Skip to content

feature: add OWASP Top 10 2025 and API Top 10 2023 standard mappings#293

Merged
3asm merged 2 commits into
masterfrom
fix/os-31440
Jul 7, 2026
Merged

feature: add OWASP Top 10 2025 and API Top 10 2023 standard mappings#293
3asm merged 2 commits into
masterfrom
fix/os-31440

Conversation

@ticket-fixer

@ticket-fixer ticket-fixer Bot commented Jul 6, 2026

Copy link
Copy Markdown

Summary

Added OWASP_TOP_10_2025 and OWASP_API_TOP_10 category mappings to all 123 WEB_SERVICE KB entries. Each entry with an existing OWASP_TOP_10 (2021) mapping now includes a corresponding OWASP_TOP_10_2025 value. API-relevant entries (GraphQL, injection, auth, CORS, misconfiguration, etc.) are additionally mapped to OWASP API Top 10 2023 categories.

Changes

  • Added OWASP_TOP_10_2025 category (A01_2025-A10_2025) to all 123 WEB_SERVICE entries based on existing OWASP_TOP_10 mappings
  • Added OWASP_API_TOP_10 category (API1_2023-API10_2023) to 70+ API-relevant WEB_SERVICE entries
  • Updated tests/kb_test.py CATEGORY_GROUPS, valid values lists, and parametrize list for both new standards

Fixes ticket https://report.ostorlab.co/o/os/remediation/tickets/os-31440

@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.52%. Comparing base (c787273) to head (fb450bb).

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #293      +/-   ##
==========================================
+ Coverage   93.44%   94.52%   +1.07%     
==========================================
  Files           5        5              
  Lines         290      292       +2     
==========================================
+ Hits          271      276       +5     
+ Misses         19       16       -3     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@ostorlab-ai-pr-review ostorlab-ai-pr-review Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Summary

Total Issues Found: 4
Critical Issues: 1
Suggestions: 1

Key Findings

  1. Critical — Systemic incorrect OWASP API Top 10 mapping: API3_2023 (Broken Object Property Level Authorization) is incorrectly mapped to all injection-type vulnerabilities (15+ entries including SQL Injection, XSS, Command Injection, etc.). API3_2023 is semantically about excessive data exposure and mass assignment, not input validation/injection. These mappings should be corrected across all affected entries.

  2. Inconsistency in HTTP Host Header Poisoning: This entry has a different (and arguably more correct) API mapping compared to other A03_2021 injection entries, creating an inconsistency that needs resolution.

  3. Unverified OWASP Top 10 2025 categories: The 2025 category values appear to use a direct number-swap from 2021 without verification against the official standard.

Please address the systemic API3_2023 mapping issue across all injection-type entries, not just the ones highlighted individually below.

],
"OWASP_TOP_10_2025": [
"A03_2025"
],

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug — Incorrect OWASP API Top 10 Mapping

The mapping of SQL Injection to API3_2023 (Broken Object Property Level Authorization) appears incorrect. OWASP API Top 10 2023's API3 is specifically about excessive data exposure and mass assignment (authorization flaws), not injection vulnerabilities. SQL Injection is fundamentally an input validation/neutralization issue. The API Top 10 2023 does not have a dedicated 'injection' category since injection is covered by the general OWASP Top 10. If injection vulnerabilities must be mapped to the API Top 10, only API8_2023 (Security Misconfiguration) is arguably appropriate, as it covers broader security hygiene issues. Consider removing API3_2023 from this mapping.

⚠️ This same issue affects ALL injection-type entries in this PR (Command Injection, Code Injection, XSS, LDAP Injection, CRLF Injection, SSI Injection, Expression Language Injection, XML External Entity, Unrestricted File Upload, XPath Injection, NoSQL Injection, Server-Side Template Injection, XML Injection) — they all incorrectly map to API3_2023. Please review and correct all of them.

Suggested change
],
"OWASP_API_TOP_10": [
"API8_2023"
]

"OWASP_TOP_10": [
"A03_2021"
],
"OWASP_TOP_10_2025": [

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug — Incorrect OWASP API Top 10 Mapping

Same issue as SQL Injection: CRLF Injection is mapped to API3_2023 (Broken Object Property Level Authorization) which is not semantically related to injection vulnerabilities. API3 covers excessive data exposure and mass assignment. CRLF Injection is an input validation issue. Consider removing API3_2023 and keeping only API8_2023 if the API mapping is needed.

Suggested change
"OWASP_TOP_10_2025": [
"OWASP_API_TOP_10": [
"API8_2023"
]

"OWASP_TOP_10": [
"A03_2021"
],
"OWASP_TOP_10_2025": [

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug — Inconsistent OWASP API Top 10 Mapping

HTTP Host Header Poisoning is mapped to A03_2021 (Injection) in OWASP Top 10, but unlike other injection entries, it only gets API8_2023 without API3_2023. This is inconsistent with the pattern used for all other A03 entries (SQL Injection, XSS, Command Injection, etc.) which get both API3_2023 and API8_2023. Either this entry is missing API3_2023, or the other entries have API3_2023 incorrectly. Please ensure consistency across all entries in the same category. If the API3 mapping is indeed incorrect for injection vulnerabilities (as noted in other comments), this entry's mapping may actually be the correct one to follow.

Suggested change
"OWASP_TOP_10_2025": [
"OWASP_API_TOP_10": [
"API3_2023",
"API8_2023"
]

Comment thread tests/kb_test.py
"M10_2024",
]

OWASP_TOP_10_2025 = [

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug — Unverified OWASP Top 10 2025 Category Mapping

The OWASP Top 10 2025 category values (A01_2025 through A10_2025) appear to use a direct number-swap from OWASP Top 10 2021 (A01_2021 → A01_2025, etc.). Please verify this against the official OWASP Top 10 2025 standard definition. If the 2025 standard redefines the categories (e.g., different vulnerability types at the same position, or rearranged/reorganized categories), the per-entry mappings in the meta.json files may need to be adjusted rather than using a simple year substitution. If a documented mapping guide exists from OWASP, it should be followed instead of assuming a 1:1 correspondence.

Suggested change
OWASP_TOP_10_2025 = [
# TODO(OWASP-2025): Verify category mapping against official OWASP Top 10 2025
# standard. Current values assume 1:1 correspondence with 2021 categories which
# may not be accurate. Per-entry mappings in meta.json files may need adjustment.
# Reference: https://owasp.org/www-project-top-ten/
OWASP_TOP_10_2025: list[str] = [
"A01_2025",
"A02_2025",
"A03_2025",
"A04_2025",
"A05_2025",
"A06_2025",
"A07_2025",
"A08_2025",
"A09_2025",
"A10_2025",
]

@3asm 3asm merged commit f7435b5 into master Jul 7, 2026
7 checks passed
@Oussama-Bakri Oussama-Bakri deleted the fix/os-31440 branch July 7, 2026 09:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant