@mitre/hdf-converters 2.5.1

package/lib/data/aws-config-mapping.csv

@@ -0,0 +1,107 @@
+AwsConfigRuleSourceIdentifier,AwsConfigRuleName,NIST-ID,Rev
+SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK,secretsmanager-scheduled-rotation-success-check,AC-2(1)|AC-2(j),4
+IAM_USER_GROUP_MEMBERSHIP_CHECK,iam-user-group-membership-check,AC-2(1)|AC-2(j)|AC-3|AC-6,4
+IAM_PASSWORD_POLICY,iam-password-policy,AC-2(1)|AC-2(f)|AC-2(j)|IA-2|IA-5(1)(a)(d)(e)|IA-5(4),4
+ACCESS_KEYS_ROTATED,access-keys-rotated,AC-2(1)|AC-2(j),4
+IAM_USER_UNUSED_CREDENTIALS_CHECK,iam-user-unused-credentials-check,AC-2(1)|AC-2(3)|AC-2(f)|AC-3|AC-6,4
+SECURITYHUB_ENABLED,securityhub-enabled,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|SA-10|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
+GUARDDUTY_ENABLED_CENTRALIZED,guardduty-enabled-centralized,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|RA-5|SA-10|SI-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
+CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED,cloud-trail-cloud-watch-logs-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-6(1)(3)|AU-7(1)|AU-12(a)(c)|CA-7(a)(b)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
+CLOUD_TRAIL_ENABLED,cloudtrail-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+MULTI_REGION_CLOUD_TRAIL_ENABLED,multi-region-cloudtrail-enabled,AC-2(4)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+RDS_LOGGING_ENABLED,rds-logging-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+CLOUDWATCH_ALARM_ACTION_CHECK,cloudwatch-alarm-action-check,AC-2(4)|AU-6(1)(3)|AU-7(1)|CA-7(a)(b)|IR-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
+REDSHIFT_CLUSTER_CONFIGURATION_CHECK,redshift-cluster-configuration-check,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-13|SC-28,4
+IAM_ROOT_ACCESS_KEY_CHECK,iam-root-access-key-check,AC-2(f)|AC-2(j)|AC-3|AC-6|AC-6(10),4
+S3_BUCKET_LOGGING_ENABLED,s3-bucket-logging-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+CLOUDTRAIL_S3_DATAEVENTS_ENABLED,cloudtrail-s3-dataevents-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+ROOT_ACCOUNT_MFA_ENABLED,root-account-mfa-enabled,AC-2(j)|IA-2(1)(11),4
+EMR_KERBEROS_ENABLED,emr-kerberos-enabled,AC-2(j)|AC-3|AC-5(c)|AC-6,4
+IAM_GROUP_HAS_USERS_CHECK,iam-group-has-users-check,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
+IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS,iam-policy-no-statements-with-admin-access,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
+IAM_USER_NO_POLICIES_CHECK,iam-user-no-policies-check,AC-2(j)|AC-3|AC-5(c)|AC-6,4
+S3_BUCKET_PUBLIC_WRITE_PROHIBITED,s3-bucket-public-write-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED,lambda-function-public-access-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+RDS_SNAPSHOTS_PUBLIC_PROHIBITED,rds-snapshots-public-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK,redshift-cluster-public-access-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+S3_BUCKET_POLICY_GRANTEE_CHECK,s3-bucket-policy-grantee-check,AC-3|AC-6|SC-7|SC-7(3),4
+S3_BUCKET_PUBLIC_READ_PROHIBITED,s3-bucket-public-read-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS,s3-account-level-public-access-blocks,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+DMS_REPLICATION_NOT_PUBLIC,dms-replication-not-public,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK,ebs-snapshot-public-restorable-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS,sagemaker-notebook-no-direct-internet-access,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+RDS_INSTANCE_PUBLIC_ACCESS_CHECK,rds-instance-public-access-check,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+LAMBDA_INSIDE_VPC,lambda-inside-vpc,AC-4|SC-7|SC-7(3),4
+INSTANCES_IN_VPC,ec2-instances-in-vpc,AC-4|SC-7|SC-7(3),4
+RESTRICTED_INCOMING_TRAFFIC,restricted-common-ports,AC-4|CM-2|SC-7|SC-7(3),4
+INCOMING_SSH_DISABLED,restricted-ssh,AC-4|SC-7|SC-7(3),4
+VPC_DEFAULT_SECURITY_GROUP_CLOSED,vpc-default-security-group-closed,AC-4|SC-7|SC-7(3),4
+VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS,vpc-sg-open-only-to-authorized-ports,AC-4|SC-7|SC-7(3),4
+ACM_CERTIFICATE_EXPIRATION_CHECK,acm-certificate-expiration-check,AC-4|AC-17(2)|SC-12,4
+EC2_INSTANCE_NO_PUBLIC_IP,ec2-instance-no-public-ip,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+ELASTICSEARCH_IN_VPC_ONLY,elasticsearch-in-vpc-only,AC-4|SC-7|SC-7(3),4
+EMR_MASTER_NO_PUBLIC_IP,emr-master-no-public-ip,AC-4|AC-21(b)|SC-7|SC-7(3),4
+INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY,internet-gateway-authorized-vpc-only,AC-4|AC-17(3)|SC-7|SC-7(3),4
+CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK,codebuild-project-envvar-awscred-check,AC-6|IA-5(7)|SA-3(a),4
+EC2_IMDSV2_CHECK,ec2-imdsv2-check,AC-6,4
+IAM_NO_INLINE_POLICY_CHECK,iam-no-inline-policy-check,AC-6,4
+ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK,alb-http-to-https-redirection-check,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13|SC-23,4
+REDSHIFT_REQUIRE_TLS_SSL,redshift-require-tls-ssl,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
+S3_BUCKET_SSL_REQUESTS_ONLY,s3-bucket-ssl-requests-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
+ELB_ACM_CERTIFICATE_REQUIRED,elb-acm-certificate-required,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
+ALB_HTTP_DROP_INVALID_HEADER_ENABLED,alb-http-drop-invalid-header-enabled,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
+ELB_TLS_HTTPS_LISTENERS_ONLY,elb-tls-https-listeners-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
+API_GW_EXECUTION_LOGGING_ENABLED,api-gw-execution-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
+ELB_LOGGING_ENABLED,elb-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
+VPC_FLOW_LOGS_ENABLED,vpc-flow-logs-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
+WAFV2_LOGGING_ENABLED,wafv2-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-7|SI-4(a)(b)(c),4
+CLOUD_TRAIL_ENCRYPTION_ENABLED,cloud-trail-encryption-enabled,AU-9|SC-13|SC-28,4
+CLOUDWATCH_LOG_GROUP_ENCRYPTED,cloudwatch-log-group-encrypted,AU-9|SC-13|SC-28,4
+S3_BUCKET_REPLICATION_ENABLED,s3-bucket-replication-enabled,AU-9(2)|CP-9(b)|CP-10|SC-5|SC-36,4
+CW_LOGGROUP_RETENTION_PERIOD_CHECK,cw-loggroup-retention-period-check,AU-11|SI-12,4
+EC2_INSTANCE_DETAILED_MONITORING_ENABLED,ec2-instance-detailed-monitoring-enabled,CA-7(a)(b)|SI-4(2)|SI-4(a)(b)(c),4
+RDS_ENHANCED_MONITORING_ENABLED,rds-enhanced-monitoring-enabled,CA-7(a)(b),4
+EC2_INSTANCE_MANAGED_BY_SSM,ec2-instance-managed-by-systems-manager,CM-2|CM-7(a)|CM-8(1)|CM-8(3)(a)|SA-3(a)|SA-10|SI-2(2)|SI-7(1),4
+EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK,ec2-managedinstance-association-compliance-status-check,CM-2|CM-7(a)|CM-8(3)(a)|SI-2(2),4
+EC2_STOPPED_INSTANCE,ec2-stopped-instance,CM-2,4
+EC2_VOLUME_INUSE_CHECK,ec2-volume-inuse-check,CM-2|SC-4,4
+ELB_DELETION_PROTECTION_ENABLED,elb-deletion-protection-enabled,CM-2|CP-10,4
+CLOUDTRAIL_SECURITY_TRAIL_ENABLED,cloudtrail-security-trail-enabled,CM-2,4
+EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK,ec2-managedinstance-patch-compliance-status-check,CM-8(3)(a)|SI-2(2)|SI-7(1),4
+DB_INSTANCE_BACKUP_ENABLED,db-instance-backup-enabled,CP-9(b)|CP-10|SI-12,4
+DYNAMODB_PITR_ENABLED,dynamodb-pitr-enabled,CP-9(b)|CP-10|SI-12,4
+ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK,elasticache-redis-cluster-automatic-backup-check,CP-9(b)|CP-10|SI-12,4
+DYNAMODB_IN_BACKUP_PLAN,dynamodb-in-backup-plan,CP-9(b)|CP-10|SI-12,4
+EBS_IN_BACKUP_PLAN,ebs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
+EFS_IN_BACKUP_PLAN,efs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
+RDS_IN_BACKUP_PLAN,rds-in-backup-plan,CP-9(b)|CP-10|SI-12,4
+DYNAMODB_AUTOSCALING_ENABLED,dynamodb-autoscaling-enabled,CP-10|SC-5,4
+RDS_MULTI_AZ_SUPPORT,rds-multi-az-support,CP-10|SC-5|SC-36,4
+S3_BUCKET_VERSIONING_ENABLED,s3-bucket-versioning-enabled,CP-10|SI-12,4
+VPC_VPN_2_TUNNELS_UP,vpc-vpn-2-tunnels-up,CP-10,4
+ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED,elb-cross-zone-load-balancing-enabled,CP-10|SC-5,4
+ROOT_ACCOUNT_HARDWARE_MFA_ENABLED,root-account-hardware-mfa-enabled,IA-2(1)(11),4
+MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS,mfa-enabled-for-iam-console-access,IA-2(1)(2)(11),4
+IAM_USER_MFA_ENABLED,iam-user-mfa-enabled,IA-2(1)(2)(11),4
+GUARDDUTY_NON_ARCHIVED_FINDINGS,guardduty-non-archived-findings,IR-4(1)|IR-6(1)|IR-7(1)|RA-5|SA-10|SI-4(a)(b)(c),4
+CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK,codebuild-project-source-repo-url-check,SA-3(a),4
+AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED,autoscaling-group-elb-healthcheck-required,SC-5,4
+RDS_INSTANCE_DELETION_PROTECTION_ENABLED,rds-instance-deletion-protection-enabled,SC-5,4
+ALB_WAF_ENABLED,alb-waf-enabled,SC-7|SI-4(a)(b)(c),4
+ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK,elasticsearch-node-to-node-encryption-check,SC-7|SC-8|SC-8(1),4
+CMK_BACKING_KEY_ROTATION_ENABLED,cmk-backing-key-rotation-enabled,SC-12,4
+KMS_CMK_NOT_SCHEDULED_FOR_DELETION,kms-cmk-not-scheduled-for-deletion,SC-12|SC-28,4
+API_GW_CACHE_ENABLED_AND_ENCRYPTED,api-gw-cache-enabled-and-encrypted,SC-13|SC-28,4
+EFS_ENCRYPTED_CHECK,efs-encrypted-check,SC-13|SC-28,4
+ELASTICSEARCH_ENCRYPTED_AT_REST,elasticsearch-encrypted-at-rest,SC-13|SC-28,4
+ENCRYPTED_VOLUMES,encrypted-volumes,SC-13|SC-28,4
+RDS_STORAGE_ENCRYPTED,rds-storage-encrypted,SC-13|SC-28,4
+S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED,s3-bucket-server-side-encryption-enabled,SC-13|SC-28,4
+SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED,sagemaker-endpoint-configuration-kms-key-configured,SC-13|SC-28,4
+SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED,sagemaker-notebook-instance-kms-key-configured,SC-13|SC-28,4
+SNS_ENCRYPTED_KMS,sns-encrypted-kms,SC-13|SC-28,4
+DYNAMODB_TABLE_ENCRYPTED_KMS,dynamodb-table-encrypted-kms,SC-13,4
+S3_BUCKET_DEFAULT_LOCK_ENABLED,s3-bucket-default-lock-enabled,SC-28,4
+EC2_EBS_ENCRYPTION_BY_DEFAULT,ec2-ebs-encryption-by-default,SC-28,4
+RDS_SNAPSHOT_ENCRYPTED,rds-snapshot-encrypted,SC-28,4
+CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED,cloud-trail-log-file-validation-enabled,SI-7|SI-7(1),4

package/lib/data/cwe-nist-mapping.csv

@@ -0,0 +1,203 @@
+CWE-ID,CWE Name,NIST-ID,Rev,NIST Name
+5, J2EE Misconfiguration: Data Transmission Without Encryption,SC-8,4,Transmission Confidentiality and Integrity
+6, J2EE Misconfiguration: Insufficient Session-ID Length,SC-23,4,Session Authenticity
+7, J2EE Misconfiguration: Missing Custom Error Page,SI-11,4,Error Handling
+8, J2EE Misconfiguration: Entity Bean Declared Remote,AC-3,4,Access Enforcement
+9, J2EE Misconfiguration: Weak Access Permissions for EJB Methods,AC-3,4,Access Enforcement
+11, ASP.NET Misconfiguration: Creating Debug Binary,SI-11,4,Error Handling
+14, Compiler Removal of Code to Clear Buffers,SI-16,4,Memory Protection
+15, External Control of System or Configuration Setting,SI-10,4,Information Input Validation
+20, Improper Input Validation,SI-10,4,Information Input Validation
+22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'),SI-10,4,Information Input Validation
+23, Relative Path Traversal,SI-10,4,Information Input Validation
+36, Absolute Path Traversal,SI-10,4,Information Input Validation
+73, External Control of File Name or Path,SI-10,4,Information Input Validation
+77, Improper Neutralization of Special Elements used in a Command ('Command Injection'),SI-10,4,Information Input Validation
+78, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'),SI-10,4,Information Input Validation
+79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'),SI-10,4,Information Input Validation
+89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'),SI-10,4,Information Input Validation
+90, Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'),SI-10,4,Information Input Validation
+91, XML Injection (aka Blind XPath Injection),SI-10,4,Information Input Validation
+94, Improper Control of Generation of Code ('Code Injection'),SI-10,4,Information Input Validation
+95, Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'),SI-10,4,Information Input Validation
+99, Improper Control of Resource Identifiers ('Resource Injection'),SI-10,4,Information Input Validation
+101, Struts Validation Problems,SI-10,4,Information Input Validation
+102, Struts: Duplicate Validation Forms,SI-10,4,Information Input Validation
+103, Struts: Incomplete validate() Method Definition,SI-10,4,Information Input Validation
+104, Struts: Form Bean Does Not Extend Validation Class,SI-10,4,Information Input Validation
+105, Struts: Form Field Without Validator,SI-10,4,Information Input Validation
+106, Struts: Plug-in Framework not in Use,SI-10,4,Information Input Validation
+107, Struts: Unused Validation Form,SI-10,4,Information Input Validation
+108, Struts: Unvalidated Action Form,SI-10,4,Information Input Validation
+109, Struts: Validator Turned Off,SI-10,4,Information Input Validation
+110, Struts: Validator Without Form Field,SI-10,4,Information Input Validation
+111, Direct Use of Unsafe JNI,SI-10,4,Information Input Validation
+112, Missing XML Validation,SI-10,4,Information Input Validation
+113, Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'),SI-10,4,Information Input Validation
+114, Process Control,SI-10,4,Information Input Validation
+117, Improper Output Neutralization for Logs,SI-10,4,Information Input Validation
+119, Improper Restriction of Operations within the Bounds of a Memory Buffer,SI-10,4,Information Input Validation
+120, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'),SI-10,4,Information Input Validation
+125, Out-of-bounds Read,SI-10,4,Information Input Validation
+126, Buffer Over-read,SI-10,4,Information Input Validation
+129, Improper Validation of Array Index,,4,
+131, Incorrect Calculation of Buffer Size,SI-10,4,Information Input Validation
+134, Uncontrolled Format String,SI-10,4,Information Input Validation
+170, Improper Null Termination,SI-10,4,Information Input Validation
+176, Improper Handling of Unicode Encoding,,4,
+185, Incorrect Regular Expression,,4,
+189, Numeric Errors,SA-11,4,Developer Security Testing and Evaluation
+190, Integer Overflow or Wraparound,SI-10,4,Information Input Validation
+195, Signed to Unsigned Conversion Error,,4,
+200, Information Exposure,SC-8,4,Transmission Confidentiality and Integrity
+209, Information Exposure Through an Error Message,,4,
+215, Information Exposure Through Debug Information,SI-11,4,Error Handling
+226, Sensitive Information Uncleared Before Release,SC-4,4,Information in Shared Resources
+235, Improper Handling of Extra Parameters,SI-10,4,Information Input Validation
+242, Use of Inherently Dangerous Function,,4,
+243, Creation of chroot Jail Without Changing Working Directory,AC-3,4,Access Enforcement
+244, Improper Cleaning of Heap Memory,SC-4,4,Information in Shared Resources
+245, J2EE Bad Practices: Direct Management of Connections,,4,
+246, J2EE Bad Practices: Direct Use of Sockets,,4,
+248, Uncaught Exception,,4,
+250, Execution with Unnecessary Privileges,AC-6,4,Least Privilege: Privilege Levels for Code Execution
+251, Often Misused: String Management,,4,
+252, Unchecked Return Value,,4,
+256, Plaintext Storage of a Password,SC-28,4,Protection of Information at Rest
+257, Storing Passwords in a Recoverable Format,IA-5,4,Authenticator Management
+258, Empty Password in Configuration File,SC-28,4,Protection of Information at Rest
+259, Use of Hard-coded Password,,4,
+260, Password in Configuration File,SC-28,4,Protection of Information at Rest
+261, Weak Cryptography for Passwords,SC-13,4,Cryptographic Protection
+262, Not Using Password Aging,IA-5,4,Authenticator Management
+263, Password Aging with Long Expiration,IA-5,4,Authenticator Management
+265, Privilege / Sandbox Issues,AC-6,4,Least Privilege
+269, Improper Privilege Management,AC-4,4,Information Flow Enforcement
+272, Least Privilege Violation,AC-6,4,Least Privilege: Privilege Levels for Code Execution -8
+275, Permission Issues,AC-3,4,Access Enforcement
+284, Improper Access Control,AC-3,4,Access Enforcement
+285, Improper Authorization,AC-3,4,Access Enforcement
+288, Authentication Bypass Using an Alternate Path or Channel,IA-8,4,Identification and Authentication (Non-Organizational Users)
+297, Improper Validation of Certificate with Host Mismatch,SC-8,4,Transmission Confidentiality and Integrity
+302, Authentication Bypass by Assumed-Immutable Data,SC-23,4,Session Authenticity
+305, Authentication Bypass by Primary Weakness,IA-8,4,Identification and Authentication (Non-Organizational Users)
+306, Missing Authentication for Critical Function,AC-3,4,Access Enforcement
+307, Improper Restriction of Excessive Authentication Attempts,AC-7,4,Unsuccessful Logon Attempts
+310, Cryptographic Issues,SC-13,4,Cryptographic Protection
+311, Missing Encryption of Sensitive Data,SC-8,4,Transmission Confidentiality and Integrity
+321, Use of Hard-coded Cryptographic Key,SC-12,4,Cryptographic Key Establishment and Management
+325, Missing Required Cryptographic Step,SC-13,4,Cryptographic Protection
+326, Inadequate Encryption Strength,SC-12,4,Cryptographic Key Establishment and Management
+327, Use of a Broken or Risky Cryptographic Algorithm,SC-13,4,Cryptographic Protection
+328, Reversible One-Way Hash,SC-13,4,Cryptographic Protection
+329, Not Using a Random IV with CBC Mode,SC-12,4,Cryptographic Key Establishment and Management
+330, Use of Insufficiently Random Values,SC-13,4,Cryptographic Protection
+331, Insufficient Entropy,SC-13,4,Cryptographic Protection
+335, PRNG Seed Error,SC-13,4,Cryptographic Protection
+336, Same Seed in PRNG,SC-13,4,Cryptographic Protection
+338, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG),SC-13,4,Cryptographic Protection
+345, Insufficient Verification of Data Authenticity,SC-8,4,Transmission Confidentiality and Integrity
+350, Reliance on Reverse DNS Resolution for a Security-Critical Function,SI-10,4,Information Input Validation
+352, Cross-Site Request Forgery (CSRF),AC-3,4,Access Enforcement
+358, Improperly Implemented Security Check for Standard,AC-3,4,Access Enforcement
+359, Exposure of Private Information ('Privacy Violation'),SC-28,4,Protection of Information at Rest
+362, Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'),SC-4,4,Information in Shared Resources
+364, Signal Handler Race Condition,,4,
+369, Divide by Zero,,4,
+377, Insecure Temporary File,SC-4,4,Information in Shared Resources (P1)
+382, J2EE Bad Practices: Use of System.exit(),,4,
+383, J2EE Bad Practices: Direct Use of Threads,,4,
+384, Session Fixation,SC-23,4,Session Authenticity
+388, Error Handling,SI-11,4,Error Handling
+391, Unchecked Error Condition,SI-11,4,Error Handling
+395, Use of NullPointerException Catch to Detect NULL Pointer Dereference,SI-11,4,Error Handling
+396, Declaration of Catch for Generic Exception,SI-11,4,Error Handling
+397, Declaration of Throws for Generic Exception,SI-11,4,Error Handling
+398, Indicator of Poor Code Quality,,4,
+400, Uncontrolled Resource Consumption ('Resource Exhaustion'),SI-10,4,Information Input Validation
+401, Improper Release of Memory Before Removing Last Reference,,4,
+404, Improper Resource Shutdown or Release,,4,
+415, Double Free,,4,
+416, Use after Free,SC-4,4,Information in Shared Resources
+434, Unrestricted Upload of File with Dangerous Type,AC-6,4,Least Privilege: Privilege Levels for Code Execution
+444, Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'),SI-10,4,Information Input Validation
+457, Use of Uninitialized Variable,,4,
+466, Return of Pointer Value Outside of Expected Range,,4,
+470, Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'),SI-10,4,Information Input Validation
+471, Modification of Assumed-Immutable DATA (MAID),AC-3,4,Access Enforcement
+474, Use of Function with Inconsistent Implementations,,4,
+475, Undefined Behavior for Input to API,,4,
+476, NULL Pointer Dereference,SI-10,4,Information Input Validation
+477, Use of Obsolete Functions,,4,
+478, Missing Default Case in Switch Statement,,4,
+492, Use of Inner Class Containing Sensitive Data,AC-3,4,Access Enforcement
+493, Critical Public Variable Without Final Modifier,SI-11,4,Error Handling
+494, Download of Code Without Integrity Check,SI-10,4,Information Input Validation
+495, Private Array-Typed Field Returned From A Public Method,AC-3,4,Access Enforcement
+497, Exposure of System Data to an Unauthorized Control Sphere,SI-11,4,Error Handling
+501, Trust Boundary Violation,SI-10,4,Information Input Validation
+502, Deserialization of Untrusted Data,SI-10,4,Information Input Validation 
+521, Weak Password Requirements,IA-5,4,Authenticator Management : -1 Password-based Authentication
+522, Insufficiently Protected Credentials,SC-8,4,Transmission Confidentiality and Integrity
+539, Information Exposure Through Persistent Cookies,SC-23,4,Session Authenticity
+546, Suspicious Comment,,4,
+557, Concurrency Issues,,4,
+560, Use of umask() with chmod-style Argument,,4,
+561, Dead Code,,4,
+562, Return of Stack Variable Address,,4,
+563, Assigntment to Variable without Use,,4,
+564, SQL Injection: Hibernate,SI-10,4,Information Input Validation
+566, Authorization Bypass Through User-Controlled SQL Primary Key,AC-3,4,Access Enforcement
+568, finalize() Method without super.finalize(),,4,
+574, EJB Bad Practices: Use of Synchronization Primitives,,4,
+575, EJB Bad Practices: Use of AWT Swing,,4,
+576, EJB Bad Practices: Use of java I/O,,4,
+577, EJB Bad Practices: Use of Sockets,,4,
+578, EJB Bad Practices: Use of Class Loader,,4,
+579, J2EE Bad Practices: Non-serializable Object Stored in Session,,4,
+580, clone() Method Without super.clone(),,4,
+581, Object Model Violation: Just One of Equals and Hashcode Defined,,4,
+582, Array Declared Public,AC-3,4,Access Enforcement
+583, finalize() Method Declared Public,AC-3,4,Access Enforcement
+584, Return Inside Finally Block,SI-11,4,Error Handling
+586, Explicit Call to Finalize(),,4,
+590, Free of Memory not on the Heap,,4,
+591, Sensitive Data Storage in Improperly Locked Memory,SC-4,4,Information in Shared Resources
+601, URL Redirection to Untrusted Site ('Open Redirect'),SI-10,4,Information Input Validation
+607, Public Static Final Field References Mutable Object,,4,
+609, Double-Checked Locking,,4,
+611, Improper Restriction of XML External Entity Reference ('XXE'),SI-10,4,Information Input Validation
+613, Insufficient Session Expiration,AC-12,4,Session Termination
+614, Sensitive Cookie in HTTPS Session Without 'Secure' Attribute,SC-8,4,Transmission Confidentiality and Integrity
+615, Information Exposure Through Comments,AC-3,4,Access Enforcement : -5 Security-Relevant Information
+639, Authorization Bypass Through User-Controlled Key,AC-3,4,Access Enforcement
+642, External Control of Critical State Data,,4,
+643, Improper Neutralization of Data within XPath Expressions ('XPath Injection'),SI-10,4,Information Input Validation
+651, Information Exposure Through WSDL File,,4,
+652, Improper Neutralization of Data within XQuery Expressions ('XQuery Injection'),SI-10,4,Information Input Validation
+662, Improper Synchonization,,4,
+667, Improper Locking,,4,
+676, Use of Potentially Dangerous Function,,4,
+690, Unchecked Return Value to NULL Pointer Dereference,,4,
+691, Insufficient Control Flow Management,SI-11,4,Error Handling
+693, Protection Mechanism Failure,IA-5,4,Authenticator Management
+694, Use of Multiple Resources with Duplicate Identifier,,4,
+732, Incorrect Permission Assignment for Critical Resource,AC-3,4,Access Enforcement
+733, Compiler Optimization Removal or Modification of Security-critical Code,,4,
+759, Use of a One-Way Hash without a Salt,SC-13,4,Cryptographic Protection
+760, Use of a One-Way Hash with a Predictable Salt,SC-13,4,Cryptographic Protection
+776, Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion'),,4,
+780, Use of RSA Algorithm without OAEP,SC-13,4,Cryptographic Protection
+785, Use of Path Manipulation Function without Maximum-sized Buffer,SI-10,4,Information Input Validation
+787, Out-of-bounds Write,SI-10,4,Information Input Validation
+798, Use of Hard-coded Credentials,,4,
+805, Buffer Access with Incorrect Length Value,SI-10,4,Information Input Validation
+807, Reliance on Untrusted Inputs in a Security Decision,SC-23,4,Session Authenticity
+820, Missing Synchronization,,4,
+821, Incorrect Synchronization,,4,
+829, Inclusion of Functionality from Untrusted Control Sphere,,4,
+862, Missing Authorization,AC-3,4,Access Enforcement
+863, Incorrect Authorization,AC-3,4,Access Enforcement
+915, Improperly Controlled Modification of Dynamically-Determined Object Attributes,SI-10,4,Information Input Validation
+916, Use of Password Hash With Insufficient Computational Effort,SC-13,4,Cryptographic Protection
+918, Server-Side Request Forgery (SSRF),SI-10,4,Information Input Validation

package/lib/data/nessus-plugins-nist-mapping.csv

@@ -0,0 +1,108 @@
+pluginFamily,pluginID,NIST-ID,Rev
+AIX Local Security Checks,*,SI-2|RA-5,4
+Amazon Linux Local Security Checks,*,SI-2|RA-5,4
+CentOS Local Security Checks,*,SI-2|RA-5,4
+Debian Local Security Checks,*,SI-2|RA-5,4
+F5 Networks Local Security Checks,*,SI-2|RA-5,4
+Fedora Local Security Checks,*,SI-2|RA-5,4
+FreeBSD Local Security Checks,*,SI-2|RA-5,4
+Gentoo Local Security Checks,*,SI-2|RA-5,4
+HP-UX Local Security Checks,*,SI-2|RA-5,4
+Huawei Local Security Checks,*,SI-2|RA-5,4
+Junos Local Security Checks,*,SI-2|RA-5,4
+MacOS X Local Security Checks,*,SI-2|RA-5,4
+Mandriva Local Security Checks,*,SI-2|RA-5,4
+NewStart CGSL Local Security Checks,*,SI-2|RA-5,4
+Oracle Linux Local Security Checks,*,SI-2|RA-5,4
+OracleVM Local Security Checks,*,SI-2|RA-5,4
+Palo Alto Local Security Checks,*,SI-2|RA-5,4
+PhotonOS Local Security Checks,*,SI-2|RA-5,4
+Red Hat Local Security Checks,*,SI-2|RA-5,4
+Scientific Linux Local Security Checks,*,SI-2|RA-5,4
+Slackware Local Security Checks,*,SI-2|RA-5,4
+Solaris Local Security Checks,*,SI-2|RA-5,4
+SuSE Local Security Checks,*,SI-2|RA-5,4
+Ubuntu Local Security Checks,*,SI-2|RA-5,4
+VMware ESX Local Security Checks,*,SI-2|RA-5,4
+Virtuozzo Local Security Checks,*,SI-2|RA-5,4
+Backdoors,,,
+Brute force attacks,,,
+CGI abuses,,,
+CGI abuses : XSS,,,
+CISCO,,,
+DNS,,,
+Databases,,,
+Default Unix Accounts,,,
+Denial of Service,,,
+FTP,,,
+Firewalls,56310,SC-7,4
+Gain a shell remotely,,,
+General,133964,AC-3(4),4
+General,117530,UM-1,4
+General,110483,CM-7,4
+General,95928,AC-2,4
+General,90191,CM-8,4
+General,86420,CM-8,4
+General,70544,AC-17(2)|SC-13,4
+General,66334,SI-2|RA-5,4
+General,64582,CM-8,4
+General,57582,SC-12,4
+General,57041,AC-17(2)|SC-13,4
+General,56984,AC-17(2)|SC-13,4
+General,56468,CM-8,4
+General,55472,CM-8,4
+General,54615,CM-8,4
+General,51192,SC-12,4
+General,45590,CM-8,4
+General,45432,CM-8,4
+General,45410,SC-12,4
+General,39520,SI-2|RA-5,4
+General,35351,CM-8,4
+General,34098,CM-8,4
+General,33276,CM-8,4
+General,25220,SC-8,4
+General,25203,CM-8,4
+General,25202,CM-8,4
+General,22869,CM-8,4
+General,21643,AC-17(2)|SC-13,4
+General,12053,CM-8,4
+General,11936,CM-8,4
+General,10881,AC-17(2)|SC-13,4
+General,10863,SC-12,4
+General,10287,CM-8,4
+General,10114,CM-6,4
+Misc.,118237,CM-8,4
+Misc.,97993,CM-8,4
+Misc.,90707,CM-8,4
+Misc.,84821,AC-17(2)|SC-13,4
+Misc.,83875,AC-17(2)|SC-13,4
+Misc.,70657,AC-17(2)|SC-13,4
+Misc.,58651,AC-17,4
+Mobile Devices,,,
+Netware,,,
+Peer-To-Peer File Sharing,,,
+Policy Compliance,,,
+Port scanners,14272,CM-8,4
+RPC,53335,CM-8,4
+RPC,10223,CM-8,4
+SCADA,,,
+SMTP problems,,,
+SNMP,,,
+Service detection,121010,AC-17(2)|SC-13,4
+Service detection,104743,AC-17(2)|SC-13,4
+Service detection,25221,CM-8,4
+Service detection,22964,CM-8,4
+Service detection,11111,CM-8,4
+Service detection,10884,AU-8(1),4
+Service detection,10267,AC-17(2),4
+Settings,117887,UM-1,4
+Settings,110095,UM-1,4
+Settings,19506,UM-1,4
+Web Servers,85805,SC-8|SC-13,4
+Web Servers,84502,AC-17(2)|SC-13,4
+Web Servers,43111,CM-8,4
+Web Servers,24260,CM-8,4
+Web Servers,10107,CM-8,4
+Windows,,,
+Windows : Microsoft Bulletins,,,
+Windows : User management,,,