@zerothreatai/vulnerability-registry 5.0.0 → 7.0.0

package/dist/compliances/gdpr.js

@@ -0,0 +1,252 @@
+import { ComplianceCode } from '../compliance-codes';
+import { ComplianceCategory } from '../types';
+import { idsByCategory, idsByCodes, idsByCodePrefix, mergeIds } from './helpers.js';
+const authIds = idsByCategory('authentication');
+const injectionIds = idsByCategory('injection');
+const xssIds = idsByCategory('xss');
+const ssrfIds = idsByCategory('ssrf');
+const configIds = idsByCategory('configuration');
+const disclosureIds = idsByCategory('information_disclosure');
+const cookieIds = idsByCodePrefix(['COOKIE_']);
+const dirbrowseIds = idsByCodePrefix(['DIRBROWSE_']);
+const jwtIds = idsByCodePrefix(['JWT_']);
+const hstsIds = idsByCodes([
+    'HEADER_MISSING_HSTS',
+    'HEADER_HSTS_BAD_MAX_AGE',
+    'HEADER_HSTS_SHORT_MAX_AGE',
+    'HEADER_HSTS_NO_INCLUDESUBDOMAINS',
+    'HEADER_HSTS_PRELOAD_LOW_MAX_AGE',
+    'HEADER_DRIFT_HSTS',
+]);
+const cookieSecureIds = idsByCodes([
+    'COOKIE_SAMESITE_NONE_WITHOUT_SECURE',
+    'COOKIE_SESSION_MISSING_SECURE',
+    'COOKIE_MISSING_SECURE',
+    'COOKIE_HOST_PREFIX_INVALID',
+    'COOKIE_SECURE_PREFIX_INVALID',
+]);
+const allAppSecIds = mergeIds(authIds, injectionIds, xssIds, ssrfIds, configIds, disclosureIds);
+const authAndCookieIds = mergeIds(authIds, cookieIds);
+const accessRestrictionIds = mergeIds(authIds, cookieIds, dirbrowseIds, disclosureIds);
+const cryptoPolicyIds = mergeIds(jwtIds, hstsIds, cookieSecureIds);
+const inputValidationIds = mergeIds(injectionIds, xssIds, ssrfIds);
+const outputValidationIds = mergeIds(injectionIds, xssIds);
+const infoLeakageIds = mergeIds(configIds, disclosureIds);
+export const GDPR_COMPLIANCE = {
+    [ComplianceCode.GDPR_A_10_1_1_DOCUMENTED_OPERATING_PROCEDURES]: {
+        id: 1,
+        code: ComplianceCode.GDPR_A_10_1_1_DOCUMENTED_OPERATING_PROCEDURES,
+        title: 'A.10.1.1 Documented Operating Procedures',
+        description: 'Clear instructions for how systems and processes work should be written down, kept up to date, and shared with anyone who needs them.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.GDPR_A_10_1_2_CHANGE_MANAGEMENT]: {
+        id: 2,
+        code: ComplianceCode.GDPR_A_10_1_2_CHANGE_MANAGEMENT,
+        title: 'A.10.1.2 Change Management',
+        description: 'Any updates or changes to systems and IT infrastructure should be carefully managed and monitored to avoid problems.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.GDPR_A_10_1_3_SEGREGATION_OF_DUTIES]: {
+        id: 3,
+        code: ComplianceCode.GDPR_A_10_1_3_SEGREGATION_OF_DUTIES,
+        title: 'A.10.1.3 Segregation of Duties',
+        description: 'Responsibilities should be divided among different people to prevent unauthorized actions or mistakes that could harm the organization.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.GDPR_A_10_1_4_SEPARATION_DEV_TEST_OPS]: {
+        id: 4,
+        code: ComplianceCode.GDPR_A_10_1_4_SEPARATION_DEV_TEST_OPS,
+        title: 'A.10.1.4  Separation of Development, Testing, and Operations',
+        description: 'The environments for creating, testing, and running software should be kept separate to minimize risks like unauthorized access or accidental changes to live systems.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.GDPR_A_10_2_1_SERVICE_DELIVERY]: {
+        id: 5,
+        code: ComplianceCode.GDPR_A_10_2_1_SERVICE_DELIVERY,
+        title: 'A.10.2.1 Service delivery',
+        description: 'Make sure that any security rules, service standards, and delivery expectations agreed with a third party are followed and maintained by them.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.GDPR_A_10_3_2_SYSTEM_ACCEPTANCE]: {
+        id: 9,
+        code: ComplianceCode.GDPR_A_10_3_2_SYSTEM_ACCEPTANCE,
+        title: 'A.10.3.2 System acceptance',
+        description: 'Before fully using updated systems, ensure they meet security and performance standards through thorough testing.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: allAppSecIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.GDPR_A_11_2_3_USER_PASSWORD_MANAGEMENT]: {
+        id: 36,
+        code: ComplianceCode.GDPR_A_11_2_3_USER_PASSWORD_MANAGEMENT,
+        title: 'A.11.2.3 User Password Management',
+        description: 'Manage password distribution securely through a formal process.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: authAndCookieIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.GDPR_A_11_3_1_PASSWORD_USE]: {
+        id: 38,
+        code: ComplianceCode.GDPR_A_11_3_1_PASSWORD_USE,
+        title: 'A.11.3.1 Password Use',
+        description: 'Users must follow strong security practices when creating and using passwords.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: authAndCookieIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.GDPR_A_11_4_4_REMOTE_DIAGNOSTIC_PORT_PROTECTION]: {
+        id: 44,
+        code: ComplianceCode.GDPR_A_11_4_4_REMOTE_DIAGNOSTIC_PORT_PROTECTION,
+        title: 'A.11.4.4 Remote Diagnostic and Configuration Port Protection',
+        description: 'Control both physical and logical access to ports used for remote diagnostics and system configuration.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: disclosureIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.GDPR_A_11_5_3_PASSWORD_MANAGEMENT_SYSTEM]: {
+        id: 50,
+        code: ComplianceCode.GDPR_A_11_5_3_PASSWORD_MANAGEMENT_SYSTEM,
+        title: 'A.11.5.3 Password Management System',
+        description: 'Use an interactive system to manage passwords, ensuring they are strong and meet security standards.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: authAndCookieIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.GDPR_A_11_5_4_USE_OF_SYSTEM_UTILITIES]: {
+        id: 51,
+        code: ComplianceCode.GDPR_A_11_5_4_USE_OF_SYSTEM_UTILITIES,
+        title: 'A.11.5.4 Use of System Utilities',
+        description: 'Restrict and control the use of utility programs that can bypass system or application security.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: accessRestrictionIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.GDPR_A_11_5_5_SESSION_TIMEOUT]: {
+        id: 52,
+        code: ComplianceCode.GDPR_A_11_5_5_SESSION_TIMEOUT,
+        title: 'A.11.5.5 Session Time-out',
+        description: 'Automatically log users out after a period of inactivity to protect the system.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: authAndCookieIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.GDPR_A_11_5_6_LIMITATION_CONNECTION_TIME]: {
+        id: 53,
+        code: ComplianceCode.GDPR_A_11_5_6_LIMITATION_CONNECTION_TIME,
+        title: 'A.11.5.6 Limitation of Connection Time',
+        description: 'Limit connection times, especially for high-risk applications, to enhance security.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: authAndCookieIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.GDPR_A_11_6_1_INFORMATION_ACCESS_RESTRICTION]: {
+        id: 54,
+        code: ComplianceCode.GDPR_A_11_6_1_INFORMATION_ACCESS_RESTRICTION,
+        title: 'A.11.6.1 Information Access Restriction',
+        description: 'Limit access to information and system functions based on the access control policy for users and support staff.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: accessRestrictionIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.GDPR_A_12_1_1_SECURITY_REQUIREMENTS_ANALYSIS]: {
+        id: 58,
+        code: ComplianceCode.GDPR_A_12_1_1_SECURITY_REQUIREMENTS_ANALYSIS,
+        title: 'A.12.1.1 Security Requirements Analysis and Specification',
+        description: 'When defining business requirements for new or updated information systems, include specific security control requirements to ensure protection.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.GDPR_A_12_2_1_INPUT_DATA_VALIDATION]: {
+        id: 59,
+        code: ComplianceCode.GDPR_A_12_2_1_INPUT_DATA_VALIDATION,
+        title: 'A.12.2.1 Input Data Validation',
+        description: 'Validate all data entered into applications to ensure it\'s accurate and appropriate.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: inputValidationIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.GDPR_A_12_2_4_OUTPUT_DATA_VALIDATION]: {
+        id: 62,
+        code: ComplianceCode.GDPR_A_12_2_4_OUTPUT_DATA_VALIDATION,
+        title: 'A.12.2.4 Output Data Validation',
+        description: 'Validate the data output from applications to confirm that the processed information is correct and relevant.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: outputValidationIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.GDPR_A_12_3_1_POLICY_CRYPTOGRAPHIC_CONTROLS]: {
+        id: 63,
+        code: ComplianceCode.GDPR_A_12_3_1_POLICY_CRYPTOGRAPHIC_CONTROLS,
+        title: 'A.12.3.1 Policy on the Use of Cryptographic Controls',
+        description: 'Develop and implement a policy for using cryptographic methods to protect information.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: cryptoPolicyIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.GDPR_A_12_3_2_KEY_MANAGEMENT]: {
+        id: 64,
+        code: ComplianceCode.GDPR_A_12_3_2_KEY_MANAGEMENT,
+        title: 'A.12.3.2 Key Management',
+        description: 'Establish a key management system to support the organization\'s use of encryption and cryptographic techniques.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: cryptoPolicyIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.GDPR_A_12_4_3_ACCESS_CONTROL_SOURCE_CODE]: {
+        id: 67,
+        code: ComplianceCode.GDPR_A_12_4_3_ACCESS_CONTROL_SOURCE_CODE,
+        title: 'A.12.4.3 Access Control to Program Source Code',
+        description: 'Restrict access to the source code of programs to authorized personnel only.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: accessRestrictionIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.GDPR_A_12_5_3_RESTRICTIONS_CHANGES_SOFTWARE]: {
+        id: 70,
+        code: ComplianceCode.GDPR_A_12_5_3_RESTRICTIONS_CHANGES_SOFTWARE,
+        title: 'A.12.5.3 Restrictions on Changes to Software Packages',
+        description: 'Limit modifications to software packages to necessary changes only, and tightly control all adjustments.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: accessRestrictionIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.GDPR_A_12_5_4_INFORMATION_LEAKAGE]: {
+        id: 71,
+        code: ComplianceCode.GDPR_A_12_5_4_INFORMATION_LEAKAGE,
+        title: 'A.12.5.4  Information Leakage',
+        description: 'Prevent any opportunities that could lead to unauthorized information leakage.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: infoLeakageIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.GDPR_A_12_5_5_OUTSOURCED_SOFTWARE_DEV]: {
+        id: 72,
+        code: ComplianceCode.GDPR_A_12_5_5_OUTSOURCED_SOFTWARE_DEV,
+        title: 'A.12.5.5 Outsourced Software Development',
+        description: 'Supervise and monitor outsourced software development activities to ensure they meet the organization s security and quality standards.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: false,
+    },
+    [ComplianceCode.GDPR_A_12_6_1_CONTROL_TECHNICAL_VULNERABILITIES]: {
+        id: 73,
+        code: ComplianceCode.GDPR_A_12_6_1_CONTROL_TECHNICAL_VULNERABILITIES,
+        title: 'A.12.6.1 Control of Technical Vulnerabilities',
+        description: 'Stay informed about technical vulnerabilities in the systems being used, assess the organization\'s exposure to them, and take necessary actions to manage the associated risks.',
+        complianceStandard: ComplianceCategory.GDPR,
+        relatedVulnerabilityIds: allAppSecIds,
+        isNotApplicable: true,
+    },
+};

package/dist/compliances/helpers.d.ts

@@ -0,0 +1,6 @@
+import type { VulnerabilityCategory } from '../types.js';
+export declare const allVulnerabilityIds: () => number[];
+export declare const idsByCategory: (category: VulnerabilityCategory) => number[];
+export declare const idsByCodes: (codes: string[]) => number[];
+export declare const idsByCodePrefix: (prefixes: string[]) => number[];
+export declare const mergeIds: (...lists: number[][]) => number[];

package/dist/compliances/helpers.js

@@ -0,0 +1,12 @@
+import { VULNERABILITY_REGISTRY } from '../index.js';
+// Lazy getter to avoid circular dependency issues at module load time
+const getAllVulnerabilities = () => Object.values(VULNERABILITY_REGISTRY);
+const uniqueSorted = (ids) => Array.from(new Set(ids)).sort((a, b) => a - b);
+export const allVulnerabilityIds = () => uniqueSorted(getAllVulnerabilities().map(v => v.id));
+export const idsByCategory = (category) => uniqueSorted(getAllVulnerabilities().filter(v => v.category === category).map(v => v.id));
+export const idsByCodes = (codes) => uniqueSorted(codes
+    .map(code => VULNERABILITY_REGISTRY[code]?.id)
+    .filter((id) => typeof id === 'number'));
+export const idsByCodePrefix = (prefixes) => uniqueSorted(getAllVulnerabilities().filter(v => prefixes.some(prefix => v.code.startsWith(prefix)))
+    .map(v => v.id));
+export const mergeIds = (...lists) => uniqueSorted(lists.flat());

package/dist/compliances/hipaa.d.ts

@@ -0,0 +1,2 @@
+import { ComplianceRegistry } from '../types';
+export declare const HIPAA_COMPLIANCE: ComplianceRegistry;

package/dist/compliances/hipaa.js

@@ -0,0 +1,187 @@
+import { ComplianceCode } from '../compliance-codes';
+import { ComplianceCategory } from '../types';
+import { idsByCategory, idsByCodes, idsByCodePrefix, mergeIds } from './helpers.js';
+const authIds = idsByCategory('authentication');
+const injectionIds = idsByCategory('injection');
+const xssIds = idsByCategory('xss');
+const ssrfIds = idsByCategory('ssrf');
+const configIds = idsByCategory('configuration');
+const disclosureIds = idsByCategory('information_disclosure');
+const cookieIds = idsByCodePrefix(['COOKIE_']);
+const dirbrowseIds = idsByCodePrefix(['DIRBROWSE_']);
+const jwtIds = idsByCodePrefix(['JWT_']);
+const hstsIds = idsByCodes([
+    'HEADER_MISSING_HSTS',
+    'HEADER_HSTS_BAD_MAX_AGE',
+    'HEADER_HSTS_SHORT_MAX_AGE',
+    'HEADER_HSTS_NO_INCLUDESUBDOMAINS',
+    'HEADER_HSTS_PRELOAD_LOW_MAX_AGE',
+    'HEADER_DRIFT_HSTS',
+]);
+const cookieSecureIds = idsByCodes([
+    'COOKIE_SAMESITE_NONE_WITHOUT_SECURE',
+    'COOKIE_SESSION_MISSING_SECURE',
+    'COOKIE_MISSING_SECURE',
+    'COOKIE_HOST_PREFIX_INVALID',
+    'COOKIE_SECURE_PREFIX_INVALID',
+]);
+const allAppSecIds = mergeIds(authIds, injectionIds, xssIds, ssrfIds, configIds, disclosureIds);
+const accessControlIds = mergeIds(authIds, cookieIds, dirbrowseIds, disclosureIds);
+const authAndCookieIds = mergeIds(authIds, cookieIds);
+const cryptoIds = mergeIds(jwtIds, hstsIds, cookieSecureIds);
+const integrityIds = mergeIds(injectionIds, xssIds);
+export const HIPAA_COMPLIANCE = {
+    [ComplianceCode.HIPAA_164_105_PROTECT_PRIVATE_HEALTH_INFO]: {
+        id: 164,
+        code: ComplianceCode.HIPAA_164_105_PROTECT_PRIVATE_HEALTH_INFO,
+        title: 'S.Rule - Part 164, Subpart A, 164.105 Protect Private Health Info',
+        description: 'Make sure private electronic health information is kept safe and secure from anyone who shouldn’t see it.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: allAppSecIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.HIPAA_164_306_A_1_KEEP_INFO_SAFE]: {
+        id: 165,
+        code: ComplianceCode.HIPAA_164_306_A_1_KEEP_INFO_SAFE,
+        title: 'S.Rule - Part 164, Subpart C, 164.306(a)(1) Keep Info Safe and Available',
+        description: 'Make sure health info stays private, accurate, and ready to use when needed.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: allAppSecIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.HIPAA_164_306_A_2_PROTECT_AGAINST_THREATS]: {
+        id: 166,
+        code: ComplianceCode.HIPAA_164_306_A_2_PROTECT_AGAINST_THREATS,
+        title: 'S.Rule - Part 164, Subpart C, 164.306(a)(2) Protect Against Threats',
+        description: 'Put systems in place to stop hackers or anything else that might harm the health info.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: allAppSecIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.HIPAA_164_306_A_3_STOP_UNAUTHORIZED_ACCESS]: {
+        id: 167,
+        code: ComplianceCode.HIPAA_164_306_A_3_STOP_UNAUTHORIZED_ACCESS,
+        title: 'S.Rule - Part 164, Subpart C, 164.306(a)(3) Stop Unauthorized Access',
+        description: 'Make sure no one can use or see health info without permission.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: accessControlIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.HIPAA_164_308_A_1_I_PREVENT_FIX_PROBLEMS]: {
+        id: 168,
+        code: ComplianceCode.HIPAA_164_308_A_1_I_PREVENT_FIX_PROBLEMS,
+        title: 'S.Rule - Part 164, Subpart C, 164.308(a)(1) (i) Prevent and Fix Problems',
+        description: 'Create rules to spot and fix security problems before they cause damage.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: allAppSecIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.HIPAA_164_308_A_1_II_B_LOWER_SECURITY_RISKS]: {
+        id: 169,
+        code: ComplianceCode.HIPAA_164_308_A_1_II_B_LOWER_SECURITY_RISKS,
+        title: 'S.Rule - Part 164, Subpart C, 164.308(a)(1)(ii)(B) Lower Security Risks',
+        description: 'Take steps to make sure the risk of problems, like data leaks, is as low as possible.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: allAppSecIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.HIPAA_164_308_A_5_II_B_BLOCK_MALWARE]: {
+        id: 170,
+        code: ComplianceCode.HIPAA_164_308_A_5_II_B_BLOCK_MALWARE,
+        title: 'S.Rule - Part 164, Subpart C, 164.308(a)(5)(ii)(B) Block Viruses and Malware',
+        description: 'Set up tools to block harmful software like viruses and ransomware.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.HIPAA_164_308_A_5_II_C_WATCH_LOGINS]: {
+        id: 171,
+        code: ComplianceCode.HIPAA_164_308_A_5_II_C_WATCH_LOGINS,
+        title: 'S.Rule - Part 164, Subpart C, 164.308(a)(5)(ii)(C) Watch Logins',
+        description: 'Keep track of who’s logging in and report anything that seems suspicious.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.HIPAA_164_308_A_5_II_D_PROTECT_PASSWORDS]: {
+        id: 172,
+        code: ComplianceCode.HIPAA_164_308_A_5_II_D_PROTECT_PASSWORDS,
+        title: 'S.Rule - Part 164, Subpart C, 164.308(a)(5)(ii)(D) Protect Passwords',
+        description: 'Make sure passwords are strong, secure, and regularly updated.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: authAndCookieIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.HIPAA_164_308_A_7_I_PLAN_EMERGENCIES]: {
+        id: 173,
+        code: ComplianceCode.HIPAA_164_308_A_7_I_PLAN_EMERGENCIES,
+        title: 'S.Rule - Part 164, Subpart C, 164.308(a)(7)(i) Plan for Emergencies',
+        description: 'Have a backup plan ready if something happens, like a power outage or system crash, so health info stays safe.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.HIPAA_164_312_A_1_CONTROL_ACCESS]: {
+        id: 174,
+        code: ComplianceCode.HIPAA_164_312_A_1_CONTROL_ACCESS,
+        title: 'S.Rule - Part 164, Subpart C, 164.312(a)(1) Control Who Can See Info',
+        description: 'Limit access to health info to only those who really need it.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: accessControlIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.HIPAA_164_312_C_1_PREVENT_CHANGES]: {
+        id: 175,
+        code: ComplianceCode.HIPAA_164_312_C_1_PREVENT_CHANGES,
+        title: 'S.Rule - Part 164, Subpart C, 164.312(c)(1) Prevent Changes or Deletion',
+        description: 'Make sure no one can change or delete health info without permission.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.HIPAA_164_312_D_VERIFY_IDENTITY]: {
+        id: 176,
+        code: ComplianceCode.HIPAA_164_312_D_VERIFY_IDENTITY,
+        title: 'S.Rule - Part 164, Subpart C, 164.312(d) Double-Check Who’s Asking for Access',
+        description: 'Confirm that anyone asking to see health info is who they say they are.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: authAndCookieIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.HIPAA_164_312_E_1_PROTECT_ONLINE_INFO]: {
+        id: 177,
+        code: ComplianceCode.HIPAA_164_312_E_1_PROTECT_ONLINE_INFO,
+        title: 'S.Rule - Part 164, Subpart C, 164.312(e)(1) Protect Info Sent Online',
+        description: 'Make sure health info is safe when sent over the internet.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: cryptoIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.HIPAA_164_312_E_2_I_PREVENT_UNAUTHORIZED_CHANGES]: {
+        id: 178,
+        code: ComplianceCode.HIPAA_164_312_E_2_I_PREVENT_UNAUTHORIZED_CHANGES,
+        title: 'S.Rule - Part 164, Subpart C, 164.312(e)(2)(i) Prevent Unauthorized Changes',
+        description: 'Ensure health info sent electronically isn’t changed without anyone knowing.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: integrityIds,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.HIPAA_164_312_E_2_II_USE_ENCRYPTION]: {
+        id: 179,
+        code: ComplianceCode.HIPAA_164_312_E_2_II_USE_ENCRYPTION,
+        title: 'S.Rule - Part 164, Subpart C, 164.312(e)(2)(ii) Use Encryption to Keep Info Safe',
+        description: 'Encrypt health info when it’s sent online to keep it private.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: cryptoIds,
+        isNotApplicable: true,
+    },
+    [ComplianceCode.HIPAA_164_530_C_2_I_KEEP_INFO_SHARED]: {
+        id: 180,
+        code: ComplianceCode.HIPAA_164_530_C_2_I_KEEP_INFO_SHARED,
+        title: 'P.Rule - Part 164, Subpart E, 164.530(c)(2)(i) Keep Info From Being Shared',
+        description: 'Take care to stop health info from being shared accidentally or on purpose with the wrong people.',
+        complianceStandard: ComplianceCategory.HIPAA,
+        relatedVulnerabilityIds: mergeIds(disclosureIds, accessControlIds),
+        isNotApplicable: true,
+    },
+};

package/dist/compliances/index.d.ts

@@ -0,0 +1,5 @@
+export { OWASP_COMPLIANCE } from './owasp.js';
+export { HIPAA_COMPLIANCE } from './hipaa.js';
+export { GDPR_COMPLIANCE } from './gdpr.js';
+export { PCI_DSS_COMPLIANCE } from './pci-dss.js';
+export { SANS_TOP_25_COMPLIANCE } from './sans-top-25.js';

package/dist/compliances/index.js

@@ -0,0 +1,5 @@
+export { OWASP_COMPLIANCE } from './owasp.js';
+export { HIPAA_COMPLIANCE } from './hipaa.js';
+export { GDPR_COMPLIANCE } from './gdpr.js';
+export { PCI_DSS_COMPLIANCE } from './pci-dss.js';
+export { SANS_TOP_25_COMPLIANCE } from './sans-top-25.js';

package/dist/compliances/owasp.d.ts

@@ -0,0 +1,2 @@
+import { ComplianceRegistry } from '../types';
+export declare const OWASP_COMPLIANCE: ComplianceRegistry;

package/dist/compliances/owasp.js

@@ -0,0 +1,127 @@
+import { ComplianceCode } from '../compliance-codes';
+import { ComplianceCategory } from '../types';
+import { idsByCategory, idsByCodes, idsByCodePrefix, mergeIds } from './helpers.js';
+const authIds = idsByCategory('authentication');
+const injectionIds = idsByCategory('injection');
+const xssIds = idsByCategory('xss');
+const ssrfIds = idsByCategory('ssrf');
+const configIds = idsByCategory('configuration');
+const disclosureIds = idsByCategory('information_disclosure');
+const accessControlIds = idsByCodePrefix(['BAC_', 'MASSASSIGN_']);
+const dirbrowseIds = idsByCodePrefix(['DIRBROWSE_']);
+const jwtIds = idsByCodePrefix(['JWT_']);
+const cookieIds = idsByCodePrefix(['COOKIE_']);
+const deserializationIds = idsByCodePrefix(['DESER_']);
+const hstsIds = idsByCodes([
+    'HEADER_MISSING_HSTS',
+    'HEADER_HSTS_BAD_MAX_AGE',
+    'HEADER_HSTS_SHORT_MAX_AGE',
+    'HEADER_HSTS_NO_INCLUDESUBDOMAINS',
+    'HEADER_HSTS_PRELOAD_LOW_MAX_AGE',
+    'HEADER_DRIFT_HSTS',
+]);
+const cookieSecureIds = idsByCodes([
+    'COOKIE_SAMESITE_NONE_WITHOUT_SECURE',
+    'COOKIE_SESSION_MISSING_SECURE',
+    'COOKIE_MISSING_SECURE',
+    'COOKIE_HOST_PREFIX_INVALID',
+    'COOKIE_SECURE_PREFIX_INVALID',
+]);
+const owaspA1Ids = mergeIds(accessControlIds, dirbrowseIds);
+const owaspA2Ids = mergeIds(jwtIds, hstsIds, cookieSecureIds);
+const owaspA3Ids = mergeIds(injectionIds, xssIds);
+const owaspA5Ids = mergeIds(configIds, disclosureIds);
+const owaspA7Ids = mergeIds(authIds, cookieIds);
+const owaspA8Ids = deserializationIds;
+export const OWASP_COMPLIANCE = {
+    [ComplianceCode.OWASP_A1_BROKEN_ACCESS_CONTROL]: {
+        id: 154,
+        code: ComplianceCode.OWASP_A1_BROKEN_ACCESS_CONTROL,
+        title: 'A1 Broken Access Control',
+        description: 'Many web applications fail to properly enforce rules on what authenticated users are allowed to access or do. This creates vulnerabilities where attackers can exploit the flaws to gain unauthorized access. For example, they might be able to log into someone else’s account, view sensitive files they shouldn’t have access to, modify other users\' data, or change their own access rights to gain additional privileges. To prevent these kinds of attacks, web applications must ensure that every user’s actions are carefully restricted based on their role and permission level, ensuring they can only interact with the parts of the system they are authorized to access.',
+        complianceStandard: ComplianceCategory.OWASP,
+        relatedVulnerabilityIds: owaspA1Ids,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.OWASP_A2_CRYPTOGRAPHIC_FAILURES]: {
+        id: 155,
+        code: ComplianceCode.OWASP_A2_CRYPTOGRAPHIC_FAILURES,
+        title: 'A2 Cryptographic Failures',
+        description: 'Many web applications and APIs fail to properly protect sensitive information, like financial details, health records, or personal identification data. When this data isn’t secured correctly, attackers can steal or alter it, leading to crimes like credit card fraud or identity theft. Sensitive data should always be encrypted, whether it’s being stored (encryption at rest) or transferred over the internet (encryption in transit). Extra care must also be taken when this data is exchanged between the user and the browser to prevent it from being compromised.',
+        complianceStandard: ComplianceCategory.OWASP,
+        relatedVulnerabilityIds: owaspA2Ids,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.OWASP_A3_INJECTION_FLAWS]: {
+        id: 156,
+        code: ComplianceCode.OWASP_A3_INJECTION_FLAWS,
+        title: 'A3 Injection Flaws',
+        description: 'Injection flaws happen when untrusted or harmful data is sent to a system as part of a command or query. This can occur with different types of data, like SQL (used for databases), NoSQL, OS (operating system commands), or LDAP (used for directory services). Attackers can exploit these flaws by sending malicious data that tricks the system into executing commands it wasn’t supposed to, or accessing data without permission. This can allow attackers to gain unauthorized control or information from the system.',
+        complianceStandard: ComplianceCategory.OWASP,
+        relatedVulnerabilityIds: owaspA3Ids,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.OWASP_A4_INSECURE_DESIGN]: {
+        id: 157,
+        code: ComplianceCode.OWASP_A4_INSECURE_DESIGN,
+        title: 'A4 Insecure Design',
+        description: 'Insecure design refers to weaknesses in the overall design of a system or software, where essential security controls are missing or not effective. This is different from implementation flaws, which are mistakes made while building the system. A system with insecure design has security gaps from the start, which can’t be fully fixed later, no matter how well the system is built. For example, if the system wasn’t designed with proper security in mind, even a perfect implementation won’t fix it. A key factor in insecure design is not properly assessing the risks the software or system might face, which leads to a failure in designing the necessary security protections.',
+        complianceStandard: ComplianceCategory.OWASP,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.OWASP_A5_SECURITY_MISCONFIGURATION]: {
+        id: 158,
+        code: ComplianceCode.OWASP_A5_SECURITY_MISCONFIGURATION,
+        title: 'A5 Security Misconfiguration',
+        description: 'Security misconfiguration is one of the most common issues found in web applications and systems. It happens when systems are not set up securely or configured properly. This can include things like using insecure default settings, incomplete configurations, or leaving cloud storage open to the public. Other examples include misconfigured security settings like HTTP headers and error messages that reveal sensitive information about the system. To protect against these risks, all components—such as operating systems, frameworks, libraries, and applications—must be securely configured from the beginning. Additionally, they need to be regularly updated and patched to fix any vulnerabilities and ensure they remain secure over time.',
+        complianceStandard: ComplianceCategory.OWASP,
+        relatedVulnerabilityIds: owaspA5Ids,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.OWASP_A6_VULNERABLE_OUTDATED_COMPONENTS]: {
+        id: 159,
+        code: ComplianceCode.OWASP_A6_VULNERABLE_OUTDATED_COMPONENTS,
+        title: 'A6 Vulnerable and Outdated Components',
+        description: 'Many web applications rely on components like libraries, frameworks, or other software modules to run. These components operate with the same permissions as the rest of the application. If any of these components have known security weaknesses, attackers can exploit them to cause serious issues, such as data loss or taking control of the server. Using outdated components with known vulnerabilities can undermine the security of the entire application, making it easier for attackers to launch attacks or cause other damage. To avoid this, it’s important to regularly update and patch these components to keep the application secure.',
+        complianceStandard: ComplianceCategory.OWASP,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.OWASP_A7_IDENTIFICATION_AUTH_FAILURE]: {
+        id: 160,
+        code: ComplianceCode.OWASP_A7_IDENTIFICATION_AUTH_FAILURE,
+        title: 'A7 Identification and Authentication Failure',
+        description: 'Many applications have weaknesses in how they handle user login and session management. These flaws can allow attackers to steal or guess passwords, keys, or session tokens, and use them to impersonate other users. In some cases, attackers might be able to take over someone’s account temporarily or permanently. Properly securing authentication processes and session management is crucial to prevent unauthorized access and protect user identities.',
+        complianceStandard: ComplianceCategory.OWASP,
+        relatedVulnerabilityIds: owaspA7Ids,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.OWASP_A8_SOFTWARE_DATA_INTEGRITY_FAILURE]: {
+        id: 161,
+        code: ComplianceCode.OWASP_A8_SOFTWARE_DATA_INTEGRITY_FAILURE,
+        title: 'A8 Software and Data Integrity Failure',
+        description: 'Software and data integrity failures occur when code or systems aren’t protected from changes that could compromise their security. For example, if an application uses plugins, libraries, or modules from untrusted sources or repositories, attackers could introduce malicious code. Insecure continuous integration/continuous deployment (CI/CD) pipelines also pose a risk, as they could allow unauthorized access or introduce harmful code. Many apps also have auto-update features, but if the updates aren’t properly verified, attackers could upload malicious updates that get applied to all users’ installations. Another risk is when data is encoded or serialized in a way that attackers can manipulate, which could lead to vulnerabilities like insecure deserialization.',
+        complianceStandard: ComplianceCategory.OWASP,
+        relatedVulnerabilityIds: owaspA8Ids,
+        isNotApplicable: false,
+    },
+    [ComplianceCode.OWASP_A9_LOGGING_MONITORING_FAILURES]: {
+        id: 162,
+        code: ComplianceCode.OWASP_A9_LOGGING_MONITORING_FAILURES,
+        title: 'A9 Security Logging and Monitoring Failures',
+        description: 'When an application or system doesn’t properly log or monitor activity, it becomes easier for attackers to continue their attacks unnoticed. Without effective monitoring, attackers can maintain access, move through different systems, and tamper with or steal data. Studies of security breaches show that it often takes over 200 days to detect a breach, and many breaches are first discovered by external parties, not by the system’s internal monitoring. Proper logging and real-time monitoring are crucial for detecting and responding to attacks before they cause significant damage.',
+        complianceStandard: ComplianceCategory.OWASP,
+        relatedVulnerabilityIds: [],
+        isNotApplicable: true,
+    },
+    [ComplianceCode.OWASP_A10_SSRF]: {
+        id: 163,
+        code: ComplianceCode.OWASP_A10_SSRF,
+        title: 'A10 Server-Side Request Forgery (SSRF)',
+        description: 'SSRF flaws happen when a web application accepts a user-supplied URL to fetch a remote resource but doesn’t properly validate it. This allows attackers to trick the application into sending a request to an unexpected destination, even if there are security measures like firewalls, VPNs, or network access controls in place. As a result, attackers can target internal systems or services that would normally be protected from external access.',
+        complianceStandard: ComplianceCategory.OWASP,
+        relatedVulnerabilityIds: ssrfIds,
+        isNotApplicable: false,
+    },
+};

package/dist/compliances/pci-dss.d.ts

@@ -0,0 +1,2 @@
+import { ComplianceRegistry } from '../types';
+export declare const PCI_DSS_COMPLIANCE: ComplianceRegistry;