@zerothreatai/vulnerability-registry 9.0.1 → 9.0.2

@@ -203,5 +203,11 @@ export declare enum ComplianceCode {
203
203
  SANS_TOP_25_CWE_798_HARDCODED_CREDS = "SANS_TOP_25_CWE_798_HARDCODED_CREDS",
204
204
  SANS_TOP_25_CWE_190_INTEGER_OVERFLOW = "SANS_TOP_25_CWE_190_INTEGER_OVERFLOW",
205
205
  SANS_TOP_25_CWE_400_RESOURCE_CONSUMPTION = "SANS_TOP_25_CWE_400_RESOURCE_CONSUMPTION",
206
- SANS_TOP_25_CWE_306_MISSING_AUTH = "SANS_TOP_25_CWE_306_MISSING_AUTH"
206
+ SANS_TOP_25_CWE_306_MISSING_AUTH = "SANS_TOP_25_CWE_306_MISSING_AUTH",
207
+ ISO27001_A9_ACCESS_CONTROL = "ISO27001_A9_ACCESS_CONTROL",
208
+ ISO27001_A10_CRYPTOGRAPHY = "ISO27001_A10_CRYPTOGRAPHY",
209
+ ISO27001_A12_OPERATIONS_SECURITY = "ISO27001_A12_OPERATIONS_SECURITY",
210
+ ISO27001_A13_COMMUNICATIONS_SECURITY = "ISO27001_A13_COMMUNICATIONS_SECURITY",
211
+ ISO27001_A14_SYSTEM_ACQUISITION_DEV = "ISO27001_A14_SYSTEM_ACQUISITION_DEV",
212
+ ISO27001_A18_COMPLIANCE = "ISO27001_A18_COMPLIANCE"
207
213
  }
@@ -210,4 +210,11 @@ export var ComplianceCode;
210
210
  ComplianceCode["SANS_TOP_25_CWE_190_INTEGER_OVERFLOW"] = "SANS_TOP_25_CWE_190_INTEGER_OVERFLOW";
211
211
  ComplianceCode["SANS_TOP_25_CWE_400_RESOURCE_CONSUMPTION"] = "SANS_TOP_25_CWE_400_RESOURCE_CONSUMPTION";
212
212
  ComplianceCode["SANS_TOP_25_CWE_306_MISSING_AUTH"] = "SANS_TOP_25_CWE_306_MISSING_AUTH";
213
+ // --- ISO/IEC 27001 (ComplianceId: 5) ---
214
+ ComplianceCode["ISO27001_A9_ACCESS_CONTROL"] = "ISO27001_A9_ACCESS_CONTROL";
215
+ ComplianceCode["ISO27001_A10_CRYPTOGRAPHY"] = "ISO27001_A10_CRYPTOGRAPHY";
216
+ ComplianceCode["ISO27001_A12_OPERATIONS_SECURITY"] = "ISO27001_A12_OPERATIONS_SECURITY";
217
+ ComplianceCode["ISO27001_A13_COMMUNICATIONS_SECURITY"] = "ISO27001_A13_COMMUNICATIONS_SECURITY";
218
+ ComplianceCode["ISO27001_A14_SYSTEM_ACQUISITION_DEV"] = "ISO27001_A14_SYSTEM_ACQUISITION_DEV";
219
+ ComplianceCode["ISO27001_A18_COMPLIANCE"] = "ISO27001_A18_COMPLIANCE";
213
220
  })(ComplianceCode || (ComplianceCode = {}));
@@ -3,6 +3,7 @@ import { accessControlIds, allAppSecIds as hallAppSecIds, authAndCookieIds as ha
3
3
  import { owaspA1Ids, owaspA2Ids, owaspA3Ids, owaspA5Ids, owaspA7Ids, owaspA8Ids } from './owasp.js';
4
4
  import { allAppSecIds as pciAllAppSecIds, misconfigIds as pciMisconfigIds, accessControlIds as pciAccessControlIds, cryptoIds as pciCryptoIds, injectionAndXssIds as pciInjectionAndXssIds, authAndCookieIds as pciAuthAndCookieIds } from './pci-dss.js';
5
5
  import { authIds as sauthIds, accessControlIds as saccessControlIds, cmdiIds as scmdiIds, deserializationIds as sdeserializationIds, disclosureIds as sdisclosureIds, injectionIds as sinjectionIds, lfiIds as slfiIds, sqliIds, ssrfIds as ssrfids, sstiIds as ssstiIds, xssIds as sxssIds } from './sans-top-25.js';
6
+ import { isoAccessControlIds, isoCryptoIds, isoOpsSecurityIds, isoCommunicationsSecurityIds, isoSecureDevelopmentIds, isoComplianceIds } from './iso27001.js';
6
7
  export const COMPLIANCE_BY_VULNERABILITIES = [
7
8
  {
8
9
  id: 3,
@@ -28,5 +29,10 @@ export const COMPLIANCE_BY_VULNERABILITIES = [
28
29
  id: 6,
29
30
  title: 'SANS Top 25',
30
31
  vulnerabilities: [...sauthIds, ...saccessControlIds, ...scmdiIds, ...sdeserializationIds, ...sdisclosureIds, ...sinjectionIds, ...slfiIds, ...sqliIds, ...ssrfids, ...ssstiIds, ...sxssIds]
32
+ },
33
+ {
34
+ id: 5,
35
+ title: 'ISO 27001',
36
+ vulnerabilities: [...isoAccessControlIds, ...isoCryptoIds, ...isoOpsSecurityIds, ...isoCommunicationsSecurityIds, ...isoSecureDevelopmentIds, ...isoComplianceIds]
31
37
  }
32
38
  ];
@@ -3,4 +3,5 @@ export { HIPAA_COMPLIANCE } from './hipaa.js';
3
3
  export { GDPR_COMPLIANCE } from './gdpr.js';
4
4
  export { PCI_DSS_COMPLIANCE } from './pci-dss.js';
5
5
  export { SANS_TOP_25_COMPLIANCE } from './sans-top-25.js';
6
+ export { ISO27001_COMPLIANCE } from './iso27001.js';
6
7
  export { COMPLIANCE_BY_VULNERABILITIES } from './compliance-by-vulnerabilities.js';
@@ -3,4 +3,5 @@ export { HIPAA_COMPLIANCE } from './hipaa.js';
3
3
  export { GDPR_COMPLIANCE } from './gdpr.js';
4
4
  export { PCI_DSS_COMPLIANCE } from './pci-dss.js';
5
5
  export { SANS_TOP_25_COMPLIANCE } from './sans-top-25.js';
6
+ export { ISO27001_COMPLIANCE } from './iso27001.js';
6
7
  export { COMPLIANCE_BY_VULNERABILITIES } from './compliance-by-vulnerabilities.js';
@@ -0,0 +1,8 @@
1
+ import { ComplianceRegistry } from '../types';
2
+ export declare const isoAccessControlIds: number[];
3
+ export declare const isoCryptoIds: number[];
4
+ export declare const isoOpsSecurityIds: number[];
5
+ export declare const isoCommunicationsSecurityIds: number[];
6
+ export declare const isoSecureDevelopmentIds: number[];
7
+ export declare const isoComplianceIds: number[];
8
+ export declare const ISO27001_COMPLIANCE: ComplianceRegistry;
@@ -0,0 +1,91 @@
1
+ import { ComplianceCode } from '../compliance-codes';
2
+ import { ComplianceCategory } from '../types';
3
+ import { idsByCategory, idsByCodePrefix, idsByCodes, mergeIds } from './helpers.js';
4
+ const authIds = idsByCategory('authentication');
5
+ const injectionIds = idsByCategory('injection');
6
+ const xssIds = idsByCategory('xss');
7
+ const ssrfIds = idsByCategory('ssrf');
8
+ const configIds = idsByCategory('configuration');
9
+ const disclosureIds = idsByCategory('information_disclosure');
10
+ const cryptoIds = idsByCategory('cryptographic');
11
+ const accessControlIds = idsByCodePrefix(['BAC_', 'MASSASSIGN_']);
12
+ const jwtIds = idsByCodePrefix(['JWT_']);
13
+ const cookieIds = idsByCodePrefix(['COOKIE_']);
14
+ const dirbrowseIds = idsByCodePrefix(['DIRBROWSE_']);
15
+ const hstsIds = idsByCodes([
16
+ 'HEADER_MISSING_HSTS',
17
+ 'HEADER_HSTS_BAD_MAX_AGE',
18
+ 'HEADER_HSTS_SHORT_MAX_AGE',
19
+ 'HEADER_HSTS_NO_INCLUDESUBDOMAINS',
20
+ 'HEADER_HSTS_PRELOAD_LOW_MAX_AGE',
21
+ 'HEADER_DRIFT_HSTS',
22
+ ]);
23
+ const cookieSecureIds = idsByCodes([
24
+ 'COOKIE_SAMESITE_NONE_WITHOUT_SECURE',
25
+ 'COOKIE_SESSION_MISSING_SECURE',
26
+ 'COOKIE_MISSING_SECURE',
27
+ 'COOKIE_HOST_PREFIX_INVALID',
28
+ 'COOKIE_SECURE_PREFIX_INVALID',
29
+ ]);
30
+ export const isoAccessControlIds = mergeIds(accessControlIds, authIds, jwtIds, cookieIds);
31
+ export const isoCryptoIds = mergeIds(cryptoIds, hstsIds, cookieSecureIds);
32
+ export const isoOpsSecurityIds = mergeIds(configIds, disclosureIds, dirbrowseIds);
33
+ export const isoCommunicationsSecurityIds = mergeIds(hstsIds, cookieSecureIds);
34
+ export const isoSecureDevelopmentIds = mergeIds(injectionIds, xssIds, ssrfIds);
35
+ export const isoComplianceIds = mergeIds(accessControlIds, configIds, disclosureIds);
36
+ export const ISO27001_COMPLIANCE = {
37
+ [ComplianceCode.ISO27001_A9_ACCESS_CONTROL]: {
38
+ id: 206,
39
+ code: ComplianceCode.ISO27001_A9_ACCESS_CONTROL,
40
+ title: 'A.9 Access Control',
41
+ description: 'Access to information and application functions must be restricted based on business and security requirements, ensuring users can only perform authorized actions.',
42
+ complianceStandard: ComplianceCategory.ISO27001,
43
+ relatedVulnerabilityIds: isoAccessControlIds,
44
+ isNotApplicable: false,
45
+ },
46
+ [ComplianceCode.ISO27001_A10_CRYPTOGRAPHY]: {
47
+ id: 207,
48
+ code: ComplianceCode.ISO27001_A10_CRYPTOGRAPHY,
49
+ title: 'A.10 Cryptography',
50
+ description: 'Cryptographic controls must be used to protect the confidentiality, authenticity, and integrity of information in transit and at rest.',
51
+ complianceStandard: ComplianceCategory.ISO27001,
52
+ relatedVulnerabilityIds: isoCryptoIds,
53
+ isNotApplicable: isoCryptoIds.length === 0,
54
+ },
55
+ [ComplianceCode.ISO27001_A12_OPERATIONS_SECURITY]: {
56
+ id: 208,
57
+ code: ComplianceCode.ISO27001_A12_OPERATIONS_SECURITY,
58
+ title: 'A.12 Operations Security',
59
+ description: 'Operational procedures and controls should prevent misconfiguration and leakage that expose sensitive information or system internals.',
60
+ complianceStandard: ComplianceCategory.ISO27001,
61
+ relatedVulnerabilityIds: isoOpsSecurityIds,
62
+ isNotApplicable: false,
63
+ },
64
+ [ComplianceCode.ISO27001_A13_COMMUNICATIONS_SECURITY]: {
65
+ id: 209,
66
+ code: ComplianceCode.ISO27001_A13_COMMUNICATIONS_SECURITY,
67
+ title: 'A.13 Communications Security',
68
+ description: 'Network and communications must be protected to prevent interception, downgrade, or weak transport protections.',
69
+ complianceStandard: ComplianceCategory.ISO27001,
70
+ relatedVulnerabilityIds: isoCommunicationsSecurityIds,
71
+ isNotApplicable: false,
72
+ },
73
+ [ComplianceCode.ISO27001_A14_SYSTEM_ACQUISITION_DEV]: {
74
+ id: 210,
75
+ code: ComplianceCode.ISO27001_A14_SYSTEM_ACQUISITION_DEV,
76
+ title: 'A.14 System Acquisition, Development and Maintenance',
77
+ description: 'Security must be integrated into the software development lifecycle to prevent common injection and input handling flaws.',
78
+ complianceStandard: ComplianceCategory.ISO27001,
79
+ relatedVulnerabilityIds: isoSecureDevelopmentIds,
80
+ isNotApplicable: false,
81
+ },
82
+ [ComplianceCode.ISO27001_A18_COMPLIANCE]: {
83
+ id: 211,
84
+ code: ComplianceCode.ISO27001_A18_COMPLIANCE,
85
+ title: 'A.18 Compliance',
86
+ description: 'Security controls should be verified to ensure regulatory and contractual requirements for access restriction and data protection are met.',
87
+ complianceStandard: ComplianceCategory.ISO27001,
88
+ relatedVulnerabilityIds: isoComplianceIds,
89
+ isNotApplicable: false,
90
+ },
91
+ };
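--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -14,7 +14,7 @@ import { CONFIG_VULNERABILITIES } from './categories/configuration.js';
 import { SENSITIVE_PATH_VULNERABILITIES } from './categories/sensitive-paths.js';
 import { CATEGORY_REGISTRY } from './category.js';
 import { SCANNER_REGISTRY } from './scanner.js';
-import { OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE, COMPLIANCE_BY_VULNERABILITIES } from './compliances/index.js';
+import { OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE, ISO27001_COMPLIANCE, COMPLIANCE_BY_VULNERABILITIES } from './compliances/index.js';
 /**
 * Get vulnerability definition by code
 */
@@ -45,7 +45,7 @@ export declare function getVulnerabilityCount(): number;
 export declare function createFinding(code: VulnerabilityCode | string, overrides?: Partial<VulnerabilityDefinition>): VulnerabilityDefinition | null;
 export { VulnerabilityCode } from './error-codes.js';
 export type { VulnerabilityDefinition, VulnerabilityLookup, CVSSProfile, CWEReference, OWASPReference, Severity, VulnerabilityCategory, } from './types.js';
-export { INJECTION_VULNERABILITIES, XSS_VULNERABILITIES, SSRF_VULNERABILITIES, AUTH_VULNERABILITIES, CONFIG_VULNERABILITIES, SENSITIVE_PATH_VULNERABILITIES, VULNERABILITY_REGISTRY, OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE, CATEGORY_REGISTRY, SCANNER_REGISTRY, COMPLIANCE_BY_VULNERABILITIES };
+export { INJECTION_VULNERABILITIES, XSS_VULNERABILITIES, SSRF_VULNERABILITIES, AUTH_VULNERABILITIES, CONFIG_VULNERABILITIES, SENSITIVE_PATH_VULNERABILITIES, VULNERABILITY_REGISTRY, OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE, ISO27001_COMPLIANCE, CATEGORY_REGISTRY, SCANNER_REGISTRY, COMPLIANCE_BY_VULNERABILITIES };
 declare const _default: {
 VulnerabilityCode: typeof VulnerabilityCode;
 VULNERABILITY_REGISTRY: Record<string, VulnerabilityDefinition>;
@@ -61,6 +61,7 @@ declare const _default: {
 GDPR_COMPLIANCE: import("./types.js").ComplianceRegistry;
 PCI_DSS_COMPLIANCE: import("./types.js").ComplianceRegistry;
 SANS_TOP_25_COMPLIANCE: import("./types.js").ComplianceRegistry;
+ISO27001_COMPLIANCE: import("./types.js").ComplianceRegistry;
 CATEGORY_REGISTRY: Record<string, {
 title: string;
 }>;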
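--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -13,7 +13,7 @@ import { CONFIG_VULNERABILITIES } from './categories/configuration.js';
 import { SENSITIVE_PATH_VULNERABILITIES } from './categories/sensitive-paths.js';
 import { CATEGORY_REGISTRY } from './category.js';
 import { SCANNER_REGISTRY } from './scanner.js';
-import { OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE, COMPLIANCE_BY_VULNERABILITIES } from './compliances/index.js';
+import { OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE, ISO27001_COMPLIANCE, COMPLIANCE_BY_VULNERABILITIES } from './compliances/index.js';
 /**
 * Get vulnerability definition by code
 */
@@ -70,7 +70,7 @@ export function createFinding(code, overrides) {
 // Re-export all types and enums
 export { VulnerabilityCode } from './error-codes.js';
 // Export category definitions for direct access
-export { INJECTION_VULNERABILITIES, XSS_VULNERABILITIES, SSRF_VULNERABILITIES, AUTH_VULNERABILITIES, CONFIG_VULNERABILITIES, SENSITIVE_PATH_VULNERABILITIES, VULNERABILITY_REGISTRY, OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE, CATEGORY_REGISTRY, SCANNER_REGISTRY, COMPLIANCE_BY_VULNERABILITIES };
+export { INJECTION_VULNERABILITIES, XSS_VULNERABILITIES, SSRF_VULNERABILITIES, AUTH_VULNERABILITIES, CONFIG_VULNERABILITIES, SENSITIVE_PATH_VULNERABILITIES, VULNERABILITY_REGISTRY, OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE, ISO27001_COMPLIANCE, CATEGORY_REGISTRY, SCANNER_REGISTRY, COMPLIANCE_BY_VULNERABILITIES };
 export default {
 VulnerabilityCode,
 VULNERABILITY_REGISTRY,
@@ -86,6 +86,7 @@ export default {
 GDPR_COMPLIANCE,
 PCI_DSS_COMPLIANCE,
 SANS_TOP_25_COMPLIANCE,
+ISO27001_COMPLIANCE,
 CATEGORY_REGISTRY,
 SCANNER_REGISTRY,
 };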
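--- a/package/dist/types.d.ts
+++ b/package/dist/types.d.ts
@@ -94,7 +94,8 @@ export declare enum ComplianceCategory {
 HIPAA = "HIPAA",
 GDPR = "GDPR",
 PCIDSS = "PCIDSS",
-SANS_TOP_25 = "SANS_TOP_25"
+SANS_TOP_25 = "SANS_TOP_25",
+ISO27001 = "ISO27001"
 }
 /**
 * Compliance rule definition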
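--- a/package/dist/types.js
+++ b/package/dist/types.js
@@ -13,4 +13,5 @@ export var ComplianceCategory;
 ComplianceCategory["GDPR"] = "GDPR";
 ComplianceCategory["PCIDSS"] = "PCIDSS";
 ComplianceCategory["SANS_TOP_25"] = "SANS_TOP_25";
+ComplianceCategory["ISO27001"] = "ISO27001";
 })(ComplianceCategory || (ComplianceCategory = {}));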
@@ -213,4 +213,11 @@ var ComplianceCode;
213
213
  ComplianceCode["SANS_TOP_25_CWE_190_INTEGER_OVERFLOW"] = "SANS_TOP_25_CWE_190_INTEGER_OVERFLOW";
214
214
  ComplianceCode["SANS_TOP_25_CWE_400_RESOURCE_CONSUMPTION"] = "SANS_TOP_25_CWE_400_RESOURCE_CONSUMPTION";
215
215
  ComplianceCode["SANS_TOP_25_CWE_306_MISSING_AUTH"] = "SANS_TOP_25_CWE_306_MISSING_AUTH";
216
+ // --- ISO/IEC 27001 (ComplianceId: 5) ---
217
+ ComplianceCode["ISO27001_A9_ACCESS_CONTROL"] = "ISO27001_A9_ACCESS_CONTROL";
218
+ ComplianceCode["ISO27001_A10_CRYPTOGRAPHY"] = "ISO27001_A10_CRYPTOGRAPHY";
219
+ ComplianceCode["ISO27001_A12_OPERATIONS_SECURITY"] = "ISO27001_A12_OPERATIONS_SECURITY";
220
+ ComplianceCode["ISO27001_A13_COMMUNICATIONS_SECURITY"] = "ISO27001_A13_COMMUNICATIONS_SECURITY";
221
+ ComplianceCode["ISO27001_A14_SYSTEM_ACQUISITION_DEV"] = "ISO27001_A14_SYSTEM_ACQUISITION_DEV";
222
+ ComplianceCode["ISO27001_A18_COMPLIANCE"] = "ISO27001_A18_COMPLIANCE";
216
223
  })(ComplianceCode || (exports.ComplianceCode = ComplianceCode = {}));
@@ -6,6 +6,7 @@ const hipaa_js_1 = require("./hipaa.js");
6
6
  const owasp_js_1 = require("./owasp.js");
7
7
  const pci_dss_js_1 = require("./pci-dss.js");
8
8
  const sans_top_25_js_1 = require("./sans-top-25.js");
9
+ const iso27001_js_1 = require("./iso27001.js");
9
10
  exports.COMPLIANCE_BY_VULNERABILITIES = [
10
11
  {
11
12
  id: 3,
@@ -31,5 +32,10 @@ exports.COMPLIANCE_BY_VULNERABILITIES = [
31
32
  id: 6,
32
33
  title: 'SANS Top 25',
33
34
  vulnerabilities: [...sans_top_25_js_1.authIds, ...sans_top_25_js_1.accessControlIds, ...sans_top_25_js_1.cmdiIds, ...sans_top_25_js_1.deserializationIds, ...sans_top_25_js_1.disclosureIds, ...sans_top_25_js_1.injectionIds, ...sans_top_25_js_1.lfiIds, ...sans_top_25_js_1.sqliIds, ...sans_top_25_js_1.ssrfIds, ...sans_top_25_js_1.sstiIds, ...sans_top_25_js_1.xssIds]
35
+ },
36
+ {
37
+ id: 5,
38
+ title: 'ISO 27001',
39
+ vulnerabilities: [...iso27001_js_1.isoAccessControlIds, ...iso27001_js_1.isoCryptoIds, ...iso27001_js_1.isoOpsSecurityIds, ...iso27001_js_1.isoCommunicationsSecurityIds, ...iso27001_js_1.isoSecureDevelopmentIds, ...iso27001_js_1.isoComplianceIds]
34
40
  }
35
41
  ];
@@ -1,6 +1,6 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
- exports.COMPLIANCE_BY_VULNERABILITIES = exports.SANS_TOP_25_COMPLIANCE = exports.PCI_DSS_COMPLIANCE = exports.GDPR_COMPLIANCE = exports.HIPAA_COMPLIANCE = exports.OWASP_COMPLIANCE = void 0;
3
+ exports.COMPLIANCE_BY_VULNERABILITIES = exports.ISO27001_COMPLIANCE = exports.SANS_TOP_25_COMPLIANCE = exports.PCI_DSS_COMPLIANCE = exports.GDPR_COMPLIANCE = exports.HIPAA_COMPLIANCE = exports.OWASP_COMPLIANCE = void 0;
4
4
  var owasp_js_1 = require("./owasp.js");
5
5
  Object.defineProperty(exports, "OWASP_COMPLIANCE", { enumerable: true, get: function () { return owasp_js_1.OWASP_COMPLIANCE; } });
6
6
  var hipaa_js_1 = require("./hipaa.js");
@@ -11,5 +11,7 @@ var pci_dss_js_1 = require("./pci-dss.js");
11
11
  Object.defineProperty(exports, "PCI_DSS_COMPLIANCE", { enumerable: true, get: function () { return pci_dss_js_1.PCI_DSS_COMPLIANCE; } });
12
12
  var sans_top_25_js_1 = require("./sans-top-25.js");
13
13
  Object.defineProperty(exports, "SANS_TOP_25_COMPLIANCE", { enumerable: true, get: function () { return sans_top_25_js_1.SANS_TOP_25_COMPLIANCE; } });
14
+ var iso27001_js_1 = require("./iso27001.js");
15
+ Object.defineProperty(exports, "ISO27001_COMPLIANCE", { enumerable: true, get: function () { return iso27001_js_1.ISO27001_COMPLIANCE; } });
14
16
  var compliance_by_vulnerabilities_js_1 = require("./compliance-by-vulnerabilities.js");
15
17
  Object.defineProperty(exports, "COMPLIANCE_BY_VULNERABILITIES", { enumerable: true, get: function () { return compliance_by_vulnerabilities_js_1.COMPLIANCE_BY_VULNERABILITIES; } });
@@ -0,0 +1,94 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.ISO27001_COMPLIANCE = exports.isoComplianceIds = exports.isoSecureDevelopmentIds = exports.isoCommunicationsSecurityIds = exports.isoOpsSecurityIds = exports.isoCryptoIds = exports.isoAccessControlIds = void 0;
4
+ const compliance_codes_1 = require("../compliance-codes");
5
+ const types_1 = require("../types");
6
+ const helpers_js_1 = require("./helpers.js");
7
+ const authIds = (0, helpers_js_1.idsByCategory)('authentication');
8
+ const injectionIds = (0, helpers_js_1.idsByCategory)('injection');
9
+ const xssIds = (0, helpers_js_1.idsByCategory)('xss');
10
+ const ssrfIds = (0, helpers_js_1.idsByCategory)('ssrf');
11
+ const configIds = (0, helpers_js_1.idsByCategory)('configuration');
12
+ const disclosureIds = (0, helpers_js_1.idsByCategory)('information_disclosure');
13
+ const cryptoIds = (0, helpers_js_1.idsByCategory)('cryptographic');
14
+ const accessControlIds = (0, helpers_js_1.idsByCodePrefix)(['BAC_', 'MASSASSIGN_']);
15
+ const jwtIds = (0, helpers_js_1.idsByCodePrefix)(['JWT_']);
16
+ const cookieIds = (0, helpers_js_1.idsByCodePrefix)(['COOKIE_']);
17
+ const dirbrowseIds = (0, helpers_js_1.idsByCodePrefix)(['DIRBROWSE_']);
18
+ const hstsIds = (0, helpers_js_1.idsByCodes)([
19
+ 'HEADER_MISSING_HSTS',
20
+ 'HEADER_HSTS_BAD_MAX_AGE',
21
+ 'HEADER_HSTS_SHORT_MAX_AGE',
22
+ 'HEADER_HSTS_NO_INCLUDESUBDOMAINS',
23
+ 'HEADER_HSTS_PRELOAD_LOW_MAX_AGE',
24
+ 'HEADER_DRIFT_HSTS',
25
+ ]);
26
+ const cookieSecureIds = (0, helpers_js_1.idsByCodes)([
27
+ 'COOKIE_SAMESITE_NONE_WITHOUT_SECURE',
28
+ 'COOKIE_SESSION_MISSING_SECURE',
29
+ 'COOKIE_MISSING_SECURE',
30
+ 'COOKIE_HOST_PREFIX_INVALID',
31
+ 'COOKIE_SECURE_PREFIX_INVALID',
32
+ ]);
33
+ exports.isoAccessControlIds = (0, helpers_js_1.mergeIds)(accessControlIds, authIds, jwtIds, cookieIds);
34
+ exports.isoCryptoIds = (0, helpers_js_1.mergeIds)(cryptoIds, hstsIds, cookieSecureIds);
35
+ exports.isoOpsSecurityIds = (0, helpers_js_1.mergeIds)(configIds, disclosureIds, dirbrowseIds);
36
+ exports.isoCommunicationsSecurityIds = (0, helpers_js_1.mergeIds)(hstsIds, cookieSecureIds);
37
+ exports.isoSecureDevelopmentIds = (0, helpers_js_1.mergeIds)(injectionIds, xssIds, ssrfIds);
38
+ exports.isoComplianceIds = (0, helpers_js_1.mergeIds)(accessControlIds, configIds, disclosureIds);
39
+ exports.ISO27001_COMPLIANCE = {
40
+ [compliance_codes_1.ComplianceCode.ISO27001_A9_ACCESS_CONTROL]: {
41
+ id: 206,
42
+ code: compliance_codes_1.ComplianceCode.ISO27001_A9_ACCESS_CONTROL,
43
+ title: 'A.9 Access Control',
44
+ description: 'Access to information and application functions must be restricted based on business and security requirements, ensuring users can only perform authorized actions.',
45
+ complianceStandard: types_1.ComplianceCategory.ISO27001,
46
+ relatedVulnerabilityIds: exports.isoAccessControlIds,
47
+ isNotApplicable: false,
48
+ },
49
+ [compliance_codes_1.ComplianceCode.ISO27001_A10_CRYPTOGRAPHY]: {
50
+ id: 207,
51
+ code: compliance_codes_1.ComplianceCode.ISO27001_A10_CRYPTOGRAPHY,
52
+ title: 'A.10 Cryptography',
53
+ description: 'Cryptographic controls must be used to protect the confidentiality, authenticity, and integrity of information in transit and at rest.',
54
+ complianceStandard: types_1.ComplianceCategory.ISO27001,
55
+ relatedVulnerabilityIds: exports.isoCryptoIds,
56
+ isNotApplicable: exports.isoCryptoIds.length === 0,
57
+ },
58
+ [compliance_codes_1.ComplianceCode.ISO27001_A12_OPERATIONS_SECURITY]: {
59
+ id: 208,
60
+ code: compliance_codes_1.ComplianceCode.ISO27001_A12_OPERATIONS_SECURITY,
61
+ title: 'A.12 Operations Security',
62
+ description: 'Operational procedures and controls should prevent misconfiguration and leakage that expose sensitive information or system internals.',
63
+ complianceStandard: types_1.ComplianceCategory.ISO27001,
64
+ relatedVulnerabilityIds: exports.isoOpsSecurityIds,
65
+ isNotApplicable: false,
66
+ },
67
+ [compliance_codes_1.ComplianceCode.ISO27001_A13_COMMUNICATIONS_SECURITY]: {
68
+ id: 209,
69
+ code: compliance_codes_1.ComplianceCode.ISO27001_A13_COMMUNICATIONS_SECURITY,
70
+ title: 'A.13 Communications Security',
71
+ description: 'Network and communications must be protected to prevent interception, downgrade, or weak transport protections.',
72
+ complianceStandard: types_1.ComplianceCategory.ISO27001,
73
+ relatedVulnerabilityIds: exports.isoCommunicationsSecurityIds,
74
+ isNotApplicable: false,
75
+ },
76
+ [compliance_codes_1.ComplianceCode.ISO27001_A14_SYSTEM_ACQUISITION_DEV]: {
77
+ id: 210,
78
+ code: compliance_codes_1.ComplianceCode.ISO27001_A14_SYSTEM_ACQUISITION_DEV,
79
+ title: 'A.14 System Acquisition, Development and Maintenance',
80
+ description: 'Security must be integrated into the software development lifecycle to prevent common injection and input handling flaws.',
81
+ complianceStandard: types_1.ComplianceCategory.ISO27001,
82
+ relatedVulnerabilityIds: exports.isoSecureDevelopmentIds,
83
+ isNotApplicable: false,
84
+ },
85
+ [compliance_codes_1.ComplianceCode.ISO27001_A18_COMPLIANCE]: {
86
+ id: 211,
87
+ code: compliance_codes_1.ComplianceCode.ISO27001_A18_COMPLIANCE,
88
+ title: 'A.18 Compliance',
89
+ description: 'Security controls should be verified to ensure regulatory and contractual requirements for access restriction and data protection are met.',
90
+ complianceStandard: types_1.ComplianceCategory.ISO27001,
91
+ relatedVulnerabilityIds: exports.isoComplianceIds,
92
+ isNotApplicable: false,
93
+ },
94
+ };
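--- a/package/dist-cjs/index.js
+++ b/package/dist-cjs/index.js
@@ -5,7 +5,7 @@
 * Exports all vulnerability codes, definitions, and lookup utilities
 */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.COMPLIANCE_BY_VULNERABILITIES = exports.SCANNER_REGISTRY = exports.CATEGORY_REGISTRY = exports.SANS_TOP_25_COMPLIANCE = exports.PCI_DSS_COMPLIANCE = exports.GDPR_COMPLIANCE = exports.HIPAA_COMPLIANCE = exports.OWASP_COMPLIANCE = exports.VULNERABILITY_REGISTRY = exports.SENSITIVE_PATH_VULNERABILITIES = exports.CONFIG_VULNERABILITIES = exports.AUTH_VULNERABILITIES = exports.SSRF_VULNERABILITIES = exports.XSS_VULNERABILITIES = exports.INJECTION_VULNERABILITIES = exports.VulnerabilityCode = void 0;
+exports.COMPLIANCE_BY_VULNERABILITIES = exports.SCANNER_REGISTRY = exports.CATEGORY_REGISTRY = exports.ISO27001_COMPLIANCE = exports.SANS_TOP_25_COMPLIANCE = exports.PCI_DSS_COMPLIANCE = exports.GDPR_COMPLIANCE = exports.HIPAA_COMPLIANCE = exports.OWASP_COMPLIANCE = exports.VULNERABILITY_REGISTRY = exports.SENSITIVE_PATH_VULNERABILITIES = exports.CONFIG_VULNERABILITIES = exports.AUTH_VULNERABILITIES = exports.SSRF_VULNERABILITIES = exports.XSS_VULNERABILITIES = exports.INJECTION_VULNERABILITIES = exports.VulnerabilityCode = void 0;
 exports.getVulnerabilityDefinition = getVulnerabilityDefinition;
 exports.getVulnerabilitiesByScanner = getVulnerabilitiesByScanner;
 exports.getVulnerabilitiesByCategory = getVulnerabilitiesByCategory;
@@ -38,6 +38,7 @@ Object.defineProperty(exports, "HIPAA_COMPLIANCE", { enumerable: true, get: func
 Object.defineProperty(exports, "GDPR_COMPLIANCE", { enumerable: true, get: function () { return index_js_1.GDPR_COMPLIANCE; } });
 Object.defineProperty(exports, "PCI_DSS_COMPLIANCE", { enumerable: true, get: function () { return index_js_1.PCI_DSS_COMPLIANCE; } });
 Object.defineProperty(exports, "SANS_TOP_25_COMPLIANCE", { enumerable: true, get: function () { return index_js_1.SANS_TOP_25_COMPLIANCE; } });
+Object.defineProperty(exports, "ISO27001_COMPLIANCE", { enumerable: true, get: function () { return index_js_1.ISO27001_COMPLIANCE; } });
 Object.defineProperty(exports, "COMPLIANCE_BY_VULNERABILITIES", { enumerable: true, get: function () { return index_js_1.COMPLIANCE_BY_VULNERABILITIES; } });
 /**
 * Get vulnerability definition by code
@@ -110,6 +111,7 @@ exports.default = {
 GDPR_COMPLIANCE: index_js_1.GDPR_COMPLIANCE,
 PCI_DSS_COMPLIANCE: index_js_1.PCI_DSS_COMPLIANCE,
 SANS_TOP_25_COMPLIANCE: index_js_1.SANS_TOP_25_COMPLIANCE,
+ISO27001_COMPLIANCE: index_js_1.ISO27001_COMPLIANCE,
 CATEGORY_REGISTRY: category_js_1.CATEGORY_REGISTRY,
 SCANNER_REGISTRY: scanner_js_1.SCANNER_REGISTRY,
 };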
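--- a/package/dist-cjs/types.js
+++ b/package/dist-cjs/types.js
@@ -16,4 +16,5 @@ var ComplianceCategory;
 ComplianceCategory["GDPR"] = "GDPR";
 ComplianceCategory["PCIDSS"] = "PCIDSS";
 ComplianceCategory["SANS_TOP_25"] = "SANS_TOP_25";
+ComplianceCategory["ISO27001"] = "ISO27001";
 })(ComplianceCategory || (exports.ComplianceCategory = ComplianceCategory = {}));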
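--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@zerothreatai/vulnerability-registry",
-"version": "9.0.1",
+"version": "9.0.2",
 "description": "Centralized vulnerability definitions, CVSS scores, and references for ZeroThreat scanners",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",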
@@ -213,4 +213,12 @@ export enum ComplianceCode {
213
213
  SANS_TOP_25_CWE_190_INTEGER_OVERFLOW = 'SANS_TOP_25_CWE_190_INTEGER_OVERFLOW',
214
214
  SANS_TOP_25_CWE_400_RESOURCE_CONSUMPTION = 'SANS_TOP_25_CWE_400_RESOURCE_CONSUMPTION',
215
215
  SANS_TOP_25_CWE_306_MISSING_AUTH = 'SANS_TOP_25_CWE_306_MISSING_AUTH',
216
+
217
+ // --- ISO/IEC 27001 (ComplianceId: 5) ---
218
+ ISO27001_A9_ACCESS_CONTROL = 'ISO27001_A9_ACCESS_CONTROL',
219
+ ISO27001_A10_CRYPTOGRAPHY = 'ISO27001_A10_CRYPTOGRAPHY',
220
+ ISO27001_A12_OPERATIONS_SECURITY = 'ISO27001_A12_OPERATIONS_SECURITY',
221
+ ISO27001_A13_COMMUNICATIONS_SECURITY = 'ISO27001_A13_COMMUNICATIONS_SECURITY',
222
+ ISO27001_A14_SYSTEM_ACQUISITION_DEV = 'ISO27001_A14_SYSTEM_ACQUISITION_DEV',
223
+ ISO27001_A18_COMPLIANCE = 'ISO27001_A18_COMPLIANCE',
216
224
  }
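Review bot: The comment on line 217, `// --- ISO/IEC 27001 (ComplianceId: 5) ---`, does not say which edition of the standard it targets, yet the member names and the A.9/A.10/A.12/A.13/A.14/A.18 numbering follow the 2013 Annex A; the 2022 revision renumbered and merged those controls, so a reader mapping findings to a current certification scope would be misled. Suggest `// --- ISO/IEC 27001:2013 Annex A (ComplianceId: 5) ---`, with the same wording carried into the compiled dist and dist-cjs copies of this enum. The `ComplianceId: 5` in the comment duplicates the literal `id:5` written in compliance-by-vulnerabilities.ts; a shared named constant would keep the two from drifting apart.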
@@ -1,13 +1,14 @@
1
- import {accessRestrictionIds,allAppSecIds,authAndCookieIds,cryptoPolicyIds,infoLeakageIds,inputValidationIds,outputValidationIds } from './gdpr.js'
2
- import {accessControlIds,allAppSecIds as hallAppSecIds,authAndCookieIds as hauthAnCookieIds,cryptoIds,integrityIds} from './hipaa.js'
3
- import {owaspA1Ids,owaspA2Ids,owaspA3Ids,owaspA5Ids,owaspA7Ids,owaspA8Ids} from './owasp.js'
4
- import {allAppSecIds as pciAllAppSecIds,misconfigIds as pciMisconfigIds,accessControlIds as pciAccessControlIds,cryptoIds as pciCryptoIds,injectionAndXssIds as pciInjectionAndXssIds,authAndCookieIds as pciAuthAndCookieIds} from './pci-dss.js'
5
- import { authIds as sauthIds,accessControlIds as saccessControlIds,cmdiIds as scmdiIds,deserializationIds as sdeserializationIds,disclosureIds as sdisclosureIds,injectionIds as sinjectionIds,lfiIds as slfiIds,sqliIds,ssrfIds as ssrfids ,sstiIds as ssstiIds,xssIds as sxssIds} from './sans-top-25.js'
6
- export const COMPLIANCE_BY_VULNERABILITIES = [
7
- {
8
- id:3,
9
- title:'GDPR',
10
- vulnerabilities:[...accessRestrictionIds,...allAppSecIds,...authAndCookieIds,...cryptoPolicyIds,...infoLeakageIds,...inputValidationIds,...outputValidationIds]
1
+ import {accessRestrictionIds,allAppSecIds,authAndCookieIds,cryptoPolicyIds,infoLeakageIds,inputValidationIds,outputValidationIds } from './gdpr.js'
2
+ import {accessControlIds,allAppSecIds as hallAppSecIds,authAndCookieIds as hauthAnCookieIds,cryptoIds,integrityIds} from './hipaa.js'
3
+ import {owaspA1Ids,owaspA2Ids,owaspA3Ids,owaspA5Ids,owaspA7Ids,owaspA8Ids} from './owasp.js'
4
+ import {allAppSecIds as pciAllAppSecIds,misconfigIds as pciMisconfigIds,accessControlIds as pciAccessControlIds,cryptoIds as pciCryptoIds,injectionAndXssIds as pciInjectionAndXssIds,authAndCookieIds as pciAuthAndCookieIds} from './pci-dss.js'
5
+ import { authIds as sauthIds,accessControlIds as saccessControlIds,cmdiIds as scmdiIds,deserializationIds as sdeserializationIds,disclosureIds as sdisclosureIds,injectionIds as sinjectionIds,lfiIds as slfiIds,sqliIds,ssrfIds as ssrfids ,sstiIds as ssstiIds,xssIds as sxssIds} from './sans-top-25.js'
6
+ import { isoAccessControlIds, isoCryptoIds, isoOpsSecurityIds, isoCommunicationsSecurityIds, isoSecureDevelopmentIds, isoComplianceIds } from './iso27001.js'
7
+ export const COMPLIANCE_BY_VULNERABILITIES = [
8
+ {
9
+ id:3,
10
+ title:'GDPR',
11
+ vulnerabilities:[...accessRestrictionIds,...allAppSecIds,...authAndCookieIds,...cryptoPolicyIds,...infoLeakageIds,...inputValidationIds,...outputValidationIds]
11
12
  },
12
13
  {
13
14
  id:2,
@@ -24,9 +25,14 @@ export const COMPLIANCE_BY_VULNERABILITIES = [
24
25
  title:'PCI-DSS',
25
26
  vulnerabilities:[...pciAllAppSecIds,...pciMisconfigIds,...pciAccessControlIds,...pciCryptoIds,...pciInjectionAndXssIds,...pciAuthAndCookieIds]
26
27
  },
27
- {
28
- id:6,
29
- title:'SANS Top 25',
30
- vulnerabilities:[...sauthIds,...saccessControlIds,...scmdiIds,...sdeserializationIds,...sdisclosureIds,...sinjectionIds,...slfiIds,...sqliIds,...ssrfids,...ssstiIds,...sxssIds]
31
- }
32
- ];
28
+ {
29
+ id:6,
30
+ title:'SANS Top 25',
31
+ vulnerabilities:[...sauthIds,...saccessControlIds,...scmdiIds,...sdeserializationIds,...sdisclosureIds,...sinjectionIds,...slfiIds,...sqliIds,...ssrfids,...ssstiIds,...sxssIds]
32
+ },
33
+ {
34
+ id:5,
35
+ title:'ISO 27001',
36
+ vulnerabilities:[...isoAccessControlIds,...isoCryptoIds,...isoOpsSecurityIds,...isoCommunicationsSecurityIds,...isoSecureDevelopmentIds,...isoComplianceIds]
37
+ }
38
+ ];
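Review bot: The new `vulnerabilities` array on line 36 will carry duplicate ids, because the lists it spreads overlap by construction in iso27001.ts: `isoAccessControlIds` and `isoComplianceIds` both merge `accessControlIds`, and `isoCryptoIds` and `isoCommunicationsSecurityIds` both merge `hstsIds` and `cookieSecureIds`. Whether `mergeIds` dedupes within one call is not visible here, but it cannot dedupe across separately exported lists, so dedupe at the aggregate: `vulnerabilities:[...new Set([...isoAccessControlIds,...isoCryptoIds,...isoOpsSecurityIds,...isoCommunicationsSecurityIds,...isoSecureDevelopmentIds,...isoComplianceIds])]`. The same overlap presumably affects the other entries' spreads and is worth checking there too. The `id:5` literal cannot be checked for uniqueness from this hunk, since the HIPAA, OWASP and PCI-DSS entries' ids fall outside it. Lines 1–11 and 28–33 are re-emitted with whitespace-only changes, which buries the functional addition in reindent noise; keeping formatting churn in a separate commit would make this change reviewable in isolation.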
@@ -3,4 +3,5 @@ export { HIPAA_COMPLIANCE } from './hipaa.js';
3
3
  export { GDPR_COMPLIANCE } from './gdpr.js';
4
4
  export { PCI_DSS_COMPLIANCE } from './pci-dss.js';
5
5
  export { SANS_TOP_25_COMPLIANCE } from './sans-top-25.js';
6
+ export { ISO27001_COMPLIANCE } from './iso27001.js';
6
7
  export { COMPLIANCE_BY_VULNERABILITIES } from './compliance-by-vulnerabilities.js';
@@ -0,0 +1,97 @@
1
+ import { ComplianceCode } from '../compliance-codes';
2
+ import { ComplianceCategory, ComplianceRegistry } from '../types';
3
+ import { idsByCategory, idsByCodePrefix, idsByCodes, mergeIds } from './helpers.js';
4
+
5
+ const authIds = idsByCategory('authentication');
6
+ const injectionIds = idsByCategory('injection');
7
+ const xssIds = idsByCategory('xss');
8
+ const ssrfIds = idsByCategory('ssrf');
9
+ const configIds = idsByCategory('configuration');
10
+ const disclosureIds = idsByCategory('information_disclosure');
11
+ const cryptoIds = idsByCategory('cryptographic');
12
+
13
+ const accessControlIds = idsByCodePrefix(['BAC_', 'MASSASSIGN_']);
14
+ const jwtIds = idsByCodePrefix(['JWT_']);
15
+ const cookieIds = idsByCodePrefix(['COOKIE_']);
16
+ const dirbrowseIds = idsByCodePrefix(['DIRBROWSE_']);
17
+
18
+ const hstsIds = idsByCodes([
19
+ 'HEADER_MISSING_HSTS',
20
+ 'HEADER_HSTS_BAD_MAX_AGE',
21
+ 'HEADER_HSTS_SHORT_MAX_AGE',
22
+ 'HEADER_HSTS_NO_INCLUDESUBDOMAINS',
23
+ 'HEADER_HSTS_PRELOAD_LOW_MAX_AGE',
24
+ 'HEADER_DRIFT_HSTS',
25
+ ]);
26
+
27
+ const cookieSecureIds = idsByCodes([
28
+ 'COOKIE_SAMESITE_NONE_WITHOUT_SECURE',
29
+ 'COOKIE_SESSION_MISSING_SECURE',
30
+ 'COOKIE_MISSING_SECURE',
31
+ 'COOKIE_HOST_PREFIX_INVALID',
32
+ 'COOKIE_SECURE_PREFIX_INVALID',
33
+ ]);
34
+
35
+ export const isoAccessControlIds = mergeIds(accessControlIds, authIds, jwtIds, cookieIds);
36
+ export const isoCryptoIds = mergeIds(cryptoIds, hstsIds, cookieSecureIds);
37
+ export const isoOpsSecurityIds = mergeIds(configIds, disclosureIds, dirbrowseIds);
38
+ export const isoCommunicationsSecurityIds = mergeIds(hstsIds, cookieSecureIds);
39
+ export const isoSecureDevelopmentIds = mergeIds(injectionIds, xssIds, ssrfIds);
40
+ export const isoComplianceIds = mergeIds(accessControlIds, configIds, disclosureIds);
41
+
42
+ export const ISO27001_COMPLIANCE: ComplianceRegistry = {
43
+ [ComplianceCode.ISO27001_A9_ACCESS_CONTROL]: {
44
+ id: 206,
45
+ code: ComplianceCode.ISO27001_A9_ACCESS_CONTROL,
46
+ title: 'A.9 Access Control',
47
+ description: 'Access to information and application functions must be restricted based on business and security requirements, ensuring users can only perform authorized actions.',
48
+ complianceStandard: ComplianceCategory.ISO27001,
49
+ relatedVulnerabilityIds: isoAccessControlIds,
50
+ isNotApplicable: false,
51
+ },
52
+ [ComplianceCode.ISO27001_A10_CRYPTOGRAPHY]: {
53
+ id: 207,
54
+ code: ComplianceCode.ISO27001_A10_CRYPTOGRAPHY,
55
+ title: 'A.10 Cryptography',
56
+ description: 'Cryptographic controls must be used to protect the confidentiality, authenticity, and integrity of information in transit and at rest.',
57
+ complianceStandard: ComplianceCategory.ISO27001,
58
+ relatedVulnerabilityIds: isoCryptoIds,
59
+ isNotApplicable: isoCryptoIds.length === 0,
60
+ },
61
+ [ComplianceCode.ISO27001_A12_OPERATIONS_SECURITY]: {
62
+ id: 208,
63
+ code: ComplianceCode.ISO27001_A12_OPERATIONS_SECURITY,
64
+ title: 'A.12 Operations Security',
65
+ description: 'Operational procedures and controls should prevent misconfiguration and leakage that expose sensitive information or system internals.',
66
+ complianceStandard: ComplianceCategory.ISO27001,
67
+ relatedVulnerabilityIds: isoOpsSecurityIds,
68
+ isNotApplicable: false,
69
+ },
70
+ [ComplianceCode.ISO27001_A13_COMMUNICATIONS_SECURITY]: {
71
+ id: 209,
72
+ code: ComplianceCode.ISO27001_A13_COMMUNICATIONS_SECURITY,
73
+ title: 'A.13 Communications Security',
74
+ description: 'Network and communications must be protected to prevent interception, downgrade, or weak transport protections.',
75
+ complianceStandard: ComplianceCategory.ISO27001,
76
+ relatedVulnerabilityIds: isoCommunicationsSecurityIds,
77
+ isNotApplicable: false,
78
+ },
79
+ [ComplianceCode.ISO27001_A14_SYSTEM_ACQUISITION_DEV]: {
80
+ id: 210,
81
+ code: ComplianceCode.ISO27001_A14_SYSTEM_ACQUISITION_DEV,
82
+ title: 'A.14 System Acquisition, Development and Maintenance',
83
+ description: 'Security must be integrated into the software development lifecycle to prevent common injection and input handling flaws.',
84
+ complianceStandard: ComplianceCategory.ISO27001,
85
+ relatedVulnerabilityIds: isoSecureDevelopmentIds,
86
+ isNotApplicable: false,
87
+ },
88
+ [ComplianceCode.ISO27001_A18_COMPLIANCE]: {
89
+ id: 211,
90
+ code: ComplianceCode.ISO27001_A18_COMPLIANCE,
91
+ title: 'A.18 Compliance',
92
+ description: 'Security controls should be verified to ensure regulatory and contractual requirements for access restriction and data protection are met.',
93
+ complianceStandard: ComplianceCategory.ISO27001,
94
+ relatedVulnerabilityIds: isoComplianceIds,
95
+ isNotApplicable: false,
96
+ },
97
+ };
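Review bot: The two new imports at the top of the hunk, `'../compliance-codes'` and `'../types'`, are extensionless while `./helpers.js` and every other relative import on this page carries `.js`; if the package is emitted as ESM with Node-style resolution, as those suffixes suggest, the runtime import of the `ComplianceCategory` and `ComplianceCode` enums would fail to resolve, so I would write `import { ComplianceCode } from '../compliance-codes.js';` and `import { ComplianceCategory, type ComplianceRegistry } from '../types.js';`. `isNotApplicable` is also computed only for A.10 (`isoCryptoIds.length === 0`) and hard-coded to `false` for the other five entries, so an empty mapping in any of them would still be reported as applicable; using the same expression on each entry's own id list keeps the six entries consistent. A header comment such as `// Annex A control numbering follows ISO/IEC 27001:2013; the 2022 revision regroups these controls under clauses 5–8.` would stop the A.9/A.10/A.12 titles from being read against the current edition. The overlap between the A.10 and A.13 lists (both merge `hstsIds` and `cookieSecureIds`) and between A.18 and A.9/A.12 looks intentional but deserves a one-line comment saying so.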
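--- a/package/src/index.ts
+++ b/package/src/index.ts
@@ -15,7 +15,7 @@ import { CONFIG_VULNERABILITIES } from './categories/configuration.js';
  import { SENSITIVE_PATH_VULNERABILITIES } from './categories/sensitive-paths.js';
  import { CATEGORY_REGISTRY } from './category.js';
  import { SCANNER_REGISTRY } from './scanner.js';
- import { OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE,COMPLIANCE_BY_VULNERABILITIES } from './compliances/index.js';
+ import { OWASP_COMPLIANCE, HIPAA_COMPLIANCE, GDPR_COMPLIANCE, PCI_DSS_COMPLIANCE, SANS_TOP_25_COMPLIANCE, ISO27001_COMPLIANCE, COMPLIANCE_BY_VULNERABILITIES } from './compliances/index.js';
 
  /**
  * Get vulnerability definition by code
@@ -102,15 +102,16 @@ export {
  CONFIG_VULNERABILITIES,
  SENSITIVE_PATH_VULNERABILITIES,
  VULNERABILITY_REGISTRY,
- OWASP_COMPLIANCE,
- HIPAA_COMPLIANCE,
- GDPR_COMPLIANCE,
- PCI_DSS_COMPLIANCE,
- SANS_TOP_25_COMPLIANCE,
- CATEGORY_REGISTRY,
- SCANNER_REGISTRY,
- COMPLIANCE_BY_VULNERABILITIES
- };
+ OWASP_COMPLIANCE,
+ HIPAA_COMPLIANCE,
+ GDPR_COMPLIANCE,
+ PCI_DSS_COMPLIANCE,
+ SANS_TOP_25_COMPLIANCE,
+ ISO27001_COMPLIANCE,
+ CATEGORY_REGISTRY,
+ SCANNER_REGISTRY,
+ COMPLIANCE_BY_VULNERABILITIES
+ };
 
  export default {
  VulnerabilityCode,
@@ -122,11 +123,12 @@ export default {
  getAllVulnerabilityCodes,
  getVulnerabilityCount,
  createFinding,
- OWASP_COMPLIANCE,
- HIPAA_COMPLIANCE,
- GDPR_COMPLIANCE,
- PCI_DSS_COMPLIANCE,
- SANS_TOP_25_COMPLIANCE,
- CATEGORY_REGISTRY,
- SCANNER_REGISTRY,
- };
+ OWASP_COMPLIANCE,
+ HIPAA_COMPLIANCE,
+ GDPR_COMPLIANCE,
+ PCI_DSS_COMPLIANCE,
+ SANS_TOP_25_COMPLIANCE,
+ ISO27001_COMPLIANCE,
+ CATEGORY_REGISTRY,
+ SCANNER_REGISTRY,
+ };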
package/src/types.ts CHANGED
@@ -119,6 +119,7 @@ export enum ComplianceCategory {
119
119
  GDPR = 'GDPR',
120
120
  PCIDSS = 'PCIDSS',
121
121
  SANS_TOP_25 = 'SANS_TOP_25',
122
+ ISO27001 = 'ISO27001',
122
123
  }
123
124
 
124
125
  /**