "5" + desc: "Matteo can 
bypass access controls and trigger functionality because debugging is left enabled in the production build" + - + id: "RS6" + value: "6" + desc: "Joren can bypass access controls because the anti-debugging controls aren't strong enough according to what is recommended or the perceived effort of a potential attacker" + - + id: "RS7" + value: "7" + desc: "Erlend can compromise the app by running it in an emulator because the prevention against emulators are not strong enough according to what is recommended or the perceived effort of a potential attacker" + - + id: "RS8" + value: "8" + desc: "Carlos can reverse engineer the app because the prevention against the use of anti reverse engineering tools are not strong enough according to what is recommended or the perceived effort of a potential attacker" + - + id: "RS9" + value: "9" + desc: "Sean can reverse engineer the app because the code obfuscation is not strong enough according to what is recommended or the perceived effort of a potential attacker" + - + id: "RSX" + value: "10" + desc: "Juan can bypass jailbreak and root detection and execute administrative functions to bypass integrity checks and access controls and trigger app functionality" + - + id: "RSJ" + value: "J" + desc: "Pekka can compromise the integrity of the storage because the file integrity checks are not strong enough according to what is recommended or the perceived effort of a potential attacker" + - + id: "RSQ" + value: "Q" + desc: "Titus can patch out critical functionality because the runtime integrity checks are not strong enough according to what is recommended or the perceived effort of a potential attacker" + - + id: "RSK" + value: "K" + desc: "Sherif can influence or alter controls against reverse engineering and runtime protection and can therefore bypass them" + - + id: "RSA" + value: "A" + desc: "You have invented a new attack against Authorization" + misc: "Read more about this topic in OWASP's free Cheat Sheets on Mobile Application 
Security, and “Mobile App Tampering and Reverse Engineering” in the “Mobile Application Security Testing Guide” on the OWASP MAS website" +- + name: "Cryptography" + cards: + - + id: "CR2" + value: "2" + desc: "Lesego can compromise cryptographic operations and resources because keys are reused for multiple purposes, or not used according to the purpose for which they were created" + - + id: "CR3" + value: "3" + desc: "Emery can access data because it has been obfuscated rather than using an approved cryptographic function" + - + id: "CR4" + value: "4" + desc: "Enselme can modify sensitive data (stored or in transit) because it is not subject to integrity checking" + - + id: "CR5" + value: "5" + desc: "Orace can predict the seed value used for generating cryptographic keys thereby compromising the cryptographic key" + - + id: "CR6" + value: "6" + desc: "Kouti can extract sensitive data because the cryptographic key, used, is hard-coded or stored insecurely such as in local, internal/external storage" + - + id: "CR7" + value: "7" + desc: "Ramsey can access stored sensitive data because it is not securely encrypted" + - + id: "CR8" + value: "8" + desc: "Adel can predict and use the app's cryptographic keys because they are insufficiently long and random, can be enumerated, or derived from known values" + - + id: "CR9" + value: "9" + desc: "Fady can bypass cryptographic controls because they do not fail securely (i.e. 
they default to unprotected)" + - + id: "CRX" + value: "10" + desc: "Ash can break the cryptography because it is not strong enough according to what is recommended or the perceived effort of a potential attacker" + - + id: "CRJ" + value: "J" + desc: "Hassan can extract or modify sensitive data because functions for storage and/or encryption are weak, deprecated or used incorrectly" + - + id: "CRQ" + value: "Q" + desc: "Simon can bypass hashing and encryption functions because they are custom and/or inadequately implemented" + - + id: "CRK" + value: "K" + desc: "Tarik can influence or alter cryptographic operations and can therefore bypass them" + - + id: "CRA" + value: "A" + desc: "You have invented a new attack against “Cryptography”" + misc: "Read more about this topic in OWASP's free Cheat Sheets on Mobile Application Security, and “Mobile App Cryptography” in the “Mobile Application Security Testing Guide” on the OWASP MAS website" +- + name: "Cornucopia" + cards: + - + id: "COM2" + value: "2" + desc: "Garth can reduce app users' privacy because the app is not transparent about the app's data collection and usage in a concise, easily accessible and understandable way" + - + id: "COM3" + value: "3" + desc: " Elsa can reduce app users' privacy because the app does not allow for the user to easily manage, delete and modify their data, change privacy settings and re-prompt for consent when more data is required" + - + id: "COM4" + value: "4" + desc: "Elizabeth can reduce app users' privacy because the app sends too much personal data without the user's consent to downstream services that are outside the user's control" + - + id: "COM5" + value: "5" + desc: "Debarghaya can reduce app users' privacy because the app repurpose personal information (e.g. 
device IDs, IP addresses, behavioral patterns) collected for security concerns in order to cater for commercial interests without consent" + - + id: "COM6" + value: "6" + desc: "Kim can reduce app users' privacy because the app repurpose biometric information (e.g. fingerprints, facial recognition data, etc.) collected for security concerns in order to cater for commercial interests" + - + id: "COM7" + value: "7" + desc: "Gastón can execute malicious actions through intent redirection because the intent is not properly sanitized and immutable" + - + id: "COM8" + value: "8" + desc: "Roxana can do arbitrary file overwrites and potentially execute malicious code through path traversal because the target path and directory is not appropriately validated" + - + id: "COM9" + value: "9" + desc: "Alessandro can exploit the app by taking advantage of buffer overflows and memory leaks to write foreign code within the mobile code's address space" + - + id: "COMX" + value: "10" + desc: "Carlos can use the application's notification services to launch phishing campaigns because notifications are not sanitized and validated according to best practices" + - + id: "COMJ" + value: "J" + desc: "Luis can influence or alter cryptographic methods to corrupt other users' data because the integrity of the encrypted data is not verified before being shared with external services" + - + id: "COMQ" + value: "Q" + desc: "Victor can patch the app and use it to distribute malicious code because the runtime integrity checks are not strong enough according to what is recommended or the perceived effort of a potential attacker" + - + id: "COMK" + value: "K" + desc: "Ruben can use the app, without modifications, to spread malicious code because methods for transfer and storage do not perform proper data sanitization and validation" + - + id: "COMA" + value: "A" + desc: "You have invented a new attack of any type" + misc: "Read more about this topic in OWASP's free Cheat Sheets on Mobile 
Application Security, and “Mobile App User Privacy Protection” in the “Mobile Application Security Testing Guide” on the OWASP MAS website" +- + name: "Wild Card" + cards: + - + id: "JOA" + value: "JokerA" + card: "Joker" + desc: "Mallory can influence, alter or affect the app so that it no longer complies with legal, regulatory, contractual or other mandates" + misc: "Have you thought about becoming an individual OWASP member? All tools, guidance and local meetings are free for everyone, but individual membership helps support OWASP's work" + - + id: "JOB" + value: "JokerB" + card: "Joker" + desc: "Bob can use the app installed on Alice's device maliciously to surveil, spy on, eavesdrop, control remotely, track or otherwise monitor Alice, without consent and/or notification" + misc: "Examine vulnerabilities and discover how they can be fixed using training applications in the free MASTG reference applications on the OWASP MAS website" +paragraphs: +- + name: "Common" + sentences: + - + value: "NoCard" + text: "No Card" + - + value: "Title" + text: "Mobile Edition v1.00-EN" + - + value: "Title_full" + text: "OWASP Cornucopia Mobile Edition v1.00-EN" diff --git a/source/masvs-mappings-1.0.yaml b/source/masvs-mappings-1.0.yaml new file mode 100644 index 00000000..2f19448b --- /dev/null +++ b/source/masvs-mappings-1.0.yaml 
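Review bot: RSA's text `You have invented a new attack against Authorization` names the wrong suit; every other ace quotes its own suit, so it should read `You have invented a new attack against “Resilience”`. RS2 and COM3 carry a leading space inside the quoted desc (` Sebastien`, ` Elsa`) that will be printed on the card, and PCA quotes `“Platform and Code”` while the suit is named `Platform & code` — cosmetic unless suit names are matched downstream, which cannot be told from here. `Isreal` in PCK looks like a typo for `Israel`.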
@@ -0,0 +1,457 @@ +--- +meta: + edition: "masvs" + component: "mappings" + language: "ALL" + version: "1.0" +suits: +- + name: "Platform & code" + cards: + - + value: "2" + owasp_masvs: [ PLATFORM-3 ] + owasp_mastg: [ TEST-0010, TEST-0059 ] + capec: [ 37, 155, 498, 648 ] + safecode: [ "-" ] + - + value: "3" + owasp_masvs: [ PLATFORM-3 ] + owasp_mastg: [ TEST-0008, TEST-0037, TEST-0057 ] + capec: [ 508 ] + safecode: [ "-" ] + - + value: "4" + owasp_masvs: [ PLATFORM-1 ] + owasp_mastg: [ TEST-0024, TEST-0069 ] + capec: [ 634, 651 ] + safecode: [ 11 ] + - + value: "5" + owasp_masvs: [ CODE-4 ] + owasp_mastg: [ TEST-0043, TEST-0044, TEST-0086 ] + capec: [ 14, 24, 44, 45, 46, 47, 92, 100, 124, 128, 129, 131, 679 ] + safecode: [ 7, 9, 34, 36 ] + - + value: "6" + owasp_masvs: [ PLATFORM-1 ] + owasp_mastg: [ TEST-0029, TEST-0030, TEST-0071 ] + capec: [ 94,117, 499, 502, 504 ] + safecode: [ 8, 10, 11 ] + - + value: "7" + owasp_masvs: [ PLATFORM-1 ] + owasp_mastg: [ TEST-0007, TEST-0056 ] + capec: [ 126, 127, 139, 597, 643 ] + safecode: [ 16, 33 ] + - + value: "8" + owasp_masvs: [ PLATFORM-1 ] + owasp_mastg: [ TEST-0007, TEST-0056 ] + capec: [ 137, 499, 502, 586 ] + safecode: [ "-" ] + - + value: "9" + owasp_masvs: [ CODE-4 ] + owasp_mastg: [ TEST-0026 ] + capec: [ 497, 499, 502 ] + safecode: [ 17 ] + - + value: "10" + owasp_masvs: [ CODE-4 ] + owasp_mastg: [ TEST-0025, TEST-0072 ] + capec: [ 137, 499, 502, 586 ] + safecode: [ "-" ] + - + value: "J" + owasp_masvs: [ CODE-1, CODE-2, CODE-3 ] + owasp_mastg: [ TEST-0036, TEST-0042, TEST-0080, TEST-0085 ] + capec: [ 310, 538, 691 ] + safecode: [ "-" ] + - + value: "Q" + owasp_masvs: [ PLATFORM-1, PLATFORM-2 ] + owasp_mastg: [ TEST-0027, TEST-0028, TEST-0031, TEST-0070, TEST-0076, TEST-0077 ] + capec: [ 175, 240, 242, 500, 591, 592 ] + safecode: [ 17 ] + - + value: "K" + owasp_masvs: [ PLATFORM-1, PLATFORM-2 ] + owasp_mastg: [ TEST-0007, TEST-0030, TEST-0033, TEST-0056, TEST-0072, TEST-0078 ] + capec: [ 137, 138, 499, 502, 586 ] 
+ safecode: [ "-" ] +- + name: "Authentication & Authorization" + cards: + - + value: "2" + owasp_masvs: [ AUTH-2, AUTH-3 ] + owasp_mastg: [ TEST-0017, TEST-0064 ] + capec: [ 115 ] + safecode: [ 28 ] + - + value: "3" + owasp_masvs: [ AUTH-1, AUTH-3 ] + owasp_mastg: [ TEST-0024, TEST-0032, TEST-0069, TEST-0077 ] + capec: [ 122 ] + safecode: [ 8, 10, 11 ] + - + value: "4" + owasp_masvs: [ AUTH-2 ] + owasp_mastg: [ TEST-0018 ] + capec: [ 114, 115, 554 ] + safecode: [ 28 ] + - + value: "5" + owasp_masvs: [ AUTH-2 ] + owasp_mastg: [ TEST-0017, TEST-0018, TEST-0064 ] + capec: [ 114, 115, 207, 554 ] + safecode: [ 28 ] + - + value: "6" + owasp_masvs: [ AUTH-2, AUTH-3 ] + owasp_mastg: [ TEST-0064 ] + capec: [ 20, 49, 50, 55, 115 ] + safecode: [ 28 ] + - + value: "7" + owasp_masvs: [ AUTH-1 ] + owasp_mastg: [ TEST-0034, TEST-0079 ] + capec: [ 39, 74, 162, 166, 207 ] + safecode: [ 8, 10, 11, 12 ] + - + value: "8" + owasp_masvs: [ AUTH-1, CODE-4, PLATFORM-1, PLATFORM-3 ] + owasp_mastg: [ TEST-0025, TEST-0030, TEST-0035, TEST-0072, TEST-0075 ] + capec: [ 153, 505, 506 ] + safecode: [ ] + - + value: "9" + owasp_masvs: [ AUTH-2 ] + owasp_mastg: [ TEST-0017, TEST-0018, TEST-0064 ] + capec: [ 114, 115, 554 ] + safecode: [ 28 ] + - + value: "10" + owasp_masvs: [ AUTH-1 ] + owasp_mastg: [ TEST-0017, TEST-0064 ] + capec: [ 36, 121 ] + safecode: [ 8, 10, 11 ] + - + value: "J" + owasp_masvs: [ AUTH-2 ] + owasp_mastg: [ TEST-0017, TEST-0018, TEST-0064 ] + capec: [ 114, 115, 554 ] + safecode: [ 28 ] + - + value: "Q" + owasp_masvs: [ AUTH-1 ] + owasp_mastg: [ TEST-0033, TEST-0025, TEST-0078 ] + capec: [ 17, 30, 69, 234 ] + safecode: [ 8, 10,11 ] + - + value: "K" + owasp_masvs: [ AUTH-2 ] + owasp_mastg: [ TEST-0017, TEST-0018, TEST-0064 ] + capec: [ 114, 115, 207, 554 ] + safecode: [ 8, 10, 11 ] +- + name: "Network & Storage" + cards: + - + value: "2" + owasp_masvs: [ STORAGE-2 ] + owasp_mastg: [ TEST-0003, TEST-0053 ] + capec: [ 155 ] + safecode: [ 11, 23, 29 ] + - + value: "3" + 
+ owasp_masvs: [ STORAGE-2 ]
+ owasp_mastg: [ TEST-0006, TEST-0055, TEST-0073 ]
+ capec: [ 204, 637, 679 ]
+ safecode: [ "-" ]
+ -
+ value: "4"
+ owasp_masvs: [ STORAGE-1 ]
+ owasp_mastg: [ TEST-0012 ]
+ capec: [ 406, 675 ]
+ safecode: [ "-" ]
+ -
+ value: "5"
+ owasp_masvs: [ STORAGE-2 ]
+ owasp_mastg: [ TEST-0004, TEST-0005, TEST-0054 ]
+ capec: [ 155, 161, 204, 220, 639, 643 ]
+ safecode: [ 11, 23, 29 ]
+ -
+ value: "6"
+ owasp_masvs: [ STORAGE-2 ]
+ owasp_mastg: [ TEST-0011, TEST-0060 ]
+ capec: [ 679 ]
+ safecode: [ "-" ]
+ -
+ value: "7"
+ owasp_masvs: [ STORAGE-1, STORAGE-2 ]
+ owasp_mastg: [ TEST-0001, TEST-0003, TEST-0009, TEST-0052, TEST-0053, TEST-0058 ]
+ capec: [ 37, 155, 204, 639, 643 ]
+ safecode: [ 11, 23, 29 ]
+ -
+ value: "8"
+ owasp_masvs: [ STORAGE-1, CODE-4 ]
+ owasp_mastg: [ TEST-0002 ]
+ capec: [ 176 ]
+ safecode: [ "-" ]
+ -
+ value: "9"
+ owasp_masvs: [ NETWORK-2 ]
+ owasp_mastg: [ TEST-0022, TEST-0068 ]
+ capec: [ 57, 94, 156, 465, 466, 479, 701 ]
+ safecode: [ 14, 30 ]
+ -
+ value: "10"
+ owasp_masvs: [ NETWORK-1 ]
+ owasp_mastg: [ TEST-0019, TEST-0021, TEST-0065, TEST-0067 ]
+ capec: [ 57, 94, 156, 465, 466, 479, 701 ]
+ safecode: [ 14, 29, 30 ]
+ -
+ value: "J"
+ owasp_masvs: [ NETWORK-1 ]
+ owasp_mastg: [ TEST-0020, TEST-0023, TEST-0066 ]
+ capec: [ 57, 94, 156, 220, 459, 465, 466 ]
+ safecode: [ 12, 14, 29, 30 ]
+ -
+ value: "Q"
+ owasp_masvs: [ NETWORK-1 ]
+ owasp_mastg: [ TEST-0019, TEST-0065 ]
+ capec: [ 31, 36, 57, 102, 157, 158, 384, 466 ]
+ safecode: [ 29, 30 ]
+ -
+ value: "K"
+ owasp_masvs: [ STORAGE-1 ]
+ owasp_mastg: [ TEST-0001, TEST-0052 ]
+ capec: [ 75, 76, 113, 153, 161, 165, 176, 190, 207, 210, 554, 562 ]
+ safecode: [ 12, 19 ]
+-
+ name: "Resilience"
+ cards:
+ -
+ value: "2"
+ owasp_masvs: [ RESILIENCE-3 ]
+ owasp_mastg: [ TEST-0041, TEST-0084 ]
+ capec: [ 37, 167, 191 ]
+ safecode: [ "-" ]
+ -
+ value: "3"
+ owasp_masvs: [ RESILIENCE-3 ]
+ owasp_mastg: [ TEST-0040, TEST-0083 ]
+ capec: [ 37, 167, 191 ]
+ safecode: [ "-" ]
+ -
+ value: "4"
+ owasp_masvs: [ RESILIENCE-2 ]
+ owasp_mastg: [ TEST-0038, TEST-0081 ]
+ capec: [ 68, 167, 206, 476 ]
+ safecode: [ 14 ]
+ -
+ value: "5"
+ owasp_masvs: [ RESILIENCE-4 ]
+ owasp_mastg: [ TEST-0039, TEST-0082 ]
+ capec: [ 115, 167, 554 ]
+ safecode: [ "-" ]
+ -
+ value: "6"
+ owasp_masvs: [ RESILIENCE-4 ]
+ owasp_mastg: [ TEST-0046, TEST-0089 ]
+ capec: [ 115, 167, 554 ]
+ safecode: [ "-" ]
+ -
+ value: "7"
+ owasp_masvs: [ RESILIENCE-1 ]
+ owasp_mastg: [ TEST-0049, TEST-0092 ]
+ capec: [ 189, 554 ]
+ safecode: [ "-" ]
+ -
+ value: "8"
+ owasp_masvs: [ RESILIENCE-4 ]
+ owasp_mastg: [ TEST-0048, TEST-0091 ]
+ capec: [ 167, 554 ]
+ safecode: [ "-" ]
+ -
+ value: "9"
+ owasp_masvs: [ RESILIENCE-3 ]
+ owasp_mastg: [ TEST-0051, TEST-0093 ]
+ capec: [ 167, 554 ]
+ safecode: [ "-" ]
+ -
+ value: "10"
+ owasp_masvs: [ RESILIENCE-1 ]
+ owasp_mastg: [ TEST-0045, TEST-0088 ]
+ capec: [ 167, 660, 661 ]
+ safecode: [ "-" ]
+ -
+ value: "J"
+ owasp_masvs: [ RESILIENCE-2 ]
+ owasp_mastg: [ TEST-0047, TEST-0090 ]
+ capec: [ 23, 165, 167 ]
+ safecode: [ "-" ]
+ -
+ value: "Q"
+ owasp_masvs: [ RESILIENCE-4 ]
+ owasp_mastg: [ TEST-0050 ]
+ capec: [ 167, 554 ]
+ safecode: [ "-" ]
+ -
+ value: "K"
+ owasp_masvs: [ RESILIENCE-4 ]
+ owasp_mastg: [ TEST-0046, TEST-0089 ]
+ capec: [ 167, 554 ]
+ safecode: [ "-" ]
+-
+ name: "Cryptography"
+ cards:
+ -
+ value: "2"
+ owasp_masvs: [ CRYPTO-2 ]
+ owasp_mastg: [ TEST-0015, TEST-0062 ]
+ capec: [ 97, 116, 117 ]
+ safecode: [ 14, 29 ]
+ -
+ value: "3"
+ owasp_masvs: [ CRYPTO-1 ]
+ owasp_mastg: [ TEST-0014, TEST-0061 ]
+ capec: [ 37, 204 ]
+ safecode: [ 21, 29 ]
+ -
+ value: "4"
+ owasp_masvs: [ CRYPTO-1, CODE-4 ]
+ owasp_mastg: [ TEST-0002 ]
+ capec: [ 68, 75, 145, 438, 439, 442 ]
+ safecode: [ 12, 14 ]
+ -
+ value: "5"
+ owasp_masvs: [ CRYPTO-1 ]
+ owasp_mastg: [ TEST-0016, TEST-0063 ]
+ capec: [ 20, 112, 485 ]
+ safecode: [ 29, 33 ]
+ -
+ value: "6"
+ owasp_masvs: [ STORAGE-1, CRYPTO-1, CRYPTO-2 ]
+ owasp_mastg: [ TEST-0001, TEST-0013, TEST-0052, TEST-0062 ]
+ capec: [ 37, 117, 155, 191, 204 ]
+ safecode: [ 21, 29 ]
+ -
+ value: "7"
+ owasp_masvs: [ STORAGE-1, CRYPTO-2 ]
+ owasp_mastg: [ TEST-0001, TEST-0013, TEST-0052, TEST-0062 ]
+ capec: [ 37, 117, 155, 191, 204 ]
+ safecode: [ 21, 29, 31 ]
+ -
+ value: "8"
+ owasp_masvs: [ CRYPTO-1 ]
+ owasp_mastg: [ TEST-0013, TEST-0016, TEST-0063 ]
+ capec: [ 20, 55, 112, 485 ]
+ safecode: [ 21, 29, 32, 33 ]
+ -
+ value: "9"
+ owasp_masvs: [ CRYPTO-1 ]
+ owasp_mastg: [ TEST-0014 ]
+ capec: [ 97, 620 ]
+ safecode: [ 21, 29 ]
+ -
+ value: "10"
+ owasp_masvs: [ CRYPTO-1 ]
+ owasp_mastg: [ TEST-0014, TEST-0061 ]
+ capec: [ 20, 116, 117, 97, 112, 485 ]
+ safecode: [ 14, 23, 29, 31, 32, 33 ]
+ -
+ value: "J"
+ owasp_masvs: [ CRYPTO-1, STORAGE-1 ]
+ owasp_mastg: [ TEST-0001, TEST-0014, TEST-0052, TEST-0061 ]
+ capec: [ 210, 212 ]
+ safecode: [ 15 ]
+ -
+ value: "Q"
+ owasp_masvs: [ CRYPTO-1 ]
+ owasp_mastg: [ TEST-0014, TEST-0061 ]
+ capec: [ 20, 116, 117, 97, 112, 485 ]
+ safecode: [ 14, 21, 29, 32, 33 ]
+ -
+ value: "K"
+ owasp_masvs: [ CRYPTO-1, CRYPTO-2 ]
+ owasp_mastg: [ TEST-0014, TEST-0061, TEST-0062 ]
+ capec: [ 54, 97, 116, 117, 220 ]
+ safecode: [ 14, 21, 29 ]
+-
+ name: "Cornucopia"
+ cards:
+ -
+ value: "2"
+ owasp_masvs: [ PRIVACY-3 ]
+ owasp_mastg: [ "-" ]
+ capec: [ 410 ]
+ safecode: [ "-" ]
+ -
+ value: "3"
+ owasp_masvs: [ PRIVACY-4 ]
+ owasp_mastg: [ "-" ]
+ capec: [ 410 ]
+ safecode: [ "-" ]
+ -
+ value: "4"
+ owasp_masvs: [ PRIVACY-1 ]
+ owasp_mastg: [ "-" ]
+ capec: [ 410 ]
+ safecode: [ "-" ]
+ -
+ value: "5"
+ owasp_masvs: [ PRIVACY-4 ]
+ owasp_mastg: [ "-" ]
+ capec: [ 410 ]
+ safecode: [ "-" ]
+ -
+ value: "6"
+ owasp_masvs: [ PRIVACY-2 ]
+ owasp_mastg: [ "-" ]
+ capec: [ 410 ]
+ safecode: [ "-" ]
+ -
+ value: "7"
+ owasp_masvs: [ CODE-4, PLATFORM-1 ]
+ owasp_mastg: [ TEST-0025, TEST-0030, TEST-0072 ]
+ capec: [ 499, 502 ]
+ safecode: [ "-" ]
+ -
+ value: "8"
+ owasp_masvs: [ STORAGE-2 ]
+ owasp_mastg: [ "-" ]
+ capec: [ 126 ]
+ safecode: [ 16 ]
+ -
+ value: "9"
+ owasp_masvs: [ CODE-4 ]
+ owasp_mastg: [ TEST-0043, TEST-0086 ]
+ capec: [ 92, 100 ]
+ safecode: [ 3, 6, 36 ]
+ -
+ value: "10"
+ owasp_masvs: [ CODE-4 ]
+ owasp_mastg: [ TEST-0025, TEST-0072 ]
+ capec: [ 137, 499, 502, 586 ]
+ safecode: [ "-" ]
+ -
+ value: "J"
+ owasp_masvs: [ CRYPTO-1, CODE-4 ]
+ owasp_mastg: [ TEST-0002 ]
+ capec: [ 23, 165, 442 ]
+ safecode: [ "-" ]
+ -
+ value: "Q"
+ owasp_masvs: [ RESILIENCE-4 ]
+ owasp_mastg: [ TEST-0050 ]
+ capec: [ 167, 202, 554 ]
+ safecode: [ "-" ]
+ -
+ value: "K"
+ owasp_masvs: [ RESILIENCE-2 ]
+ owasp_mastg: [ TEST-0047, TEST-0090 ]
+ capec: [ 17, 23, 165, 167, 636 ]
+ safecode: [ "-" ]
diff --git a/tests/scripts/convert_utest.py b/tests/scripts/convert_utest.py
index 2a520917..a3ac84fa 100644
--- a/tests/scripts/convert_utest.py
+++ b/tests/scripts/convert_utest.py
@@ -1102,7 +1102,7 @@ def test_get_mapping_dict_true(self) -> None:
 def test_get_mapping_dict_empty(self) -> None:
 input_yaml_files = [os.sep.join([self.BASE_PATH, "source", "ecommerce-cards-1.21-en.yaml"])]
 want_mapping_dict: Dict[str, str] = {}
- want_logging_error_message = ["ERROR:root:Could not get language data from yaml ecommerce-cards-1.21-en.yaml"]
+ want_logging_error_message = ["ERROR:root:Could not get language data from yaml ecommerce-cards-1.21-en.yaml"]
 with self.assertLogs(logging.getLogger(), logging.ERROR) as ll:
 got_mapping_dict = c.get_mapping_dict(input_yaml_files)
@@ -1112,7 +1112,7 @@ def test_get_mapping_dict_empty(self) -> None:
 def test_get_mapping_dict_wrong_file_type(self) -> None:
 input_yaml_files = [os.sep.join([self.BASE_PATH, "resources", "originals", "owasp_cornucopia_en.docx"])]
 want_mapping_dict: Dict[str, str] = {}
- want_logging_error_message = ["ERROR:root:Could not get language data from yaml owasp_cornucopia_en.docx"]
+ want_logging_error_message = ["ERROR:root:Could not get language data from yaml owasp_cornucopia_en.docx"]
 with self.assertLogs(logging.getLogger(), logging.ERROR) as ll:
 got_mapping_dict = c.get_mapping_dict(input_yaml_files)
@@ -1582,7 +1582,7 @@ def test_get_suit_tags_and_key_suits(self) -> None:
 want_tags = ["VE", "AT", "SM", "AZ", "CR", "CO", "WC"]
 want_key = "cards"
- got_tags, got_key = c.get_suit_tags_and_key(input_key)
+ got_tags, got_key = c.get_suit_tags_and_key(input_key, "ecommerce")
 self.assertEqual(want_tags, got_tags)
 self.assertEqual(want_key, got_key)
@@ -1591,7 +1591,16 @@ def test_get_suit_tags_and_key_paragraphs(self) -> None:
 want_tags = ["Common"]
 want_key = "sentences"
- got_tags, got_key = c.get_suit_tags_and_key(input_key)
+ got_tags, got_key = c.get_suit_tags_and_key(input_key, "ecommerce")
+ self.assertEqual(want_tags, got_tags)
+ self.assertEqual(want_key, got_key)
+
+ def test_get_suit_tags_and_key_suits_for_masvs(self) -> None:
+ input_key = "suits"
+ want_tags = ["PC", "AA", "NS", "RS", "CR", "COM", "WC"]
+ want_key = "cards"
+
+ got_tags, got_key = c.get_suit_tags_and_key(input_key, "masvs")
 self.assertEqual(want_tags, got_tags)
 self.assertEqual(want_key, got_key)
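Review bot: The new `test_get_suit_tags_and_key_suits_for_masvs` only pins the `"suits"` key for the masvs edition; the `"paragraphs"` key is still exercised solely with `"ecommerce"` (hunk @@ -1591), so a masvs-specific paragraph tag set, or a regression in it, would pass unnoticed. A sibling `test_get_suit_tags_and_key_paragraphs_for_masvs` with `input_key = "paragraphs"` and the expected `want_tags`/`want_key` would close that gap, and a case passing an edition outside the known set would document the function's fallback (the implementation is in convert.py, outside this diff, so that behaviour is not visible here). The edition literals `"ecommerce"` and `"masvs"` are now repeated across the hunks at @@ -1582 and @@ -1591; if convert.py exposes the edition names via a module-level constant, referencing it keeps the tests in step with the CLI choices. The enclosing test class continues outside the hunk.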