componentDidMount() {
this.mounted = true;
- if (this.props.open) {
+
+ // load standards.json only if the facet is open, or there is a selected value
+ if (
+ this.props.open ||
+ this.props.owaspTop10.length > 0 ||
+ this.props.cwe.length > 0 ||
+ this.props.sansTop25.length > 0
+ ) {
this.loadStandards();
}
}
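Review bot: The three `length > 0` checks added to the mount guard encode "the facet has a selected value", and that same test is what decides whether anything is rendered from `getValues`; keeping it inline invites the two drifting apart when a fourth standard is added. Extract it once, `hasSelectedValues = () => this.props.owaspTop10.length > 0 || this.props.cwe.length > 0 || this.props.sansTop25.length > 0;`, and call it here. Because the load only happens on mount, a facet that is closed and empty at mount but later opened or given a value will never fetch standards unless an equivalent check exists in `componentDidUpdate` or the open handler, which is outside this hunk — worth confirming. The `this.mounted = true` set just before presumably guards a `setState` after the async load, so the flag should be cleared in `componentWillUnmount` (not visible here).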
getValues = () => {
return [
- ...this.props.owaspTop10.map(item => renderOwaspTop10Category(this.state.standards, item)),
- ...this.props.sansTop25.map(item => renderSansTop25Category(this.state.standards, item)),
+ ...this.props.owaspTop10.map(item =>
+ renderOwaspTop10Category(this.state.standards, item, true)
+ ),
+ ...this.props.sansTop25.map(item =>
+ renderSansTop25Category(this.state.standards, item, true)
+ ),
...this.props.cwe.map(item => renderCWECategory(this.state.standards, item))
];
};
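Review bot: The bare `true` literals passed to `renderOwaspTop10Category` and `renderSansTop25Category` read as magic at the call site, and the fact that the CWE branch deliberately does not get one is invisible without opening the helper. Judging by the expected value `'CWE-42 - cwe-42 title'` in the updated test, CWE labels already carry their own prefix, so a one-line comment above the array would make the asymmetry intentional rather than an omission: `// OWASP/SANS labels get a standard-name prefix; CWE labels already start with "CWE-"`. If the prefix flag grows further options, an options object would be clearer than a positional boolean.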
cwe: ['42', '1111', 'unknown']
});
checkValues('standards', [
- 'A1 - a1 title',
- 'A3',
+ 'OWASP A1 - a1 title',
+ 'OWASP A3',
'Not OWAPS',
- 'Risky Resource Management',
- 'foo',
+ 'SANS Risky Resource Management',
+ 'SANS foo',
'CWE-42 - cwe-42 title',
'CWE-1111',
'Unknown CWE'
open={true}
values={
Array [
- "A3",
- "Risky Resource Management",
+ "OWASP A3",
+ "SANS Risky Resource Management",
"CWE-42 - cwe-42 title",
]
}
cwe: { [x: string]: { title: string; description?: string } };
}
-export function renderOwaspTop10Category(standards: Standards, category: string): string {
+export function renderOwaspTop10Category(
+ standards: Standards,
+ category: string,
+ withPrefix = false
+): string {
const record = standards.owaspTop10[category];
if (!record) {
- return category.toUpperCase();
+ return addPrefix(category.toUpperCase(), 'OWASP', withPrefix);
} else if (category === 'unknown') {
return record.title;
} else {
- return `${category.toUpperCase()} - ${record.title}`;
+ return addPrefix(`${category.toUpperCase()} - ${record.title}`, 'OWASP', withPrefix);
}
}
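Review bot: The `category === 'unknown'` branch returns `record.title` directly, bypassing `addPrefix`, so when `withPrefix` is set the unknown OWASP category is the one label rendered without the `OWASP` prefix; the unchanged `'Not OWAPS'` expectation in the test suggests this is intended, but nothing in the code says so and the next reader will "fix" it. Add `// 'unknown' has a self-describing title, so it is never prefixed` on that branch. Note also that the `!record` check runs first, so an `unknown` category with no entry in `standards.owaspTop10` falls through to `OWASP UNKNOWN` — fine if the data always has the entry, but worth a word. The exported function now has a third parameter and no TSDoc; a short header stating that `withPrefix` prepends the standard's name to every label except the unknown-category title would document the contract.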
}
}
-export function renderSansTop25Category(standards: Standards, category: string): string {
+export function renderSansTop25Category(
+ standards: Standards,
+ category: string,
+ withPrefix = false
+): string {
const record = standards.sansTop25[category];
- return record ? record.title : category;
+ return addPrefix(record ? record.title : category, 'SANS', withPrefix);
+}
+
+function addPrefix(title: string, prefix: string, withPrefix: boolean) {
+ return withPrefix ? `${prefix} ${title}` : title;
}
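Review bot: `renderSansTop25Category` has no `'unknown'` special case, unlike its OWASP counterpart in this commit, so if `standards.sansTop25` carries an `unknown` entry its title will be rendered as `SANS …` while the OWASP one is rendered bare — either mirror the branch or confirm the asymmetry is wanted (the visible test only covers `foo`, a missing key). `addPrefix` should carry an explicit return type since it feeds two exported functions: `function addPrefix(title: string, prefix: string, withPrefix: boolean): string`. A one-line TSDoc on it, e.g. that it returns `title` unchanged when `withPrefix` is false, would also save readers a hop.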
handleTransition = (issue /*: Issue */) => {
this.props.onChange(issue);
- if (['FALSE-POSITIVE', 'WONTFIX'].includes(issue.resolution)) {
+ if (
+ issue.resolution === 'FALSE-POSITIVE' ||
+ (issue.resolution === 'WONTFIX' && issue.type !== 'SECURITY_HOTSPOT')
+ ) {
this.toggleComment(true, translate('issue.comment.tell_why'));
}
};
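Review bot: The new condition silently exempts `WONTFIX` on a `SECURITY_HOTSPOT` from the "tell why" prompt, and nothing in the hunk says why; marking a hotspot won't-fix is a risk-acceptance decision, so the justification is exactly what a later reviewer or auditor wants recorded. If the intent is that hotspots capture the reason through their own transitions (the `detect`/`dismiss`/`reject` keys elsewhere in this commit suggest a separate workflow), say so in place: `// NOTE: won't-fix on a SECURITY_HOTSPOT skips the justification prompt — confirm the hotspot workflow records the reason elsewhere`. The check also relies on `issue.type` being present on the `/*: Issue */` type, which I cannot verify from here. The enclosing component starts and ends outside this hunk.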
"a1": {
"title": "Injection",
"description":
- "Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization."
+ "Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization."
},
"a2": {
"title": "Broken Authentication",
"description":
- "Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently."
+ "Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently."
},
"a3": {
"title": "Sensitive Data Exposure",
"a5": {
"title": "Broken Access Control",
"description":
- "Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc."
+ "Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc."
},
"a6": {
"title": "Security Misconfiguration",
"a7": {
"title": "Cross-Site Scripting (XSS)",
"description":
- "XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites."
+ "XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites."
},
"a8": {
"title": "Insecure Deserialization",
issue.transition.wontfix=Resolve as won't fix
issue.transition.wontfix.description=This issue can be ignored because the rule is irrelevant in this context. Its effort won't be counted.
issue.transition.detect=Detect
-issue.transition.detect.description=This security hotspot is actually a real vulnerability and must be fixed.
+issue.transition.detect.description=A Vulnerability exists here and must be fixed.
issue.transition.dismiss=Dismiss
issue.transition.dismiss.description=This vulnerability can't be fixed as is and needs more details from a security expert.
issue.transition.reject=Reject