├── .github
    ├── CONTRIBUTING.md
    ├── PULL_REQUEST_TEMPLATE.md
    └── workflows
    │   ├── validate_artifacts.yml
    │   └── validate_vrt.yml
├── .gitignore
├── CHANGELOG.md
├── CODE_OF_CONDUCT.md
├── Dockerfile
├── LICENSE.md
├── README.md
├── deprecated-node-mapping.json
├── lib
    ├── artifacts
    │   ├── __init__.py
    │   └── scw_artifact.py
    ├── generate_artifacts.py
    ├── requirements.txt
    ├── tests
    │   ├── __init__.py
    │   ├── test_artifact_format.py
    │   ├── test_deprecated_mapping.py
    │   └── test_vrt.py
    ├── utils
    │   ├── __init__.py
    │   └── utils.py
    ├── validate_artifacts.py
    └── validate_vrt.py
├── mappings
    ├── cvss_v3
    │   ├── cvss_v3.json
    │   └── cvss_v3.schema.json
    ├── cwe
    │   ├── cwe.json
    │   └── cwe.schema.json
    └── remediation_advice
    │   ├── remediation_advice.json
    │   └── remediation_advice.schema.json
├── sort_all_jsons.py
├── third-party-mappings
    └── remediation_training
    │   └── secure-code-warrior-links.json
├── vrt.schema.json
└── vulnerability-rating-taxonomy.json


/.github/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contributing
 2 | Bugcrowd welcomes community feedback and direct contributions to the Bugcrowd VRT. We accept comments for public discussion via GitHub Issues, but can also accommodate comments made via email to [vrt@bugcrowd.com](mailto:vrt@bugcrowd.com).
 3 | 
 4 | ## Process
 5 | Please open your feedback as an **Issue**. The Bugcrowd team strives to review and comment on new Issues within five business days. Large or systemic changes should first be discussed in an Issue rather than be submitted as a pull request directly. If you have a suggested minor change that includes:
 6 | 
 7 | - Additional subcategories or variants
 8 | - Rewording of existing entries
 9 | - Corrections of typographical or other minor errors
10 | 
11 | you may open a pull request directly for these examples. Prior to opening a pull request please ensure your suggested changes pass schema validation. The repository includes a [`validate_vrt.py`](../validate_vrt.py) script that can be used to perform JSON validation using [`vrt.schema.json`](../vrt.schema.json) (see examples below).
12 | 
13 | ### Example Git Hook Validation
14 | 1. Install `jsonschema` and `GitPython` via pip with `pip install jsonschema GitPython`
15 |  - If you don't have pip, you can install it like so: `easy_install pip`
16 | 2. Add a pre-commit hook that will automatically run the validation script every time you run `git commit`
17 |  - Windows: `mklink /H .git\hooks\pre-commit validate_vrt.py`
18 |  - Linux/macOS: `ln -s ../../validate_vrt.py .git/hooks/pre-commit`
19 | 
20 | ### Example Manual JSON validation
21 |  1. Install `jsonschema` and `GitPython` via pip with `pip install jsonschema GitPython`
22 |   - If you don't have pip, you can install it like so: `easy_install pip`
23 |  2. Run `validate_vrt.py`
24 | 
25 |  ### This validation is also run in github actions
26 |  You can find the Validate VRT action [here](https://github.com/bugcrowd/vulnerability-rating-taxonomy/actions?query=workflow%3A%22Validate+VRT%22)
27 | 
28 | ### CHANGELOG Entry
29 | When opening a Pull Request append an entry to the [`CHANGELOG`](../CHANGELOG.md) under the `[Unreleased]` header, following the format from [Keep a CHANGELOG](http://keepachangelog.com/en/0.3.0/) and our previous releases.
30 | 
31 | To detail, an entry can go in one of three headers, `Added`, `Removed`, or `Changed`. For `Added` or `Removed` categories add a bullet (`-`) then state the `ID` of the entry that was either added or removed.  With `Changed`, we handle attribute or parent changes.
32 | 
33 | If a data attribute (name or priority) changes, use the format of:
34 | ```
35 | - {ID} {attribute} changed from {old value} to {new value}
36 | ```
37 | 
38 | Yet if the parent changes, the format below should be used:
39 | ```
40 | - {old ID} moved via {type} change to {new ID}
41 | ```
42 | 
43 | ### Deprecated Node Mapping
44 | When a breaking change occurs, a new entry should be added to [`deprecated-node-mapping.json`](../deprecated-node-mapping.json).
45 | 
46 | #### Format
47 | ```json
48 | {
49 |   "deprecated_id": {
50 |     "1.3": "new_id",
51 |     "2.0": "newest_id"
52 |   }
53 | }
54 | ```
55 | 
56 | ### Mapping to Other Systems
57 | When adding, removing or modifying VRT entries, the [mapping files](../mappings) will also need to be updated. Check
58 | the [README](../README.md#mapping-to-other-systems) for details about the file formats.
59 | 


--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
 1 | #### Issue: Resolves #
 2 | 
 3 | #### [CVSS v3 Mapping](https://github.com/bugcrowd/vulnerability-rating-taxonomy/blob/master/mappings/cvss_v3/cvss_v3.json):
 4 | 
 5 | #### [CWE Mapping](https://github.com/bugcrowd/vulnerability-rating-taxonomy/blob/master/mappings/cwe/cwe.json):
 6 | 
 7 | #### [Remediation Advice Mapping](https://github.com/bugcrowd/vulnerability-rating-taxonomy/blob/master/mappings/remediation_advice/remediation_advice.json):
 8 | 
 9 | #### [Deprecated Node Mapping](https://github.com/bugcrowd/vulnerability-rating-taxonomy/blob/master/deprecated-node-mapping.json) (_if needed_):
10 | 
11 | 
12 | #### Checklist:
13 | 
14 | - [ ] I have added entries to `CHANGELOG.md` and marked it Added/Changed/Removed
15 | - [ ] I have made corresponding changes to the documentation (_if needed_)
16 | 


--------------------------------------------------------------------------------
/.github/workflows/validate_artifacts.yml:
--------------------------------------------------------------------------------
 1 | name: Validate Artifacts
 2 | 
 3 | on:
 4 |   push:
 5 |     branches: 
 6 |       - master
 7 |   release:
 8 |     types:
 9 |       - created
10 |       - edited
11 |       - unpublished
12 | 
13 | jobs:
14 |   validate_scw_artifact:
15 |     name: Validate SCW Artifact
16 |     runs-on: ubuntu-latest
17 |     steps:
18 |       - uses: actions/checkout@v1
19 |       - name: Set up Python 3.11
20 |         uses: actions/setup-python@v1
21 |         with:
22 |           python-version: 3.11
23 |       - name: Install dependencies
24 |         run: |
25 |           python -m pip install --upgrade pip
26 |           pip install -r lib/requirements.txt
27 |       - name: Install requests library
28 |         run: |
29 |           pip install requests
30 |       - name: Create artifact json file
31 |         run: |
32 |           python3 -B lib/generate_artifacts.py
33 |       - name: Upload artifact
34 |         uses: actions/upload-artifact@v1
35 |         with:
36 |           name: Secure Code Warrior Links
37 |           path: scw_links.json
38 |       - name: Validate links
39 |         run: |
40 |           python3 -B lib/validate_artifacts.py
41 | 


--------------------------------------------------------------------------------
/.github/workflows/validate_vrt.yml:
--------------------------------------------------------------------------------
 1 | name: Validate VRT
 2 | 
 3 | on: [push]
 4 | 
 5 | jobs:
 6 |   build:
 7 | 
 8 |     runs-on: ubuntu-latest
 9 | 
10 |     steps:
11 |     - uses: actions/checkout@v1
12 |     - name: Set up Python 3.11
13 |       uses: actions/setup-python@v1
14 |       with:
15 |         python-version: 3.11
16 |     - name: Install dependencies
17 |       run: |
18 |         python -m pip install --upgrade pip
19 |         pip install -r lib/requirements.txt
20 |     - name: Lint with flake8
21 |       run: |
22 |         pip install flake8
23 |         # stop the build if there are Python syntax errors or undefined names
24 |         flake8 ./lib --count --select=E9,F63,F7,F82 --show-source --statistics
25 |         # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
26 |         flake8 ./lib --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
27 |     - name: Test with unittest
28 |       run: |
29 |         python3 -B lib/validate_vrt.py
30 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | *~
3 | 
4 | # vscode config
5 | .vscode/
6 | .DS_STORE


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
  1 | # Change Log
  2 | 
  3 | All notable changes to this project will be documented in this file.
  4 | 
  5 | The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/)
  6 | 
  7 | ## [Unreleased]
  8 | 
  9 | ### Added
 10 | 
 11 | ### Removed
 12 | 
 13 | ### Changed
 14 | 
 15 | ## [v1.15.1](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.15...v1.15.1) - 2025-03-11
 16 | 
 17 | ### Added
 18 | 
 19 | - Server Security Misconfiguration - Cache Deception - Varies
 20 | 
 21 | ### Other
 22 | 
 23 | - Fixed minor issues with deprecated-node-mapping.json file.
 24 | - Adding missing issues from deprecated-node-mapping.json file.
 25 | 
 26 | ## [v1.15](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.14.2...v1.15) - 2025-02-12
 27 | 
 28 | ### Added
 29 | 
 30 | - Decentralized Application Misconfiguration - Insecure Data Storage - Plaintext Private Key - P1
 31 | - Decentralized Application Misconfiguration - Insecure Data Storage - Sensitive Information Exposure - Varies
 32 | - Decentralized Application Misconfiguration - Improper Authorization - Insufficient Signature Validation - Varies
 33 | - Decentralized Application Misconfiguration - DeFi Security - Flash Loan Attack - Varies
 34 | - Decentralized Application Misconfiguration - DeFi Security - Pricing Oracle Manipulation - Varies
 35 | - Decentralized Application Misconfiguration - DeFi Security - Function-Level Accounting Error - Varies
 36 | - Decentralized Application Misconfiguration - DeFi Security - Improper Implementation of Governance - Varies
 37 | - Decentralized Application Misconfiguration - Marketplace Security - Signer Account Takeover - P1
 38 | - Decentralized Application Misconfiguration - Marketplace Security - Unauthorized Asset Transfer - P1
 39 | - Decentralized Application Misconfiguration - Marketplace Security - Orderbook Manipulation - P1
 40 | - Decentralized Application Misconfiguration - Marketplace Security - Malicious Order Offer - P2
 41 | - Decentralized Application Misconfiguration - Marketplace Security - Price or Fee Manipulation - P2
 42 | - Decentralized Application Misconfiguration - Marketplace Security - OFAC Bypass - P3
 43 | - Decentralized Application Misconfiguration - Marketplace Security - Improper Validation and Checks For Deposits and Withdrawals - Varies
 44 | - Decentralized Application Misconfiguration - Marketplace Security - Miscalculated Accounting Logic - Varies
 45 | - Decentralized Application Misconfiguration - Marketplace Security - Denial of Service - Varies
 46 | - Decentralized Application Misconfiguration - Protocol Security Misconfiguration - Node-level Denial of Service - P1
 47 | - Protocol Specific Misconfiguration - Frontrunning-Enabled Attack - P2
 48 | - Protocol Specific Misconfiguration - Sandwich-Enabled Attack - P2
 49 | - Protocol Specific Misconfiguration - Misconfigured Staking Logic - Varies
 50 | - Protocol Specific Misconfiguration - Improper Validation and Finalization Logic - Varies
 51 | - Smart Contract Misconfiguration - Reentrancy Attack - P1
 52 | - Smart Contract Misconfiguration - Smart Contract Owner Takeover - P1
 53 | - Smart Contract Misconfiguration - Uninitialized Variables - P1
 54 | - Smart Contract Misconfiguration - Unauthorized Transfer of Funds - P1
 55 | - Smart Contract Misconfiguration - Integer Overflow / Underflow - P2
 56 | - Smart Contract Misconfiguration - Unauthorized Smart Contract Approval - P2
 57 | - Smart Contract Misconfiguration - Irreversible Function Call - P3
 58 | - Smart Contract Misconfiguration - Function-level Denial of Service - P3
 59 | - Smart Contract Misconfiguration - Malicious Superuser Risk - P3
 60 | - Smart Contract Misconfiguration - Improper Fee Implementation - P3
 61 | - Smart Contract Misconfiguration - Improper Use of Modifier - P4
 62 | - Smart Contract Misconfiguration - Improper Decimals Implementation - P4
 63 | - Smart Contract Misconfiguration - Inaccurate Rounding Calculation - Varies
 64 | - Smart Contract Misconfiguration - Bypass of Function Modifiers & Checks - Varies
 65 | - Zero Knowledge Security Misconfiguration - Missing Constraint - Varies
 66 | - Zero Knowledge Security Misconfiguration - Mismatching Bit Lengths - Varies
 67 | - Zero Knowledge Security Misconfiguration - Misconfigured Trusted Setup - Varies
 68 | - Zero Knowledge Security Misconfiguration - Missing Range Check - Varies
 69 | - Zero Knowledge Security Misconfiguration - Improper Proof Validation and Finalization Logic - P1
 70 | - Zero Knowledge Security Misconfiguration - Deanonymization of Data - P1
 71 | - Blockchain Infrastructure Misconfiguration - Improper Bridge Validation and Verification Logic - Varies
 72 | - Broken Authentication and Session Management - SAML Replay - P5
 73 | 
 74 | ### Changed
 75 | 
 76 | FROM:
 77 | 
 78 | - Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information/Iterable Object Identifiers - P1
 79 | - Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Edit/Delete Sensitive Information/Iterable Object Identifiers - P2
 80 | - Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read Sensitive Information/Iterable Object Identifiers - P3
 81 | - Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information/Complex Object Identifiers(GUID) - P4
 82 | - Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Non-Sensitive Information - P5
 83 | 
 84 | TO:
 85 | 
 86 | - Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Modify/View Sensitive Information(Iterable Object Identifiers) - P1
 87 | - Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Modify Sensitive Information(Iterable Object Identifiers) - P2
 88 | - Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - View Sensitive Information(Iterable Object Identifiers) - P3
 89 | - Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Modify/View Sensitive Information(Complex Object Identifiers GUID/UUID) - P4
 90 | - Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - View Non-Sensitive Information - P5
 91 | 
 92 | ### Other
 93 | 
 94 | - CVSS Score correction for Server Security Misconfiguration - Mail Server Misconfiguration - Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain - P4.
 95 | - All JSONs, i.e., VRT and its mapping JSONs are now alphabetically sorted.
 96 | - Internal library changes to add a new helper script that aids in sorting the JSONs.
 97 | 
 98 | ## [v1.14.2](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.14.1...v1.14.2) - 2024-10-25
 99 | 
100 | ### Removed
101 | 
102 | - Server Security Misconfiguration - Misconfigured DNS - High Impact Subdomain Takeover - P2
103 | 
104 | ### Changed
105 | 
106 | FROM:
107 | 
108 | - Server Security Misconfiguration - Misconfigured DNS - Basic Subdomain Takeover - P3
109 | 
110 | TO:
111 | 
112 | - Server Security Misconfiguration - Misconfigured DNS - Subdomain Takeover - P3
113 | 
114 | ## [v1.14.1](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.14...v1.14.1) - 2024-07-18
115 | 
116 | ### Changed
117 | 
118 | - `vulnerability-rating-taxononomy.json` correction
119 | 
120 | ## [v1.14](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.13...v1.14) - 2024-07-09
121 | 
122 | ### Added
123 | 
124 | - Server Security Misconfiguration - Email verification bypass - P5
125 | - Server Security Misconfiguration - Missing Subresource Integrity - P5
126 | - Sensitive Data Exposure - Token Leakage via Referer - Password Reset Token - P5
127 | - Server Security Misconfiguration - Software Package Takeover - VARIES
128 | - Broken Access Control (BAC) - Privilege Escalation - VARIES
129 | - Data Biases - Representation Bias - VARIES
130 | - Data Biases - Pre-existing Bias - VARIES
131 | - Algorithmic Biases - Processing Bias - VARIES
132 | - Algorithmic Biases - Aggregation Bias - VARIES
133 | - Societal Biases - Confirmation Bias - VARIES
134 | - Societal Biases - Systemic Bias - VARIES
135 | - Misinterpretation Biases - Context Ignorance - VARIES
136 | - Developer Biases - Implicit Bias - VARIES
137 | 
138 | ### Removed
139 | 
140 | - Broken Authentication and Session Management - Privilege Escalation - VARIES
141 | 
142 | ## [v1.13](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.12...v1.13) - 2024-04-02
143 | 
144 | ### Added
145 | 
146 | - Physical Security Issues - Bypass of physical access control - VARIES
147 | - Physical Security Issues - Weakness in physical access control - Clonable Key - VARIES
148 | - Physical Security Issues - Weakness in physical access control - Master Key Identification - VARIES
149 | - Physical Security Issues - Weakness in physical access control - Commonly Keyed System - P2
150 | - Insecure OS/Firmware - Weakness in Firmware Updates - Firmware cannot be updated - VARIES
151 | - Insecure OS/Firmware - Weakness in Firmware Updates - Firmware does not validate update integrity- P3
152 | - Insecure OS/Firmware - Weakness in Firmware Updates - Firmware is not encrypted- P5
153 | - Insecure OS/Firmware - Kiosk Escape or Breakout - VARIES
154 | - Insecure OS/Firmware - Poorly Configured Disk Encryption - VARIES
155 | - Insecure OS/Firmware - Shared Credentials on Storage - P3
156 | - Insecure OS/Firmware - Over-Permissioned Credentials on Storage - P2
157 | - Insecure OS/Firmware - Local Administrator on default environment - P2
158 | - Insecure OS/Firmware - Poorly Configured Operating System Security - VARIES
159 | - Insecure OS/Firmware - Recovery of Disk Contains Sensitive Material - VARIES
160 | - Insecure OS/Firmware - Failure to Remove Sensitive Artifacts from Disk - VARIES
161 | - Insecure OS/Firmware - Data not encrypted at rest - Sensitive - VARIES
162 | - Insecure OS/Firmware - Data not encrypted at rest - Non sensitive - P5
163 | 
164 | ## [v1.12](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.11...v1.12) - 2023-12-18
165 | 
166 | ### Added
167 | 
168 | - Application Level DoS - Excessive Resource Consumption - Injection (Prompt) - VARIES
169 | - AI Application Security - Large Language Model (LLM) Security - Prompt Injection - P1
170 | - AI Application Security - Large Language Model (LLM) Security - LLM Output Handling - P1
171 | - AI Application Security - Large Language Model (LLM) Security - Training Data Poisoning - P1
172 | - AI Application Security - Large Language Model (LLM) Security - Excessive Agency/Permission Manipulation - P2
173 | 
174 | ## [v1.11](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.10...v1.11) - 2023-11-20
175 | 
176 | ### Added
177 | 
178 | - Sensitive Data Exposure - Disclosure of Secrets - PII Leakage/Exposure: VARIES
179 | - Server-Side Injection - Content Spoofing - HTML Content Injection: P5
180 | - Broken Authentication and Session Management - Failure to invalidate session - Permission change: VARIES
181 | - Server Security Misconfiguration - Request Smuggling: VARIES
182 | - Server-Side Injection - LDAP Injection: VARIES
183 | - Cryptographic Weakness - Insufficient Entropy - Limited Random Number Generator (RNG) Entropy Source: P4
184 | - Cryptographic Weakness - Insufficient_Entropy - Use of True Random Number Generator (TRNG) for Non-Security Purpose: P5
185 | - Cryptographic Weakness - Insufficient_Entropy - Pseudo-Random Number Generator (PRNG) Seed Reuse: P5
186 | - Cryptographic Weakness - Insufficient_Entropy - Predictable Pseudo-Random Number Generator (PRNG) Seed: P4
187 | - Cryptographic Weakness - Insufficient_Entropy - Small Seed Space in Pseudo-Random Number Generator (PRNG): P4
188 | - Cryptographic Weakness - Insufficient_Entropy - Initialization Vector (IV) Reuse: P5
189 | - Cryptographic Weakness - Insufficient_Entropy - Predictable Initialization Vector (IV): P4
190 | - Cryptographic Weakness - Insecure Implementation - Missing Cryptographic Step: VARIES
191 | - Cryptographic Weakness - Insecure Implementation - Improper Following of Specification (Other): VARIES
192 | - Cryptographic Weakness - Weak Hash - Lack of Salt: VARIES
193 | - Cryptographic Weakness - Weak Hash - Use of Predictable Salt: P5
194 | - Cryptographic Weakness - Weak Hash - Predictable Hash Collision: VARIES
195 | - Cryptographic Weakness - Insufficient Verification of Data Authenticity - Integrity Check Value (ICV): P4
196 | - Cryptographic Weakness - Insufficient Verification of Data Authenticity - Cryptographic Signature: VARIES
197 | - Cryptographic Weakness - Insecure Key Generation - Improper Asymmetric Prime Selection: VARIES
198 | - Cryptographic Weakness - Insecure Key Generation - Improper Asymmetric Exponent Selection: VARIES
199 | - Cryptographic Weakness - Insecure Key Generation - Insufficient Key Stretching: VARIES
200 | - Cryptographic Weakness - Insecure Key Generation - Insufficient Key Space: P3
201 | - Cryptographic Weakness - Insecure Key Generation - Key Exchage Without Entity Authentication: P3
202 | - Cryptographic Weakness - Key Reuse - Lack of Perfect Forward Secrecy: P4
203 | - Cryptographic Weakness - Key Reuse - Intra-Environment: P5
204 | - Cryptographic Weakness - Key Reuse - Inter-Environment: P2
205 | - Cryptographic Weakness - Side-Channel Attack - Padding Oracle Attack: P4
206 | - Cryptographic Weakness - Side-Channel Attack - Timing Attack: P4
207 | - Cryptographic Weakness - Side-Channel Attack - Power Analysis Attack: P5
208 | - Cryptographic Weakness - Side-Channel Attack - Emanations Attack: P5
209 | - Cryptographic Weakness - Side-Channel Attack - Differential Fault Analysis: VARIES
210 | - Cryptographic Weakness - Use of Expired Cryptographic Key (or Certificate): P4
211 | - Cryptographic Weakness - Incomplete Cleanup of Keying Material: P5
212 | - Cryptographic Weakness - Broken Cryptography - Use of Broken Cryptographic Primitive: P3
213 | - Cryptographic Weakness - Broken Cryptography - Use of Vulnerable Cryptographic Library: P4
214 | - Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Non-Sensitive Information: P5
215 | - Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information/GUID/Complex Object Identifiers: P4
216 | - Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read Sensitive Information/Iterable Object Identifiers: P3
217 | - Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Edit/Delete Sensitive Information/Iterable Object Identifiers: P2
218 | - Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information (PII)/Iterable Object Identifier: P1
219 | 
220 | ### Changed
221 | 
222 | FROM:
223 | 
224 | - Cross-Site Scripting (XSS) - IE-Only - Older Version (< IE11): P5
225 | 
226 | TO:
227 | 
228 | - Cross-Site Scripting (XSS) - IE-Only: P5
229 | 
230 | FROM:
231 | 
232 | - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal High Impact: P2
233 | - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact: P3
234 | - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - External: P4
235 | - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - DNS Query Only : P5
236 | 
237 | TO:
238 | 
239 | - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal High Impact: P2
240 | - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact: P3
241 | - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - Low impact: P5
242 | - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - DNS Query Only: P5
243 | 
244 | FROM:
245 | 
246 | - Automotive Security Misconfiguration - Infotainment, Radio Head Unit - PII Leakage: P1
247 | 
248 | TO:
249 | 
250 | - Automotive Security Misconfiguration - Infotainment, Radio Head Unit - Sensitive data Leakage/Exposure: P1
251 | 
252 | ### Removed
253 | 
254 | - Cross-Site Scripting (XSS) - IE-Only - IE11: P4
255 | - Cross-Site Scripting (XSS) - XSS Filter Disabled: P5
256 | - Broken Cryptography - Cryptographic Flaw - Incorrect Usage: P1
257 | 
258 | ## [v1.10.1](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.10...v1.10.1) - 2021-03-29
259 | 
260 | ### Changed
261 | 
262 | - renamed `secure code warriors` mapping to `secure code warrior`
263 | 
264 | ## [v1.10](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.9...v1.10) - 2021-03-18
265 | 
266 | ### Added
267 | 
268 | - insufficient_security_configurability.verification_of_contact_method_not_required
269 | - insufficient_security_configurability.weak_two_fa_implementation.two_fa_code_is_not_updated_after_new_code_is_requested
270 | - insufficient_security_configurability.weak_two_fa_implementation.old_two_fa_code_is_not_invalidated_after_new_code_is_generated
271 | - broken_authentication_and_session_management.weak_login_function.over_http
272 | - server_security_misconfiguration.oauth_misconfiguration.account_squatting
273 | - Third-party mapping to [Secure Code Warrior](https://www.securecodewarrior.com/) trainings
274 | - automotive_security_misconfiguration.can.injection_battery_management_system
275 | - automotive_security_misconfiguration.can.injection_steering_control
276 | - automotive_security_misconfiguration.can.injection_pyrotechnical_device_deployment_tool
277 | - automotive_security_misconfiguration.can.injection_headlights
278 | - automotive_security_misconfiguration.can.injection_sensors
279 | - automotive_security_misconfiguration.can.injection_vehicle_anti_theft_systems
280 | - automotive_security_misconfiguration.can.injection_powertrain
281 | - automotive_security_misconfiguration.can.injection_basic_safety_message
282 | - automotive_security_misconfiguration.battery_management_system
283 | - automotive_security_misconfiguration.battery_management_system.firmware_dump
284 | - automotive_security_misconfiguration.battery_management_system.fraudulent_interface
285 | - automotive_security_misconfiguration.gnss_gps
286 | - automotive_security_misconfiguration.gnss_gps.spoofing
287 | - automotive_security_misconfiguration.immobilizer
288 | - automotive_security_misconfiguration.immobilizer.engine_start
289 | - automotive_security_misconfiguration.abs
290 | - automotive_security_misconfiguration.abs.unintended_acceleration_brake
291 | - automotive_security_misconfiguration.rsu
292 | - automotive_security_misconfiguration.rsu.sybil_attack
293 | - automotive_security_misconfiguration.infotainment_radio_head_unit
294 | - automotive_security_misconfiguration.infotainment_radio_head_unit.pii_leakage
295 | - automotive_security_misconfiguration.infotainment_radio_head_unit.ota_firmware_manipulation
296 | - automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_can_bus_pivot
297 | - automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_no_can_bus_pivot
298 | - automotive_security_misconfiguration.infotainment_radio_head_unit.unauthorized_access_to_services
299 | - automotive_security_misconfiguration.infotainment_radio_head_unit.source_code_dump
300 | - automotive_security_misconfiguration.infotainment_radio_head_unit.dos_brick
301 | - automotive_security_misconfiguration.infotainment_radio_head_unit.default_credentials
302 | 
303 | ### Removed
304 | 
305 | - insufficient_security_configurability.lack_of_verification_email
306 | - broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default
307 | - broken_authentication_and_session_management.weak_login_function.http_and_https_available
308 | - broken_authentication_and_session_management.weak_login_function.lan_only
309 | - cross_site_request_forgery_csrf.flash_based.high_impact
310 | - cross_site_request_forgery_csrf.flash_based.low_impact
311 | - automotive_security_misconfiguration.infotainment
312 | - automotive_security_misconfiguration.infotainment.pii_leakage
313 | - automotive_security_misconfiguration.infotainment.code_execution_can_bus_pivot
314 | - automotive_security_misconfiguration.infotainment.code_execution_no_can_bus_pivot
315 | - automotive_security_misconfiguration.infotainment.unauthorized_access_to_services
316 | - automotive_security_misconfiguration.infotainment.source_code_dump
317 | - automotive_security_misconfiguration.infotainment.dos_brick
318 | - automotive_security_misconfiguration.infotainment.default_credentials
319 | 
320 | ### Changed
321 | 
322 | - server_security_misconfiguration.lack_of_security_headers.cache_control_for_a_non_sensitive_page updated remediation advice
323 | - server_security_misconfiguration.lack_of_security_headers.cache_control_for_a_sensitive_page updated remediation advice
324 | - cross_site_scripting_xss.flash_based priority changed from P4 to P5
325 | - cross_site_request_forgery_csrf.flash_based priority changed from null to P5 (due to children removal)
326 | - using_components_with_known_vulnerabilities.rosetta_flash priority changed from P4 to P5
327 | 
328 | ## [v1.9](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.8...v1.9) - 2020-05-22
329 | 
330 | ### Added
331 | 
332 | - sensitive_data_exposure.disclosure_of_secrets.for_publicly_accessible_asset
333 | - sensitive_data_exposure.disclosure_of_secrets.for_internal_asset
334 | - sensitive_data_exposure.disclosure_of_secrets.pay_per_use_abuse
335 | - sensitive_data_exposure.disclosure_of_secrets.intentionally_public_sample_or_invalid
336 | - sensitive_data_exposure.disclosure_of_secrets.data_traffic_spam
337 | - sensitive_data_exposure.disclosure_of_secrets.non_corporate_user
338 | - server_side_injection.ssti.basic
339 | - server_side_injection.ssti.custom
340 | - sensitive_data_exposure.via_localstorage_sessionstorage.sensitive_token
341 | - sensitive_data_exposure.via_localstorage_sessionstorage.non_sensitive_token
342 | - mobile_security_misconfiguration.auto_backup_allowed_by_default
343 | - server_security_misconfiguration.no_rate_limiting_on_form.change_password
344 | - server_side_injection.content_spoofing.impersonation_via_broken_link_hijacking
345 | - cross_site_request_forgery_csrf.flash_based.high_impact
346 | - cross_site_request_forgery_csrf.flash_based.low_impact
347 | - insufficient_security_configurability.password_policy_bypass
348 | 
349 | ### Removed
350 | 
351 | - sensitive_data_exposure.critically_sensitive_data.password_disclosure
352 | - sensitive_data_exposure.critically_sensitive_data.private_api_keys
353 | - sensitive_data_exposure.critically_sensitive_data
354 | 
355 | ## [v1.8](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.7.1...v1.8) - 2019-09-25
356 | 
357 | ### Added
358 | 
359 | - server_security_misconfiguration.race_condition
360 | - server_security_misconfiguration.cache_poisoning
361 | - indicators_of_compromise
362 | - broken_authentication_and_session_management.failure_to_invalidate_session.on_two_fa_activation_change
363 | 
364 | ### Removed
365 | 
366 | - mobile_security_misconfiguration.clipboard_enabled.on_sensitive_content
367 | - mobile_security_misconfiguration.clipboard_enabled.on_non_sensitive_content
368 | 
369 | ### Changed
370 | 
371 | - server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_non_email_domain name changed from "Email Spoofing on non-email domain" to "Email Spoofing on Non-Email Domain"
372 | - mobile_security_misconfiguration.clipboard_enabled priority changed from null to P5 (due to children removal)
373 | 
374 | ## [v1.7.1](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.7...v1.7.1) - 2019-04-15
375 | 
376 | ### Added
377 | 
378 | - Remediation Advice and CVSS mappings for automotive_security_misconfiguration
379 | 
380 | ## [v1.7](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.6...v1.7) - 2019-03-13
381 | 
382 | ### Added
383 | 
384 | - sensitive_data_exposure.weak_password_reset_implementation.token_leakage_via_host_header_poisoning
385 | - server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_non_email_domain
386 | - broken_access_control.username_enumeration.non_brute_force
387 | - insufficient_security_configurability.weak_two_fa_implementation.two_fa_secret_cannot_be_rotated
388 | - insufficient_security_configurability.weak_two_fa_implementation.two_fa_secret_remains_obtainable_after_two_fa_is_enabled
389 | - insufficient_security_configurability.weak_two_fa_implementation
390 | - sensitive_data_exposure.token_leakage_via_referer.trusted_third_party
391 | - sensitive_data_exposure.token_leakage_via_referer.untrusted_third_party
392 | - cross_site_scripting_xss.ie_only.ie_eleven
393 | - cross_site_scripting_xss.ie_only.older_version_ie_eleven
394 | - automotive_security_misconfiguration
395 | - automotive_security_misconfiguration.infotainment
396 | - automotive_security_misconfiguration.infotainment.pii_leakage
397 | - automotive_security_misconfiguration.infotainment.code_execution_can_bus_pivot
398 | - automotive_security_misconfiguration.infotainment.code_execution_no_can_bus_pivot
399 | - automotive_security_misconfiguration.infotainment.unauthorized_access_to_services
400 | - automotive_security_misconfiguration.infotainment.source_code_dump
401 | - automotive_security_misconfiguration.infotainment.dos_brick
402 | - automotive_security_misconfiguration.infotainment.default_credentials
403 | - automotive_security_misconfiguration.rf_hub
404 | - automotive_security_misconfiguration.rf_hub.key_fob_cloning
405 | - automotive_security_misconfiguration.rf_hub.can_injection_interaction
406 | - automotive_security_misconfiguration.rf_hub.data_leakage_pull_encryption_mechanism
407 | - automotive_security_misconfiguration.rf_hub.unauthorized_access_turn_on
408 | - automotive_security_misconfiguration.rf_hub.roll_jam
409 | - automotive_security_misconfiguration.rf_hub.replay
410 | - automotive_security_misconfiguration.rf_hub.relay
411 | - automotive_security_misconfiguration.can
412 | - automotive_security_misconfiguration.can.injection_disallowed_messages
413 | - automotive_security_misconfiguration.can.injection_dos
414 | - server_side_injection.content_spoofing.email_hyperlink_injection_based_on_email_provider
415 | 
416 | ### Removed
417 | 
418 | - broken_access_control.username_enumeration.data_leak
419 | - insufficient_security_configurability.weak_2fa_implementation
420 | - sensitive_data_exposure.token_leakage_via_referer.trusted_3rd_party
421 | - sensitive_data_exposure.token_leakage_via_referer.untrusted_3rd_party
422 | - cross_site_scripting_xss.ie_only.ie11
423 | - cross_site_scripting_xss.ie_only.older_version_ie11
424 | 
425 | ### Changed
426 | 
427 | - server_security_misconfiguration.username_enumeration name changed from "Username Enumeration" to "Username/Email Enumeration"
428 | - broken_access_control.username_enumeration name changed from "Username Enumeration" to "Username/Email Enumeration"
429 | - updated Remediation Advice reference URLs for OWASP
430 | 
431 | ## [v1.6](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.5...v1.6) - 2018-09-13
432 | 
433 | ### Added
434 | 
435 | - broken_access_control.server_side_request_forgery_ssrf.internal_high_impact
436 | - broken_access_control.server_side_request_forgery_ssrf.internal_scan_and_or_medium_impact
437 | - server_security_misconfiguration.mail_server_misconfiguration.no_spoofing_protection_on_email_domain
438 | - server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain
439 | - server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_to_spam_folder
440 | - server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim
441 | 
442 | ### Removed
443 | 
444 | - broken_access_control.server_side_request_forgery_ssrf.internal
445 | - server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain
446 | - server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_non_email_domain
447 | - server_security_misconfiguration.mail_server_misconfiguration.spf_uses_a_soft_fail
448 | - server_security_misconfiguration.mail_server_misconfiguration.spf_includes_10_lookups
449 | - server_security_misconfiguration.mail_server_misconfiguration.missing_dmarc
450 | 
451 | ## [v1.5](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.4...v1.5) - 2018-09-13
452 | 
453 | ### Added
454 | 
455 | - unvalidated_redirects_and_forwards.open_redirect.flash_based
456 | - cross_site_scripting_xss.flash_based
457 | - server_side_injection.content_spoofing.flash_based_external_authentication_injection
458 | - broken_authentication_and_session_management.session_fixation.remote_attack_vector
459 | - broken_authentication_and_session_management.session_fixation.local_attack_vector
460 | - broken_authentication_and_session_management.cleartext_transmission_of_session_token
461 | - broken_access_control.server_side_request_forgery_ssrf.dns_query_only
462 | - mobile_security_misconfiguration.clipboard_enabled
463 | - mobile_security_misconfiguration.clipboard_enabled.on_sensitive_content
464 | - mobile_security_misconfiguration.clipboard_enabled.on_non_sensitive_content
465 | - server_security_misconfiguration.waf_bypass.direct_server_access
466 | - broken_authentication_and_session_management.two_fa_bypass
467 | - server_security_misconfiguration.no_rate_limiting_on_form.sms_triggering
468 | - server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain
469 | - server_security_misconfiguration.insecure_ssl.certificate_error
470 | - cross_site_scripting_xss.stored.privileged_user_to_privilege_elevation
471 | - cross_site_scripting_xss.stored.privileged_user_to_no_privilege_elevation
472 | - server_security_misconfiguration.clickjacking.form_input
473 | - server_security_misconfiguration.misconfigured_dns.basic_subdomain_takeover
474 | - server_security_misconfiguration.misconfigured_dns.high_impact_subdomain_takeover
475 | - server_security_misconfiguration.captcha
476 | - server_security_misconfiguration.captcha.missing
477 | - cross_site_request_forgery_csrf.csrf_token_not_unique_per_request
478 | 
479 | ### Removed
480 | 
481 | - server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_email_domain
482 | - server_security_misconfiguration.mail_server_misconfiguration.email_spoofable_via_third_party_api_misconfiguration
483 | - cross_site_scripting_xss.stored.admin_to_anyone
484 | - server_security_misconfiguration.misconfigured_dns.subdomain_takeover
485 | - server_security_misconfiguration.captcha_bypass
486 | 
487 | ### Changed
488 | 
489 | - broken_authentication_and_session_management.failure_to_invalidate_session.on_password_change updated remediation advice
490 | - CWE mapping default changed from `[CWE-2000]` to `null`
491 | - Updated python version to 3.6
492 | - cross_site_scripting_xss.stored.non_admin_to_anyone name changed from "Non-Admin to Anyone" to "Non-Privileged User to Anyone"
493 | - server_security_misconfiguration.clickjacking.sensitive_action name changed from "Sensitive Action" to "Sensitive Click-Based Action"
494 | - server_security_misconfiguration.captcha_bypass.implementation_vulnerability moved via subcategory change to server_security_misconfiguration.captcha.implementation_vulnerability
495 | - server_security_misconfiguration.captcha_bypass.brute_force moved via subcategory change to server_security_misconfiguration.captcha.brute_force
496 | 
497 | ## [v1.4](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.3.1...v1.4) - 2018-04-13
498 | 
499 | ### Added
500 | 
501 | - insufficient_security_configurability.weak_password_reset_implementation.token_is_not_invalidated_after_login
502 | - server_side_injection.content_spoofing.rtlo
503 | - mapping of VRT to CWE
504 | - server_security_misconfiguration.dbms_misconfiguration.excessively_privileged_user_dba
505 | - cross_site_scripting_xss.stored.url_based
506 | - server_security_misconfiguration.oauth_misconfiguration.insecure_redirect_uri
507 | - server_security_misconfiguration.oauth_misconfiguration.account_takeover
508 | - client_side_injection.binary_planting.non_default_folder_privilege_escalation
509 | - broken_authentication_and_session_management.weak_login_function.not_operational
510 | - broken_authentication_and_session_management.weak_login_function.other_plaintext_protocol_no_secure_alternative
511 | - broken_authentication_and_session_management.weak_login_function.lan_only
512 | - broken_authentication_and_session_management.weak_login_function.http_and_https_available
513 | - broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default
514 | - cross_site_scripting_xss.ie_only.ie11
515 | - cross_site_scripting_xss.ie_only.older_version_ie11
516 | - broken_authentication_and_session_management.failure_to_invalidate_session.on_logout_server_side_only
517 | - sensitive_data_exposure.sensitive_token_in_url.user_facing
518 | - sensitive_data_exposure.sensitive_token_in_url.in_the_background
519 | - sensitive_data_exposure.sensitive_token_in_url.on_password_reset
520 | - mapping of VRT to Remediation Advice
521 | 
522 | ### Removed
523 | 
524 | - server_side_injection.sql_injection.error_based
525 | - server_side_injection.sql_injection.blind
526 | - broken_authentication_and_session_management.weak_login_function.over_http
527 | - cross_site_scripting_xss.ie_only.older_version_ie_10_11
528 | - cross_site_scripting_xss.ie_only.older_version_ie10
529 | - broken_authentication_and_session_management.failure_to_invalidate_session.on_password_reset
530 | - network_security_misconfiguration.telnet_enabled.credentials_required
531 | - server_security_misconfiguration.using_default_credentials.production_server
532 | - server_security_misconfiguration.using_default_credentials.staging_development_server
533 | 
534 | ### Changed
535 | 
536 | - Use unittest for vrt validations
537 | - broken_authentication_and_session_management.failure_to_invalidate_session.all_sessions name changed from "All Sessions" to "Concurrent Sessions On Logout"
538 | - server_security_misconfiguration.oauth_misconfiguration.missing_state_parameter name changed from "Missing State Parameter" to "Missing/Broken State Parameter"
539 | - server_security_misconfiguration.oauth_misconfiguration.missing_state_parameter priority changed from P4 to null
540 | - server_security_misconfiguration.no_rate_limiting_on_form.login priority changed from P3 to P4
541 | - client_side_injection.binary_planting.privilege_escalation name changed from "Privilege Escalation" to "Default Folder Privilege Escalation" priority changed from P4 to P3
542 | - server_security_misconfiguration.lack_of_password_confirmation.change_email_address priority changed from P4 to P5
543 | - server_security_misconfiguration.lack_of_password_confirmation.change_password priority changed from P4 to P5
544 | - server_security_misconfiguration.unsafe_file_upload.no_antivirus priority changed from P4 to P5
545 | - server_security_misconfiguration.unsafe_file_upload.no_size_limit priority changed from P4 to P5
546 | - broken_authentication_and_session_management.failure_to_invalidate_session.on_logout name changed from "On Logout" to "On Logout (Client and Server-Side)"
547 | - broken_authentication_and_session_management.failure_to_invalidate_session.on_password_change name changed from "On Password Change" to "On Password Reset and/or Change"
548 | - network_security_misconfiguration.telnet_enabled priority changed from null to P5 (due to children removal)
549 | - server_security_misconfiguration.using_default_credentials priority changed from null to P1 (due to children removal)
550 | 
551 | ## [v1.3.1](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.3...v1.3.1) - 2017-10-31
552 | 
553 | ### Changed
554 | 
555 | - references to the invalid insufficient_security_configurability.weak_password_policy.no_password_policy updated to insufficient_security_configurability.no_password_policy
556 | 
557 | ## [v1.3.0](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.2...v1.3) - 2017-09-22
558 | 
559 | ### Added
560 | 
561 | - insecure_data_transport.cleartext_transmission_of_sensitive_data
562 | - broken_access_control
563 | - broken_access_control.idor
564 | - mobile_security_misconfiguration.tapjacking
565 | - server_security_misconfiguration.misconfigured_dns.missing_caa_record
566 | - mapping of VRT to CVSS V3
567 | - server_security_misconfiguration.bitsquatting
568 | 
569 | ### Removed
570 | 
571 | - missing_function_level_access_control
572 | - insecure_direct_object_references_idor
573 | 
574 | ### Changed
575 | 
576 | - missing_function_level_access_control.server_side_request_forgery_ssrf moved via category change to broken_access_control.server_side_request_forgery_ssrf
577 | - missing_function_level_access_control.server_side_request_forgery_ssrf.internal moved via category change to broken_access_control.server_side_request_forgery_ssrf.internal
578 | - missing_function_level_access_control.server_side_request_forgery_ssrf.external moved via category change to broken_access_control.server_side_request_forgery_ssrf.external
579 | - missing_function_level_access_control.username_enumeration moved via category change to broken_access_control.username_enumeration
580 | - missing_function_level_access_control.username_enumeration.data_leak moved via category change to broken_access_control.username_enumeration.data_leak
581 | - missing_function_level_access_control.exposed_sensitive_android_intent moved via category change to broken_access_control.exposed_sensitive_android_intent
582 | - missing_function_level_access_control.exposed_sensitive_ios_url_scheme moved via category change to broken_access_control.exposed_sensitive_ios_url_scheme
583 | - cross_site_request_forgery_csrf.application_wide name changed from Applicaton-Wide to Application-Wide
584 | 
585 | ## [v1.2.0](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.1...v1.2) - 2017-08-04
586 | 
587 | ### Added
588 | 
589 | - sensitive_data_exposure.visible_detailed_error_page.descriptive_stack_trace
590 | - sensitive_data_exposure.visible_detailed_error_page.detailed_server_configuration
591 | - unvalidated_redirects_and_forwards.open_redirect.get_based
592 | - sensitive_data_exposure.internal_ip_disclosure
593 | - sensitive_data_exposure.visible_detailed_error_page.full_path_disclosure
594 | - server_security_misconfiguration.cookie_scoped_to_parent_domain
595 | - client_side_injection.binary_planting
596 | - client_side_injection.binary_planting.privilege_escalation
597 | - client_side_injection.binary_planting.no_privilege_escalation
598 | - sensitive_data_exposure.token_leakage_via_referer.trusted_3rd_party
599 | - sensitive_data_exposure.token_leakage_via_referer.untrusted_3rd_party
600 | - server_security_misconfiguration.fingerprinting_banner_disclosure
601 | - server_security_misconfiguration.lack_of_password_confirmation.manage_two_fa
602 | - sensitive_data_exposure.json_hijacking
603 | - cross_site_request_forgery_csrf.action_specific.logout
604 | - broken_authentication_and_session_management.privilege_escalation
605 | - insecure_data_transport.executable_download
606 | - insecure_data_transport.executable_download.no_secure_integrity_check
607 | - insecure_data_transport.executable_download.secure_integrity_check
608 | - server_security_misconfiguration.rfd
609 | - sensitive_data_exposure.xssi
610 | - server_security_misconfiguration.misconfigured_dns.zone_transfer
611 | - insufficient_security_configurability.no_password_policy (changelog text corrected in v1.4.0 #100)
612 | - insecure_data_storage.server_side_credentials_storage
613 | - insecure_data_storage.server_side_credentials_storage.plaintext
614 | 
615 | ### Removed
616 | 
617 | - unvalidated_redirects_and_forwards.open_redirect.get_based_all_users
618 | - unvalidated_redirects_and_forwards.open_redirect.get_based_authenticated
619 | - unvalidated_redirects_and_forwards.open_redirect.get_based_unauthenticated
620 | - sensitive_data_exposure.token_leakage_via_referer.over_https
621 | - sensitive_data_exposure.mixed_content.sensitive_data_disclosure
622 | - sensitive_data_exposure.mixed_content.requires_being_a_man_in_the_middle
623 | - broken_authentication_and_session_management.session_token_in_url
624 | - broken_authentication_and_session_management.session_token_in_url.over_http
625 | - broken_authentication_and_session_management.session_token_in_url.over_https
626 | - broken_authentication_and_session_management.authentication_bypass.vertical
627 | - broken_authentication_and_session_management.authentication_bypass.horizontal
628 | - insecure_data_storage.credentials_stored_unencrypted
629 | - insecure_data_storage.credentials_stored_unencrypted.on_external_storage
630 | - insecure_data_storage.credentials_stored_unencrypted.on_internal_storage
631 | - insecure_data_storage.insecure_data_storage
632 | - insecure_data_storage.insecure_data_storage.password
633 | - insufficient_security_configurability.weak_password_policy.complexity_both_length_and_char_type_not_enforced
634 | - insufficient_security_configurability.weak_password_policy.complexity_length_not_enforced
635 | - insufficient_security_configurability.weak_password_policy.complexity_char_type_not_enforced
636 | - insufficient_security_configurability.weak_password_policy.allows_reuse_of_old_passwords
637 | - insufficient_security_configurability.weak_password_policy.allows_password_to_be_same_as_email_username
638 | 
639 | ### Changed
640 | 
641 | - sensitive_data_exposure.visible_detailed_error_page name changed from 'Visible Detailed Error Page' to 'Visible Detailed Error/Debug Page'
642 | - server_security_misconfiguration.mail_server_misconfiguration.missing_dmarc name changed from 'Missing DMARC' to 'Missing DKIM/DMARC'
643 | - insecure_data_transport.ssl_certificate_pinning moved via category change to mobile_security_misconfiguration.ssl_certificate_pinning
644 | - insecure_data_transport.ssl_certificate_pinning.absent moved via category change to mobile_security_misconfiguration.ssl_certificate_pinning.absent
645 | - insecure_data_transport.ssl_certificate_pinning.defeatable moved via category change to mobile_security_misconfiguration.ssl_certificate_pinning.defeatable
646 | - sensitive_data_exposure.mixed_content name changed from 'Mixed Content' to 'Mixed Content (HTTPS Sourcing HTTP)'
647 | - sensitive_data_exposure.mixed_content priority changed from null to P5 (due to children removal)
648 | - broken_authentication_and_session_management.authentication_bypass priority changed from null to P1 (due to children removal)
649 | - insufficient_security_configurability.weak_password_policy priority changed from null to P5 (due to children removal)
650 | 
651 | ## [v1.1.0](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.0...v1.1) - 2017-04-13
652 | 
653 | ### Added
654 | 
655 | - directory_listing_enabled
656 | - directory_listing_enabled.sensitive_data_exposure
657 | - directory_listing_enabled.non_sensitive_data_exposure
658 | - server_security_misconfiguration.path_traversal
659 | - cross_site_scripting_xss.reflected.self
660 | - cross_site_scripting_xss.reflected.non_self
661 | - cross_site_request_forgery_csrf.application_wide
662 | - cross_site_request_forgery_csrf.application_specific
663 | - cross_site_request_forgery_csrf.authenticated_action
664 | - cross_site_request_forgery_csrf.unauthenticated_action
665 | 
666 | ### Removed
667 | 
668 | - poor_physical_security
669 | - social_engineering
670 | 
671 | ### Changed
672 | 
673 | - cross_site_scripting_xss.cookie_based priority changed from P4 to P5
674 | 
675 | ## [1.0.0] - 2017-03-06
676 | 


--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
 1 | # Contributor Covenant Code of Conduct
 2 | 
 3 | ## Our Pledge
 4 | 
 5 | In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
 6 | 
 7 | ## Our Standards
 8 | 
 9 | Examples of behavior that contributes to creating a positive environment include:
10 | 
11 | * Using welcoming and inclusive language
12 | * Being respectful of differing viewpoints and experiences
13 | * Gracefully accepting constructive criticism
14 | * Focusing on what is best for the community
15 | * Showing empathy towards other community members
16 | 
17 | Examples of unacceptable behavior by participants include:
18 | 
19 | * The use of sexualized language or imagery and unwelcome sexual attention or advances
20 | * Trolling, insulting/derogatory comments, and personal or political attacks
21 | * Public or private harassment
22 | * Publishing others' private information, such as a physical or electronic address, without explicit permission
23 | * Other conduct which could reasonably be considered inappropriate in a professional setting
24 | 
25 | ## Our Responsibilities
26 | 
27 | Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
28 | 
29 | Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
30 | 
31 | ## Scope
32 | 
33 | This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
34 | 
35 | ## Enforcement
36 | 
37 | Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at vrt@bugcrowd.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
38 | 
39 | Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
40 | 
41 | ## Attribution
42 | 
43 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
44 | 
45 | [homepage]: http://contributor-covenant.org
46 | [version]: http://contributor-covenant.org/version/1/4/
47 | 


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python:3.11
2 | 
3 | WORKDIR /tmp/vrt
4 | ADD . /tmp/vrt
5 | 
6 | RUN pip install -r lib/requirements.txt
7 | 
8 | CMD [ "python3", "-B" , "./lib/validate_vrt.py" ]
9 | 


--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    Copyright 2017 Bugcrowd, Inc.
179 | 
180 |    Licensed under the Apache License, Version 2.0 (the "License");
181 |    you may not use this file except in compliance with the License.
182 |    You may obtain a copy of the License at
183 | 
184 |        http://www.apache.org/licenses/LICENSE-2.0
185 | 
186 |    Unless required by applicable law or agreed to in writing, software
187 |    distributed under the License is distributed on an "AS IS" BASIS,
188 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
189 |    See the License for the specific language governing permissions and
190 |    limitations under the License.
191 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | <p align="center">
  2 |   <img src="https://user-images.githubusercontent.com/3189125/115076777-e434d600-9eb1-11eb-81bf-0b3ee98d9df5.png" height="200"/>
  3 | </p>
  4 | 
  5 | <p align="center">
  6 |   <img src="https://github.com/bugcrowd/vulnerability-rating-taxonomy/workflows/Validate%20VRT/badge.svg?branch=master" />
  7 | </p>
  8 | 
  9 | # Bugcrowd VRT
 10 | The current VRT release is located at [https://bugcrowd.com/vrt](https://bugcrowd.com/vulnerability-rating-taxonomy) as both a searchable page and downloadable PDF.
 11 | 
 12 | The VRT is also available via our API. Documentation and examples of VRT API usage may be found [here](https://documentation.bugcrowd.com/reference#view-versions).
 13 | 
 14 | ## Background
 15 | At the beginning 2016, we released the Bugcrowd Vulnerability Rating Taxonomy (VRT) to provide a baseline vulnerability priority scale for bug hunters and organizations. Over the past year and a half this document has evolved to be a dynamic and valuable resource for the bug bounty community.
 16 | 
 17 | In April 2017 we decided to open source our taxonomy and published formal contributor guidelines for the VRT, allowing us to gain additional insight from the public and transparently communicate about any feedback.
 18 | 
 19 | ## VRT Council
 20 | Each week several members of the Bugcrowd team hold a meeting where they discuss vulnerability edge cases, improving vulnerability classification and all external VRT feedback. When the team comes to a consensus regarding each change proposed to the VRT, it is committed to this repository. We have decided to publish minutes from the VRT Council meeting to allow even more transparency and will be sharing those [here](https://github.com/bugcrowd/vulnerability-rating-taxonomy/wiki/VRT-Council-minutes).
 21 | 
 22 | ## Description
 23 | Bugcrowd's VRT outlines Bugcrowd's baseline technical severity rating – taking into account potential differences among edge cases – for common vulnerability classes. To arrive at this baseline technical severity rating for a given vulnerability, Bugcrowd's application security engineers started with the generally-accepted industry guideline and further considered the vulnerability's average acceptance rate, average priority, and frequency on business use case specific exclusions lists across all of Bugcrowd's programs.
 24 | 
 25 | It is important to remember that while the recommended priority, from P1 to P5 might apply without context, it’s possible that application complexity, bounty brief restrictions or unusual impact could result in a different rating.
 26 | 
 27 | Bugcrowd welcomes community feedback and direct contributions to the Bugcrowd VRT. We accept comments for public discussion via GitHub Issues, but can also accommodate comments made via email to [vrt@bugcrowd.com](mailto:vrt@bugcrowd.com). For more details see [CONTRIBUTING](.github/CONTRIBUTING.md).
 28 | 
 29 | ## Anatomy of VRT Entries
 30 | Each top-level category entry contains one or more subcategory entries, and each subcategory entry may contain one or more variant entries used to differentiate subcases with different priority values. Some entries may have a `null` priority value – this represents that the priority varies based on context information.
 31 | 
 32 | ### Types of VRT Entries
 33 | A VRT entry can be classified at up to three levels, including `Category`, `Sub-Category`, and `Variant`. Each classification level is nested within its parent and contains a set of definitions exclusive to its level.
 34 | 
 35 | #### Category
 36 | These comprise the top level of the VRT. They describe entire classes of vulnerabilities.
 37 | 
 38 | example: `Server-Side Injection`
 39 | 
 40 | #### Sub-Categories
 41 | Many Sub-Categories are nested within a Category. They describe individual vulnerabilities.
 42 | 
 43 | example: `Server-Side Injection > Remote Code Execution (RCE)`
 44 | 
 45 | #### Variants
 46 | Many Variants are nested within a Sub-Category. They describe specific sub-cases of an individual vulnerability.
 47 | 
 48 | example: `Server-Side Injection > SQL Injection > Blind`
 49 | 
 50 | ### Data within an Entry
 51 | Within each entry is a set of data outlined below.
 52 | 
 53 | #### ID
 54 | Each ID – often the lowercase version of its name joined by `_` –  is unique among the children of its own parent. This is how VRT ID's can map between versions, such that an ID is only changed if it should not be identified with previous versions of that entry.
 55 | 
 56 | #### Name
 57 | The human-readable name of the vulnerability.
 58 | 
 59 | #### Priority
 60 | The priority represents Bugcrowd's suggested baseline technical severity of the vulnerability on a P1 (Critical) to P5 (Informational) scale.
 61 | 
 62 | - **P1**: Critical
 63 | - **P2**: High
 64 | - **P3**: Medium
 65 | - **P4**: Low
 66 | - **P5**: Informational
 67 | 
 68 | The technical severity of some vulnerabilities – as denoted in the taxonomy as "Varies" – is context-dependent. For example, the technical severity of an `Insecure Direct Object Reference` vulnerability is heavily dependent on the capabilities of the vulnerable function and other context information. Valid `Insecure Direct Object Reference` vulnerabilities can vary in priority from P4 to P1.
 69 | 
 70 | #### Children
 71 | Entries that are nested within another Entry. Only Categories or Sub-Categories can have children.
 72 | 
 73 | ### Example
 74 | ```json
 75 | {
 76 |   "id": "server_security_misconfiguration",
 77 |   "name": "Server Security Misconfiguration",
 78 |   "type": "category",
 79 |   "children": [
 80 |     {
 81 |       "id": "directory_listing_enabled",
 82 |       "name": "Directory Listing Enabled",
 83 |       "type": "subcategory",
 84 |       "children": [
 85 |         {
 86 |           "id": "non_sensitive_data_exposure",
 87 |           "name": "Non-Sensitive Data Exposure",
 88 |           "type": "variant",
 89 |           "priority": 5
 90 |         }
 91 |       ]
 92 |     }
 93 |   ]
 94 | }
 95 | ```
 96 | 
 97 | ### Deprecated Node Mapping
 98 | When breaking changes such as deletion/collapsing of IDs or moving to a different parent occur, the [`deprecated-node-mapping.json`](deprecated-node-mapping.json) will serve as a reference to find the latest mapped ids so that deprecated nodes are not lost.
 99 | 
100 | #### Example
101 | _2 nodes being collapsed into 1_
102 | ```json
103 | {
104 |   "unvalidated_redirects_and_forwards.open_redirect.get_based_all_users": {
105 |     "2.1": "unvalidated_redirects_and_forwards.open_redirect.get_based"
106 |   },
107 |   "unvalidated_redirects_and_forwards.open_redirect.get_based_authenticated": {
108 |     "2.1": "unvalidated_redirects_and_forwards.open_redirect.get_based"
109 |   }
110 | }
111 | ```
112 | 
113 | ### Mapping to Other Systems
114 | Sometimes it is useful to convert VRT IDs to other vulnerability classification systems, eg CVSS.
115 | Such mappings are supported by adding a mapping folder/files to the [mappings](mappings) directory.
116 | These files have a similar structure to the main VRT file but only include the `id` and `children` attributes,
117 | plus an additional mapping attribute with the same name as the file.
118 | 
119 | For example, suppose we wish to map to a traffic light system which maps all vulnerabilities to red, green or yellow.
120 | We would add a mapping file called `mappings/traffic_light/traffic_light.json` with contents like:
121 | 
122 | ```
123 | {
124 |   "metadata": {
125 |     "default": "green"
126 |   },
127 |   "content": [
128 |     ...
129 |     {
130 |       "id": "server_side_injection",
131 |       "traffic_light": "red",
132 |       "children": [
133 |         {
134 |           "id": "content_spoofing",
135 |           "children": [
136 |             {
137 |               "id": "iframe_injection",
138 |               "traffic_light": "yellow"
139 |             }
140 |           ]
141 |         }
142 |       ]
143 |     },
144 |     ...
145 |   ]
146 | }
147 | ```
148 | 
149 | This would map the `other` category and any unknown IDs to the `metadata.default` value of `green`.
150 | All VRT IDs nested below `server_side_injection` would map to `red`, except for
151 | `server_side_injection.content_spoofing.iframe_injection` which would map to `yellow`.
152 | 
153 | Each mapping should be setup in the following structure:
154 | 
155 |     .
156 |     ├── ...
157 |     ├── mappings
158 |     │   ├── new_mapping
159 |     |   |     ├── new_mapping.schema.json # Following JSON Schema (https://json-schema.org/), to be run in CI
160 |     |   |     ├── new_mapping.json        # Actual VRT mapping file as described above
161 |     │   └── ...              
162 |     └── ...
163 | 
164 | #### Supported Mappings
165 | - [CVSS v3](mappings/cvss_v3/cvss_v3.json)
166 | - [CWE](mappings/cwe/cwe.json)
167 | - [Remediation Advice](mappings/remediation_advice/remediation_advice.json)
168 | 
169 | #### Third-Party Managed Mappings
170 | - [Secure Code Warrior](third-party-mappings/remediation_training/secure-code-warrior-links.json)
171 | 
172 | ## Supported Libraries
173 | - [Ruby](https://github.com/bugcrowd/vrt-ruby)
174 | 
175 | ## License
176 | Copyright 2017 Bugcrowd, Inc.
177 | Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
178 | 
179 | http://www.apache.org/licenses/LICENSE-2.0
180 | 
181 | Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
182 | 


--------------------------------------------------------------------------------
/deprecated-node-mapping.json:
--------------------------------------------------------------------------------
  1 | {
  2 |   "poor_physical_security": {
  3 |     "1.1": "other"
  4 |   },
  5 |   "social_engineering": {
  6 |     "1.1": "other"
  7 |   },
  8 |   "unvalidated_redirects_and_forwards.open_redirect.get_based_all_users": {
  9 |     "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
 10 |   },
 11 |   "unvalidated_redirects_and_forwards.open_redirect.get_based_authenticated": {
 12 |     "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
 13 |   },
 14 |   "unvalidated_redirects_and_forwards.open_redirect.get_based_unauthenticated": {
 15 |     "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
 16 |   },
 17 |   "broken_authentication_and_session_management.session_token_in_url.over_https": {
 18 |     "1.2": "sensitive_data_exposure.sensitive_token_in_url"
 19 |   },
 20 |   "broken_authentication_and_session_management.session_token_in_url.over_http": {
 21 |     "1.2": "sensitive_data_exposure.sensitive_token_in_url"
 22 |   },
 23 |   "broken_authentication_and_session_management.session_token_in_url": {
 24 |     "1.2": "sensitive_data_exposure.sensitive_token_in_url"
 25 |   },
 26 |   "insecure_data_transport": {
 27 |     "1.2": "mobile_security_misconfiguration"
 28 |   },
 29 |   "insecure_data_transport.ssl_certificate_pinning": {
 30 |     "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning"
 31 |   },
 32 |   "insecure_data_transport.ssl_certificate_pinning.absent": {
 33 |     "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.absent"
 34 |   },
 35 |   "insecure_data_transport.ssl_certificate_pinning.defeatable": {
 36 |     "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.defeatable"
 37 |   },
 38 |   "insecure_data_storage.credentials_stored_unencrypted": {
 39 |     "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted"
 40 |   },
 41 |   "insecure_data_storage.credentials_stored_unencrypted.on_external_storage": {
 42 |     "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_external_storage"
 43 |   },
 44 |   "insecure_data_storage.credentials_stored_unencrypted.on_internal_storage": {
 45 |     "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_internal_storage"
 46 |   },
 47 |   "insufficient_security_configurability.weak_password_policy.complexity_both_length_and_char_type_not_enforced": {
 48 |     "1.2": "insufficient_security_configurability.no_password_policy"
 49 |   },
 50 |   "missing_function_level_access_control": {
 51 |     "1.3": "broken_access_control"
 52 |   },
 53 |   "missing_function_level_access_control.server_side_request_forgery_ssrf": {
 54 |     "1.3": "broken_access_control.server_side_request_forgery_ssrf"
 55 |   },
 56 |   "missing_function_level_access_control.server_side_request_forgery_ssrf.internal": {
 57 |     "1.3": "broken_access_control.server_side_request_forgery_ssrf.internal"
 58 |   },
 59 |   "missing_function_level_access_control.server_side_request_forgery_ssrf.external": {
 60 |     "1.3": "broken_access_control.server_side_request_forgery_ssrf.external"
 61 |   },
 62 |   "missing_function_level_access_control.username_enumeration": {
 63 |     "1.3": "broken_access_control.username_enumeration"
 64 |   },
 65 |   "missing_function_level_access_control.username_enumeration.data_leak": {
 66 |     "1.3": "broken_access_control.username_enumeration.data_leak"
 67 |   },
 68 |   "missing_function_level_access_control.exposed_sensitive_android_intent": {
 69 |     "1.3": "broken_access_control.exposed_sensitive_android_intent"
 70 |   },
 71 |   "missing_function_level_access_control.exposed_sensitive_ios_url_scheme": {
 72 |     "1.3": "broken_access_control.exposed_sensitive_ios_url_scheme"
 73 |   },
 74 |   "insecure_direct_object_references_idor": {
 75 |     "1.3": "broken_access_control.idor"
 76 |   },
 77 |   "broken_authentication_and_session_management.weak_login_function.over_http": {
 78 |     "1.4": "broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default"
 79 |   },
 80 |   "cross_site_scripting_xss.ie_only.older_version_ie_10_11": {
 81 |     "1.4": "cross_site_scripting_xss.ie_only.ie11"
 82 |   },
 83 |   "cross_site_scripting_xss.ie_only.older_version_ie10": {
 84 |     "1.4": "cross_site_scripting_xss.ie_only.older_version_ie11"
 85 |   },
 86 |   "broken_authentication_and_session_management.failure_to_invalidate_session.on_password_reset": {
 87 |     "1.4": "broken_authentication_and_session_management.failure_to_invalidate_session.on_password_change"
 88 |   },
 89 |   "network_security_misconfiguration.telnet_enabled.credentials_required": {
 90 |     "1.4": "broken_authentication_and_session_management.weak_login_function.other_plaintext_protocol_no_secure_alternative"
 91 |   },
 92 |   "server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_email_domain": {
 93 |     "1.5": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain"
 94 |   },
 95 |   "server_security_misconfiguration.mail_server_misconfiguration.email_spoofable_via_third_party_api_misconfiguration": {
 96 |     "1.5": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain"
 97 |   },
 98 |   "cross_site_scripting_xss.stored.admin_to_anyone": {
 99 |     "1.5": "cross_site_scripting_xss.stored.privileged_user_to_privilege_elevation"
100 |   },
101 |   "server_security_misconfiguration.captcha_bypass": {
102 |     "1.5": "server_security_misconfiguration.captcha"
103 |   },
104 |   "server_security_misconfiguration.captcha_bypass.implementation_vulnerability": {
105 |     "1.5": "server_security_misconfiguration.captcha.implementation_vulnerability"
106 |   },
107 |   "server_security_misconfiguration.captcha_bypass.brute_force": {
108 |     "1.5": "server_security_misconfiguration.captcha.brute_force"
109 |   },
110 |   "broken_access_control.server_side_request_forgery_ssrf.internal": {
111 |     "1.6": "broken_access_control.server_side_request_forgery_ssrf.internal_high_impact"
112 |   },
113 |   "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain": {
114 |     "1.6": "server_security_misconfiguration.mail_server_misconfiguration.no_spoofing_protection_on_email_domain"
115 |   },
116 |   "server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_non_email_domain": {
117 |     "1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
118 |   },
119 |   "server_security_misconfiguration.mail_server_misconfiguration.spf_uses_a_soft_fail": {
120 |     "1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
121 |   },
122 |   "server_security_misconfiguration.mail_server_misconfiguration.spf_includes_10_lookups": {
123 |     "1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
124 |   },
125 |   "server_security_misconfiguration.mail_server_misconfiguration.missing_dmarc": {
126 |     "1.6": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain"
127 |   },
128 |   "broken_access_control.username_enumeration.data_leak": {
129 |     "1.7": "broken_access_control.username_enumeration.non_brute_force"
130 |   },
131 |   "insufficient_security_configurability.weak_2fa_implementation": {
132 |     "1.7": "insufficient_security_configurability.weak_two_fa_implementation"
133 |   },
134 |   "sensitive_data_exposure.token_leakage_via_referer.trusted_3rd_party": {
135 |     "1.7": "sensitive_data_exposure.token_leakage_via_referer.trusted_third_party"
136 |   },
137 |   "sensitive_data_exposure.token_leakage_via_referer.untrusted_3rd_party": {
138 |     "1.7": "sensitive_data_exposure.token_leakage_via_referer.untrusted_third_party"
139 |   },
140 |   "cross_site_scripting_xss.ie_only.ie11": {
141 |     "1.7": "cross_site_scripting_xss.ie_only.ie_eleven"
142 |   },
143 |   "cross_site_scripting_xss.ie_only.older_version_ie11": {
144 |     "1.7": "cross_site_scripting_xss.ie_only.older_version_ie_eleven"
145 |   },
146 |   "sensitive_data_exposure.critically_sensitive_data.password_disclosure": {
147 |     "1.9": "sensitive_data_exposure.disclosure_of_secrets"
148 |   },
149 |   "sensitive_data_exposure.critically_sensitive_data.private_api_keys": {
150 |     "1.9": "sensitive_data_exposure.disclosure_of_secrets"
151 |   },
152 |   "sensitive_data_exposure.critically_sensitive_data": {
153 |     "1.9": "sensitive_data_exposure"
154 |   },
155 |   "insufficient_security_configurability.lack_of_verification_email": {
156 |     "1.10": "insufficient_security_configurability.verification_of_contact_method_not_required"
157 |   },
158 |   "broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default": {
159 |     "1.10": "broken_authentication_and_session_management.weak_login_function.over_http"
160 |   },
161 |   "broken_authentication_and_session_management.weak_login_function.http_and_https_available": {
162 |     "1.10": "broken_authentication_and_session_management.weak_login_function.over_http"
163 |   },
164 |   "broken_authentication_and_session_management.weak_login_function.lan_only": {
165 |     "1.10": "broken_authentication_and_session_management.weak_login_function.over_http"
166 |   },
167 |   "cross_site_request_forgery_csrf.flash_based.high_impact": {
168 |     "1.10": "cross_site_request_forgery_csrf.flash_based"
169 |   },
170 |   "cross_site_request_forgery_csrf.flash_based.low_impact": {
171 |     "1.10": "cross_site_request_forgery_csrf.flash_based"
172 |   },
173 |   "automotive_security_misconfiguration.infotainment": {
174 |     "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit"
175 |   },
176 |   "automotive_security_misconfiguration.infotainment.pii_leakage": {
177 |     "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.pii_leakage"
178 |   },
179 |   "automotive_security_misconfiguration.infotainment.code_execution_can_bus_pivot": {
180 |     "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_can_bus_pivot"
181 |   },
182 |   "automotive_security_misconfiguration.infotainment.code_execution_no_can_bus_pivot": {
183 |     "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_no_can_bus_pivot"
184 |   },
185 |   "automotive_security_misconfiguration.infotainment.unauthorized_access_to_services": {
186 |     "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.unauthorized_access_to_services"
187 |   },
188 |   "automotive_security_misconfiguration.infotainment.source_code_dump": {
189 |     "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.source_code_dump"
190 |   },
191 |   "automotive_security_misconfiguration.infotainment.dos_brick": {
192 |     "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.dos_brick"
193 |   },
194 |   "automotive_security_misconfiguration.infotainment.default_credentials": {
195 |     "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.default_credentials"
196 |   },
197 |   "broken_cryptography": {
198 |     "1.11": "other"
199 |   },
200 |   "broken_cryptography.cryptographic_flaw": {
201 |     "1.11": "other"
202 |   },
203 |   "broken_cryptography.cryptographic_flaw.incorrect_usage": {
204 |     "1.11": "other"
205 |   },
206 |   "cross_site_scripting_xss.ie_only.ie_eleven": {
207 |     "1.11": "other"
208 |   },
209 |   "cross_site_scripting_xss.ie_only.older_version_ie_eleven": {
210 |     "1.11": "cross_site_scripting_xss.ie_only"
211 |   },
212 |   "cross_site_scripting_xss.ie_only.xss_filter_disabled": {
213 |     "1.11": "other"
214 |   },
215 |   "automotive_security_misconfiguration.infotainment_radio_head_unit.pii_leakage": {
216 |     "1.11": "automotive_security_misconfiguration.infotainment_radio_head_unit.sensitive_data_leakage_exposure"
217 |   },
218 |   "broken_access_control.server_side_request_forgery_ssrf": {
219 |     "1.11": "server_security_misconfiguration.server_side_request_forgery_ssrf"
220 |   },
221 |   "broken_access_control.server_side_request_forgery_ssrf.internal_high_impact": {
222 |     "1.11": "server_security_misconfiguration.server_side_request_forgery_ssrf.internal_high_impact"
223 |   },
224 |   "broken_access_control.server_side_request_forgery_ssrf.internal_scan_and_or_medium_impact": {
225 |     "1.11": "server_security_misconfiguration.server_side_request_forgery_ssrf.internal_scan_and_or_medium_impact"
226 |   },
227 |   "broken_access_control.server_side_request_forgery_ssrf.dns_query_only": {
228 |     "1.11": "server_security_misconfiguration.server_side_request_forgery_ssrf.external_dns_query_only"
229 |   },
230 |   "broken_access_control.server_side_request_forgery_ssrf.external": {
231 |     "1.11": "server_security_misconfiguration.server_side_request_forgery_ssrf.external_low_impact"
232 |   },
233 |   "broken_authentication_and_session_management.privilege_escalation": {
234 |     "1.14": "broken_access_control.privilege_escalation"
235 |   },
236 |   "server_security_misconfiguration.misconfigured_dns.high_impact_subdomain_takeover": {
237 |     "1.14.2": "other"
238 |   },
239 |   "server_security_misconfiguration.misconfigured_dns.basic_subdomain_takeover": {
240 |     "1.14.2": "server_security_misconfiguration.misconfigured_dns.subdomain_takeover"
241 |   },
242 |   "broken_access_control.idor.read_edit_delete_non_sensitive_information": {
243 |     "1.15": "broken_access_control.idor.view_non_sensitive_information"
244 |   },
245 |   "broken_access_control.idor.read_edit_delete_sensitive_information_guid": {
246 |     "1.15": "broken_access_control.idor.modify_view_sensitive_information_guid"
247 |   },
248 |   "broken_access_control.idor.read_sensitive_information_iterable_object_identifiers": {
249 |     "1.15": "broken_access_control.idor.modify_view_sensitive_information_iterable_object_identifiers"
250 |   },
251 |   "broken_access_control.idor.edit_delete_sensitive_information_iterable_object_identifiers": {
252 |     "1.15": "broken_access_control.idor.modify_sensitive_information_iterable_object_identifiers"
253 |   },
254 |   "broken_access_control.idor.read_edit_delete_sensitive_information_iterable_object_identifiers": {
255 |     "1.15": "broken_access_control.idor.modify_view_sensitive_information_iterable_object_identifiers"
256 |   },
257 |   "broken_authentication_and_session_management.authentication_bypass.horizontal": {
258 |     "1.15.1": "other"
259 |   },
260 |   "broken_authentication_and_session_management.authentication_bypass.vertical": {
261 |     "1.15.1": "other"
262 |   },
263 |   "cross_site_scripting_xss.reflected.admin_to_anyone": {
264 |     "1.15.1": "other"
265 |   },
266 |   "cross_site_scripting_xss.reflected.non_admin_to_anyone": {
267 |     "1.15.1": "other"
268 |   },
269 |   "insecure_data_storage.insecure_data_storage": {
270 |     "1.15.1": "other"
271 |   },
272 |   "insecure_data_storage.insecure_data_storage.password": {
273 |     "1.15.1": "other"
274 |   },
275 |   "insufficient_security_configurability.weak_2fa_implementation.missing_failsafe": {
276 |     "1.15.1": "other"
277 |   },
278 |   "insufficient_security_configurability.weak_password_policy.allows_password_to_be_same_as_email_username": {
279 |     "1.15.1": "other"
280 |   },
281 |   "insufficient_security_configurability.weak_password_policy.allows_reuse_of_old_passwords": {
282 |     "1.15.1": "other"
283 |   },
284 |   "insufficient_security_configurability.weak_password_policy.complexity_char_type_not_enforced": {
285 |     "1.15.1": "other"
286 |   },
287 |   "insufficient_security_configurability.weak_password_policy.complexity_length_not_enforced": {
288 |     "1.15.1": "other"
289 |   },
290 |   "mobile_security_misconfiguration.clipboard_enabled.on_non_sensitive_content": {
291 |     "1.15.1": "other"
292 |   },
293 |   "mobile_security_misconfiguration.clipboard_enabled.on_sensitive_content": {
294 |     "1.15.1": "other"
295 |   },
296 |   "sensitive_data_exposure.mixed_content.requires_being_a_man_in_the_middle": {
297 |     "1.15.1": "other"
298 |   },
299 |   "sensitive_data_exposure.mixed_content.sensitive_data_disclosure": {
300 |     "1.15.1": "other"
301 |   },
302 |   "sensitive_data_exposure.token_leakage_via_referer.over_https": {
303 |     "1.15.1": "other"
304 |   },
305 |   "server_security_misconfiguration.using_default_credentials.production_server": {
306 |     "1.15.1": "other"
307 |   },
308 |   "server_security_misconfiguration.using_default_credentials.staging_development_server": {
309 |     "1.15.1": "other"
310 |   },
311 |   "server_side_injection.sql_injection.blind": {
312 |     "1.15.1": "other"
313 |   },
314 |   "server_side_injection.sql_injection.error_based": {
315 |     "1.15.1": "other"
316 |   }
317 | }


--------------------------------------------------------------------------------
/lib/artifacts/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bugcrowd/vulnerability-rating-taxonomy/6f8e8d6198e8c3f496b5c370b9cf1ad907971575/lib/artifacts/__init__.py


--------------------------------------------------------------------------------
/lib/artifacts/scw_artifact.py:
--------------------------------------------------------------------------------
 1 | import json
 2 | import requests
 3 | 
 4 | BASE_SCW_URL = 'https://integration-api.securecodewarrior.com\
 5 | /api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey='
 6 | OUTPUT_FILENAME = 'scw_links.json'
 7 | 
 8 | 
 9 | def scw_url(vrt_id):
10 |     return f'{BASE_SCW_URL}{vrt_id.replace(".", ":")}'
11 | 
12 | 
13 | def scw_mapping(vrt_id):
14 |     path = scw_url(vrt_id)
15 |     print('Fetching...')
16 |     response = requests.get(path)
17 |     if response.status_code == 200:
18 |         print(f'Exists: {path}')
19 |         return path + '&redirect=true'
20 |     else:
21 |         print(f'Not Found: {path}')
22 |         return None
23 | 
24 | 
25 | def join_vrt_id(parent_id, child_id):
26 |     return '.'.join(
27 |         [parent_id, child_id]
28 |     ) if parent_id is not None else child_id
29 | 
30 | 
31 | def generate_urls(vrt, content, parent_id=None):
32 |     for node in vrt:
33 |         vrt_id = join_vrt_id(parent_id, node['id'])
34 |         content[vrt_id] = scw_mapping(vrt_id)
35 |         if 'children' in node:
36 |             content.update(
37 |                 generate_urls(
38 |                     node['children'],
39 |                     {},
40 |                     vrt_id
41 |                 )
42 |             )
43 | 
44 |     return content
45 | 
46 | 
47 | def write_artifact_file(mapping):
48 |     with open(OUTPUT_FILENAME, 'w') as outfile:
49 |         json.dump(mapping, outfile, indent=2, sort_keys=False)
50 | 


--------------------------------------------------------------------------------
/lib/generate_artifacts.py:
--------------------------------------------------------------------------------
1 | from utils import utils
2 | from artifacts import scw_artifact
3 | 
4 | url_mapping = {}
5 | current_vrt = utils.get_json(utils.VRT_FILENAME)
6 | scw_artifact.write_artifact_file(
7 |   scw_artifact.generate_urls(current_vrt['content'], url_mapping)
8 | )
9 | 


--------------------------------------------------------------------------------
/lib/requirements.txt:
--------------------------------------------------------------------------------
1 | jsonschema
2 | GitPython
3 | semantic_version
4 | 


--------------------------------------------------------------------------------
/lib/tests/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bugcrowd/vulnerability-rating-taxonomy/6f8e8d6198e8c3f496b5c370b9cf1ad907971575/lib/tests/__init__.py


--------------------------------------------------------------------------------
/lib/tests/test_artifact_format.py:
--------------------------------------------------------------------------------
 1 | from utils import utils
 2 | import os
 3 | import unittest
 4 | 
 5 | 
 6 | class TestArtifactFormat(unittest.TestCase):
 7 |     def setUp(self):
 8 |         print("\n`---{}---`".format(self._testMethodName))
 9 |         self.scw_artifact_path = os.path.join(
10 |           utils.THIRD_PARTY_MAPPING_DIR,
11 |           utils.SCW_DIR,
12 |           utils.SCW_FILENAME
13 |         )
14 | 
15 |     def test_artifact_loads_valid_json(self):
16 |         self.assertTrue(
17 |           utils.get_json(self.scw_artifact_path),
18 |           self.scw_artifact_path + ' is not valid JSON.'
19 |         )
20 | 
21 | 
22 | if __name__ == "__main__":
23 |     unittest.main()
24 | 


--------------------------------------------------------------------------------
/lib/tests/test_deprecated_mapping.py:
--------------------------------------------------------------------------------
 1 | from utils import utils
 2 | import unittest
 3 | from semantic_version import Version
 4 | 
 5 | 
 6 | class TestDeprecatedMapping(unittest.TestCase):
 7 |     def setUp(self):
 8 |         print("\n`---{}---`".format(self._testMethodName))
 9 |         self.vrt_versions = utils.all_versions(utils.VRT_FILENAME)
10 |         self.last_tagged_version = max(
11 |             [
12 |                 Version.coerce(x) for x in self.vrt_versions.keys()
13 |                 if x != 'current'
14 |             ]
15 |         )
16 |         self.deprecated_json = utils.get_json(
17 |             utils.DEPRECATED_MAPPING_FILENAME
18 |         )
19 | 
20 |     def test_old_vrt_ids_have_current_node(self):
21 |         for version, vrt in self.vrt_versions.items():
22 |             if version == 'current':
23 |                 continue
24 |             for id_list in utils.all_id_lists(vrt):
25 |                 vrt_id = '.'.join(id_list)
26 |                 if vrt_id in self.deprecated_json:
27 |                     max_ver = sorted(
28 |                         self.deprecated_json[vrt_id].keys(),
29 |                         key=lambda s: map(int, s.split('.'))
30 |                     )[-1]
31 |                     vrt_id = self.deprecated_json[vrt_id][max_ver]
32 |                     id_list = vrt_id.split('.')
33 |                 self.assertTrue(
34 |                     vrt_id == 'other' or self.check_mapping(id_list),
35 |                     '%s from v%s has no mapping' % (vrt_id, version)
36 |                 )
37 | 
38 |     def test_deprecated_nodes_map_valid_node(self):
39 |         for old_id, mapping in self.deprecated_json.items():
40 |             for new_version, new_id in mapping.items():
41 |                 self.assertTrue(
42 |                     new_id == 'other' or utils.id_valid(
43 |                         self.vrt_version(
44 |                             new_version
45 |                         ), new_id.split('.')
46 |                     ),
47 |                     new_id + ' is not valid'
48 |                 )
49 | 
50 |     def check_mapping(self, id_list):
51 |         if utils.id_valid(self.vrt_versions['current'], id_list):
52 |             return True
53 |         elif len(id_list) == 1:
54 |             return False
55 |         else:
56 |             return self.check_mapping(id_list[0:-1])
57 | 
58 |     def vrt_version(self, version):
59 |         if version in self.vrt_versions:
60 |             return self.vrt_versions[version]
61 |         elif Version.coerce(version) > self.last_tagged_version:
62 |             return self.vrt_versions['current']
63 |         else:
64 |             self.fail('Unknown version: %s' % version)
65 | 
66 | 
67 | if __name__ == "__main__":
68 |     unittest.main()
69 | 


--------------------------------------------------------------------------------
/lib/tests/test_vrt.py:
--------------------------------------------------------------------------------
 1 | from utils import utils
 2 | import unittest
 3 | import subprocess
 4 | import jsonschema
 5 | import glob
 6 | import os
 7 | 
 8 | 
 9 | class TestVrt(unittest.TestCase):
10 |     def setUp(self):
11 |         print("\n`---{}---`".format(self._testMethodName))
12 |         self.vrt = utils.get_json(utils.VRT_FILENAME)
13 |         self.mappings = [
14 |             {'filename': f, 'name': os.path.splitext(os.path.basename(f))[0]}
15 |             for f in glob.glob(
16 |                 utils.MAPPING_DIR + '/**/*.json', recursive=True
17 |             )
18 |             if 'schema' not in f
19 |         ]
20 | 
21 |     @unittest.skip('need to decide the best way to handle this')
22 |     def test_changelog_updated(self):
23 |         """
24 |         Checks if CHANGELOG.md is being updated with the current commit
25 |         and prompts the user if it isn't
26 |         """
27 |         p = subprocess.Popen(
28 |             'git diff HEAD --stat --staged CHANGELOG.md | wc -l',
29 |             shell=True, stdout=subprocess.PIPE
30 |         )
31 |         out, _err = p.communicate()
32 |         self.assertGreater(int(out), 0, 'CHANGELOG.md not updated')
33 | 
34 |     def validate_schema(self, schema_file, data_file):
35 |         schema = utils.get_json(schema_file)
36 |         data = utils.get_json(data_file)
37 |         jsonschema.Draft4Validator.check_schema(schema)
38 |         error = jsonschema.exceptions.best_match(
39 |             jsonschema.Draft4Validator(schema).iter_errors(data)
40 |         )
41 |         if error:
42 |             raise error
43 | 
44 |     def test_vrt_schema(self):
45 |         self.validate_schema(utils.VRT_SCHEMA_FILENAME, utils.VRT_FILENAME)
46 | 
47 |     def test_mapping_schemas(self):
48 |         for mapping in self.mappings:
49 |             schema_file = glob.glob(
50 |                 f'{utils.MAPPING_DIR}/**/{mapping["name"]}.schema.json',
51 |                 recursive=True
52 |             )[0]
53 |             self.assertTrue(
54 |                 os.path.isfile(schema_file),
55 |                 'Missing schema file for %s mapping' % mapping['name']
56 |             )
57 |             self.validate_schema(schema_file, mapping['filename'])
58 | 
59 |     def all_vrt_ids_have_mapping(self, mappping_filename, key):
60 |         mapping = utils.get_json(mappping_filename)
61 |         keyed_mapping = utils.key_by_id(mapping['content'])
62 |         for vrt_id_list in utils.all_id_lists(
63 |             self.vrt, include_internal=False
64 |         ):
65 |             result = utils.has_mapping(keyed_mapping, vrt_id_list, key)
66 |             if key == 'cwe' and not result:
67 |                 print('WARNING: no ' + key + ' mapping for ' + '.'.join(
68 |                     vrt_id_list
69 |                 ))
70 |             else:
71 |                 self.assertTrue(
72 |                     utils.has_mapping(
73 |                         keyed_mapping, vrt_id_list, key
74 |                     ),
75 |                     'no ' + key + ' mapping for ' + '.'.join(vrt_id_list)
76 |                 )
77 | 
78 |     def test_all_vrt_ids_have_all_mappings(self):
79 |         for mapping in self.mappings:
80 |             self.all_vrt_ids_have_mapping(mapping['filename'], mapping['name'])
81 | 
82 |     def only_map_valid_ids(self, mapping_filename):
83 |         vrt_ids = utils.all_id_lists(self.vrt)
84 |         mapping_ids = utils.all_id_lists(utils.get_json(mapping_filename))
85 |         for id_list in mapping_ids:
86 |             self.assertIn(
87 |                 id_list,
88 |                 vrt_ids,
89 |                 'invalid id in ' + mapping_filename + ' - ' + '.'.join(id_list)
90 |             )
91 | 
92 |     def test_only_map_valid_ids(self):
93 |         for mapping in self.mappings:
94 |             self.only_map_valid_ids(mapping['filename'])
95 | 
96 | 
97 | if __name__ == '__main__':
98 |     unittest.main()
99 | 


