Skip to content

Expand OWASP standards and resource mappings for issue #471#3

Open
Bornunique911 wants to merge 18 commits into
mainfrom
followup/standards-mapping
Open

Expand OWASP standards and resource mappings for issue #471#3
Bornunique911 wants to merge 18 commits into
mainfrom
followup/standards-mapping

Conversation

@Bornunique911

Copy link
Copy Markdown
Owner

Related Issue

This branch addresses:

Problem

OpenCRE is most useful when its CRE catalog is connected to the OWASP resources practitioners actually use during design, implementation, testing, and review.

Issue #471 calls for broader mapping to OWASP resources. At the moment, that coverage is incomplete in a few important ways:

  • several newer OWASP standards are not yet imported into OpenCRE
  • some OWASP resources are present but not mapped through stable or official references
  • local update workflows for these resources are more manual than they should be
  • the application does not consistently surface these newer mapped standards in analysis and exploration flows

This leaves gaps in practical coverage for newer OWASP guidance across web, API, AI/LLM, cloud, and cheat-sheet resources.

Solution

This branch expands OpenCRE’s OWASP resource coverage by adding curated standards data, parser support, mapping data, official reference normalization, and local refresh workflows.

1. Add importer support for additional OWASP resources

This branch adds parser/data support for newer OWASP resources, including:

  • OWASP Top 10 2025
  • OWASP API Security Top 10 2023
  • OWASP Top 10 for LLM and Gen AI Apps 2025
  • OWASP Kubernetes Top Ten 2022
  • OWASP Kubernetes Top Ten 2025 (Draft)
  • OWASP AI Security Verification Standard (AISVS)

These resources are added through explicit parser and data files so the mappings remain maintainable and reviewable.

2. Expand curated mapping coverage

This branch adds curated CRE mappings for the new OWASP resources so they can participate meaningfully in OpenCRE linking and comparison flows.

This includes:

  • newer OWASP Top 10 categories
  • AI / LLM-related resources
  • API-focused resources
  • Kubernetes and cloud-related resources
  • additional OWASP cheat sheet coverage

3. Normalize official OWASP references

This branch updates resource references so imported OWASP items point to stable and official locations where possible.

This includes:

  • OWASP Cheat Sheet Series URLs
  • official OWASP GenAI risk pages for LLM Top 10 entries
  • AISVS section references aligned to the actual source structure

4. Add local update workflows

This branch adds scripts to simplify local refresh of mapped OWASP resources and related data.

These scripts support repeatable local updates for:

  • OWASP standards mappings
  • cheat sheets
  • CWE refreshes used alongside related mapping work

5. Surface the new resources in application flows

To make the added mappings usable in practice, this branch also includes supporting application changes so the imported standards can be surfaced in:

  • map analysis
  • explorer/root standards discovery
  • specialized cheat-sheet presentation where category-aware rendering improves signal

6. Add focused test coverage

This branch adds targeted tests for:

  • new OWASP standards parsers
  • cheat sheet parsing behavior
  • map analysis behavior tied to newer standards
  • supporting route and parser behavior needed for these mappings

Testing

Focused validation during development included commands such as:

./venv/bin/python -m pytest application/tests/owasp_top10_2025_parser_test.py -q
./venv/bin/python -m pytest application/tests/owasp_llm_top10_2025_parser_test.py -q
./venv/bin/python -m pytest application/tests/owasp_api_top10_2023_parser_test.py -q
./venv/bin/python -m pytest application/tests/owasp_aisvs_parser_test.py -q
./venv/bin/python -m pytest application/tests/cheatsheets_parser_test.py -q
./venv/bin/python -m pytest application/tests/web_main_test.py -k 'owasp or specialized or direct_cre_overlap' -q
./venv/bin/python -m pytest application/tests/cre_main_test.py -q

Bornunique911 and others added 17 commits March 16, 2026 12:24
Signed-off-by: Bornunique911 <69379200+Bornunique911@users.noreply.github.com>
	modified:   application/frontend/src/pages/Explorer/explorer.scss
	modified:   application/frontend/src/pages/Explorer/explorer.tsx
	modified:   application/frontend/src/pages/GapAnalysis/GapAnalysis.scss
	modified:   application/frontend/src/pages/GapAnalysis/GapAnalysis.tsx
	modified:   application/frontend/src/providers/DataProvider.tsx
	modified:   application/frontend/src/types.ts
	modified:   application/frontend/www/bundle.js
	modified:   application/frontend/www/bundle.js.LICENSE.txt
	modified:   application/frontend/www/index.html
	modified:   application/prompt_client/openai_prompt_client.py
	modified:   application/tests/cheatsheets_parser_test.py
	modified:   application/tests/cre_main_test.py
	modified:   application/tests/cwe_parser_test.py
	modified:   application/tests/web_main_test.py
	modified:   application/utils/external_project_parsers/parsers/cheatsheets_parser.py
	modified:   application/utils/external_project_parsers/parsers/cwe.py
	modified:   application/web/web_main.py
	modified:   cre.py
	modified:   yarn.lock

	application/tests/owasp_aisvs_parser_test.py
	application/tests/owasp_api_top10_2023_parser_test.py
	application/tests/owasp_kubernetes_top10_2022_parser_test.py
	application/tests/owasp_kubernetes_top10_2025_parser_test.py
	application/tests/owasp_llm_top10_2025_parser_test.py
	application/tests/owasp_top10_2025_parser_test.py
	application/utils/external_project_parsers/data/
	application/utils/external_project_parsers/parsers/owasp_aisvs.py
	application/utils/external_project_parsers/parsers/owasp_api_top10_2023.py
	application/utils/external_project_parsers/parsers/owasp_kubernetes_top10_2022.py
	application/utils/external_project_parsers/parsers/owasp_kubernetes_top10_2025.py
	application/utils/external_project_parsers/parsers/owasp_llm_top10_2025.py
	application/utils/external_project_parsers/parsers/owasp_top10_2025.py
	package-lock.json
	scripts/run-local.sh
	scripts/show-db-stats.sh
	scripts/update-cheatsheets.sh
	scripts/update-cwe.sh
	scripts/update-owasp-top10-2025-mappings.sh
	scripts/update-owasp-top10-standards.sh
	new file:   application/tests/owasp_api_top10_2023_parser_test.py
	new file:   application/tests/owasp_kubernetes_top10_2022_parser_test.py
	new file:   application/tests/owasp_kubernetes_top10_2025_parser_test.py
	new file:   application/tests/owasp_llm_top10_2025_parser_test.py
	new file:   application/tests/owasp_top10_2025_parser_test.py
	new file:   application/utils/external_project_parsers/data/cwe_fallback_mappings.json
	new file:   application/utils/external_project_parsers/data/owasp_aisvs_1_0.json
	new file:   application/utils/external_project_parsers/data/owasp_api_top10_2023.json
	new file:   application/utils/external_project_parsers/data/owasp_cheatsheets_supplement.json
	new file:   application/utils/external_project_parsers/data/owasp_kubernetes_top10_2022.json
	new file:   application/utils/external_project_parsers/data/owasp_kubernetes_top10_2025.json
	new file:   application/utils/external_project_parsers/data/owasp_llm_top10_2025.json
	new file:   application/utils/external_project_parsers/data/owasp_top10_2025.json
	new file:   application/utils/external_project_parsers/parsers/owasp_aisvs.py
	new file:   application/utils/external_project_parsers/parsers/owasp_api_top10_2023.py
	new file:   application/utils/external_project_parsers/parsers/owasp_kubernetes_top10_2022.py
	new file:   application/utils/external_project_parsers/parsers/owasp_kubernetes_top10_2025.py
	new file:   application/utils/external_project_parsers/parsers/owasp_llm_top10_2025.py
	new file:   application/utils/external_project_parsers/parsers/owasp_top10_2025.py
	new file:   package-lock.json
	new file:   scripts/run-local.sh
	new file:   scripts/show-db-stats.sh
	new file:   scripts/update-cheatsheets.sh
	new file:   scripts/update-cwe.sh
	new file:   scripts/update-owasp-top10-2025-mappings.sh
	new file:   scripts/update-owasp-top10-standards.sh
Signed-off-by: Bornunique911 <69379200+Bornunique911@users.noreply.github.com>
@Bornunique911 Bornunique911 self-assigned this Mar 24, 2026
Signed-off-by: Bornunique911 <69379200+Bornunique911@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant