@zerothreatai/vulnerability-registry 5.0.0 → 6.0.0

package/dist/compliances/pci-dss.js

@@ -0,0 +1,260 @@
+import { ComplianceCode } from '../compliance-codes';
+import { ComplianceCategory } from '../types';
+import { idsByCategory, idsByCodes, idsByCodePrefix, mergeIds } from './helpers.js';
+const authIds = idsByCategory('authentication');
+const injectionIds = idsByCategory('injection');
+const xssIds = idsByCategory('xss');
+const ssrfIds = idsByCategory('ssrf');
+const configIds = idsByCategory('configuration');
+const disclosureIds = idsByCategory('information_disclosure');
+const cookieIds = idsByCodePrefix(['COOKIE_']);
+const dirbrowseIds = idsByCodePrefix(['DIRBROWSE_']);
+const jwtIds = idsByCodePrefix(['JWT_']);
+const hstsIds = idsByCodes([
+    'HEADER_MISSING_HSTS',
+    'HEADER_HSTS_BAD_MAX_AGE',
+    'HEADER_HSTS_SHORT_MAX_AGE',
+    'HEADER_HSTS_NO_INCLUDESUBDOMAINS',
+    'HEADER_HSTS_PRELOAD_LOW_MAX_AGE',
+    'HEADER_DRIFT_HSTS',
+]);
+const cookieSecureIds = idsByCodes([
+    'COOKIE_SAMESITE_NONE_WITHOUT_SECURE',
+    'COOKIE_SESSION_MISSING_SECURE',
+    'COOKIE_MISSING_SECURE',
+    'COOKIE_HOST_PREFIX_INVALID',
+    'COOKIE_SECURE_PREFIX_INVALID',
+]);
+const allAppSecIds = mergeIds(authIds, injectionIds, xssIds, ssrfIds, configIds, disclosureIds);
+const misconfigIds = mergeIds(configIds, disclosureIds);
+const accessControlIds = mergeIds(authIds, cookieIds, dirbrowseIds, disclosureIds);
+const cryptoIds = mergeIds(jwtIds, hstsIds, cookieSecureIds);
+const injectionAndXssIds = mergeIds(injectionIds, xssIds);
+const authAndCookieIds = mergeIds(authIds, cookieIds);
+export const PCI_DSS_COMPLIANCE = {
+    [ComplianceCode.PCI_REQ_1_INSTALL_FIREWALL]: {
+        id: 74,
+        code: ComplianceCode.PCI_REQ_1_INSTALL_FIREWALL,
+        title: 'Requirement 1 Install and Maintain a Firewall Configuration',
+        description: 'Set up and maintain a firewall to create a secure barrier between cardholder data and any external threats. This protects sensitive information from unauthorized access by controlling the incoming and outgoing network traffic.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.PCI_REQ_2_1_CHANGE_DEFAULT_PASSWORDS]: {
+        id: 75,
+        code: ComplianceCode.PCI_REQ_2_1_CHANGE_DEFAULT_PASSWORDS,
+        title: 'Requirement 2.1 Change Vendor-Supplied Default Passwords',
+        description: 'Always replace default passwords and remove or disable default accounts provided by vendors before setting up a system. This applies to all types of default passwords, such as those for operating systems, security software, point-of-sale terminals, and other system services, to prevent unauthorized access.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: authAndCookieIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.PCI_REQ_2_2_1_ONE_PRIMARY_FUNCTION]: {
+        id: 76,
+        code: ComplianceCode.PCI_REQ_2_2_1_ONE_PRIMARY_FUNCTION,
+        title: 'Requirement 2.2.1 One Primary Function Per Server',
+        description: 'Implement only one primary function per server (e.g., web server, database server, DNS) to avoid coexisting functions with different security levels. If using virtualization, ensure each virtual system component performs a single function.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.PCI_REQ_2_2_2_ENABLE_NECESSARY_SERVICES]: {
+        id: 77,
+        code: ComplianceCode.PCI_REQ_2_2_2_ENABLE_NECESSARY_SERVICES,
+        title: 'Requirement 2.2.2 Enable Only Necessary Services and Protocols',
+        description: 'Activate only the essential services, protocols, and daemons needed for the system to function. This minimizes potential vulnerabilities by reducing the number of unnecessary services that could be exploited by attackers.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: misconfigIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.PCI_REQ_2_2_3_SECURE_INSECURE_SERVICES]: {
+        id: 78,
+        code: ComplianceCode.PCI_REQ_2_2_3_SECURE_INSECURE_SERVICES,
+        title: 'Requirement 2.2.3 Implement Additional Security Features for Insecure Services',
+        description: 'Apply extra security measures to secure any necessary services, protocols, or daemons identified as insecure. For environments using SSL/early TLS, adhere to the requirements specified in Appendix A2 to mitigate vulnerabilities.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: cryptoIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.PCI_REQ_2_2_4_CONFIGURE_SYSTEM_PARAMETERS]: {
+        id: 79,
+        code: ComplianceCode.PCI_REQ_2_2_4_CONFIGURE_SYSTEM_PARAMETERS,
+        title: 'Requirement 2.2.4 Configure System Security Parameters',
+        description: 'Configure system security parameters to prevent misuse, ensuring systems are protected from unauthorized actions.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: misconfigIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.PCI_REQ_2_2_5_STRENGTHEN_INSECURE_SERVICES]: {
+        id: 80,
+        code: ComplianceCode.PCI_REQ_2_2_5_STRENGTHEN_INSECURE_SERVICES,
+        title: 'Requirement 2.2.5 Strengthen Security for Insecure Services',
+        description: 'For services, protocols, or daemons that are deemed insecure, extra security features should be added to protect them. This is particularly important when using SSL or early TLS; specific guidelines from Appendix A2 must be followed to ensure proper security.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: cryptoIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.PCI_REQ_2_3_ENCRYPT_NON_CONSOLE_ADMIN]: {
+        id: 81,
+        code: ComplianceCode.PCI_REQ_2_3_ENCRYPT_NON_CONSOLE_ADMIN,
+        title: 'Requirement 2.3 Encrypt Non-Console Administrative Access',
+        description: 'Use strong encryption to secure all administrative access, especially when accessing systems remotely. If SSL or early TLS is used, follow the additional requirements in Appendix A2 to ensure secure communication.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: cryptoIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.PCI_REQ_3_1_MINIMIZE_DATA_STORAGE]: {
+        id: 86,
+        code: ComplianceCode.PCI_REQ_3_1_MINIMIZE_DATA_STORAGE,
+        title: 'Requirement 3.1 Minimize Cardholder Data Storage',
+        description: 'Implement policies and procedures to store only the necessary cardholder data and securely dispose of it when no longer needed, to reduce risk and ensure compliance with data retention standards.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: disclosureIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.PCI_REQ_4_1_STRONG_CRYPTO_TRANSMISSION]: {
+        id: 95,
+        code: ComplianceCode.PCI_REQ_4_1_STRONG_CRYPTO_TRANSMISSION,
+        title: 'Requirement 4.1 Use Strong Cryptography for Cardholder Data Transmission',
+        description: 'Ensure the use of strong cryptography and secure protocols to protect cardholder data during transmission over open, public networks. Only trusted keys and certificates should be used, and the protocol must support secure configurations with appropriate encryption strength.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: cryptoIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.PCI_REQ_6_1_IDENTIFY_RANK_VULNERABILITIES]: {
+        id: 99,
+        code: ComplianceCode.PCI_REQ_6_1_IDENTIFY_RANK_VULNERABILITIES,
+        title: 'Requirement 6.1 Identify and Rank Security Vulnerabilities',
+        description: 'Establish a process to regularly identify security vulnerabilities in systems and applications, using trusted external sources for vulnerability information. Once identified, assign a risk ranking (e.g., high, medium, or low) to each vulnerability to prioritize remediation efforts based on potential impact. This helps ensure that the most critical security flaws are addressed first.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: allAppSecIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.PCI_REQ_6_2_INSTALL_SECURITY_PATCHES]: {
+        id: 100,
+        code: ComplianceCode.PCI_REQ_6_2_INSTALL_SECURITY_PATCHES,
+        title: 'Requirement 6.2 Install Vendor-Supplied Security Patches',
+        description: 'Protect all system components and software from known vulnerabilities by installing security patches provided by the vendor. Ensure that critical security patches are installed within one month of their release to minimize the risk of exploitation from known threats. This helps keep systems secure and up to date with the latest protections.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: allAppSecIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.PCI_REQ_6_3_1_SECURE_SOFTWARE_DEVELOPMENT]: {
+        id: 101,
+        code: ComplianceCode.PCI_REQ_6_3_1_SECURE_SOFTWARE_DEVELOPMENT,
+        title: 'Requirement 6.3.1 Secure Software Development Practices',
+        description: 'Develop and maintain secure software applications by following best practices for security throughout the development lifecycle. This applies to all software, whether created internally or custom-built by third parties, including securing web-based access and protecting against potential vulnerabilities.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: injectionAndXssIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.PCI_REQ_6_5_1_PREVENT_INJECTION]: {
+        id: 107,
+        code: ComplianceCode.PCI_REQ_6_5_1_PREVENT_INJECTION,
+        title: 'Requirement 6.5.1 Prevent Injection Flaws in Applications',
+        description: 'Ensure that applications are protected from injection attacks, such as SQL injection and other types like OS Command, LDAP, and XPath injection, by implementing proper input validation, escaping user inputs, and using parameterized queries to prevent malicious code from being executed.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: injectionAndXssIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.PCI_REQ_6_5_2_PREVENT_BUFFER_OVERFLOW]: {
+        id: 108,
+        code: ComplianceCode.PCI_REQ_6_5_2_PREVENT_BUFFER_OVERFLOW,
+        title: 'Requirement 6.5.2 Protect Against Buffer Overflow Vulnerabilities',
+        description: 'Safeguard applications from buffer overflow attacks by ensuring proper bounds checking and input validation, preventing attackers from writing data outside allocated memory spaces and exploiting vulnerabilities in software.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.PCI_REQ_6_5_3_SECURE_CRYPTOGRAPHIC_STORAGE]: {
+        id: 109,
+        code: ComplianceCode.PCI_REQ_6_5_3_SECURE_CRYPTOGRAPHIC_STORAGE,
+        title: 'Requirement 6.5.3 Secure Cryptographic Storage',
+        description: 'Ensure sensitive data is securely stored using strong encryption techniques to protect it from unauthorized access or disclosure, minimizing the risk of data breaches or misuse.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: cryptoIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.PCI_REQ_6_5_4_SECURE_COMM_CHANNELS]: {
+        id: 110,
+        code: ComplianceCode.PCI_REQ_6_5_4_SECURE_COMM_CHANNELS,
+        title: 'Requirement 6.5.4 Secure Communication Channels',
+        description: 'Use strong encryption protocols to protect sensitive data during transmission over networks, ensuring it cannot be intercepted or tampered with during communication.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: cryptoIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.PCI_REQ_6_5_5_PROPER_ERROR_HANDLING]: {
+        id: 111,
+        code: ComplianceCode.PCI_REQ_6_5_5_PROPER_ERROR_HANDLING,
+        title: 'Requirement 6.5.5 Proper Error Handling Practices',
+        description: 'Ensure that error messages do not reveal sensitive information that could be exploited by attackers. Implement secure error handling to log issues without exposing system details or data to unauthorized users.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: injectionAndXssIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.PCI_REQ_6_5_6_ADDRESS_HIGH_RISK_VULNS]: {
+        id: 112,
+        code: ComplianceCode.PCI_REQ_6_5_6_ADDRESS_HIGH_RISK_VULNS,
+        title: 'Requirement 6.5.6 Address High-Risk Vulnerabilities Promptly',
+        description: 'Identify and address all "high risk" vulnerabilities as part of the security vulnerability process to prevent potential breaches and protect sensitive data.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: allAppSecIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.PCI_REQ_6_5_7_PREVENT_XSS]: {
+        id: 113,
+        code: ComplianceCode.PCI_REQ_6_5_7_PREVENT_XSS,
+        title: 'Requirement 6.5.7 Prevent Cross-Site Scripting (XSS) Vulnerabilities',
+        description: 'Ensure that web applications are secure against XSS attacks, where attackers inject malicious scripts into web pages. Implement input validation and output encoding to prevent scripts from being executed in a user\'s browser.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: xssIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.PCI_REQ_6_5_8_PREVENT_ACCESS_CONTROL_VULNS]: {
+        id: 114,
+        code: ComplianceCode.PCI_REQ_6_5_8_PREVENT_ACCESS_CONTROL_VULNS,
+        title: 'Requirement 6.5.8 Prevent Improper Access Control Vulnerabilities',
+        description: 'Ensure that web applications properly control access to sensitive resources. Implement strong access control mechanisms to prevent unauthorized users from accessing or modifying data they shouldn t, and avoid vulnerabilities like insecure direct object references, directory traversal, or unrestricted URL access.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: accessControlIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.PCI_REQ_6_5_9_PREVENT_CSRF]: {
+        id: 115,
+        code: ComplianceCode.PCI_REQ_6_5_9_PREVENT_CSRF,
+        title: 'Requirement 6.5.9 Prevent Cross-Site Request Forgery (CSRF)',
+        description: 'Implement security measures to prevent CSRF attacks, where an attacker tricks a user into making unwanted requests to a website on which the user is authenticated. Use anti-CSRF tokens and ensure that user actions are properly validated and protected from being exploited through malicious requests.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: false,
+    },
+    [ComplianceCode.PCI_REQ_6_5_10_PREVENT_BROKEN_AUTH]: {
+        id: 116,
+        code: ComplianceCode.PCI_REQ_6_5_10_PREVENT_BROKEN_AUTH,
+        title: 'Requirement 6.5.10 Prevent Broken Authentication and Session Management',
+        description: 'Secure user authentication and session management processes to prevent unauthorized access. This includes using strong, multi-factor authentication methods, enforcing session timeouts, and ensuring that session identifiers are securely generated, stored, and invalidated after use.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: authAndCookieIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.PCI_REQ_7_RESTRICT_ACCESS_NEED_TO_KNOW]: {
+        id: 119,
+        code: ComplianceCode.PCI_REQ_7_RESTRICT_ACCESS_NEED_TO_KNOW,
+        title: 'Requirement 7 Restrict Access to System Components and Cardholder Data by Business Need-to-Know',
+        description: 'Access to sensitive system components and cardholder data should be limited only to those individuals whose job responsibilities require it. Permissions should be granted based on business needs, following the principle of least privilege to minimize security risks.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: accessControlIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.PCI_REQ_8_1_1_ASSIGN_UNIQUE_IDS]: {
+        id: 126,
+        code: ComplianceCode.PCI_REQ_8_1_1_ASSIGN_UNIQUE_IDS,
+        title: 'Requirement 8.1.1 Assign Unique IDs for All Users',
+        description: 'Ensure every user is assigned a unique identification (ID) before they are granted access to system components or cardholder data. This helps track user activities and ensures accountability.',
+        complianceStandard: ComplianceCategory.PCIDSS,
+        relatedVulnerabilityIds: authAndCookieIds,
+        isNotApplicable: true,
+    },
+};

package/dist/compliances/sans-top-25.d.ts

@@ -0,0 +1,2 @@
+import { ComplianceRegistry } from '../types';
+export declare const SANS_TOP_25_COMPLIANCE: ComplianceRegistry;

package/dist/compliances/sans-top-25.js

@@ -0,0 +1,242 @@
+import { ComplianceCode } from '../compliance-codes';
+import { ComplianceCategory } from '../types';
+import { idsByCategory, idsByCodePrefix, mergeIds } from './helpers.js';
+const authIds = idsByCategory('authentication');
+const injectionIds = idsByCategory('injection');
+const xssIds = idsByCategory('xss');
+const ssrfIds = idsByCategory('ssrf');
+const disclosureIds = idsByCategory('information_disclosure');
+const accessControlIds = idsByCodePrefix(['BAC_', 'MASSASSIGN_']);
+const sqliIds = idsByCodePrefix(['SQLI_']);
+const cmdiIds = idsByCodePrefix(['CMDI_']);
+const sstiIds = idsByCodePrefix(['SSTI_']);
+const lfiIds = idsByCodePrefix(['LFI_']);
+const deserializationIds = idsByCodePrefix(['DESER_']);
+const inputValidationIds = mergeIds(injectionIds, xssIds, ssrfIds);
+export const SANS_TOP_25_COMPLIANCE = {
+    [ComplianceCode.SANS_TOP_25_CWE_79_XSS]: {
+        id: 181,
+        code: ComplianceCode.SANS_TOP_25_CWE_79_XSS,
+        title: 'CWE-79 Cross-site Scripting',
+        description: 'Improper Neutralization of Input During Web Page Generation (Cross-site Scripting).',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: xssIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_787_OOB_WRITE]: {
+        id: 182,
+        code: ComplianceCode.SANS_TOP_25_CWE_787_OOB_WRITE,
+        title: 'CWE-787 Out-of-bounds Write',
+        description: 'Out-of-bounds Write.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_89_SQLI]: {
+        id: 183,
+        code: ComplianceCode.SANS_TOP_25_CWE_89_SQLI,
+        title: 'CWE-89 SQL Injection',
+        description: 'Improper Neutralization of Special Elements used in an SQL Command (SQL Injection).',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: sqliIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_352_CSRF]: {
+        id: 184,
+        code: ComplianceCode.SANS_TOP_25_CWE_352_CSRF,
+        title: 'CWE-352 Cross-Site Request Forgery',
+        description: 'Cross-Site Request Forgery (CSRF).',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_22_PATH_TRAVERSAL]: {
+        id: 185,
+        code: ComplianceCode.SANS_TOP_25_CWE_22_PATH_TRAVERSAL,
+        title: 'CWE-22 Path Traversal',
+        description: 'Improper Limitation of a Pathname to a Restricted Directory (Path Traversal).',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: lfiIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_125_OOB_READ]: {
+        id: 186,
+        code: ComplianceCode.SANS_TOP_25_CWE_125_OOB_READ,
+        title: 'CWE-125 Out-of-bounds Read',
+        description: 'Out-of-bounds Read.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_78_OS_COMMAND_INJECTION]: {
+        id: 187,
+        code: ComplianceCode.SANS_TOP_25_CWE_78_OS_COMMAND_INJECTION,
+        title: 'CWE-78 OS Command Injection',
+        description: 'Improper Neutralization of Special Elements used in an OS Command (OS Command Injection).',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: cmdiIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_416_USE_AFTER_FREE]: {
+        id: 188,
+        code: ComplianceCode.SANS_TOP_25_CWE_416_USE_AFTER_FREE,
+        title: 'CWE-416 Use After Free',
+        description: 'Use After Free.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_862_MISSING_AUTHZ]: {
+        id: 189,
+        code: ComplianceCode.SANS_TOP_25_CWE_862_MISSING_AUTHZ,
+        title: 'CWE-862 Missing Authorization',
+        description: 'Missing Authorization.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: accessControlIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_434_UNRESTRICTED_UPLOAD]: {
+        id: 190,
+        code: ComplianceCode.SANS_TOP_25_CWE_434_UNRESTRICTED_UPLOAD,
+        title: 'CWE-434 Unrestricted File Upload',
+        description: 'Unrestricted Upload of File with Dangerous Type.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_94_CODE_INJECTION]: {
+        id: 191,
+        code: ComplianceCode.SANS_TOP_25_CWE_94_CODE_INJECTION,
+        title: 'CWE-94 Code Injection',
+        description: 'Improper Control of Generation of Code (Code Injection).',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: sstiIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_20_INPUT_VALIDATION]: {
+        id: 192,
+        code: ComplianceCode.SANS_TOP_25_CWE_20_INPUT_VALIDATION,
+        title: 'CWE-20 Improper Input Validation',
+        description: 'Improper Input Validation.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: inputValidationIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_77_COMMAND_INJECTION]: {
+        id: 193,
+        code: ComplianceCode.SANS_TOP_25_CWE_77_COMMAND_INJECTION,
+        title: 'CWE-77 Command Injection',
+        description: 'Improper Neutralization of Special Elements used in a Command (Command Injection).',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: cmdiIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_287_IMPROPER_AUTH]: {
+        id: 194,
+        code: ComplianceCode.SANS_TOP_25_CWE_287_IMPROPER_AUTH,
+        title: 'CWE-287 Improper Authentication',
+        description: 'Improper Authentication.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: authIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_269_PRIVILEGE_MGMT]: {
+        id: 195,
+        code: ComplianceCode.SANS_TOP_25_CWE_269_PRIVILEGE_MGMT,
+        title: 'CWE-269 Improper Privilege Management',
+        description: 'Improper Privilege Management.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: accessControlIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_502_UNTRUSTED_DESER]: {
+        id: 196,
+        code: ComplianceCode.SANS_TOP_25_CWE_502_UNTRUSTED_DESER,
+        title: 'CWE-502 Deserialization of Untrusted Data',
+        description: 'Deserialization of Untrusted Data.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: deserializationIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_200_INFO_EXPOSURE]: {
+        id: 197,
+        code: ComplianceCode.SANS_TOP_25_CWE_200_INFO_EXPOSURE,
+        title: 'CWE-200 Exposure of Sensitive Information',
+        description: 'Exposure of Sensitive Information to an Unauthorized Actor.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: disclosureIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_863_INCORRECT_AUTHZ]: {
+        id: 198,
+        code: ComplianceCode.SANS_TOP_25_CWE_863_INCORRECT_AUTHZ,
+        title: 'CWE-863 Incorrect Authorization',
+        description: 'Incorrect Authorization.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: accessControlIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_918_SSRF]: {
+        id: 199,
+        code: ComplianceCode.SANS_TOP_25_CWE_918_SSRF,
+        title: 'CWE-918 Server-Side Request Forgery',
+        description: 'Server-Side Request Forgery (SSRF).',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: ssrfIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_119_MEMORY_BOUNDS]: {
+        id: 200,
+        code: ComplianceCode.SANS_TOP_25_CWE_119_MEMORY_BOUNDS,
+        title: 'CWE-119 Memory Buffer Bounds',
+        description: 'Improper Restriction of Operations within the Bounds of a Memory Buffer.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_476_NULL_DEREF]: {
+        id: 201,
+        code: ComplianceCode.SANS_TOP_25_CWE_476_NULL_DEREF,
+        title: 'CWE-476 NULL Pointer Dereference',
+        description: 'NULL Pointer Dereference.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_798_HARDCODED_CREDS]: {
+        id: 202,
+        code: ComplianceCode.SANS_TOP_25_CWE_798_HARDCODED_CREDS,
+        title: 'CWE-798 Use of Hard-coded Credentials',
+        description: 'Use of Hard-coded Credentials.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_190_INTEGER_OVERFLOW]: {
+        id: 203,
+        code: ComplianceCode.SANS_TOP_25_CWE_190_INTEGER_OVERFLOW,
+        title: 'CWE-190 Integer Overflow or Wraparound',
+        description: 'Integer Overflow or Wraparound.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_400_RESOURCE_CONSUMPTION]: {
+        id: 204,
+        code: ComplianceCode.SANS_TOP_25_CWE_400_RESOURCE_CONSUMPTION,
+        title: 'CWE-400 Uncontrolled Resource Consumption',
+        description: 'Uncontrolled Resource Consumption.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.SANS_TOP_25_CWE_306_MISSING_AUTH]: {
+        id: 205,
+        code: ComplianceCode.SANS_TOP_25_CWE_306_MISSING_AUTH,
+        title: 'CWE-306 Missing Authentication for Critical Function',
+        description: 'Missing Authentication for Critical Function.',
+        complianceStandard: ComplianceCategory.SANS_TOP_25,
+        relatedVulnerabilityIds: authIds,
+        isNotApplicable: true,
+    },
+};

package/dist/index.d.ts

@@ -13,6 +13,7 @@ import { CONFIG_VULNERABILITIES } from './categories/configuration.js';
 import { SENSITIVE_PATH_VULNERABILITIES } from './categories/sensitive-paths.js';
 import { CATEGORY_REGISTRY } from './category.js';
 import { SCANNER_REGISTRY } from './scanner.js';
+import { OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE } from './compliances/index.js';
 /**
  * Complete vulnerability registry combining all categories
  */
@@ -47,7 +48,7 @@ export declare function getVulnerabilityCount(): number;
 export declare function createFinding(code: VulnerabilityCode | string, overrides?: Partial<VulnerabilityDefinition>): VulnerabilityDefinition | null;
 export { VulnerabilityCode } from './error-codes.js';
 export type { VulnerabilityDefinition, VulnerabilityLookup, CVSSProfile, CWEReference, OWASPReference, Severity, VulnerabilityCategory, } from './types.js';
-export { INJECTION_VULNERABILITIES, XSS_VULNERABILITIES, SSRF_VULNERABILITIES, AUTH_VULNERABILITIES, CONFIG_VULNERABILITIES, SENSITIVE_PATH_VULNERABILITIES, CATEGORY_REGISTRY, SCANNER_REGISTRY, };
+export { INJECTION_VULNERABILITIES, XSS_VULNERABILITIES, SSRF_VULNERABILITIES, AUTH_VULNERABILITIES, CONFIG_VULNERABILITIES, SENSITIVE_PATH_VULNERABILITIES, OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE, CATEGORY_REGISTRY, SCANNER_REGISTRY, };
 declare const _default: {
     VulnerabilityCode: typeof VulnerabilityCode;
     VULNERABILITY_REGISTRY: Record<string, VulnerabilityDefinition>;
@@ -58,6 +59,11 @@ declare const _default: {
     getAllVulnerabilityCodes: typeof getAllVulnerabilityCodes;
     getVulnerabilityCount: typeof getVulnerabilityCount;
     createFinding: typeof createFinding;
+    OWASP_COMPLIANCE: import("./types.js").ComplianceRegistry;
+    HIPAA_COMPLIANCE: import("./types.js").ComplianceRegistry;
+    GDPR_COMPLIANCE: import("./types.js").ComplianceRegistry;
+    PCI_DSS_COMPLIANCE: import("./types.js").ComplianceRegistry;
+    SANS_TOP_25_COMPLIANCE: import("./types.js").ComplianceRegistry;
     CATEGORY_REGISTRY: Record<string, {
         title: string;
     }>;

package/dist/index.js

@@ -13,6 +13,7 @@ import { CONFIG_VULNERABILITIES } from './categories/configuration.js';
 import { SENSITIVE_PATH_VULNERABILITIES } from './categories/sensitive-paths.js';
 import { CATEGORY_REGISTRY } from './category.js';
 import { SCANNER_REGISTRY } from './scanner.js';
+import { OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE } from './compliances/index.js';
 /**
  * Complete vulnerability registry combining all categories
  */
@@ -80,7 +81,7 @@ export function createFinding(code, overrides) {
 // Re-export all types and enums
 export { VulnerabilityCode } from './error-codes.js';
 // Export category definitions for direct access
-export { INJECTION_VULNERABILITIES, XSS_VULNERABILITIES, SSRF_VULNERABILITIES, AUTH_VULNERABILITIES, CONFIG_VULNERABILITIES, SENSITIVE_PATH_VULNERABILITIES, CATEGORY_REGISTRY, SCANNER_REGISTRY, };
+export { INJECTION_VULNERABILITIES, XSS_VULNERABILITIES, SSRF_VULNERABILITIES, AUTH_VULNERABILITIES, CONFIG_VULNERABILITIES, SENSITIVE_PATH_VULNERABILITIES, OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE, CATEGORY_REGISTRY, SCANNER_REGISTRY, };
 export default {
     VulnerabilityCode,
     VULNERABILITY_REGISTRY,
@@ -91,6 +92,11 @@ export default {
     getAllVulnerabilityCodes,
     getVulnerabilityCount,
     createFinding,
+    OWASP_COMPLIANCE,
+    HIPAA_COMPLIANCE,
+    GDPR_COMPLIANCE,
+    PCI_DSS_COMPLIANCE,
+    SANS_TOP_25_COMPLIANCE,
     CATEGORY_REGISTRY,
     SCANNER_REGISTRY,
 };

package/dist/types.d.ts

@@ -86,3 +86,36 @@ export interface VulnerabilityLookup {
     found: boolean;
     definition?: VulnerabilityDefinition;
 }
+/**
+ * Compliance standards
+ */
+export declare enum ComplianceCategory {
+    OWASP = "OWASP",
+    HIPAA = "HIPAA",
+    GDPR = "GDPR",
+    PCIDSS = "PCIDSS",
+    SANS_TOP_25 = "SANS_TOP_25"
+}
+/**
+ * Compliance rule definition
+ */
+export interface ComplianceDefinition {
+    /** Unique numeric identifier */
+    id: number;
+    /** Unique compliance code */
+    code: string;
+    /** Human-readable title */
+    title: string;
+    /** Detailed description */
+    description: string;
+    /** Compliance standard family */
+    complianceStandard: ComplianceCategory;
+    /** Related vulnerability IDs from the registry */
+    relatedVulnerabilityIds: number[];
+    /** Whether the rule is out-of-scope for scanner evidence */
+    isNotApplicable: boolean;
+}
+/**
+ * Compliance registry lookup
+ */
+export type ComplianceRegistry = Record<string, ComplianceDefinition>;

package/dist/types.js

@@ -3,4 +3,14 @@
  *
  * Central type definitions for all vulnerability definitions.
  */
-export {};
+/**
+ * Compliance standards
+ */
+export var ComplianceCategory;
+(function (ComplianceCategory) {
+    ComplianceCategory["OWASP"] = "OWASP";
+    ComplianceCategory["HIPAA"] = "HIPAA";
+    ComplianceCategory["GDPR"] = "GDPR";
+    ComplianceCategory["PCIDSS"] = "PCIDSS";
+    ComplianceCategory["SANS_TOP_25"] = "SANS_TOP_25";
+})(ComplianceCategory || (ComplianceCategory = {}));