@zerothreatai/vulnerability-registry 7.0.0 → 9.0.0
- package/dist/compliances/compliance-by-vulnerabilities.d.ts +5 -0
- package/dist/compliances/compliance-by-vulnerabilities.js +32 -0
- package/dist/compliances/gdpr.d.ts +7 -0
- package/dist/compliances/gdpr.js +7 -7
- package/dist/compliances/helpers.js +1 -1
- package/dist/compliances/hipaa.d.ts +5 -0
- package/dist/compliances/hipaa.js +5 -5
- package/dist/compliances/index.d.ts +1 -0
- package/dist/compliances/index.js +1 -0
- package/dist/compliances/owasp.d.ts +6 -0
- package/dist/compliances/owasp.js +6 -6
- package/dist/compliances/pci-dss.d.ts +6 -0
- package/dist/compliances/pci-dss.js +6 -6
- package/dist/compliances/sans-top-25.d.ts +12 -0
- package/dist/compliances/sans-top-25.js +12 -12
- package/dist/index.d.ts +2 -5
- package/dist/index.js +2 -13
- package/dist/registry.d.ts +6 -0
- package/dist/registry.js +18 -0
- package/dist-cjs/compliances/compliance-by-vulnerabilities.js +35 -0
- package/dist-cjs/compliances/gdpr.js +24 -24
- package/dist-cjs/compliances/helpers.js +3 -3
- package/dist-cjs/compliances/hipaa.js +19 -19
- package/dist-cjs/compliances/index.js +3 -1
- package/dist-cjs/compliances/owasp.js +13 -13
- package/dist-cjs/compliances/pci-dss.js +26 -26
- package/dist-cjs/compliances/sans-top-25.js +28 -28
- package/dist-cjs/index.js +9 -19
- package/dist-cjs/registry.js +21 -0
- package/package.json +1 -1
- package/src/compliances/compliance-by-vulnerabilities.ts +32 -0
- package/src/compliances/gdpr.ts +130 -130
- package/src/compliances/helpers.ts +1 -2
- package/src/compliances/hipaa.ts +89 -89
- package/src/compliances/index.ts +1 -0
- package/src/compliances/owasp.ts +59 -59
- package/src/compliances/pci-dss.ts +134 -134
- package/src/compliances/sans-top-25.ts +12 -12
- package/src/index.ts +7 -19
- package/src/registry.ts +20 -0
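--- a/package/dist/compliances/compliance-by-vulnerabilities.js
+++ b/package/dist/compliances/compliance-by-vulnerabilities.js
@@ -0,0 +1,32 @@
+import { accessRestrictionIds, allAppSecIds, authAndCookieIds, cryptoPolicyIds, infoLeakageIds, inputValidationIds, outputValidationIds } from './gdpr.js';
+import { accessControlIds, allAppSecIds as hallAppSecIds, authAndCookieIds as hauthAnCookieIds, cryptoIds, integrityIds } from './hipaa.js';
+import { owaspA1Ids, owaspA2Ids, owaspA3Ids, owaspA5Ids, owaspA7Ids, owaspA8Ids } from './owasp.js';
+import { allAppSecIds as pciAllAppSecIds, misconfigIds as pciMisconfigIds, accessControlIds as pciAccessControlIds, cryptoIds as pciCryptoIds, injectionAndXssIds as pciInjectionAndXssIds, authAndCookieIds as pciAuthAndCookieIds } from './pci-dss.js';
+import { authIds as sauthIds, accessControlIds as saccessControlIds, cmdiIds as scmdiIds, deserializationIds as sdeserializationIds, disclosureIds as sdisclosureIds, injectionIds as sinjectionIds, lfiIds as slfiIds, sqliIds, ssrfIds as ssrfids, sstiIds as ssstiIds, xssIds as sxssIds } from './sans-top-25.js';
+export const COMPLIANCE_BY_VULNERABILITIES = [
+{
+id: 3,
+title: 'GDPR',
+vulnerabilities: [...accessRestrictionIds, ...allAppSecIds, ...authAndCookieIds, ...cryptoPolicyIds, ...infoLeakageIds, ...inputValidationIds, ...outputValidationIds]
+},
+{
+id: 2,
+title: 'HIPAA',
+vulnerabilities: [accessControlIds, ...hallAppSecIds, ...hauthAnCookieIds, ...cryptoIds, ...integrityIds]
+},
+{
+id: 1,
+title: 'OWASP',
+vulnerabilities: [...owaspA1Ids, ...owaspA2Ids, ...owaspA3Ids, ...owaspA5Ids, ...owaspA7Ids, ...owaspA8Ids]
+},
+{
+id: 4,
+title: 'PCI-DSS',
+vulnerabilities: [...pciAllAppSecIds, ...pciMisconfigIds, ...pciAccessControlIds, ...pciCryptoIds, ...pciInjectionAndXssIds, ...pciAuthAndCookieIds]
+},
+{
+id: 6,
+title: 'SANS Top 25',
+vulnerabilities: [...sauthIds, ...saccessControlIds, ...scmdiIds, ...sdeserializationIds, ...sdisclosureIds, ...sinjectionIds, ...slfiIds, ...sqliIds, ...ssrfids, ...ssstiIds, ...sxssIds]
+}
+];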
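Review bot: The HIPAA entry (new line 15) lists `accessControlIds` without the spread operator, so its `vulnerabilities` array receives one nested `number[]` element instead of the HIPAA access-control ids, and any consumer doing `vulnerabilities.includes(id)` will never match them; the line should read `vulnerabilities: [...accessControlIds, ...hallAppSecIds, ...hauthAnCookieIds, ...cryptoIds, ...integrityIds]`. The identical line is emitted in the CommonJS build (new line 18 of package/dist-cjs/compliances/compliance-by-vulnerabilities.js) and presumably originates in the src .ts listed in the diffstat, so the fix belongs at the source. The concatenated lists also contain duplicates, because for example gdpr's `allAppSecIds` already includes `authIds` and `authAndCookieIds` includes them again, so each list should be deduplicated (`[...new Set([...])]`) unless consumers are known to tolerate repeats. The alias `ssrfids` on line 5 breaks the camelCase used by its neighbours and `hauthAnCookieIds` on line 2 looks like a typo of `hauthAndCookieIds`; both are local names and safe to rename.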
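--- a/package/dist/compliances/gdpr.d.ts
+++ b/package/dist/compliances/gdpr.d.ts
@@ -1,2 +1,9 @@
 import { ComplianceRegistry } from '../types';
+export declare const allAppSecIds: number[];
+export declare const authAndCookieIds: number[];
+export declare const accessRestrictionIds: number[];
+export declare const cryptoPolicyIds: number[];
+export declare const inputValidationIds: number[];
+export declare const outputValidationIds: number[];
+export declare const infoLeakageIds: number[];
 export declare const GDPR_COMPLIANCE: ComplianceRegistry;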
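--- a/package/dist/compliances/gdpr.js
+++ b/package/dist/compliances/gdpr.js
@@ -25,13 +25,13 @@ const cookieSecureIds = idsByCodes([
 'COOKIE_HOST_PREFIX_INVALID',
 'COOKIE_SECURE_PREFIX_INVALID',
 ]);
-const allAppSecIds = mergeIds(authIds, injectionIds, xssIds, ssrfIds, configIds, disclosureIds);
-const authAndCookieIds = mergeIds(authIds, cookieIds);
-const accessRestrictionIds = mergeIds(authIds, cookieIds, dirbrowseIds, disclosureIds);
-const cryptoPolicyIds = mergeIds(jwtIds, hstsIds, cookieSecureIds);
-const inputValidationIds = mergeIds(injectionIds, xssIds, ssrfIds);
-const outputValidationIds = mergeIds(injectionIds, xssIds);
-const infoLeakageIds = mergeIds(configIds, disclosureIds);
+export const allAppSecIds = mergeIds(authIds, injectionIds, xssIds, ssrfIds, configIds, disclosureIds);
+export const authAndCookieIds = mergeIds(authIds, cookieIds);
+export const accessRestrictionIds = mergeIds(authIds, cookieIds, dirbrowseIds, disclosureIds);
+export const cryptoPolicyIds = mergeIds(jwtIds, hstsIds, cookieSecureIds);
+export const inputValidationIds = mergeIds(injectionIds, xssIds, ssrfIds);
+export const outputValidationIds = mergeIds(injectionIds, xssIds);
+export const infoLeakageIds = mergeIds(configIds, disclosureIds);
 export const GDPR_COMPLIANCE = {
 [ComplianceCode.GDPR_A_10_1_1_DOCUMENTED_OPERATING_PROCEDURES]: {
 id: 1,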
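Review bot: Exporting these aggregates as plain mutable arrays (new lines 28-34) hands every importer a live reference to the same arrays that the `GDPR_COMPLIANCE` entries keep in `relatedVulnerabilityIds` (the CommonJS build shows this directly, e.g. line 90 `relatedVulnerabilityIds: exports.allAppSecIds`), so a single `push` by one consumer silently alters every compliance entry sharing that list. These are constants computed once at module load, so freeze them, e.g. `export const allAppSecIds = Object.freeze(mergeIds(authIds, injectionIds, xssIds, ssrfIds, configIds, disclosureIds));`, and declare them `readonly number[]` in the matching gdpr.d.ts (new lines 2-8). The same applies to hipaa.js (28-32), owasp.js (30-35, where `owaspA8Ids = deserializationIds` additionally aliases the internal list rather than copying it), pci-dss.js (28-33) and sans-top-25.js (4-15).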
@@ -1,4 +1,4 @@
1
-
import { VULNERABILITY_REGISTRY } from '../
1
+
import { VULNERABILITY_REGISTRY } from '../registry.js';
2
2
// Lazy getter to avoid circular dependency issues at module load time
3
3
const getAllVulnerabilities = () => Object.values(VULNERABILITY_REGISTRY);
4
4
const uniqueSorted = (ids) => Array.from(new Set(ids)).sort((a, b) => a - b);
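--- a/package/dist/compliances/hipaa.d.ts
+++ b/package/dist/compliances/hipaa.d.ts
@@ -1,2 +1,7 @@
 import { ComplianceRegistry } from '../types';
+export declare const allAppSecIds: number[];
+export declare const accessControlIds: number[];
+export declare const authAndCookieIds: number[];
+export declare const cryptoIds: number[];
+export declare const integrityIds: number[];
 export declare const HIPAA_COMPLIANCE: ComplianceRegistry;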
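--- a/package/dist/compliances/hipaa.js
+++ b/package/dist/compliances/hipaa.js
@@ -25,11 +25,11 @@ const cookieSecureIds = idsByCodes([
 'COOKIE_HOST_PREFIX_INVALID',
 'COOKIE_SECURE_PREFIX_INVALID',
 ]);
-const allAppSecIds = mergeIds(authIds, injectionIds, xssIds, ssrfIds, configIds, disclosureIds);
-const accessControlIds = mergeIds(authIds, cookieIds, dirbrowseIds, disclosureIds);
-const authAndCookieIds = mergeIds(authIds, cookieIds);
-const cryptoIds = mergeIds(jwtIds, hstsIds, cookieSecureIds);
-const integrityIds = mergeIds(injectionIds, xssIds);
+export const allAppSecIds = mergeIds(authIds, injectionIds, xssIds, ssrfIds, configIds, disclosureIds);
+export const accessControlIds = mergeIds(authIds, cookieIds, dirbrowseIds, disclosureIds);
+export const authAndCookieIds = mergeIds(authIds, cookieIds);
+export const cryptoIds = mergeIds(jwtIds, hstsIds, cookieSecureIds);
+export const integrityIds = mergeIds(injectionIds, xssIds);
 export const HIPAA_COMPLIANCE = {
 [ComplianceCode.HIPAA_164_105_PROTECT_PRIVATE_HEALTH_INFO]: {
 id: 164,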
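--- a/package/dist/compliances/index.d.ts
+++ b/package/dist/compliances/index.d.ts
@@ -3,3 +3,4 @@ export { HIPAA_COMPLIANCE } from './hipaa.js';
 export { GDPR_COMPLIANCE } from './gdpr.js';
 export { PCI_DSS_COMPLIANCE } from './pci-dss.js';
 export { SANS_TOP_25_COMPLIANCE } from './sans-top-25.js';
+export { COMPLIANCE_BY_VULNERABILITIES } from './compliance-by-vulnerabilities.js';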
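--- a/package/dist/compliances/index.js
+++ b/package/dist/compliances/index.js
@@ -3,3 +3,4 @@ export { HIPAA_COMPLIANCE } from './hipaa.js';
 export { GDPR_COMPLIANCE } from './gdpr.js';
 export { PCI_DSS_COMPLIANCE } from './pci-dss.js';
 export { SANS_TOP_25_COMPLIANCE } from './sans-top-25.js';
+export { COMPLIANCE_BY_VULNERABILITIES } from './compliance-by-vulnerabilities.js';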
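--- a/package/dist/compliances/owasp.d.ts
+++ b/package/dist/compliances/owasp.d.ts
@@ -1,2 +1,8 @@
 import { ComplianceRegistry } from '../types';
+export declare const owaspA1Ids: number[];
+export declare const owaspA2Ids: number[];
+export declare const owaspA3Ids: number[];
+export declare const owaspA5Ids: number[];
+export declare const owaspA7Ids: number[];
+export declare const owaspA8Ids: number[];
 export declare const OWASP_COMPLIANCE: ComplianceRegistry;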
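--- a/package/dist/compliances/owasp.js
+++ b/package/dist/compliances/owasp.js
@@ -27,12 +27,12 @@ const cookieSecureIds = idsByCodes([
 'COOKIE_HOST_PREFIX_INVALID',
 'COOKIE_SECURE_PREFIX_INVALID',
 ]);
-const owaspA1Ids = mergeIds(accessControlIds, dirbrowseIds);
-const owaspA2Ids = mergeIds(jwtIds, hstsIds, cookieSecureIds);
-const owaspA3Ids = mergeIds(injectionIds, xssIds);
-const owaspA5Ids = mergeIds(configIds, disclosureIds);
-const owaspA7Ids = mergeIds(authIds, cookieIds);
-const owaspA8Ids = deserializationIds;
+export const owaspA1Ids = mergeIds(accessControlIds, dirbrowseIds);
+export const owaspA2Ids = mergeIds(jwtIds, hstsIds, cookieSecureIds);
+export const owaspA3Ids = mergeIds(injectionIds, xssIds);
+export const owaspA5Ids = mergeIds(configIds, disclosureIds);
+export const owaspA7Ids = mergeIds(authIds, cookieIds);
+export const owaspA8Ids = deserializationIds;
 export const OWASP_COMPLIANCE = {
 [ComplianceCode.OWASP_A1_BROKEN_ACCESS_CONTROL]: {
 id: 154,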
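--- a/package/dist/compliances/pci-dss.d.ts
+++ b/package/dist/compliances/pci-dss.d.ts
@@ -1,2 +1,8 @@
 import { ComplianceRegistry } from '../types';
+export declare const allAppSecIds: number[];
+export declare const misconfigIds: number[];
+export declare const accessControlIds: number[];
+export declare const cryptoIds: number[];
+export declare const injectionAndXssIds: number[];
+export declare const authAndCookieIds: number[];
 export declare const PCI_DSS_COMPLIANCE: ComplianceRegistry;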
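--- a/package/dist/compliances/pci-dss.js
+++ b/package/dist/compliances/pci-dss.js
@@ -25,12 +25,12 @@ const cookieSecureIds = idsByCodes([
 'COOKIE_HOST_PREFIX_INVALID',
 'COOKIE_SECURE_PREFIX_INVALID',
 ]);
-const allAppSecIds = mergeIds(authIds, injectionIds, xssIds, ssrfIds, configIds, disclosureIds);
-const misconfigIds = mergeIds(configIds, disclosureIds);
-const accessControlIds = mergeIds(authIds, cookieIds, dirbrowseIds, disclosureIds);
-const cryptoIds = mergeIds(jwtIds, hstsIds, cookieSecureIds);
-const injectionAndXssIds = mergeIds(injectionIds, xssIds);
-const authAndCookieIds = mergeIds(authIds, cookieIds);
+export const allAppSecIds = mergeIds(authIds, injectionIds, xssIds, ssrfIds, configIds, disclosureIds);
+export const misconfigIds = mergeIds(configIds, disclosureIds);
+export const accessControlIds = mergeIds(authIds, cookieIds, dirbrowseIds, disclosureIds);
+export const cryptoIds = mergeIds(jwtIds, hstsIds, cookieSecureIds);
+export const injectionAndXssIds = mergeIds(injectionIds, xssIds);
+export const authAndCookieIds = mergeIds(authIds, cookieIds);
 export const PCI_DSS_COMPLIANCE = {
 [ComplianceCode.PCI_REQ_1_INSTALL_FIREWALL]: {
 id: 74,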
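--- a/package/dist/compliances/sans-top-25.d.ts
+++ b/package/dist/compliances/sans-top-25.d.ts
@@ -1,2 +1,14 @@
 import { ComplianceRegistry } from '../types';
+export declare const authIds: number[];
+export declare const injectionIds: number[];
+export declare const xssIds: number[];
+export declare const ssrfIds: number[];
+export declare const disclosureIds: number[];
+export declare const accessControlIds: number[];
+export declare const sqliIds: number[];
+export declare const cmdiIds: number[];
+export declare const sstiIds: number[];
+export declare const lfiIds: number[];
+export declare const deserializationIds: number[];
+export declare const inputValidationIds: number[];
 export declare const SANS_TOP_25_COMPLIANCE: ComplianceRegistry;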
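--- a/package/dist/compliances/sans-top-25.js
+++ b/package/dist/compliances/sans-top-25.js
@@ -1,18 +1,18 @@
 import { ComplianceCode } from '../compliance-codes';
 import { ComplianceCategory } from '../types';
 import { idsByCategory, idsByCodePrefix, mergeIds } from './helpers.js';
-const authIds = idsByCategory('authentication');
-const injectionIds = idsByCategory('injection');
-const xssIds = idsByCategory('xss');
-const ssrfIds = idsByCategory('ssrf');
-const disclosureIds = idsByCategory('information_disclosure');
-const accessControlIds = idsByCodePrefix(['BAC_', 'MASSASSIGN_']);
-const sqliIds = idsByCodePrefix(['SQLI_']);
-const cmdiIds = idsByCodePrefix(['CMDI_']);
-const sstiIds = idsByCodePrefix(['SSTI_']);
-const lfiIds = idsByCodePrefix(['LFI_']);
-const deserializationIds = idsByCodePrefix(['DESER_']);
-const inputValidationIds = mergeIds(injectionIds, xssIds, ssrfIds);
+export const authIds = idsByCategory('authentication');
+export const injectionIds = idsByCategory('injection');
+export const xssIds = idsByCategory('xss');
+export const ssrfIds = idsByCategory('ssrf');
+export const disclosureIds = idsByCategory('information_disclosure');
+export const accessControlIds = idsByCodePrefix(['BAC_', 'MASSASSIGN_']);
+export const sqliIds = idsByCodePrefix(['SQLI_']);
+export const cmdiIds = idsByCodePrefix(['CMDI_']);
+export const sstiIds = idsByCodePrefix(['SSTI_']);
+export const lfiIds = idsByCodePrefix(['LFI_']);
+export const deserializationIds = idsByCodePrefix(['DESER_']);
+export const inputValidationIds = mergeIds(injectionIds, xssIds, ssrfIds);
 export const SANS_TOP_25_COMPLIANCE = {
 [ComplianceCode.SANS_TOP_25_CWE_79_XSS]: {
 id: 181,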
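Review bot: The context lines 1-2 of this ESM build import `'../compliance-codes'` and `'../types'` without a file extension while line 3 uses `'./helpers.js'`; if `dist` is ever loaded directly by Node as ESM, the extensionless relative specifiers do not resolve, whereas the `require("../compliance-codes")` form in the CommonJS build is fine. This predates the commit, but since the commit rewrites every other line of this header region it is a cheap moment to align them at the source (`'../compliance-codes.js'`, `'../types.js'`), or to confirm that a bundler is the only consumer of `dist`. The same extensionless pair appears in the gdpr, hipaa, owasp and pci-dss modules judging by their CommonJS output.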
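--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -5,6 +5,7 @@
 */
 import { VulnerabilityCode } from './error-codes.js';
 import type { VulnerabilityDefinition, VulnerabilityLookup, Severity, VulnerabilityCategory } from './types.js';
+import { VULNERABILITY_REGISTRY } from './registry.js';
 import { INJECTION_VULNERABILITIES } from './categories/injection.js';
 import { XSS_VULNERABILITIES } from './categories/xss.js';
 import { SSRF_VULNERABILITIES } from './categories/ssrf.js';
@@ -14,10 +15,6 @@ import { SENSITIVE_PATH_VULNERABILITIES } from './categories/sensitive-paths.js'
 import { CATEGORY_REGISTRY } from './category.js';
 import { SCANNER_REGISTRY } from './scanner.js';
 import { OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE } from './compliances/index.js';
-/**
-* Complete vulnerability registry combining all categories
-*/
-export declare const VULNERABILITY_REGISTRY: Record<string, VulnerabilityDefinition>;
 /**
 * Get vulnerability definition by code
 */
@@ -48,7 +45,7 @@ export declare function getVulnerabilityCount(): number;
 export declare function createFinding(code: VulnerabilityCode | string, overrides?: Partial<VulnerabilityDefinition>): VulnerabilityDefinition | null;
 export { VulnerabilityCode } from './error-codes.js';
 export type { VulnerabilityDefinition, VulnerabilityLookup, CVSSProfile, CWEReference, OWASPReference, Severity, VulnerabilityCategory, } from './types.js';
-export { INJECTION_VULNERABILITIES, XSS_VULNERABILITIES, SSRF_VULNERABILITIES, AUTH_VULNERABILITIES, CONFIG_VULNERABILITIES, SENSITIVE_PATH_VULNERABILITIES, OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE, CATEGORY_REGISTRY, SCANNER_REGISTRY, };
+export { INJECTION_VULNERABILITIES, XSS_VULNERABILITIES, SSRF_VULNERABILITIES, AUTH_VULNERABILITIES, CONFIG_VULNERABILITIES, SENSITIVE_PATH_VULNERABILITIES, VULNERABILITY_REGISTRY, OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE, CATEGORY_REGISTRY, SCANNER_REGISTRY, };
 declare const _default: {
 VulnerabilityCode: typeof VulnerabilityCode;
 VULNERABILITY_REGISTRY: Record<string, VulnerabilityDefinition>;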
package/dist/index.js
CHANGED
@@ -4,7 +4,7 @@
4
4
* Exports all vulnerability codes, definitions, and lookup utilities
5
5
*/
6
6
import { VulnerabilityCode } from './error-codes.js';
7
-
7
+
import { VULNERABILITY_REGISTRY } from './registry.js';
8
8
import { INJECTION_VULNERABILITIES } from './categories/injection.js';
9
9
import { XSS_VULNERABILITIES } from './categories/xss.js';
10
10
import { SSRF_VULNERABILITIES } from './categories/ssrf.js';
@@ -14,17 +14,6 @@ import { SENSITIVE_PATH_VULNERABILITIES } from './categories/sensitive-paths.js'
14
14
import { CATEGORY_REGISTRY } from './category.js';
15
15
import { SCANNER_REGISTRY } from './scanner.js';
16
16
import { OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE } from './compliances/index.js';
17
-
/**
18
-
* Complete vulnerability registry combining all categories
19
-
*/
20
-
export const VULNERABILITY_REGISTRY = {
21
-
...INJECTION_VULNERABILITIES,
22
-
...XSS_VULNERABILITIES,
23
-
...SSRF_VULNERABILITIES,
24
-
...AUTH_VULNERABILITIES,
25
-
...CONFIG_VULNERABILITIES,
26
-
...SENSITIVE_PATH_VULNERABILITIES,
27
-
};
28
17
/**
29
18
* Get vulnerability definition by code
30
19
*/
@@ -81,7 +70,7 @@ export function createFinding(code, overrides) {
81
70
// Re-export all types and enums
82
71
export { VulnerabilityCode } from './error-codes.js';
83
72
// Export category definitions for direct access
84
-
export { INJECTION_VULNERABILITIES, XSS_VULNERABILITIES, SSRF_VULNERABILITIES, AUTH_VULNERABILITIES, CONFIG_VULNERABILITIES, SENSITIVE_PATH_VULNERABILITIES, OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE, CATEGORY_REGISTRY, SCANNER_REGISTRY, };
73
+
export { INJECTION_VULNERABILITIES, XSS_VULNERABILITIES, SSRF_VULNERABILITIES, AUTH_VULNERABILITIES, CONFIG_VULNERABILITIES, SENSITIVE_PATH_VULNERABILITIES, VULNERABILITY_REGISTRY, OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE, CATEGORY_REGISTRY, SCANNER_REGISTRY, };
85
74
export default {
86
75
VulnerabilityCode,
87
76
VULNERABILITY_REGISTRY,
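Review bot: The new `COMPLIANCE_BY_VULNERABILITIES` export added to `./compliances/index.js` is not surfaced from this root module: the compliance import on line 16 and the export list on new line 73 only carry the five `*_COMPLIANCE` registries, so, unless package.json exposes a `./compliances` subpath, package consumers cannot reach it without a deep import. If that is unintended, add it to both lines and to the `export default` object that starts on line 74, and mirror the change in package/dist/index.d.ts (lines 17 and 48). The moved `VULNERABILITY_REGISTRY` is imported on line 7 and re-exported by name on line 73, which keeps the public surface of 7.0.0 intact; a short `// re-exported from ./registry.js so existing named imports keep working` above line 73 would record why the import exists in a module that no longer defines it.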
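--- a/package/dist/registry.d.ts
+++ b/package/dist/registry.d.ts
@@ -0,0 +1,6 @@
+import type { VulnerabilityDefinition } from './types.js';
+/**
+* Complete vulnerability registry combining all categories.
+* Kept in a standalone module to avoid circular imports with compliances.
+*/
+export declare const VULNERABILITY_REGISTRY: Record<string, VulnerabilityDefinition>;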
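--- a/package/dist/registry.js
+++ b/package/dist/registry.js
@@ -0,0 +1,18 @@
+import { INJECTION_VULNERABILITIES } from './categories/injection.js';
+import { XSS_VULNERABILITIES } from './categories/xss.js';
+import { SSRF_VULNERABILITIES } from './categories/ssrf.js';
+import { AUTH_VULNERABILITIES } from './categories/authentication.js';
+import { CONFIG_VULNERABILITIES } from './categories/configuration.js';
+import { SENSITIVE_PATH_VULNERABILITIES } from './categories/sensitive-paths.js';
+/**
+* Complete vulnerability registry combining all categories.
+* Kept in a standalone module to avoid circular imports with compliances.
+*/
+export const VULNERABILITY_REGISTRY = {
+...INJECTION_VULNERABILITIES,
+...XSS_VULNERABILITIES,
+...SSRF_VULNERABILITIES,
+...AUTH_VULNERABILITIES,
+...CONFIG_VULNERABILITIES,
+...SENSITIVE_PATH_VULNERABILITIES,
+};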
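Review bot: The object spread on new lines 11-18 resolves a key present in two category maps by silently keeping the later one, so a vulnerability code duplicated across categories would drop a definition with no signal, and this object is the lookup source for every compliance mapping (`helpers.js` indexes it as `VULNERABILITY_REGISTRY[code]`). A load-time guard is cheap here: `const sources = [INJECTION_VULNERABILITIES, XSS_VULNERABILITIES, SSRF_VULNERABILITIES, AUTH_VULNERABILITIES, CONFIG_VULNERABILITIES, SENSITIVE_PATH_VULNERABILITIES];` then `export const VULNERABILITY_REGISTRY = Object.assign({}, ...sources);` and `if (Object.keys(VULNERABILITY_REGISTRY).length !== sources.reduce((n, s) => n + Object.keys(s).length, 0)) throw new Error('VULNERABILITY_REGISTRY: duplicate vulnerability code across categories');`. Wrapping the result in `Object.freeze` would additionally keep consumers from mutating the shared registry, which the visible helpers only read. The doc comment on lines 7-10 is good; stating there that keys are vulnerability codes would make the lookup contract explicit, if that is indeed what the category maps are keyed by.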
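--- a/package/dist-cjs/compliances/compliance-by-vulnerabilities.js
+++ b/package/dist-cjs/compliances/compliance-by-vulnerabilities.js
@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.COMPLIANCE_BY_VULNERABILITIES = void 0;
+const gdpr_js_1 = require("./gdpr.js");
+const hipaa_js_1 = require("./hipaa.js");
+const owasp_js_1 = require("./owasp.js");
+const pci_dss_js_1 = require("./pci-dss.js");
+const sans_top_25_js_1 = require("./sans-top-25.js");
+exports.COMPLIANCE_BY_VULNERABILITIES = [
+{
+id: 3,
+title: 'GDPR',
+vulnerabilities: [...gdpr_js_1.accessRestrictionIds, ...gdpr_js_1.allAppSecIds, ...gdpr_js_1.authAndCookieIds, ...gdpr_js_1.cryptoPolicyIds, ...gdpr_js_1.infoLeakageIds, ...gdpr_js_1.inputValidationIds, ...gdpr_js_1.outputValidationIds]
+},
+{
+id: 2,
+title: 'HIPAA',
+vulnerabilities: [hipaa_js_1.accessControlIds, ...hipaa_js_1.allAppSecIds, ...hipaa_js_1.authAndCookieIds, ...hipaa_js_1.cryptoIds, ...hipaa_js_1.integrityIds]
+},
+{
+id: 1,
+title: 'OWASP',
+vulnerabilities: [...owasp_js_1.owaspA1Ids, ...owasp_js_1.owaspA2Ids, ...owasp_js_1.owaspA3Ids, ...owasp_js_1.owaspA5Ids, ...owasp_js_1.owaspA7Ids, ...owasp_js_1.owaspA8Ids]
+},
+{
+id: 4,
+title: 'PCI-DSS',
+vulnerabilities: [...pci_dss_js_1.allAppSecIds, ...pci_dss_js_1.misconfigIds, ...pci_dss_js_1.accessControlIds, ...pci_dss_js_1.cryptoIds, ...pci_dss_js_1.injectionAndXssIds, ...pci_dss_js_1.authAndCookieIds]
+},
+{
+id: 6,
+title: 'SANS Top 25',
+vulnerabilities: [...sans_top_25_js_1.authIds, ...sans_top_25_js_1.accessControlIds, ...sans_top_25_js_1.cmdiIds, ...sans_top_25_js_1.deserializationIds, ...sans_top_25_js_1.disclosureIds, ...sans_top_25_js_1.injectionIds, ...sans_top_25_js_1.lfiIds, ...sans_top_25_js_1.sqliIds, ...sans_top_25_js_1.ssrfIds, ...sans_top_25_js_1.sstiIds, ...sans_top_25_js_1.xssIds]
+}
+];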
@@ -1,6 +1,6 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.GDPR_COMPLIANCE = void 0;
|
|
3
|
+
exports.GDPR_COMPLIANCE = exports.infoLeakageIds = exports.outputValidationIds = exports.inputValidationIds = exports.cryptoPolicyIds = exports.accessRestrictionIds = exports.authAndCookieIds = exports.allAppSecIds = void 0;
|
|
4
4
|
const compliance_codes_1 = require("../compliance-codes");
|
|
5
5
|
const types_1 = require("../types");
|
|
6
6
|
const helpers_js_1 = require("./helpers.js");
|
|
@@ -28,13 +28,13 @@ const cookieSecureIds = (0, helpers_js_1.idsByCodes)([
|
|
|
28
28
|
'COOKIE_HOST_PREFIX_INVALID',
|
|
29
29
|
'COOKIE_SECURE_PREFIX_INVALID',
|
|
30
30
|
]);
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
31
|
+
exports.allAppSecIds = (0, helpers_js_1.mergeIds)(authIds, injectionIds, xssIds, ssrfIds, configIds, disclosureIds);
|
|
32
|
+
exports.authAndCookieIds = (0, helpers_js_1.mergeIds)(authIds, cookieIds);
|
|
33
|
+
exports.accessRestrictionIds = (0, helpers_js_1.mergeIds)(authIds, cookieIds, dirbrowseIds, disclosureIds);
|
|
34
|
+
exports.cryptoPolicyIds = (0, helpers_js_1.mergeIds)(jwtIds, hstsIds, cookieSecureIds);
|
|
35
|
+
exports.inputValidationIds = (0, helpers_js_1.mergeIds)(injectionIds, xssIds, ssrfIds);
|
|
36
|
+
exports.outputValidationIds = (0, helpers_js_1.mergeIds)(injectionIds, xssIds);
|
|
37
|
+
exports.infoLeakageIds = (0, helpers_js_1.mergeIds)(configIds, disclosureIds);
|
|
38
38
|
exports.GDPR_COMPLIANCE = {
|
|
39
39
|
[compliance_codes_1.ComplianceCode.GDPR_A_10_1_1_DOCUMENTED_OPERATING_PROCEDURES]: {
|
|
40
40
|
id: 1,
|
|
@@ -87,7 +87,7 @@ exports.GDPR_COMPLIANCE = {
|
|
|
87
87
|
title: 'A.10.3.2 System acceptance',
|
|
88
88
|
description: 'Before fully using updated systems, ensure they meet security and performance standards through thorough testing.',
|
|
89
89
|
complianceStandard: types_1.ComplianceCategory.GDPR,
|
|
90
|
-
relatedVulnerabilityIds: allAppSecIds,
|
|
90
|
+
relatedVulnerabilityIds: exports.allAppSecIds,
|
|
91
91
|
isNotApplicable: false,
|
|
92
92
|
},
|
|
93
93
|
[compliance_codes_1.ComplianceCode.GDPR_A_11_2_3_USER_PASSWORD_MANAGEMENT]: {
|
|
@@ -96,7 +96,7 @@ exports.GDPR_COMPLIANCE = {
|
|
|
96
96
|
title: 'A.11.2.3 User Password Management',
|
|
97
97
|
description: 'Manage password distribution securely through a formal process.',
|
|
98
98
|
complianceStandard: types_1.ComplianceCategory.GDPR,
|
|
99
|
-
relatedVulnerabilityIds: authAndCookieIds,
|
|
99
|
+
relatedVulnerabilityIds: exports.authAndCookieIds,
|
|
100
100
|
isNotApplicable: true,
|
|
101
101
|
},
|
|
102
102
|
[compliance_codes_1.ComplianceCode.GDPR_A_11_3_1_PASSWORD_USE]: {
|
|
@@ -105,7 +105,7 @@ exports.GDPR_COMPLIANCE = {
|
|
|
105
105
|
title: 'A.11.3.1 Password Use',
|
|
106
106
|
description: 'Users must follow strong security practices when creating and using passwords.',
|
|
107
107
|
complianceStandard: types_1.ComplianceCategory.GDPR,
|
|
108
|
-
relatedVulnerabilityIds: authAndCookieIds,
|
|
108
|
+
relatedVulnerabilityIds: exports.authAndCookieIds,
|
|
109
109
|
isNotApplicable: true,
|
|
110
110
|
},
|
|
111
111
|
[compliance_codes_1.ComplianceCode.GDPR_A_11_4_4_REMOTE_DIAGNOSTIC_PORT_PROTECTION]: {
|
|
@@ -123,7 +123,7 @@ exports.GDPR_COMPLIANCE = {
|
|
|
123
123
|
title: 'A.11.5.3 Password Management System',
|
|
124
124
|
description: 'Use an interactive system to manage passwords, ensuring they are strong and meet security standards.',
|
|
125
125
|
complianceStandard: types_1.ComplianceCategory.GDPR,
|
|
126
|
-
relatedVulnerabilityIds: authAndCookieIds,
|
|
126
|
+
relatedVulnerabilityIds: exports.authAndCookieIds,
|
|
127
127
|
isNotApplicable: true,
|
|
128
128
|
},
|
|
129
129
|
[compliance_codes_1.ComplianceCode.GDPR_A_11_5_4_USE_OF_SYSTEM_UTILITIES]: {
|
|
@@ -132,7 +132,7 @@ exports.GDPR_COMPLIANCE = {
|
|
|
132
132
|
title: 'A.11.5.4 Use of System Utilities',
|
|
133
133
|
description: 'Restrict and control the use of utility programs that can bypass system or application security.',
|
|
134
134
|
complianceStandard: types_1.ComplianceCategory.GDPR,
|
|
135
|
-
relatedVulnerabilityIds: accessRestrictionIds,
|
|
135
|
+
relatedVulnerabilityIds: exports.accessRestrictionIds,
|
|
136
136
|
isNotApplicable: true,
|
|
137
137
|
},
|
|
138
138
|
[compliance_codes_1.ComplianceCode.GDPR_A_11_5_5_SESSION_TIMEOUT]: {
|
|
@@ -141,7 +141,7 @@ exports.GDPR_COMPLIANCE = {
|
|
|
141
141
|
title: 'A.11.5.5 Session Time-out',
|
|
142
142
|
description: 'Automatically log users out after a period of inactivity to protect the system.',
|
|
143
143
|
complianceStandard: types_1.ComplianceCategory.GDPR,
|
|
144
|
-
relatedVulnerabilityIds: authAndCookieIds,
|
|
144
|
+
relatedVulnerabilityIds: exports.authAndCookieIds,
|
|
145
145
|
isNotApplicable: true,
|
|
146
146
|
},
|
|
147
147
|
[compliance_codes_1.ComplianceCode.GDPR_A_11_5_6_LIMITATION_CONNECTION_TIME]: {
|
|
@@ -150,7 +150,7 @@ exports.GDPR_COMPLIANCE = {
|
|
|
150
150
|
title: 'A.11.5.6 Limitation of Connection Time',
|
|
151
151
|
description: 'Limit connection times, especially for high-risk applications, to enhance security.',
|
|
152
152
|
complianceStandard: types_1.ComplianceCategory.GDPR,
|
|
153
|
-
relatedVulnerabilityIds: authAndCookieIds,
|
|
153
|
+
relatedVulnerabilityIds: exports.authAndCookieIds,
|
|
154
154
|
isNotApplicable: true,
|
|
155
155
|
},
|
|
156
156
|
[compliance_codes_1.ComplianceCode.GDPR_A_11_6_1_INFORMATION_ACCESS_RESTRICTION]: {
|
|
@@ -159,7 +159,7 @@ exports.GDPR_COMPLIANCE = {
|
|
|
159
159
|
title: 'A.11.6.1 Information Access Restriction',
|
|
160
160
|
description: 'Limit access to information and system functions based on the access control policy for users and support staff.',
|
|
161
161
|
complianceStandard: types_1.ComplianceCategory.GDPR,
|
|
162
|
-
relatedVulnerabilityIds: accessRestrictionIds,
|
|
162
|
+
relatedVulnerabilityIds: exports.accessRestrictionIds,
|
|
163
163
|
isNotApplicable: false,
|
|
164
164
|
},
|
|
165
165
|
[compliance_codes_1.ComplianceCode.GDPR_A_12_1_1_SECURITY_REQUIREMENTS_ANALYSIS]: {
|
|
@@ -177,7 +177,7 @@ exports.GDPR_COMPLIANCE = {
|
|
|
177
177
|
title: 'A.12.2.1 Input Data Validation',
|
|
178
178
|
description: 'Validate all data entered into applications to ensure it\'s accurate and appropriate.',
|
|
179
179
|
complianceStandard: types_1.ComplianceCategory.GDPR,
|
|
180
|
-
relatedVulnerabilityIds: inputValidationIds,
|
|
180
|
+
relatedVulnerabilityIds: exports.inputValidationIds,
|
|
181
181
|
isNotApplicable: false,
|
|
182
182
|
},
|
|
183
183
|
[compliance_codes_1.ComplianceCode.GDPR_A_12_2_4_OUTPUT_DATA_VALIDATION]: {
|
|
@@ -186,7 +186,7 @@ exports.GDPR_COMPLIANCE = {
|
|
|
186
186
|
title: 'A.12.2.4 Output Data Validation',
|
|
187
187
|
description: 'Validate the data output from applications to confirm that the processed information is correct and relevant.',
|
|
188
188
|
complianceStandard: types_1.ComplianceCategory.GDPR,
|
|
189
|
-
relatedVulnerabilityIds: outputValidationIds,
|
|
189
|
+
relatedVulnerabilityIds: exports.outputValidationIds,
|
|
190
190
|
isNotApplicable: false,
|
|
191
191
|
},
|
|
192
192
|
[compliance_codes_1.ComplianceCode.GDPR_A_12_3_1_POLICY_CRYPTOGRAPHIC_CONTROLS]: {
|
|
@@ -195,7 +195,7 @@ exports.GDPR_COMPLIANCE = {
|
|
|
195
195
|
title: 'A.12.3.1 Policy on the Use of Cryptographic Controls',
|
|
196
196
|
description: 'Develop and implement a policy for using cryptographic methods to protect information.',
|
|
197
197
|
complianceStandard: types_1.ComplianceCategory.GDPR,
|
|
198
|
-
relatedVulnerabilityIds: cryptoPolicyIds,
|
|
198
|
+
relatedVulnerabilityIds: exports.cryptoPolicyIds,
|
|
199
199
|
isNotApplicable: false,
|
|
200
200
|
},
|
|
201
201
|
[compliance_codes_1.ComplianceCode.GDPR_A_12_3_2_KEY_MANAGEMENT]: {
|
|
@@ -204,7 +204,7 @@ exports.GDPR_COMPLIANCE = {
|
|
|
204
204
|
title: 'A.12.3.2 Key Management',
|
|
205
205
|
description: 'Establish a key management system to support the organization\'s use of encryption and cryptographic techniques.',
|
|
206
206
|
complianceStandard: types_1.ComplianceCategory.GDPR,
|
|
207
|
-
relatedVulnerabilityIds: cryptoPolicyIds,
|
|
207
|
+
relatedVulnerabilityIds: exports.cryptoPolicyIds,
|
|
208
208
|
isNotApplicable: false,
|
|
209
209
|
},
|
|
210
210
|
[compliance_codes_1.ComplianceCode.GDPR_A_12_4_3_ACCESS_CONTROL_SOURCE_CODE]: {
|
|
@@ -213,7 +213,7 @@ exports.GDPR_COMPLIANCE = {
|
|
|
213
213
|
title: 'A.12.4.3 Access Control to Program Source Code',
|
|
214
214
|
description: 'Restrict access to the source code of programs to authorized personnel only.',
|
|
215
215
|
complianceStandard: types_1.ComplianceCategory.GDPR,
|
|
216
|
-
relatedVulnerabilityIds: accessRestrictionIds,
|
|
216
|
+
relatedVulnerabilityIds: exports.accessRestrictionIds,
|
|
217
217
|
isNotApplicable: true,
|
|
218
218
|
},
|
|
219
219
|
[compliance_codes_1.ComplianceCode.GDPR_A_12_5_3_RESTRICTIONS_CHANGES_SOFTWARE]: {
|
|
@@ -222,7 +222,7 @@ exports.GDPR_COMPLIANCE = {
|
|
|
222
222
|
title: 'A.12.5.3 Restrictions on Changes to Software Packages',
|
|
223
223
|
description: 'Limit modifications to software packages to necessary changes only, and tightly control all adjustments.',
|
|
224
224
|
complianceStandard: types_1.ComplianceCategory.GDPR,
|
|
225
|
-
relatedVulnerabilityIds: accessRestrictionIds,
|
|
225
|
+
relatedVulnerabilityIds: exports.accessRestrictionIds,
|
|
226
226
|
isNotApplicable: true,
|
|
227
227
|
},
|
|
228
228
|
[compliance_codes_1.ComplianceCode.GDPR_A_12_5_4_INFORMATION_LEAKAGE]: {
|
|
@@ -231,7 +231,7 @@ exports.GDPR_COMPLIANCE = {
|
|
|
231
231
|
title: 'A.12.5.4 Information Leakage',
|
|
232
232
|
description: 'Prevent any opportunities that could lead to unauthorized information leakage.',
|
|
233
233
|
complianceStandard: types_1.ComplianceCategory.GDPR,
|
|
234
|
-
relatedVulnerabilityIds: infoLeakageIds,
|
|
234
|
+
relatedVulnerabilityIds: exports.infoLeakageIds,
|
|
235
235
|
isNotApplicable: true,
|
|
236
236
|
},
|
|
237
237
|
[compliance_codes_1.ComplianceCode.GDPR_A_12_5_5_OUTSOURCED_SOFTWARE_DEV]: {
|
|
@@ -249,7 +249,7 @@ exports.GDPR_COMPLIANCE = {
|
|
|
249
249
|
title: 'A.12.6.1 Control of Technical Vulnerabilities',
|
|
250
250
|
description: 'Stay informed about technical vulnerabilities in the systems being used, assess the organization\'s exposure to them, and take necessary actions to manage the associated risks.',
|
|
251
251
|
complianceStandard: types_1.ComplianceCategory.GDPR,
|
|
252
|
-
relatedVulnerabilityIds: allAppSecIds,
|
|
252
|
+
relatedVulnerabilityIds: exports.allAppSecIds,
|
|
253
253
|
isNotApplicable: true,
|
|
254
254
|
},
|
|
255
255
|
};
|
|
@@ -1,16 +1,16 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.mergeIds = exports.idsByCodePrefix = exports.idsByCodes = exports.idsByCategory = exports.allVulnerabilityIds = void 0;
|
|
4
|
-
const
|
|
4
|
+
const registry_js_1 = require("../registry.js");
|
|
5
5
|
// Lazy getter to avoid circular dependency issues at module load time
|
|
6
|
-
const getAllVulnerabilities = () => Object.values(
|
|
6
|
+
const getAllVulnerabilities = () => Object.values(registry_js_1.VULNERABILITY_REGISTRY);
|
|
7
7
|
const uniqueSorted = (ids) => Array.from(new Set(ids)).sort((a, b) => a - b);
|
|
8
8
|
const allVulnerabilityIds = () => uniqueSorted(getAllVulnerabilities().map(v => v.id));
|
|
9
9
|
exports.allVulnerabilityIds = allVulnerabilityIds;
|
|
10
10
|
const idsByCategory = (category) => uniqueSorted(getAllVulnerabilities().filter(v => v.category === category).map(v => v.id));
|
|
11
11
|
exports.idsByCategory = idsByCategory;
|
|
12
12
|
const idsByCodes = (codes) => uniqueSorted(codes
|
|
13
|
-
.map(code =>
|
|
13
|
+
.map(code => registry_js_1.VULNERABILITY_REGISTRY[code]?.id)
|
|
14
14
|
.filter((id) => typeof id === 'number'));
|
|
15
15
|
exports.idsByCodes = idsByCodes;
|
|
16
16
|
const idsByCodePrefix = (prefixes) => uniqueSorted(getAllVulnerabilities().filter(v => prefixes.some(prefix => v.code.startsWith(prefix)))
|