--------------------------------------------------------------------------------
/lib/utils/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bugcrowd/vulnerability-rating-taxonomy/6f8e8d6198e8c3f496b5c370b9cf1ad907971575/lib/utils/__init__.py


--------------------------------------------------------------------------------
/lib/utils/utils.py:
--------------------------------------------------------------------------------
  1 | import json, git, os
  2 | 
  3 | VRT_FILENAME = 'vulnerability-rating-taxonomy.json'
  4 | DEPRECATED_MAPPING_FILENAME = 'deprecated-node-mapping.json'
  5 | VRT_SCHEMA_FILENAME = 'vrt.schema.json'
  6 | MAPPING_DIR = 'mappings'
  7 | 
  8 | SCW_FILENAME = 'secure-code-warrior-links.json'
  9 | SCW_DIR = 'remediation_training'
 10 | THIRD_PARTY_MAPPING_DIR = 'third-party-mappings'
 11 | CVSS_FILE = "cvss_v3/cvss_v3.json"
 12 | CWE_FILE = "cwe/cwe.json"
 13 | REMEDIATION_ADVICE_FILE = "remediation_advice/remediation_advice.json"
 14 | 
 15 | def get_json(filename):
 16 |     with open(filename) as f:
 17 |         return json.loads(f.read())
 18 | 
 19 | 
 20 | def all_versions(filename):
 21 |     """
 22 |     Find, open and parse all tagged versions of a json file,
 23 |     including the current version
 24 | 
 25 |     :param filename: The filename to find
 26 |     :return: a dictionary of all the versions, in the form
 27 |         {
 28 |             'current': {...},
 29 |             '1.0': {...},
 30 |             '1.1': {...}
 31 |         }
 32 |     """
 33 |     repo = git.Repo()
 34 |     versions = {
 35 |         'current': get_json(filename)
 36 |     }
 37 |     for tag in repo.tags:
 38 |         version_dict = repo.git.show('%s:%s' % (tag.name, filename))
 39 |         versions[tag.name.strip('v')] = json.loads(version_dict)
 40 |     return versions
 41 | 
 42 | 
 43 | def id_valid(vrt, id_list):
 44 |     """
 45 |     Check if a vrt id is valid
 46 | 
 47 |     :param vrt: The vrt object
 48 |     :param id_list: The vrt id, split into components,
 49 |         eg ['category', 'subcategory', 'variant']
 50 |     :return: True/False
 51 |     """
 52 |     # this is not particularly efficient, but it's more readable than other
 53 |     # options so until we need to care...
 54 |     return id_list in all_id_lists(vrt)
 55 | 
 56 | 
 57 | def has_mapping(mapping, id_list, key):
 58 |     """
 59 |     Check if a vrt id has a mapping
 60 | 
 61 |     :param mapping: The mapping object, keyed by id
 62 |     :param id_list: The vrt id, split into components,
 63 |         eg ['category', 'subcategory', 'variant']
 64 |     :param key: The mapping key to look for, eg 'cvss_v3'
 65 |     :return: True/False
 66 |     """
 67 |     if key in mapping:
 68 |         return True
 69 |     elif 'children' in mapping:
 70 |         return has_mapping(mapping['children'], id_list, key)
 71 |     elif len(id_list) > 0 and id_list[0] in mapping:
 72 |         return has_mapping(mapping[id_list[0]], id_list[1:], key)
 73 |     else:
 74 |         return False
 75 | 
 76 | 
 77 | def key_by_id(mapping):
 78 |     """
 79 |     Converts arrays to hashes keyed by the id attribute for easier lookup. So
 80 |         [{'id': 'one', 'foo': 'bar'}, {'id': 'two', 'foo': 'baz'}]
 81 |     becomes
 82 |         {
 83 |             'one': {'id': 'one', 'foo': 'bar'},
 84 |             'two': {'id': 'two', 'foo': 'baz'}
 85 |         }
 86 |     """
 87 |     if isinstance(
 88 |         mapping, list
 89 |     ) and isinstance(
 90 |         mapping[0], dict
 91 |     ) and 'id' in mapping[0]:
 92 |         return {x['id']: key_by_id(x) for x in mapping}
 93 |     elif isinstance(mapping, dict):
 94 |         return {k: key_by_id(v) for k, v in mapping.items()}
 95 |     else:
 96 |         return mapping
 97 | 
 98 | 
 99 | def all_id_lists(vrt, include_internal=True):
100 |     """
101 |     Get all valid vrt ids for a given vrt object, including internal nodes
102 |     by default
103 | 
104 |     :param vrt: The vrt object
105 |     :param include_internal: Whether to include internal nodes or only
106 |     leaf nodes
107 |     :return: ids in the form
108 |         [
109 |             ['category'],
110 |             ['category', 'subcategory'],
111 |             ['category', 'subcategory', 'variant1'],
112 |             ['category', 'subcategory', 'variant2']
113 |         ]
114 |     """
115 |     def _all_id_lists(sub_vrt, prefix):
116 |         if isinstance(sub_vrt, list):
117 |             return [
118 |                 vrt_id for entry in sub_vrt
119 |                 for vrt_id in _all_id_lists(entry, prefix)
120 |             ]
121 |         elif isinstance(sub_vrt, dict):
122 |             if 'children' in sub_vrt:
123 |                 new_prefix = prefix + [sub_vrt['id']]
124 |                 sub_ids = _all_id_lists(sub_vrt['children'], new_prefix)
125 |                 if include_internal:
126 |                     sub_ids += [new_prefix]
127 |                 return sub_ids
128 |             else:
129 |                 return [prefix + [sub_vrt['id']]]
130 |         else:
131 |             print(sub_vrt)
132 |             raise Exception('unexpected entry found')
133 |     return _all_id_lists(vrt['content'], [])
134 | 
135 | def sort_jsons():
136 |     '''
137 |     Sort all corresponding JSONs for this project for better readability and
138 |     maintaining properly formatted JSON files. 
139 |     '''
140 |     def sort_json(json_data):
141 |         def sort_json_blocks(block_data):
142 |             sorted_blocks = list(sorted(block_data, key = lambda a: a['id']))
143 |             for idx, block in enumerate(sorted_blocks):
144 |                 if 'children' in block and block['children']!=[]:
145 |                     sorted_children = sort_json_blocks(block['children'])
146 |                     sorted_blocks[idx]['children'] = sorted_children
147 |             return sorted_blocks
148 |         json_data['content'] = sort_json_blocks(json_data['content'])
149 |         return json_data
150 |     
151 |     for json_path in [
152 |         VRT_FILENAME, 
153 |         os.path.join(MAPPING_DIR, CVSS_FILE), 
154 |         os.path.join(MAPPING_DIR, CWE_FILE), 
155 |         os.path.join(MAPPING_DIR, REMEDIATION_ADVICE_FILE)
156 |         ]:
157 |         data = sort_json(get_json(json_path))
158 |         print("`{}` JSON data sorted!".format(json_path))
159 |         output = json.dumps(data, indent=2)
160 |         open(json_path, "w").write(output)
161 |         print("- Writing {} bytes.\n".format(len(output)))
162 | 


--------------------------------------------------------------------------------
/lib/validate_artifacts.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | import sys
 3 | import json
 4 | from utils import utils
 5 | from artifacts import scw_artifact
 6 | 
 7 | artifact_json = utils.get_json(scw_artifact.OUTPUT_FILENAME)
 8 | repo_path = os.path.join(
 9 |     utils.THIRD_PARTY_MAPPING_DIR,
10 |     utils.SCW_DIR,
11 |     utils.SCW_FILENAME
12 | )
13 | print(os.path.abspath(repo_path))
14 | repo_json = utils.get_json(repo_path)
15 | 
16 | sorted_artifact_json = json.dumps(artifact_json, sort_keys=True)
17 | sorted_repo_json = json.dumps(repo_json, sort_keys=True)
18 | 
19 | if sorted_artifact_json == sorted_repo_json:
20 |     print('SCW Document is valid!')
21 |     sys.exit(0)
22 | else:
23 |     print(
24 |         'SCW Document is invalid, copy the artifact to the remediation\
25 |  training'
26 |     )
27 |     sys.exit(1)
28 | 


--------------------------------------------------------------------------------
/lib/validate_vrt.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | import unittest
 3 | import sys
 4 | 
 5 | 
 6 | def main():
 7 |     tests = unittest.defaultTestLoader.discover('tests')
 8 |     return unittest.TextTestRunner().run(tests)
 9 | 
10 | 
11 | if __name__ == '__main__':
12 |     if not main().wasSuccessful():
13 |         sys.exit(1)
14 | 


--------------------------------------------------------------------------------
/mappings/cvss_v3/cvss_v3.json:
--------------------------------------------------------------------------------
   1 | {
   2 |   "metadata": {
   3 |     "default": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
   4 |   },
   5 |   "content": [
   6 |     {
   7 |       "id": "ai_application_security",
   8 |       "children": [
   9 |         {
  10 |           "id": "llm_security",
  11 |           "children": [
  12 |             {
  13 |               "id": "excessive_agency_permission_manipulation",
  14 |               "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"
  15 |             },
  16 |             {
  17 |               "id": "llm_output_handling",
  18 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L"
  19 |             },
  20 |             {
  21 |               "id": "prompt_injection",
  22 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L"
  23 |             },
  24 |             {
  25 |               "id": "training_data_poisoning",
  26 |               "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
  27 |             }
  28 |           ]
  29 |         }
  30 |       ]
  31 |     },
  32 |     {
  33 |       "id": "algorithmic_biases",
  34 |       "children": [
  35 |         {
  36 |           "id": "aggregation_bias",
  37 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
  38 |         },
  39 |         {
  40 |           "id": "processing_bias",
  41 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
  42 |         }
  43 |       ]
  44 |     },
  45 |     {
  46 |       "id": "application_level_denial_of_service_dos",
  47 |       "children": [
  48 |         {
  49 |           "id": "app_crash",
  50 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
  51 |         },
  52 |         {
  53 |           "id": "critical_impact_and_or_easy_difficulty",
  54 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
  55 |         },
  56 |         {
  57 |           "id": "excessive_resource_consumption",
  58 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H"
  59 |         },
  60 |         {
  61 |           "id": "high_impact_and_or_medium_difficulty",
  62 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
  63 |         }
  64 |       ]
  65 |     },
  66 |     {
  67 |       "id": "automotive_security_misconfiguration",
  68 |       "children": [
  69 |         {
  70 |           "id": "abs",
  71 |           "children": [
  72 |             {
  73 |               "id": "unintended_acceleration_brake",
  74 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
  75 |             }
  76 |           ]
  77 |         },
  78 |         {
  79 |           "id": "battery_management_system",
  80 |           "children": [
  81 |             {
  82 |               "id": "firmware_dump",
  83 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
  84 |             },
  85 |             {
  86 |               "id": "fraudulent_interface",
  87 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H"
  88 |             }
  89 |           ]
  90 |         },
  91 |         {
  92 |           "id": "can",
  93 |           "children": [
  94 |             {
  95 |               "id": "injection_basic_safety_message",
  96 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
  97 |             },
  98 |             {
  99 |               "id": "injection_battery_management_system",
 100 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
 101 |             },
 102 |             {
 103 |               "id": "injection_disallowed_messages",
 104 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
 105 |             },
 106 |             {
 107 |               "id": "injection_dos",
 108 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
 109 |             },
 110 |             {
 111 |               "id": "injection_headlights",
 112 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
 113 |             },
 114 |             {
 115 |               "id": "injection_powertrain",
 116 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
 117 |             },
 118 |             {
 119 |               "id": "injection_pyrotechnical_device_deployment_tool",
 120 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
 121 |             },
 122 |             {
 123 |               "id": "injection_sensors",
 124 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
 125 |             },
 126 |             {
 127 |               "id": "injection_steering_control",
 128 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
 129 |             },
 130 |             {
 131 |               "id": "injection_vehicle_anti_theft_systems",
 132 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
 133 |             }
 134 |           ]
 135 |         },
 136 |         {
 137 |           "id": "gnss_gps",
 138 |           "children": [
 139 |             {
 140 |               "id": "spoofing",
 141 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
 142 |             }
 143 |           ]
 144 |         },
 145 |         {
 146 |           "id": "immobilizer",
 147 |           "children": [
 148 |             {
 149 |               "id": "engine_start",
 150 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
 151 |             }
 152 |           ]
 153 |         },
 154 |         {
 155 |           "id": "infotainment_radio_head_unit",
 156 |           "children": [
 157 |             {
 158 |               "id": "code_execution_can_bus_pivot",
 159 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
 160 |             },
 161 |             {
 162 |               "id": "code_execution_no_can_bus_pivot",
 163 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
 164 |             },
 165 |             {
 166 |               "id": "default_credentials",
 167 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
 168 |             },
 169 |             {
 170 |               "id": "dos_brick",
 171 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
 172 |             },
 173 |             {
 174 |               "id": "ota_firmware_manipulation",
 175 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
 176 |             },
 177 |             {
 178 |               "id": "sensitive_data_leakage_exposure",
 179 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
 180 |             },
 181 |             {
 182 |               "id": "source_code_dump",
 183 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
 184 |             },
 185 |             {
 186 |               "id": "unauthorized_access_to_services",
 187 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
 188 |             }
 189 |           ]
 190 |         },
 191 |         {
 192 |           "id": "rf_hub",
 193 |           "children": [
 194 |             {
 195 |               "id": "can_injection_interaction",
 196 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
 197 |             },
 198 |             {
 199 |               "id": "data_leakage_pull_encryption_mechanism",
 200 |               "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
 201 |             },
 202 |             {
 203 |               "id": "key_fob_cloning",
 204 |               "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
 205 |             },
 206 |             {
 207 |               "id": "relay",
 208 |               "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
 209 |             },
 210 |             {
 211 |               "id": "replay",
 212 |               "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
 213 |             },
 214 |             {
 215 |               "id": "roll_jam",
 216 |               "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
 217 |             },
 218 |             {
 219 |               "id": "unauthorized_access_turn_on",
 220 |               "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L"
 221 |             }
 222 |           ]
 223 |         },
 224 |         {
 225 |           "id": "rsu",
 226 |           "children": [
 227 |             {
 228 |               "id": "sybil_attack",
 229 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
 230 |             }
 231 |           ]
 232 |         }
 233 |       ]
 234 |     },
 235 |     {
 236 |       "id": "blockchain_infrastructure_misconfiguration",
 237 |       "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 238 |     },
 239 |     {
 240 |       "id": "broken_access_control",
 241 |       "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
 242 |       "children": [
 243 |         {
 244 |           "id": "privilege_escalation",
 245 |           "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
 246 |         },
 247 |         {
 248 |           "id": "username_enumeration",
 249 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
 250 |         }
 251 |       ]
 252 |     },
 253 |     {
 254 |       "id": "broken_authentication_and_session_management",
 255 |       "children": [
 256 |         {
 257 |           "id": "authentication_bypass",
 258 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
 259 |         },
 260 |         {
 261 |           "id": "cleartext_transmission_of_session_token",
 262 |           "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
 263 |         },
 264 |         {
 265 |           "id": "concurrent_logins",
 266 |           "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
 267 |         },
 268 |         {
 269 |           "id": "failure_to_invalidate_session",
 270 |           "children": [
 271 |             {
 272 |               "id": "all_sessions",
 273 |               "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
 274 |             },
 275 |             {
 276 |               "id": "long_timeout",
 277 |               "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
 278 |             },
 279 |             {
 280 |               "id": "on_email_change",
 281 |               "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
 282 |             },
 283 |             {
 284 |               "id": "on_logout",
 285 |               "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
 286 |             },
 287 |             {
 288 |               "id": "on_logout_server_side_only",
 289 |               "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
 290 |             },
 291 |             {
 292 |               "id": "on_password_change",
 293 |               "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
 294 |             },
 295 |             {
 296 |               "id": "on_two_fa_activation_change",
 297 |               "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
 298 |             },
 299 |             {
 300 |               "id": "permission_change",
 301 |               "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
 302 |             }
 303 |           ]
 304 |         },
 305 |         {
 306 |           "id": "saml_replay",
 307 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"
 308 |         },
 309 |         {
 310 |           "id": "session_fixation",
 311 |           "children": [
 312 |             {
 313 |               "id": "local_attack_vector",
 314 |               "cvss_v3": "AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"
 315 |             },
 316 |             {
 317 |               "id": "remote_attack_vector",
 318 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
 319 |             }
 320 |           ]
 321 |         },
 322 |         {
 323 |           "id": "two_fa_bypass",
 324 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
 325 |         },
 326 |         {
 327 |           "id": "weak_login_function",
 328 |           "children": [
 329 |             {
 330 |               "id": "not_operational",
 331 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 332 |             },
 333 |             {
 334 |               "id": "other_plaintext_protocol_no_secure_alternative",
 335 |               "cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
 336 |             },
 337 |             {
 338 |               "id": "over_http",
 339 |               "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
 340 |             }
 341 |           ]
 342 |         },
 343 |         {
 344 |           "id": "weak_registration_implementation",
 345 |           "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
 346 |         }
 347 |       ]
 348 |     },
 349 |     {
 350 |       "id": "client_side_injection",
 351 |       "children": [
 352 |         {
 353 |           "id": "binary_planting",
 354 |           "children": [
 355 |             {
 356 |               "id": "no_privilege_escalation",
 357 |               "cvss_v3": "AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
 358 |             },
 359 |             {
 360 |               "id": "non_default_folder_privilege_escalation",
 361 |               "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
 362 |             },
 363 |             {
 364 |               "id": "privilege_escalation",
 365 |               "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
 366 |             }
 367 |           ]
 368 |         }
 369 |       ]
 370 |     },
 371 |     {
 372 |       "id": "cross_site_request_forgery_csrf",
 373 |       "children": [
 374 |         {
 375 |           "id": "action_specific",
 376 |           "children": [
 377 |             {
 378 |               "id": "authenticated_action",
 379 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"
 380 |             },
 381 |             {
 382 |               "id": "logout",
 383 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
 384 |             },
 385 |             {
 386 |               "id": "unauthenticated_action",
 387 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
 388 |             }
 389 |           ]
 390 |         },
 391 |         {
 392 |           "id": "application_wide",
 393 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
 394 |         },
 395 |         {
 396 |           "id": "csrf_token_not_unique_per_request",
 397 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
 398 |         },
 399 |         {
 400 |           "id": "flash_based",
 401 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
 402 |         }
 403 |       ]
 404 |     },
 405 |     {
 406 |       "id": "cross_site_scripting_xss",
 407 |       "children": [
 408 |         {
 409 |           "id": "cookie_based",
 410 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
 411 |         },
 412 |         {
 413 |           "id": "flash_based",
 414 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
 415 |         },
 416 |         {
 417 |           "id": "ie_only",
 418 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
 419 |         },
 420 |         {
 421 |           "id": "off_domain",
 422 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
 423 |         },
 424 |         {
 425 |           "id": "referer",
 426 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
 427 |         },
 428 |         {
 429 |           "id": "reflected",
 430 |           "children": [
 431 |             {
 432 |               "id": "non_self",
 433 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
 434 |             },
 435 |             {
 436 |               "id": "self",
 437 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 438 |             }
 439 |           ]
 440 |         },
 441 |         {
 442 |           "id": "stored",
 443 |           "children": [
 444 |             {
 445 |               "id": "non_admin_to_anyone",
 446 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
 447 |             },
 448 |             {
 449 |               "id": "privileged_user_to_no_privilege_elevation",
 450 |               "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
 451 |             },
 452 |             {
 453 |               "id": "privileged_user_to_privilege_elevation",
 454 |               "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
 455 |             },
 456 |             {
 457 |               "id": "self",
 458 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 459 |             },
 460 |             {
 461 |               "id": "url_based",
 462 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
 463 |             }
 464 |           ]
 465 |         },
 466 |         {
 467 |           "id": "trace_method",
 468 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 469 |         },
 470 |         {
 471 |           "id": "universal_uxss",
 472 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
 473 |         }
 474 |       ]
 475 |     },
 476 |     {
 477 |       "id": "cryptographic_weakness",
 478 |       "children": [
 479 |         {
 480 |           "id": "broken_cryptography",
 481 |           "children": [
 482 |             {
 483 |               "id": "use_of_broken_cryptographic_primitive",
 484 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
 485 |             },
 486 |             {
 487 |               "id": "use_of_vulnerable_cryptographic_library",
 488 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
 489 |             }
 490 |           ]
 491 |         },
 492 |         {
 493 |           "id": "incomplete_cleanup_of_keying_material",
 494 |           "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L"
 495 |         },
 496 |         {
 497 |           "id": "insecure_implementation",
 498 |           "children": [
 499 |             {
 500 |               "id": "improper_following_of_specification",
 501 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
 502 |             },
 503 |             {
 504 |               "id": "missing_cryptographic_step",
 505 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
 506 |             }
 507 |           ]
 508 |         },
 509 |         {
 510 |           "id": "insecure_key_generation",
 511 |           "children": [
 512 |             {
 513 |               "id": "improper_asymmetric_exponent_selection",
 514 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
 515 |             },
 516 |             {
 517 |               "id": "improper_asymmetric_prime_selection",
 518 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
 519 |             },
 520 |             {
 521 |               "id": "insufficient_key_space",
 522 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
 523 |             },
 524 |             {
 525 |               "id": "insufficient_key_stretching",
 526 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
 527 |             },
 528 |             {
 529 |               "id": "key_exchange_without_entity_authentication",
 530 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
 531 |             }
 532 |           ]
 533 |         },
 534 |         {
 535 |           "id": "insufficient_entropy",
 536 |           "children": [
 537 |             {
 538 |               "id": "initialization_vector_reuse",
 539 |               "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
 540 |             },
 541 |             {
 542 |               "id": "limited_rng_entropy_source",
 543 |               "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
 544 |             },
 545 |             {
 546 |               "id": "predictable_initialization_vector",
 547 |               "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
 548 |             },
 549 |             {
 550 |               "id": "predictable_prng_seed",
 551 |               "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
 552 |             },
 553 |             {
 554 |               "id": "prng_seed_reuse",
 555 |               "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
 556 |             },
 557 |             {
 558 |               "id": "small_seed_space_in_prng",
 559 |               "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
 560 |             },
 561 |             {
 562 |               "id": "use_of_trng_for_nonsecurity_purpose",
 563 |               "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
 564 |             }
 565 |           ]
 566 |         },
 567 |         {
 568 |           "id": "insufficient_verification_of_data_authenticity",
 569 |           "children": [
 570 |             {
 571 |               "id": "cryptographic_signature",
 572 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
 573 |             },
 574 |             {
 575 |               "id": "identity_check_value",
 576 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
 577 |             }
 578 |           ]
 579 |         },
 580 |         {
 581 |           "id": "key_reuse",
 582 |           "children": [
 583 |             {
 584 |               "id": "inter_environment",
 585 |               "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"
 586 |             },
 587 |             {
 588 |               "id": "intra_environment",
 589 |               "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
 590 |             },
 591 |             {
 592 |               "id": "lack_of_perfect_forward_secrecy",
 593 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
 594 |             }
 595 |           ]
 596 |         },
 597 |         {
 598 |           "id": "side_channel_attack",
 599 |           "children": [
 600 |             {
 601 |               "id": "differential_fault_analysis",
 602 |               "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
 603 |             },
 604 |             {
 605 |               "id": "emanations_attack",
 606 |               "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
 607 |             },
 608 |             {
 609 |               "id": "padding_oracle_attack",
 610 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
 611 |             },
 612 |             {
 613 |               "id": "power_analysis_attack",
 614 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
 615 |             },
 616 |             {
 617 |               "id": "timing_attack",
 618 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
 619 |             }
 620 |           ]
 621 |         },
 622 |         {
 623 |           "id": "use_of_expired_cryptographic_key_or_cert",
 624 |           "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
 625 |         },
 626 |         {
 627 |           "id": "weak_hash",
 628 |           "children": [
 629 |             {
 630 |               "id": "lack_of_salt",
 631 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
 632 |             },
 633 |             {
 634 |               "id": "predictable_hash_collision",
 635 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
 636 |             },
 637 |             {
 638 |               "id": "use_of_predictable_salt",
 639 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
 640 |             }
 641 |           ]
 642 |         }
 643 |       ]
 644 |     },
 645 |     {
 646 |       "id": "data_biases",
 647 |       "children": [
 648 |         {
 649 |           "id": "pre_existing_bias",
 650 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
 651 |         },
 652 |         {
 653 |           "id": "representation_bias",
 654 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
 655 |         }
 656 |       ]
 657 |     },
 658 |     {
 659 |       "id": "decentralized_application_misconfiguration",
 660 |       "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 661 |     },
 662 |     {
 663 |       "id": "developer_biases",
 664 |       "children": [
 665 |         {
 666 |           "id": "implicit_bias",
 667 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N"
 668 |         }
 669 |       ]
 670 |     },
 671 |     {
 672 |       "id": "external_behavior",
 673 |       "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 674 |     },
 675 |     {
 676 |       "id": "indicators_of_compromise",
 677 |       "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 678 |     },
 679 |     {
 680 |       "id": "insecure_data_storage",
 681 |       "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
 682 |       "children": [
 683 |         {
 684 |           "id": "sensitive_application_data_stored_unencrypted",
 685 |           "children": [
 686 |             {
 687 |               "id": "on_external_storage",
 688 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
 689 |             }
 690 |           ]
 691 |         },
 692 |         {
 693 |           "id": "server_side_credentials_storage",
 694 |           "children": [
 695 |             {
 696 |               "id": "plaintext",
 697 |               "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N"
 698 |             }
 699 |           ]
 700 |         }
 701 |       ]
 702 |     },
 703 |     {
 704 |       "id": "insecure_data_transport",
 705 |       "children": [
 706 |         {
 707 |           "id": "cleartext_transmission_of_sensitive_data",
 708 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
 709 |         },
 710 |         {
 711 |           "id": "executable_download",
 712 |           "children": [
 713 |             {
 714 |               "id": "no_secure_integrity_check",
 715 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
 716 |             },
 717 |             {
 718 |               "id": "secure_integrity_check",
 719 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
 720 |             }
 721 |           ]
 722 |         }
 723 |       ]
 724 |     },
 725 |     {
 726 |       "id": "insecure_os_firmware",
 727 |       "children": [
 728 |         {
 729 |           "id": "command_injection",
 730 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
 731 |         },
 732 |         {
 733 |           "id": "data_not_encrypted_at_rest",
 734 |           "children": [
 735 |             {
 736 |               "id": "non_sensitive",
 737 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
 738 |             },
 739 |             {
 740 |               "id": "sensitive",
 741 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
 742 |             }
 743 |           ]
 744 |         },
 745 |         {
 746 |           "id": "failure_to_remove_sensitive_artifacts_from_disk",
 747 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
 748 |         },
 749 |         {
 750 |           "id": "hardcoded_password",
 751 |           "children": [
 752 |             {
 753 |               "id": "non_privileged_user",
 754 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
 755 |             },
 756 |             {
 757 |               "id": "privileged_user",
 758 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
 759 |             }
 760 |           ]
 761 |         },
 762 |         {
 763 |           "id": "kiosk_escape_or_breakout",
 764 |           "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"
 765 |         },
 766 |         {
 767 |           "id": "local_administrator_on_default_environment",
 768 |           "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
 769 |         },
 770 |         {
 771 |           "id": "over_permissioned_credentials_on_storage",
 772 |           "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
 773 |         },
 774 |         {
 775 |           "id": "poorly_configured_disk_encryption",
 776 |           "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
 777 |         },
 778 |         {
 779 |           "id": "poorly_configured_operating_system_security",
 780 |           "cvss_v3": "AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
 781 |         },
 782 |         {
 783 |           "id": "recovery_of_disk_contains_sensitive_material",
 784 |           "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
 785 |         },
 786 |         {
 787 |           "id": "shared_credentials_on_storage",
 788 |           "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
 789 |         },
 790 |         {
 791 |           "id": "weakness_in_firmware_updates",
 792 |           "children": [
 793 |             {
 794 |               "id": "firmware_cannot_be_updated",
 795 |               "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"
 796 |             },
 797 |             {
 798 |               "id": "firmware_does_not_validate_update_integrity",
 799 |               "cvss_v3": "AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H"
 800 |             },
 801 |             {
 802 |               "id": "firmware_is_not_encrypted",
 803 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
 804 |             }
 805 |           ]
 806 |         }
 807 |       ]
 808 |     },
 809 |     {
 810 |       "id": "insufficient_security_configurability",
 811 |       "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
 812 |       "children": [
 813 |         {
 814 |           "id": "no_password_policy",
 815 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
 816 |         },
 817 |         {
 818 |           "id": "weak_password_reset_implementation",
 819 |           "children": [
 820 |             {
 821 |               "id": "token_is_not_invalidated_after_use",
 822 |               "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
 823 |             }
 824 |           ]
 825 |         },
 826 |         {
 827 |           "id": "weak_two_fa_implementation",
 828 |           "children": [
 829 |             {
 830 |               "id": "two_fa_secret_cannot_be_rotated",
 831 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
 832 |             },
 833 |             {
 834 |               "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
 835 |               "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
 836 |             }
 837 |           ]
 838 |         }
 839 |       ]
 840 |     },
 841 |     {
 842 |       "id": "lack_of_binary_hardening",
 843 |       "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 844 |     },
 845 |     {
 846 |       "id": "misinterpretation_biases",
 847 |       "children": [
 848 |         {
 849 |           "id": "context_ignorance",
 850 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
 851 |         }
 852 |       ]
 853 |     },
 854 |     {
 855 |       "id": "mobile_security_misconfiguration",
 856 |       "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
 857 |       "children": [
 858 |         {
 859 |           "id": "auto_backup_allowed_by_default",
 860 |           "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
 861 |         },
 862 |         {
 863 |           "id": "clipboard_enabled",
 864 |           "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
 865 |         }
 866 |       ]
 867 |     },
 868 |     {
 869 |       "id": "network_security_misconfiguration",
 870 |       "children": [
 871 |         {
 872 |           "id": "telnet_enabled",
 873 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 874 |         }
 875 |       ]
 876 |     },
 877 |     {
 878 |       "id": "physical_security_issues",
 879 |       "children": [
 880 |         {
 881 |           "id": "bypass_of_physical_access_control",
 882 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
 883 |         },
 884 |         {
 885 |           "id": "weakness_in_physical_access_control",
 886 |           "children": [
 887 |             {
 888 |               "id": "cloneable_key",
 889 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
 890 |             },
 891 |             {
 892 |               "id": "commonly_keyed_system",
 893 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
 894 |             },
 895 |             {
 896 |               "id": "master_key_identification",
 897 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
 898 |             }
 899 |           ]
 900 |         }
 901 |       ]
 902 |     },
 903 |     {
 904 |       "id": "privacy_concerns",
 905 |       "children": [
 906 |         {
 907 |           "id": "unnecessary_data_collection",
 908 |           "children": [
 909 |             {
 910 |               "id": "wifi_ssid_password",
 911 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
 912 |             }
 913 |           ]
 914 |         }
 915 |       ]
 916 |     },
 917 |     {
 918 |       "id": "protocol_specific_misconfiguration",
 919 |       "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 920 |     },
 921 |     {
 922 |       "id": "sensitive_data_exposure",
 923 |       "children": [
 924 |         {
 925 |           "id": "disclosure_of_known_public_information",
 926 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 927 |         },
 928 |         {
 929 |           "id": "disclosure_of_secrets",
 930 |           "children": [
 931 |             {
 932 |               "id": "data_traffic_spam",
 933 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 934 |             },
 935 |             {
 936 |               "id": "for_internal_asset",
 937 |               "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
 938 |             },
 939 |             {
 940 |               "id": "for_publicly_accessible_asset",
 941 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
 942 |             },
 943 |             {
 944 |               "id": "intentionally_public_sample_or_invalid",
 945 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 946 |             },
 947 |             {
 948 |               "id": "non_corporate_user",
 949 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 950 |             },
 951 |             {
 952 |               "id": "pay_per_use_abuse",
 953 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
 954 |             },
 955 |             {
 956 |               "id": "pii_leakage_exposure",
 957 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
 958 |             }
 959 |           ]
 960 |         },
 961 |         {
 962 |           "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
 963 |           "children": [
 964 |             {
 965 |               "id": "automatic_user_enumeration",
 966 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
 967 |             },
 968 |             {
 969 |               "id": "manual_user_enumeration",
 970 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
 971 |             }
 972 |           ]
 973 |         },
 974 |         {
 975 |           "id": "internal_ip_disclosure",
 976 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 977 |         },
 978 |         {
 979 |           "id": "json_hijacking",
 980 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
 981 |         },
 982 |         {
 983 |           "id": "mixed_content",
 984 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
 985 |         },
 986 |         {
 987 |           "id": "non_sensitive_token_in_url",
 988 |           "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 989 |         },
 990 |         {
 991 |           "id": "sensitive_data_hardcoded",
 992 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
 993 |         },
 994 |         {
 995 |           "id": "sensitive_token_in_url",
 996 |           "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
 997 |         },
 998 |         {
 999 |           "id": "token_leakage_via_referer",
1000 |           "children": [
1001 |             {
1002 |               "id": "over_http",
1003 |               "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
1004 |             },
1005 |             {
1006 |               "id": "password_reset_token",
1007 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1008 |             },
1009 |             {
1010 |               "id": "trusted_third_party",
1011 |               "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
1012 |             },
1013 |             {
1014 |               "id": "untrusted_third_party",
1015 |               "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
1016 |             }
1017 |           ]
1018 |         },
1019 |         {
1020 |           "id": "via_localstorage_sessionstorage",
1021 |           "children": [
1022 |             {
1023 |               "id": "non_sensitive_token",
1024 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
1025 |             },
1026 |             {
1027 |               "id": "sensitive_token",
1028 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1029 |             }
1030 |           ]
1031 |         },
1032 |         {
1033 |           "id": "visible_detailed_error_page",
1034 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
1035 |           "children": [
1036 |             {
1037 |               "id": "detailed_server_configuration",
1038 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
1039 |             }
1040 |           ]
1041 |         },
1042 |         {
1043 |           "id": "weak_password_reset_implementation",
1044 |           "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
1045 |           "children": [
1046 |             {
1047 |               "id": "token_leakage_via_host_header_poisoning",
1048 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
1049 |             }
1050 |           ]
1051 |         },
1052 |         {
1053 |           "id": "xssi",
1054 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
1055 |         }
1056 |       ]
1057 |     },
1058 |     {
1059 |       "id": "server_security_misconfiguration",
1060 |       "children": [
1061 |         {
1062 |           "id": "bitsquatting",
1063 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1064 |         },
1065 |         {
1066 |           "id": "cache_poisoning",
1067 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1068 |         },
1069 |         {
1070 |           "id": "cache_deception",
1071 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1072 |         },
1073 |         {
1074 |           "id": "captcha",
1075 |           "children": [
1076 |             {
1077 |               "id": "brute_force",
1078 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
1079 |             },
1080 |             {
1081 |               "id": "implementation_vulnerability",
1082 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
1083 |             },
1084 |             {
1085 |               "id": "missing",
1086 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1087 |             }
1088 |           ]
1089 |         },
1090 |         {
1091 |           "id": "clickjacking",
1092 |           "children": [
1093 |             {
1094 |               "id": "form_input",
1095 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
1096 |             },
1097 |             {
1098 |               "id": "non_sensitive_action",
1099 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
1100 |             },
1101 |             {
1102 |               "id": "sensitive_action",
1103 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
1104 |             }
1105 |           ]
1106 |         },
1107 |         {
1108 |           "id": "cookie_scoped_to_parent_domain",
1109 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1110 |         },
1111 |         {
1112 |           "id": "dbms_misconfiguration",
1113 |           "children": [
1114 |             {
1115 |               "id": "excessively_privileged_user_dba",
1116 |               "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
1117 |             }
1118 |           ]
1119 |         },
1120 |         {
1121 |           "id": "directory_listing_enabled",
1122 |           "children": [
1123 |             {
1124 |               "id": "non_sensitive_data_exposure",
1125 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1126 |             },
1127 |             {
1128 |               "id": "sensitive_data_exposure",
1129 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
1130 |             }
1131 |           ]
1132 |         },
1133 |         {
1134 |           "id": "email_verification_bypass",
1135 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
1136 |         },
1137 |         {
1138 |           "id": "exposed_admin_portal",
1139 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1140 |         },
1141 |         {
1142 |           "id": "fingerprinting_banner_disclosure",
1143 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1144 |         },
1145 |         {
1146 |           "id": "insecure_ssl",
1147 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
1148 |         },
1149 |         {
1150 |           "id": "lack_of_password_confirmation",
1151 |           "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
1152 |           "children": [
1153 |             {
1154 |               "id": "manage_two_fa",
1155 |               "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"
1156 |             }
1157 |           ]
1158 |         },
1159 |         {
1160 |           "id": "lack_of_security_headers",
1161 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
1162 |           "children": [
1163 |             {
1164 |               "id": "cache_control_for_a_sensitive_page",
1165 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1166 |             }
1167 |           ]
1168 |         },
1169 |         {
1170 |           "id": "mail_server_misconfiguration",
1171 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
1172 |           "children": [
1173 |             {
1174 |               "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
1175 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
1176 |             },
1177 |             {
1178 |               "id": "no_spoofing_protection_on_email_domain",
1179 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
1180 |             }
1181 |           ]
1182 |         },
1183 |         {
1184 |           "id": "misconfigured_dns",
1185 |           "children": [
1186 |             {
1187 |               "id": "missing_caa_record",
1188 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
1189 |             },
1190 |             {
1191 |               "id": "subdomain_takeover",
1192 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
1193 |             },
1194 |             {
1195 |               "id": "zone_transfer",
1196 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
1197 |             }
1198 |           ]
1199 |         },
1200 |         {
1201 |           "id": "missing_dnssec",
1202 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
1203 |         },
1204 |         {
1205 |           "id": "missing_secure_or_httponly_cookie_flag",
1206 |           "children": [
1207 |             {
1208 |               "id": "non_session_cookie",
1209 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1210 |             },
1211 |             {
1212 |               "id": "session_token",
1213 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1214 |             }
1215 |           ]
1216 |         },
1217 |         {
1218 |           "id": "missing_subresource_integrity",
1219 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
1220 |         },
1221 |         {
1222 |           "id": "no_rate_limiting_on_form",
1223 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
1224 |           "children": [
1225 |             {
1226 |               "id": "change_password",
1227 |               "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"
1228 |             },
1229 |             {
1230 |               "id": "login",
1231 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
1232 |             }
1233 |           ]
1234 |         },
1235 |         {
1236 |           "id": "oauth_misconfiguration",
1237 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
1238 |           "children": [
1239 |             {
1240 |               "id": "account_squatting",
1241 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
1242 |             },
1243 |             {
1244 |               "id": "account_takeover",
1245 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
1246 |             }
1247 |           ]
1248 |         },
1249 |         {
1250 |           "id": "path_traversal",
1251 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
1252 |         },
1253 |         {
1254 |           "id": "potentially_unsafe_http_method_enabled",
1255 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1256 |         },
1257 |         {
1258 |           "id": "race_condition",
1259 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1260 |         },
1261 |         {
1262 |           "id": "request_smuggling",
1263 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
1264 |         },
1265 |         {
1266 |           "id": "rfd",
1267 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
1268 |         },
1269 |         {
1270 |           "id": "same_site_scripting",
1271 |           "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"
1272 |         },
1273 |         {
1274 |           "id": "server_side_request_forgery_ssrf",
1275 |           "children": [
1276 |             {
1277 |               "id": "external_dns_query_only",
1278 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
1279 |             },
1280 |             {
1281 |               "id": "external_low_impact",
1282 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
1283 |             },
1284 |             {
1285 |               "id": "internal_high_impact",
1286 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
1287 |             },
1288 |             {
1289 |               "id": "internal_scan_and_or_medium_impact",
1290 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
1291 |             }
1292 |           ]
1293 |         },
1294 |         {
1295 |           "id": "software_package_takeover",
1296 |           "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
1297 |         },
1298 |         {
1299 |           "id": "ssl_attack_breach_poodle_etc",
1300 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
1301 |         },
1302 |         {
1303 |           "id": "unsafe_cross_origin_resource_sharing",
1304 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
1305 |         },
1306 |         {
1307 |           "id": "unsafe_file_upload",
1308 |           "children": [
1309 |             {
1310 |               "id": "file_extension_filter_bypass",
1311 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1312 |             },
1313 |             {
1314 |               "id": "no_antivirus",
1315 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
1316 |             },
1317 |             {
1318 |               "id": "no_size_limit",
1319 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
1320 |             }
1321 |           ]
1322 |         },
1323 |         {
1324 |           "id": "username_enumeration",
1325 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1326 |         },
1327 |         {
1328 |           "id": "using_default_credentials",
1329 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
1330 |         },
1331 |         {
1332 |           "id": "waf_bypass",
1333 |           "children": [
1334 |             {
1335 |               "id": "direct_server_access",
1336 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
1337 |             }
1338 |           ]
1339 |         }
1340 |       ]
1341 |     },
1342 |     {
1343 |       "id": "server_side_injection",
1344 |       "children": [
1345 |         {
1346 |           "id": "content_spoofing",
1347 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
1348 |           "children": [
1349 |             {
1350 |               "id": "email_html_injection",
1351 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
1352 |             },
1353 |             {
1354 |               "id": "external_authentication_injection",
1355 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
1356 |             },
1357 |             {
1358 |               "id": "flash_based_external_authentication_injection",
1359 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
1360 |             },
1361 |             {
1362 |               "id": "html_content_injection",
1363 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1364 |             },
1365 |             {
1366 |               "id": "iframe_injection",
1367 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
1368 |             },
1369 |             {
1370 |               "id": "impersonation_via_broken_link_hijacking",
1371 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
1372 |             }
1373 |           ]
1374 |         },
1375 |         {
1376 |           "id": "file_inclusion",
1377 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
1378 |         },
1379 |         {
1380 |           "id": "http_response_manipulation",
1381 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
1382 |         },
1383 |         {
1384 |           "id": "ldap_injection",
1385 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
1386 |         },
1387 |         {
1388 |           "id": "parameter_pollution",
1389 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1390 |         },
1391 |         {
1392 |           "id": "remote_code_execution_rce",
1393 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
1394 |         },
1395 |         {
1396 |           "id": "sql_injection",
1397 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
1398 |         },
1399 |         {
1400 |           "id": "ssti",
1401 |           "children": [
1402 |             {
1403 |               "id": "basic",
1404 |               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1405 |             },
1406 |             {
1407 |               "id": "custom",
1408 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
1409 |             }
1410 |           ]
1411 |         },
1412 |         {
1413 |           "id": "xml_external_entity_injection_xxe",
1414 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
1415 |         }
1416 |       ]
1417 |     },
1418 |     {
1419 |       "id": "smart_contract_misconfiguration",
1420 |       "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1421 |     },
1422 |     {
1423 |       "id": "societal_biases",
1424 |       "children": [
1425 |         {
1426 |           "id": "confirmation_bias",
1427 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
1428 |         },
1429 |         {
1430 |           "id": "systemic_bias",
1431 |           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
1432 |         }
1433 |       ]
1434 |     },
1435 |     {
1436 |       "id": "unvalidated_redirects_and_forwards",
1437 |       "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
1438 |       "children": [
1439 |         {
1440 |           "id": "open_redirect",
1441 |           "children": [
1442 |             {
1443 |               "id": "get_based",
1444 |               "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
1445 |             }
1446 |           ]
1447 |         }
1448 |       ]
1449 |     },
1450 |     {
1451 |       "id": "using_components_with_known_vulnerabilities",
1452 |       "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
1453 |       "children": [
1454 |         {
1455 |           "id": "rosetta_flash",
1456 |           "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
1457 |         }
1458 |       ]
1459 |     },
1460 |     {
1461 |       "id": "zero_knowledge_security_misconfiguration",
1462 |       "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1463 |     }
1464 |   ]
1465 | }


--------------------------------------------------------------------------------
/mappings/cvss_v3/cvss_v3.schema.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "$schema": "http://json-schema.org/draft-04/schema#",
 3 |   "title": "VRT to CVSS v3 Mapping",
 4 |   "description": "Mapping from the Vulnerability Rating Taxonomy to CVSS v3",
 5 |   "definitions": {
 6 |     "MappingMetadata": {
 7 |       "type": "object",
 8 |       "properties": {
 9 |         "default": { "$ref": "#/definitions/CVSSv3" }
10 |       },
11 |       "required": ["default"]
12 |     },
13 |     "VRTid": { "type": "string", "pattern": "^[a-z_]*$" },
14 |     "CVSSv3": { "type": "string", "pattern": "^AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/S:[UC]/C:[NLH]/I:[NLH]/A:[NLH]$" },
15 |     "Mapping": {
16 |       "type": "object",
17 |       "properties": {
18 |         "id": { "$ref": "#/definitions/VRTid" },
19 |         "cvss_v3" : { "$ref": "#/definitions/CVSSv3" }
20 |       },
21 |       "required": ["id", "cvss_v3"],
22 |       "additionalProperties": false
23 |     },
24 |     "MappingParent": {
25 |       "type": "object",
26 |       "properties": {
27 |         "id": { "$ref": "#/definitions/VRTid" },
28 |         "children": {
29 |           "type": "array",
30 |           "items" : {
31 |             "anyOf": [
32 |               { "$ref": "#/definitions/MappingParent" },
33 |               { "$ref": "#/definitions/Mapping" }
34 |             ]
35 |           }
36 |         },
37 |         "cvss_v3" : { "$ref": "#/definitions/CVSSv3" }
38 |       },
39 |       "required": ["id", "children"],
40 |       "additionalProperties": false
41 |     }
42 |   },
43 |   "type": "object",
44 |   "required": ["metadata", "content"],
45 |   "properties": {
46 |     "metadata": {
47 |       "$ref": "#/definitions/MappingMetadata"
48 |     },
49 |     "content": {
50 |       "type": "array",
51 |       "items" : {
52 |         "anyOf": [
53 |           { "$ref": "#/definitions/MappingParent" },
54 |           { "$ref": "#/definitions/Mapping" }
55 |         ]
56 |       }
57 |     }
58 |   }
59 | }
60 | 


--------------------------------------------------------------------------------
/mappings/cwe/cwe.json:
--------------------------------------------------------------------------------
   1 | {
   2 |   "metadata": {
   3 |     "default": null
   4 |   },
   5 |   "content": [
   6 |     {
   7 |       "id": "ai_application_security",
   8 |       "cwe": null
   9 |     },
  10 |     {
  11 |       "id": "algorithmic_biases",
  12 |       "cwe": null,
  13 |       "children": [
  14 |         {
  15 |           "id": "aggregation_bias",
  16 |           "cwe": null
  17 |         },
  18 |         {
  19 |           "id": "processing_bias",
  20 |           "cwe": null
  21 |         }
  22 |       ]
  23 |     },
  24 |     {
  25 |       "id": "application_level_denial_of_service_dos",
  26 |       "cwe": [
  27 |         "CWE-400"
  28 |       ]
  29 |     },
  30 |     {
  31 |       "id": "automotive_security_misconfiguration",
  32 |       "cwe": null,
  33 |       "children": [
  34 |         {
  35 |           "id": "abs",
  36 |           "cwe": null
  37 |         },
  38 |         {
  39 |           "id": "battery_management_system",
  40 |           "cwe": null
  41 |         },
  42 |         {
  43 |           "id": "can",
  44 |           "cwe": null
  45 |         },
  46 |         {
  47 |           "id": "gnss_gps",
  48 |           "cwe": null
  49 |         },
  50 |         {
  51 |           "id": "immobilizer",
  52 |           "cwe": null
  53 |         },
  54 |         {
  55 |           "id": "infotainment_radio_head_unit",
  56 |           "cwe": null
  57 |         },
  58 |         {
  59 |           "id": "rf_hub",
  60 |           "cwe": null
  61 |         },
  62 |         {
  63 |           "id": "rsu",
  64 |           "cwe": null
  65 |         }
  66 |       ]
  67 |     },
  68 |     {
  69 |       "id": "blockchain_infrastructure_misconfiguration",
  70 |       "cwe": null
  71 |     },
  72 |     {
  73 |       "id": "broken_access_control",
  74 |       "cwe": [
  75 |         "CWE-723"
  76 |       ],
  77 |       "children": [
  78 |         {
  79 |           "id": "exposed_sensitive_android_intent",
  80 |           "cwe": [
  81 |             "CWE-927"
  82 |           ]
  83 |         },
  84 |         {
  85 |           "id": "exposed_sensitive_ios_url_scheme",
  86 |           "cwe": [
  87 |             "CWE-939"
  88 |           ]
  89 |         },
  90 |         {
  91 |           "id": "idor",
  92 |           "cwe": [
  93 |             "CWE-932"
  94 |           ]
  95 |         },
  96 |         {
  97 |           "id": "privilege_escalation",
  98 |           "cwe": [
  99 |             "CWE-269"
 100 |           ]
 101 |         },
 102 |         {
 103 |           "id": "username_enumeration",
 104 |           "cwe": [
 105 |             "CWE-200"
 106 |           ]
 107 |         }
 108 |       ]
 109 |     },
 110 |     {
 111 |       "id": "broken_authentication_and_session_management",
 112 |       "cwe": [
 113 |         "CWE-930"
 114 |       ],
 115 |       "children": [
 116 |         {
 117 |           "id": "authentication_bypass",
 118 |           "cwe": [
 119 |             "CWE-287"
 120 |           ]
 121 |         },
 122 |         {
 123 |           "id": "cleartext_transmission_of_session_token",
 124 |           "cwe": [
 125 |             "CWE-319"
 126 |           ]
 127 |         },
 128 |         {
 129 |           "id": "concurrent_logins",
 130 |           "cwe": [
 131 |             "CWE-1018"
 132 |           ]
 133 |         },
 134 |         {
 135 |           "id": "failure_to_invalidate_session",
 136 |           "cwe": [
 137 |             "CWE-613"
 138 |           ]
 139 |         },
 140 |         {
 141 |           "id": "session_fixation",
 142 |           "cwe": [
 143 |             "CWE-384"
 144 |           ]
 145 |         },
 146 |         {
 147 |           "id": "two_fa_bypass",
 148 |           "cwe": [
 149 |             "CWE-304"
 150 |           ]
 151 |         },
 152 |         {
 153 |           "id": "weak_login_function",
 154 |           "cwe": [
 155 |             "CWE-523"
 156 |           ]
 157 |         },
 158 |         {
 159 |           "id": "weak_registration_implementation",
 160 |           "children": [
 161 |             {
 162 |               "id": "over_http",
 163 |               "cwe": [
 164 |                 "CWE-311"
 165 |               ]
 166 |             }
 167 |           ]
 168 |         }
 169 |       ]
 170 |     },
 171 |     {
 172 |       "id": "client_side_injection",
 173 |       "cwe": [
 174 |         "CWE-929"
 175 |       ]
 176 |     },
 177 |     {
 178 |       "id": "cross_site_request_forgery_csrf",
 179 |       "cwe": [
 180 |         "CWE-352"
 181 |       ]
 182 |     },
 183 |     {
 184 |       "id": "cross_site_scripting_xss",
 185 |       "cwe": [
 186 |         "CWE-79"
 187 |       ]
 188 |     },
 189 |     {
 190 |       "id": "cryptographic_weakness",
 191 |       "cwe": [
 192 |         "CWE-310",
 193 |         "CWE-1205"
 194 |       ],
 195 |       "children": [
 196 |         {
 197 |           "id": "broken_cryptography",
 198 |           "cwe": [
 199 |             "CWE-327"
 200 |           ],
 201 |           "children": [
 202 |             {
 203 |               "id": "use_of_broken_cryptographic_primitive",
 204 |               "cwe": [
 205 |                 "CWE-327"
 206 |               ]
 207 |             },
 208 |             {
 209 |               "id": "use_of_vulnerable_cryptographic_library",
 210 |               "cwe": [
 211 |                 "CWE-327"
 212 |               ]
 213 |             }
 214 |           ]
 215 |         },
 216 |         {
 217 |           "id": "incomplete_cleanup_of_keying_material",
 218 |           "cwe": [
 219 |             "CWE-459"
 220 |           ]
 221 |         },
 222 |         {
 223 |           "id": "insecure_implementation",
 224 |           "cwe": [
 225 |             "CWE-573"
 226 |           ],
 227 |           "children": [
 228 |             {
 229 |               "id": "improper_following_of_specification",
 230 |               "cwe": [
 231 |                 "CWE-358",
 232 |                 "CWE-573"
 233 |               ]
 234 |             },
 235 |             {
 236 |               "id": "missing_cryptographic_step",
 237 |               "cwe": [
 238 |                 "CWE-325"
 239 |               ]
 240 |             }
 241 |           ]
 242 |         },
 243 |         {
 244 |           "id": "insecure_key_generation",
 245 |           "cwe": null,
 246 |           "children": [
 247 |             {
 248 |               "id": "improper_asymmetric_exponent_selection",
 249 |               "cwe": [
 250 |                 "CWE-326",
 251 |                 "CWE-1240"
 252 |               ]
 253 |             },
 254 |             {
 255 |               "id": "improper_asymmetric_prime_selection",
 256 |               "cwe": [
 257 |                 "CWE-326",
 258 |                 "CWE-1240"
 259 |               ]
 260 |             },
 261 |             {
 262 |               "id": "insufficient_key_space",
 263 |               "cwe": [
 264 |                 "CWE-326",
 265 |                 "CWE-331",
 266 |                 "CWE-1240"
 267 |               ]
 268 |             },
 269 |             {
 270 |               "id": "insufficient_key_stretching",
 271 |               "cwe": [
 272 |                 "CWE-326",
 273 |                 "CWE-1240"
 274 |               ]
 275 |             },
 276 |             {
 277 |               "id": "key_exchange_without_entity_authentication",
 278 |               "cwe": [
 279 |                 "CWE-322"
 280 |               ]
 281 |             }
 282 |           ]
 283 |         },
 284 |         {
 285 |           "id": "insufficient_entropy",
 286 |           "cwe": [
 287 |             "CWE-330",
 288 |             "CWE-331"
 289 |           ],
 290 |           "children": [
 291 |             {
 292 |               "id": "initialization_vector_reuse",
 293 |               "cwe": [
 294 |                 "CWE-1204"
 295 |               ]
 296 |             },
 297 |             {
 298 |               "id": "limited_rng_entropy_source",
 299 |               "cwe": [
 300 |                 "CWE-338",
 301 |                 "CWE-332"
 302 |               ]
 303 |             },
 304 |             {
 305 |               "id": "predictable_initialization_vector",
 306 |               "cwe": [
 307 |                 "CWE-340"
 308 |               ]
 309 |             },
 310 |             {
 311 |               "id": "predictable_prng_seed",
 312 |               "cwe": [
 313 |                 "CWE-337"
 314 |               ]
 315 |             },
 316 |             {
 317 |               "id": "prng_seed_reuse",
 318 |               "cwe": [
 319 |                 "CWE-336"
 320 |               ]
 321 |             },
 322 |             {
 323 |               "id": "small_seed_space_in_prng",
 324 |               "cwe": [
 325 |                 "CWE-339",
 326 |                 "CWE-334"
 327 |               ]
 328 |             },
 329 |             {
 330 |               "id": "use_of_trng_for_nonsecurity_purpose",
 331 |               "cwe": [
 332 |                 "CWE-333"
 333 |               ]
 334 |             }
 335 |           ]
 336 |         },
 337 |         {
 338 |           "id": "insufficient_verification_of_data_authenticity",
 339 |           "cwe": [
 340 |             "CWE-345"
 341 |           ],
 342 |           "children": [
 343 |             {
 344 |               "id": "cryptographic_signature",
 345 |               "cwe": [
 346 |                 "CWE-347"
 347 |               ]
 348 |             },
 349 |             {
 350 |               "id": "identity_check_value",
 351 |               "cwe": [
 352 |                 "CWE-353",
 353 |                 "CWE-354",
 354 |                 "CWE-924"
 355 |               ]
 356 |             }
 357 |           ]
 358 |         },
 359 |         {
 360 |           "id": "key_reuse",
 361 |           "cwe": [
 362 |             "CWE-323"
 363 |           ],
 364 |           "children": [
 365 |             {
 366 |               "id": "inter_environment",
 367 |               "cwe": [
 368 |                 "CWE-323"
 369 |               ]
 370 |             },
 371 |             {
 372 |               "id": "intra_environment",
 373 |               "cwe": [
 374 |                 "CWE-323"
 375 |               ]
 376 |             },
 377 |             {
 378 |               "id": "lack_of_perfect_forward_secrecy",
 379 |               "cwe": [
 380 |                 "CWE-323"
 381 |               ]
 382 |             }
 383 |           ]
 384 |         },
 385 |         {
 386 |           "id": "side_channel_attack",
 387 |           "cwe": [
 388 |             "CWE-203",
 389 |             "CWE-1300"
 390 |           ],
 391 |           "children": [
 392 |             {
 393 |               "id": "differential_fault_analysis",
 394 |               "cwe": [
 395 |                 "CWE-204",
 396 |                 "CWE-205"
 397 |               ]
 398 |             },
 399 |             {
 400 |               "id": "emanations_attack",
 401 |               "cwe": [
 402 |                 "CWE-1300"
 403 |               ]
 404 |             },
 405 |             {
 406 |               "id": "padding_oracle_attack",
 407 |               "cwe": [
 408 |                 "CWE-780"
 409 |               ]
 410 |             },
 411 |             {
 412 |               "id": "power_analysis_attack",
 413 |               "cwe": [
 414 |                 "CWE-1300"
 415 |               ]
 416 |             },
 417 |             {
 418 |               "id": "timing_attack",
 419 |               "cwe": [
 420 |                 "CWE-208"
 421 |               ]
 422 |             }
 423 |           ]
 424 |         },
 425 |         {
 426 |           "id": "use_of_expired_cryptographic_key_or_cert",
 427 |           "cwe": [
 428 |             "CWE-295",
 429 |             "CWE-298",
 430 |             "CWE-299",
 431 |             "CWE-324"
 432 |           ]
 433 |         },
 434 |         {
 435 |           "id": "weak_hash",
 436 |           "cwe": [
 437 |             "CWE-328"
 438 |           ],
 439 |           "children": [
 440 |             {
 441 |               "id": "lack_of_salt",
 442 |               "cwe": [
 443 |                 "CWE-759",
 444 |                 "CWE-916"
 445 |               ]
 446 |             },
 447 |             {
 448 |               "id": "predictable_hash_collision",
 449 |               "cwe": [
 450 |                 "CWE-328"
 451 |               ]
 452 |             },
 453 |             {
 454 |               "id": "use_of_predictable_salt",
 455 |               "cwe": [
 456 |                 "CWE-760"
 457 |               ]
 458 |             }
 459 |           ]
 460 |         }
 461 |       ]
 462 |     },
 463 |     {
 464 |       "id": "data_biases",
 465 |       "cwe": null,
 466 |       "children": [
 467 |         {
 468 |           "id": "pre_existing_bias",
 469 |           "cwe": null
 470 |         },
 471 |         {
 472 |           "id": "representation_bias",
 473 |           "cwe": null
 474 |         }
 475 |       ]
 476 |     },
 477 |     {
 478 |       "id": "decentralized_application_misconfiguration",
 479 |       "cwe": null
 480 |     },
 481 |     {
 482 |       "id": "developer_biases",
 483 |       "cwe": null,
 484 |       "children": [
 485 |         {
 486 |           "id": "implicit_bias",
 487 |           "cwe": null
 488 |         }
 489 |       ]
 490 |     },
 491 |     {
 492 |       "id": "external_behavior",
 493 |       "cwe": null
 494 |     },
 495 |     {
 496 |       "id": "indicators_of_compromise",
 497 |       "cwe": null
 498 |     },
 499 |     {
 500 |       "id": "insecure_data_storage",
 501 |       "cwe": [
 502 |         "CWE-729",
 503 |         "CWE-922"
 504 |       ],
 505 |       "children": [
 506 |         {
 507 |           "id": "non_sensitive_application_data_stored_unencrypted",
 508 |           "cwe": [
 509 |             "CWE-312"
 510 |           ]
 511 |         },
 512 |         {
 513 |           "id": "sensitive_application_data_stored_unencrypted",
 514 |           "cwe": [
 515 |             "CWE-312"
 516 |           ]
 517 |         },
 518 |         {
 519 |           "id": "server_side_credentials_storage",
 520 |           "cwe": [
 521 |             "CWE-522"
 522 |           ],
 523 |           "children": [
 524 |             {
 525 |               "id": "plaintext",
 526 |               "cwe": [
 527 |                 "CWE-256"
 528 |               ]
 529 |             }
 530 |           ]
 531 |         }
 532 |       ]
 533 |     },
 534 |     {
 535 |       "id": "insecure_data_transport",
 536 |       "cwe": [
 537 |         "CWE-311",
 538 |         "CWE-319"
 539 |       ],
 540 |       "children": [
 541 |         {
 542 |           "id": "cleartext_transmission_of_sensitive_data",
 543 |           "cwe": [
 544 |             "CWE-319"
 545 |           ]
 546 |         },
 547 |         {
 548 |           "id": "executable_download",
 549 |           "children": [
 550 |             {
 551 |               "id": "no_secure_integrity_check",
 552 |               "cwe": [
 553 |                 "CWE-353",
 554 |                 "CWE-354",
 555 |                 "CWE-494"
 556 |               ]
 557 |             }
 558 |           ]
 559 |         }
 560 |       ]
 561 |     },
 562 |     {
 563 |       "id": "insecure_os_firmware",
 564 |       "children": [
 565 |         {
 566 |           "id": "command_injection",
 567 |           "cwe": [
 568 |             "CWE-77"
 569 |           ]
 570 |         },
 571 |         {
 572 |           "id": "data_not_encrypted_at_rest",
 573 |           "children": [
 574 |             {
 575 |               "id": "non_sensitive",
 576 |               "cwe": [
 577 |                 "CWE-311"
 578 |               ]
 579 |             },
 580 |             {
 581 |               "id": "sensitive",
 582 |               "cwe": [
 583 |                 "CWE-311"
 584 |               ]
 585 |             }
 586 |           ]
 587 |         },
 588 |         {
 589 |           "id": "failure_to_remove_sensitive_artifacts_from_disk",
 590 |           "cwe": [
 591 |             "CWE-459"
 592 |           ]
 593 |         },
 594 |         {
 595 |           "id": "hardcoded_password",
 596 |           "cwe": [
 597 |             "CWE-259"
 598 |           ]
 599 |         },
 600 |         {
 601 |           "id": "kiosk_escape_or_breakout",
 602 |           "cwe": [
 603 |             "CWE-284"
 604 |           ]
 605 |         },
 606 |         {
 607 |           "id": "local_administrator_on_default_environment",
 608 |           "cwe": [
 609 |             "CWE-276"
 610 |           ]
 611 |         },
 612 |         {
 613 |           "id": "over_permissioned_credentials_on_storage",
 614 |           "cwe": [
 615 |             "CWE-250"
 616 |           ]
 617 |         },
 618 |         {
 619 |           "id": "poorly_configured_disk_encryption",
 620 |           "cwe": [
 621 |             "CWE-326"
 622 |           ]
 623 |         },
 624 |         {
 625 |           "id": "poorly_configured_operating_system_security",
 626 |           "cwe": [
 627 |             "CWE-16"
 628 |           ]
 629 |         },
 630 |         {
 631 |           "id": "recovery_of_disk_contains_sensitive_material",
 632 |           "cwe": [
 633 |             "CWE-522"
 634 |           ]
 635 |         },
 636 |         {
 637 |           "id": "shared_credentials_on_storage",
 638 |           "cwe": [
 639 |             "CWE-798"
 640 |           ]
 641 |         },
 642 |         {
 643 |           "id": "weakness_in_firmware_updates",
 644 |           "children": [
 645 |             {
 646 |               "id": "firmware_cannot_be_updated",
 647 |               "cwe": [
 648 |                 "CWE-434"
 649 |               ]
 650 |             },
 651 |             {
 652 |               "id": "firmware_does_not_validate_update_integrity",
 653 |               "cwe": [
 654 |                 "CWE-434"
 655 |               ]
 656 |             },
 657 |             {
 658 |               "id": "firmware_is_not_encrypted",
 659 |               "cwe": [
 660 |                 "CWE-434"
 661 |               ]
 662 |             }
 663 |           ]
 664 |         }
 665 |       ]
 666 |     },
 667 |     {
 668 |       "id": "insufficient_security_configurability",
 669 |       "cwe": [
 670 |         "CWE-16"
 671 |       ],
 672 |       "children": [
 673 |         {
 674 |           "id": "no_password_policy",
 675 |           "cwe": [
 676 |             "CWE-521"
 677 |           ]
 678 |         },
 679 |         {
 680 |           "id": "password_policy_bypass",
 681 |           "cwe": [
 682 |             "CWE-521"
 683 |           ]
 684 |         },
 685 |         {
 686 |           "id": "weak_password_policy",
 687 |           "cwe": [
 688 |             "CWE-521"
 689 |           ]
 690 |         },
 691 |         {
 692 |           "id": "weak_password_reset_implementation",
 693 |           "cwe": [
 694 |             "CWE-640"
 695 |           ]
 696 |         }
 697 |       ]
 698 |     },
 699 |     {
 700 |       "id": "lack_of_binary_hardening",
 701 |       "cwe": [
 702 |         "CWE-693"
 703 |       ]
 704 |     },
 705 |     {
 706 |       "id": "misinterpretation_biases",
 707 |       "cwe": null,
 708 |       "children": [
 709 |         {
 710 |           "id": "context_ignorance",
 711 |           "cwe": null
 712 |         }
 713 |       ]
 714 |     },
 715 |     {
 716 |       "id": "mobile_security_misconfiguration",
 717 |       "cwe": [
 718 |         "CWE-919"
 719 |       ]
 720 |     },
 721 |     {
 722 |       "id": "network_security_misconfiguration",
 723 |       "cwe": [
 724 |         "CWE-16"
 725 |       ]
 726 |     },
 727 |     {
 728 |       "id": "physical_security_issues",
 729 |       "children": [
 730 |         {
 731 |           "id": "bypass_of_physical_access_control",
 732 |           "cwe": [
 733 |             "CWE-1300"
 734 |           ]
 735 |         },
 736 |         {
 737 |           "id": "weakness_in_physical_access_control",
 738 |           "children": [
 739 |             {
 740 |               "id": "cloneable_key",
 741 |               "cwe": [
 742 |                 "CWE-1300"
 743 |               ]
 744 |             },
 745 |             {
 746 |               "id": "commonly_keyed_system",
 747 |               "cwe": [
 748 |                 "CWE-284"
 749 |               ]
 750 |             },
 751 |             {
 752 |               "id": "master_key_identification",
 753 |               "cwe": [
 754 |                 "CWE-284"
 755 |               ]
 756 |             }
 757 |           ]
 758 |         }
 759 |       ]
 760 |     },
 761 |     {
 762 |       "id": "privacy_concerns",
 763 |       "cwe": [
 764 |         "CWE-359"
 765 |       ]
 766 |     },
 767 |     {
 768 |       "id": "protocol_specific_misconfiguration",
 769 |       "cwe": null
 770 |     },
 771 |     {
 772 |       "id": "sensitive_data_exposure",
 773 |       "cwe": [
 774 |         "CWE-934"
 775 |       ],
 776 |       "children": [
 777 |         {
 778 |           "id": "disclosure_of_known_public_information",
 779 |           "cwe": [
 780 |             "CWE-200"
 781 |           ]
 782 |         },
 783 |         {
 784 |           "id": "disclosure_of_secrets",
 785 |           "children": [
 786 |             {
 787 |               "id": "pii_leakage_exposure",
 788 |               "cwe": [
 789 |                 "CWE-200"
 790 |               ]
 791 |             }
 792 |           ]
 793 |         },
 794 |         {
 795 |           "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
 796 |           "cwe": [
 797 |             "CWE-200"
 798 |           ]
 799 |         },
 800 |         {
 801 |           "id": "non_sensitive_token_in_url",
 802 |           "cwe": [
 803 |             "CWE-200"
 804 |           ]
 805 |         },
 806 |         {
 807 |           "id": "sensitive_token_in_url",
 808 |           "cwe": [
 809 |             "CWE-200"
 810 |           ]
 811 |         },
 812 |         {
 813 |           "id": "token_leakage_via_referer",
 814 |           "cwe": [
 815 |             "CWE-200"
 816 |           ]
 817 |         },
 818 |         {
 819 |           "id": "via_localstorage_sessionstorage",
 820 |           "cwe": [
 821 |             "CWE-922"
 822 |           ]
 823 |         },
 824 |         {
 825 |           "id": "visible_detailed_error_page",
 826 |           "cwe": [
 827 |             "CWE-209",
 828 |             "CWE-215"
 829 |           ]
 830 |         },
 831 |         {
 832 |           "id": "weak_password_reset_implementation",
 833 |           "cwe": [
 834 |             "CWE-640"
 835 |           ]
 836 |         }
 837 |       ]
 838 |     },
 839 |     {
 840 |       "id": "server_security_misconfiguration",
 841 |       "cwe": [
 842 |         "CWE-16"
 843 |       ],
 844 |       "children": [
 845 |         {
 846 |           "id": "cache_poisoning",
 847 |           "cwe": [
 848 |             "CWE-444"
 849 |           ]
 850 |         },
 851 |         {
 852 |           "id": "captcha",
 853 |           "cwe": [
 854 |             "CWE-804"
 855 |           ]
 856 |         },
 857 |         {
 858 |           "id": "clickjacking",
 859 |           "cwe": [
 860 |             "CWE-451"
 861 |           ]
 862 |         },
 863 |         {
 864 |           "id": "dbms_misconfiguration",
 865 |           "children": [
 866 |             {
 867 |               "id": "excessively_privileged_user_dba",
 868 |               "cwe": [
 869 |                 "CWE-250"
 870 |               ]
 871 |             }
 872 |           ]
 873 |         },
 874 |         {
 875 |           "id": "directory_listing_enabled",
 876 |           "cwe": [
 877 |             "CWE-548"
 878 |           ]
 879 |         },
 880 |         {
 881 |           "id": "insecure_ssl",
 882 |           "children": [
 883 |             {
 884 |               "id": "insecure_cipher_suite",
 885 |               "cwe": [
 886 |                 "CWE-326"
 887 |               ]
 888 |             }
 889 |           ]
 890 |         },
 891 |         {
 892 |           "id": "lack_of_password_confirmation",
 893 |           "children": [
 894 |             {
 895 |               "id": "change_password",
 896 |               "cwe": [
 897 |                 "CWE-620"
 898 |               ]
 899 |             }
 900 |           ]
 901 |         },
 902 |         {
 903 |           "id": "lack_of_security_headers",
 904 |           "children": [
 905 |             {
 906 |               "id": "cache_control_for_a_non_sensitive_page",
 907 |               "cwe": [
 908 |                 "CWE-525"
 909 |               ]
 910 |             },
 911 |             {
 912 |               "id": "cache_control_for_a_sensitive_page",
 913 |               "cwe": [
 914 |                 "CWE-525"
 915 |               ]
 916 |             }
 917 |           ]
 918 |         },
 919 |         {
 920 |           "id": "misconfigured_dns",
 921 |           "children": [
 922 |             {
 923 |               "id": "zone_transfer",
 924 |               "cwe": [
 925 |                 "CWE-669"
 926 |               ]
 927 |             }
 928 |           ]
 929 |         },
 930 |         {
 931 |           "id": "missing_secure_or_httponly_cookie_flag",
 932 |           "cwe": [
 933 |             "CWE-614",
 934 |             "CWE-1004"
 935 |           ]
 936 |         },
 937 |         {
 938 |           "id": "no_rate_limiting_on_form",
 939 |           "cwe": [
 940 |             "CWE-799"
 941 |           ],
 942 |           "children": [
 943 |             {
 944 |               "id": "login",
 945 |               "cwe": [
 946 |                 "CWE-307"
 947 |               ]
 948 |             }
 949 |           ]
 950 |         },
 951 |         {
 952 |           "id": "oauth_misconfiguration",
 953 |           "cwe": [
 954 |             "CWE-303"
 955 |           ],
 956 |           "children": [
 957 |             {
 958 |               "id": "insecure_redirect_uri",
 959 |               "cwe": [
 960 |                 "CWE-601"
 961 |               ]
 962 |             },
 963 |             {
 964 |               "id": "missing_state_parameter",
 965 |               "cwe": [
 966 |                 "CWE-352"
 967 |               ]
 968 |             }
 969 |           ]
 970 |         },
 971 |         {
 972 |           "id": "path_traversal",
 973 |           "cwe": [
 974 |             "CWE-22",
 975 |             "CWE-73"
 976 |           ]
 977 |         },
 978 |         {
 979 |           "id": "race_condition",
 980 |           "cwe": [
 981 |             "CWE-362",
 982 |             "CWE-366",
 983 |             "CWE-368",
 984 |             "CWE-421"
 985 |           ]
 986 |         },
 987 |         {
 988 |           "id": "request_smuggling",
 989 |           "cwe": [
 990 |             "CWE-444"
 991 |           ]
 992 |         },
 993 |         {
 994 |           "id": "server_side_request_forgery_ssrf",
 995 |           "cwe": [
 996 |             "CWE-918",
 997 |             "CWE-441"
 998 |           ]
 999 |         },
1000 |         {
1001 |           "id": "ssl_attack_breach_poodle_etc",
1002 |           "cwe": [
1003 |             "CWE-310"
1004 |           ]
1005 |         },
1006 |         {
1007 |           "id": "unsafe_cross_origin_resource_sharing",
1008 |           "cwe": [
1009 |             "CWE-942"
1010 |           ]
1011 |         },
1012 |         {
1013 |           "id": "unsafe_file_upload",
1014 |           "children": [
1015 |             {
1016 |               "id": "file_extension_filter_bypass",
1017 |               "cwe": [
1018 |                 "CWE-434",
1019 |                 "CWE-646"
1020 |               ]
1021 |             }
1022 |           ]
1023 |         },
1024 |         {
1025 |           "id": "username_enumeration",
1026 |           "cwe": [
1027 |             "CWE-204"
1028 |           ]
1029 |         },
1030 |         {
1031 |           "id": "using_default_credentials",
1032 |           "cwe": [
1033 |             "CWE-255",
1034 |             "CWE-521"
1035 |           ]
1036 |         }
1037 |       ]
1038 |     },
1039 |     {
1040 |       "id": "server_side_injection",
1041 |       "cwe": [
1042 |         "CWE-929"
1043 |       ],
1044 |       "children": [
1045 |         {
1046 |           "id": "content_spoofing",
1047 |           "cwe": [
1048 |             "CWE-451"
1049 |           ],
1050 |           "children": [
1051 |             {
1052 |               "id": "homograph_idn_based",
1053 |               "cwe": [
1054 |                 "CWE-1007"
1055 |               ]
1056 |             }
1057 |           ]
1058 |         },
1059 |         {
1060 |           "id": "file_inclusion",
1061 |           "cwe": [
1062 |             "CWE-73",
1063 |             "CWE-714"
1064 |           ]
1065 |         },
1066 |         {
1067 |           "id": "http_response_manipulation",
1068 |           "children": [
1069 |             {
1070 |               "id": "response_splitting_crlf",
1071 |               "cwe": [
1072 |                 "CWE-113"
1073 |               ]
1074 |             }
1075 |           ]
1076 |         },
1077 |         {
1078 |           "id": "ldap_injection",
1079 |           "cwe": [
1080 |             "CWE-90"
1081 |           ]
1082 |         },
1083 |         {
1084 |           "id": "remote_code_execution_rce",
1085 |           "cwe": [
1086 |             "CWE-77",
1087 |             "CWE-78",
1088 |             "CWE-94",
1089 |             "CWE-95"
1090 |           ]
1091 |         },
1092 |         {
1093 |           "id": "sql_injection",
1094 |           "cwe": [
1095 |             "CWE-89"
1096 |           ]
1097 |         },
1098 |         {
1099 |           "id": "ssti",
1100 |           "cwe": [
1101 |             "CWE-94"
1102 |           ]
1103 |         },
1104 |         {
1105 |           "id": "xml_external_entity_injection_xxe",
1106 |           "cwe": [
1107 |             "CWE-611"
1108 |           ]
1109 |         }
1110 |       ]
1111 |     },
1112 |     {
1113 |       "id": "smart_contract_misconfiguration",
1114 |       "cwe": null
1115 |     },
1116 |     {
1117 |       "id": "societal_biases",
1118 |       "cwe": null,
1119 |       "children": [
1120 |         {
1121 |           "id": "confirmation_bias",
1122 |           "cwe": null
1123 |         },
1124 |         {
1125 |           "id": "systemic_bias",
1126 |           "cwe": null
1127 |         }
1128 |       ]
1129 |     },
1130 |     {
1131 |       "id": "unvalidated_redirects_and_forwards",
1132 |       "cwe": [
1133 |         "CWE-601"
1134 |       ],
1135 |       "children": [
1136 |         {
1137 |           "id": "open_redirect",
1138 |           "cwe": [
1139 |             "CWE-601"
1140 |           ]
1141 |         },
1142 |         {
1143 |           "id": "tabnabbing",
1144 |           "cwe": [
1145 |             "CWE-1022"
1146 |           ]
1147 |         }
1148 |       ]
1149 |     },
1150 |     {
1151 |       "id": "using_components_with_known_vulnerabilities",
1152 |       "cwe": [
1153 |         "CWE-937"
1154 |       ]
1155 |     },
1156 |     {
1157 |       "id": "zero_knowledge_security_misconfiguration",
1158 |       "cwe": null
1159 |     }
1160 |   ]
1161 | }


--------------------------------------------------------------------------------
/mappings/cwe/cwe.schema.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "$schema": "http://json-schema.org/draft-04/schema#",
 3 |   "title": "VRT to CWE Mapping",
 4 |   "description": "Mapping from the Vulnerability Rating Taxonomy to CWE",
 5 |   "definitions": {
 6 |     "MappingMetadata": {
 7 |       "type": "object",
 8 |       "properties": {
 9 |         "default": { "type": "null" }
10 |       },
11 |       "required": ["default"]
12 |     },
13 |     "VRTid": { "type": "string", "pattern": "^[a-z_]*$" },
14 |     "CWE": { "type" : [ "array", "null" ],
15 |       "items" : { "type": "string", "pattern": "^CWE-[0-9]*$" },
16 |       "minItems": 1,
17 |       "uniqueItems": true
18 |     },
19 |     "Mapping": {
20 |       "type": "object",
21 |       "properties": {
22 |         "id": { "$ref": "#/definitions/VRTid" },
23 |         "cwe" : { "$ref": "#/definitions/CWE" }
24 |       },
25 |       "required": ["id", "cwe"],
26 |       "additionalProperties": false
27 |     },
28 |     "MappingParent": {
29 |       "type": "object",
30 |       "properties": {
31 |         "id": { "$ref": "#/definitions/VRTid" },
32 |         "children": {
33 |           "type": "array",
34 |           "items" : {
35 |             "anyOf": [
36 |               { "$ref": "#/definitions/MappingParent" },
37 |               { "$ref": "#/definitions/Mapping" }
38 |             ]
39 |           }
40 |         },
41 |         "cwe" : { "$ref": "#/definitions/CWE" }
42 |       },
43 |       "required": ["id", "children"],
44 |       "additionalProperties": false
45 |     }
46 |   },
47 |   "type": "object",
48 |   "required": ["metadata", "content"],
49 |   "properties": {
50 |     "metadata": {
51 |       "$ref": "#/definitions/MappingMetadata"
52 |     },
53 |     "content": {
54 |       "type": "array",
55 |       "items" : {
56 |         "anyOf": [
57 |           { "$ref": "#/definitions/MappingParent" },
58 |           { "$ref": "#/definitions/Mapping" }
59 |         ]
60 |       }
61 |     }
62 |   }
63 | }
64 | 


--------------------------------------------------------------------------------
/mappings/remediation_advice/remediation_advice.schema.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "$schema": "http://json-schema.org/draft-04/schema#",
 3 |   "title": "VRT to Remediation Advice",
 4 |   "description": "Mapping from the Vulnerability Rating Taxonomy to Remediation Advice",
 5 |   "definitions": {
 6 |     "MappingMetadata": {
 7 |       "type": "object",
 8 |       "properties": {
 9 |         "default": { "type": "null" },
10 |         "keys": { "type": "array",
11 |           "items": { "type": "string", "enum": ["remediation_advice", "references"] },
12 |           "minItems": 2,
13 |           "uniqueItems": true
14 |         }
15 |       },
16 |       "required": ["default", "keys"]
17 |     },
18 |     "VRTid": { "type": "string", "pattern": "^[a-z_]*$" },
19 |     "RemediationAdvice": { "type": "string" },
20 |     "References": { "type" : "array",
21 |       "items" : { "type": "string", "pattern": "^http[s]?:\/\/.*$" },
22 |       "minItems": 1,
23 |       "uniqueItems": true
24 |     },
25 |     "Mapping": {
26 |       "type": "object",
27 |       "properties": {
28 |         "id": { "$ref": "#/definitions/VRTid" },
29 |         "remediation_advice" : { "$ref": "#/definitions/RemediationAdvice" },
30 |         "references" : { "$ref": "#/definitions/References" }
31 |       },
32 |       "required": ["id"],
33 |       "anyOf": [
34 |         { "required": ["remediation_advice"] },
35 |         { "required": ["references"] }
36 |       ],
37 |       "additionalProperties": false
38 |     },
39 |     "MappingParent": {
40 |       "type": "object",
41 |       "properties": {
42 |         "id": { "$ref": "#/definitions/VRTid" },
43 |         "children": {
44 |           "type": "array",
45 |           "items" : {
46 |             "anyOf": [
47 |               { "$ref": "#/definitions/MappingParent" },
48 |               { "$ref": "#/definitions/Mapping" }
49 |             ]
50 |           }
51 |         },
52 |         "remediation_advice" : { "$ref": "#/definitions/RemediationAdvice" },
53 |         "references" : { "$ref": "#/definitions/References" }
54 |       },
55 |       "required": ["id", "children"],
56 |       "additionalProperties": false
57 |     }
58 |   },
59 |   "type": "object",
60 |   "required": ["metadata", "content"],
61 |   "properties": {
62 |     "metadata": {
63 |       "$ref": "#/definitions/MappingMetadata"
64 |     },
65 |     "content": {
66 |       "type": "array",
67 |       "items" : {
68 |         "anyOf": [
69 |           { "$ref": "#/definitions/MappingParent" },
70 |           { "$ref": "#/definitions/Mapping" }
71 |         ]
72 |       }
73 |     }
74 |   }
75 | }
76 | 


--------------------------------------------------------------------------------
/sort_all_jsons.py:
--------------------------------------------------------------------------------
1 | from lib.utils.utils import sort_jsons
2 | 
3 | if __name__ == '__main__':
4 |     sort_jsons()


--------------------------------------------------------------------------------
/vrt.schema.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "$schema": "http://json-schema.org/draft-04/schema#",
 3 |     "title": "Vulnerability Rating Taxonomy",
 4 |     "description": "A Taxonomy of potential vulnerabilities with suggested technical priority rating",
 5 |     "definitions": {
 6 |       "VRTmetadata": {
 7 |         "type": "object",
 8 |         "properties": {
 9 |           "release_date":   { "type": "string", "format": "date-time" }
10 |         }
11 |       },
12 |       "VRT": {
13 |         "type": "object",
14 |         "properties": {
15 |           "id":             { "type": "string", "pattern": "^[a-z_]*$" },
16 |           "type":           { "type": "string", "enum": [ "category", "subcategory", "variant" ] },
17 |           "name":           { "type": "string", "pattern": "^[ a-zA-Z0-9-+()\/,.<]*$" },
18 |           "priority":       {
19 |                               "anyOf": [
20 |                                 { "type": "number", "minimum": 1, "maximum": 5 },
21 |                                 { "type": "null" }
22 |                               ]
23 |                             }
24 |         },
25 |         "required": ["id", "name", "type", "priority"]
26 |       },
27 |       "VRTparent": {
28 |         "type": "object",
29 |         "properties": {
30 |           "id":             { "type": "string", "pattern": "^[a-z_]*$" },
31 |           "name":           { "type": "string", "pattern": "^[ a-zA-Z0-9-+()\/,.<]*$" },
32 |           "type":           { "type": "string", "enum": [ "category", "subcategory" ] },
33 |           "children": {
34 |             "type": "array",
35 |             "items" : {
36 |               "anyOf": [
37 |                 { "$ref": "#/definitions/VRTparent" },
38 |                 { "$ref": "#/definitions/VRT" }
39 |               ]
40 |             },
41 |             "minItems": 1
42 |           }
43 |         },
44 |         "required": ["id", "name", "type", "children"]
45 |       }
46 |     },
47 |     "type": "object",
48 |     "required": ["metadata", "content"],
49 |     "properties": {
50 |       "metadata": {
51 |          "$ref": "#/definitions/VRTmetadata"
52 |       },
53 |       "content": {
54 |         "type": "array",
55 |         "items" : {
56 |           "anyOf": [
57 |             { "$ref": "#/definitions/VRTparent" },
58 |             { "$ref": "#/definitions/VRT" }
59 |           ]
60 |         }
61 |       }
62 |     }
63 | }
64 | 


--------------------------------------------------------------------------------