Skip to content

Add importer support for newer OWASP standards for issue #471#4

Open
Bornunique911 wants to merge 1 commit into
mainfrom
followup/owasp-standards-importers
Open

Add importer support for newer OWASP standards for issue #471#4
Bornunique911 wants to merge 1 commit into
mainfrom
followup/owasp-standards-importers

Conversation

@Bornunique911

Copy link
Copy Markdown
Owner

Related Issue

This branch addresses:

Problem

OpenCRE does not yet include parser/import support for several newer OWASP resources that are useful for mapping CREs to current guidance.

Without importer support for these resources:

  • the standards cannot be loaded into OpenCRE in a structured way
  • they cannot participate in CRE mapping or comparison flows
  • adding future OWASP resources remains inconsistent and manual

Solution

This branch adds parser and data support for newer OWASP resources, including:

  • OWASP Top 10 2025
  • OWASP API Security Top 10 2023
  • OWASP Top 10 for LLM and Gen AI Apps 2025
  • OWASP Kubernetes Top Ten 2022
  • OWASP Kubernetes Top Ten 2025 (Draft)
  • OWASP AI Security Verification Standard (AISVS)

The implementation uses explicit parser and data files so the imported resources remain maintainable and reviewable.

This branch also adds the required parser wiring so these resources can be imported through the existing OpenCRE flow.

Testing

Executed focused parser tests:

./venv/bin/python -m pytest \
  application/tests/owasp_top10_2025_parser_test.py \
  application/tests/owasp_api_top10_2023_parser_test.py \
  application/tests/owasp_aisvs_parser_test.py \
  application/tests/owasp_kubernetes_top10_2022_parser_test.py \
  application/tests/owasp_kubernetes_top10_2025_parser_test.py \
  application/tests/owasp_llm_top10_2025_parser_test.py \
  -q

Bornunique911 pushed a commit that referenced this pull request Jun 24, 2026
OWASP#928)

* feat(module-b): add Pydantic v2 schemas + hashing for Module A input contract

Establishes the data contract Module B consumes from Module A. ChangeRecord
is a Pydantic v2 model matching A's actual emission shape: nested source
(discriminated union on type for github/rss), span (chunk position +
heading_path + char/line offsets), and locator (addressing scheme). Internal
models ClassifyResult and QueuePayload prep for later stages.

hashing.py provides normalize_text + compute_content_hash since Module A
does not emit content_hash; B computes its own (SHA-256 of normalized text)
for use as the knowledge_queue dedup key.

22 unittest cases cover the round-trip, the discriminated union, hash
determinism, normalization rules, code-fence preservation, and idempotency.
Full make test: 271 passing, no regressions.

Part of GSoC 2026 OpenCRE Scraper & Indexer (Project OIE) Module B.

* feat(module-b): add Module A mock fixture + generated JSON Schema artifact

module_a_mock.jsonl: Module A's canonical 20-record mock shared 2026-05-29,
saved as JSONL (one record per line per the contract). Becomes a permanent
integration-test fixture for B's parser and a reference shape for the
Module A contributor.

module_a_contract.schema.json: JSON Schema generated from B's Pydantic
ChangeRecord model via model_json_schema(). 246 lines covering all four
nested types (ChangeRecord, GithubSource, RssSource, Span, Locator).
Source of truth for cross-module CI validation.

Part of GSoC 2026 OpenCRE Scraper & Indexer (Project OIE) Module B.

* feat(module-b): add OWASP harvester, labeling TUI, and labeled dataset

build_labeled_dataset.py: PyGithub-based harvester that acts as Module A's
stand-in for producing benchmark data. Fetches recent commits from 4 OWASP
repos (WSTG, ASVS, CheatSheetSeries, SAMM), applies the contract's
normalization rules, splits into chunks at markdown heading boundaries
with a fence-aware stack-based walker that tracks heading_path + char/line
offsets, and emits records in Module A's actual nested shape. Pluggable
via GITHUB_TOKEN env var. Reproducible: python scripts/build_labeled_dataset.py
regenerates the candidate set.

label_dataset.py: resumable interactive TUI for manual classification.
Atomic-writes labeled_data.json after every keystroke; lookup by chunk_id
for resume. Embeds the recall-first definition (agreed with maintainer
2026-06-01) so labelers see the rule front-of-mind: KNOWLEDGE for any
chunk with security signal, NOISE only for pure organizational content.

candidate_commits.json: 100 records, 25 per repo, all Pydantic-valid
against ChangeRecord. 90/100 have non-empty heading_path; 10 multi-chunk
artifacts captured.

labeled_data.json: 100/100 labeled by hand under the recall-first rule.
Distribution 55 KNOWLEDGE / 40 NOISE / 5 UNCERTAIN. Per-repo skew is
visible: CheatSheetSeries 92% K, SAMM 0% K (the SAMM commits sampled
landed entirely on Website/Sponsorship/meetings paths -- empirical input
for Week 2's noise_patterns.yaml).

Part of GSoC 2026 OpenCRE Scraper & Indexer (Project OIE) Module B.

* style(module-b): apply Black formatting to Week 1 files

Super-Linter (Black 24.4.2) flagged 4 files in the previous push.
Applied `black` (same pinned version) to bring them in line with the
repo's formatting standard. Cosmetic changes only: blank lines around
section-separator comments, one multi-line dict join. No behavior or
test changes -- `make test` remains 271 passing, 1 skip.

* chore(module-b): address CodeRabbit Week 1 review comments

- Sort __all__ lists in hashing.py and schemas.py to satisfy
  Ruff RUF022.
- Declare JSON Schema dialect ($schema = draft 2020-12, which is
  what Pydantic v2 model_json_schema() emits) on the contract artifact.
- Wrap load_labeled() in scripts/label_dataset.py with try/except so a
  corrupted labeled_data.json prints an actionable hint instead of a
  raw JSONDecodeError stack trace.

Deferred to Week 2 (will be addressed when we touch the harvester):
- chunker should also track <pre> open/close, not just ``` fences
- _split_chunk_by_size cursor arithmetic assumes \\n\\n separator even
  on hard-split sub-chunks

Tests: 271 passing, 1 skip (unchanged). Black: clean.

* feat(module-b): add Stage 1.5 sanitize.py vendored from TRACT

Defensive text cleanup (PDF ligatures, zero-width chars, HTML, hyphenation).
Vendored from rocklambros/TRACT under CC0; drops their whitespace-collapse
step so structure (newlines, paragraphs) is preserved for Module B's LLM.

26 unit tests, all passing.

* feat(module-b): add Stage 1 regex_filter + noise_patterns.yaml

Path-based filter with extension/filename/glob deny rules and allow_overrides.
Patterns are deliberately conservative under the recall-first labeling rule.

15 unit tests including >=90% rejection / 0% false-positive acceptance criteria.

* fix(module-b): chunker tracks <pre> blocks; correct hard-split cursor math

Addresses CodeRabbit comments #4 and #5 on the Week 1 PR.

* chore(module-b): address CodeRabbit Week 2 review comments

* chore(module-b): address Week 2 maintainer review on noise_patterns.yaml

---------

Signed-off-by: Manshu Saini <149303743+manshusainishab@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant