Skip to content

Normalize OWASP cheat sheet references for issue #471#10

Open
Bornunique911 wants to merge 37 commits into
review/issue-471-kubernetes-importersfrom
review/issue-471-cheatsheet-references
Open

Normalize OWASP cheat sheet references for issue #471#10
Bornunique911 wants to merge 37 commits into
review/issue-471-kubernetes-importersfrom
review/issue-471-cheatsheet-references

Conversation

@Bornunique911

@Bornunique911 Bornunique911 commented Mar 24, 2026

Copy link
Copy Markdown
Owner

Summary

This PR normalizes OWASP cheat sheet references for the OWASP#471 resource mapping flow.

What changed

  • normalized cheat sheet reference handling
  • added or updated supplemental reference data
  • updated parser test coverage

Validation

./venv/bin/python -m pytest application/tests/cheatsheets_parser_test.py -q

@Bornunique911 Bornunique911 force-pushed the review/issue-471-kubernetes-importers branch from 949bd17 to 658002d Compare April 1, 2026 10:09
@Bornunique911 Bornunique911 force-pushed the review/issue-471-cheatsheet-references branch from 9147aa3 to 8d71673 Compare April 1, 2026 10:09
@Bornunique911 Bornunique911 force-pushed the review/issue-471-kubernetes-importers branch from f23755c to 9390511 Compare April 11, 2026 07:58
@Bornunique911 Bornunique911 force-pushed the review/issue-471-cheatsheet-references branch from ef1baee to 901c9a0 Compare April 11, 2026 07:58
@Bornunique911 Bornunique911 force-pushed the review/issue-471-kubernetes-importers branch from 9390511 to c9b49f8 Compare April 21, 2026 16:57
@Bornunique911 Bornunique911 force-pushed the review/issue-471-cheatsheet-references branch from 901c9a0 to 8df31e9 Compare April 21, 2026 16:57
@Bornunique911 Bornunique911 force-pushed the review/issue-471-kubernetes-importers branch from a60a627 to 12a8ba1 Compare April 21, 2026 19:34
@Bornunique911 Bornunique911 force-pushed the review/issue-471-cheatsheet-references branch from 10585d9 to 38051c9 Compare April 22, 2026 21:00
@Bornunique911 Bornunique911 force-pushed the review/issue-471-kubernetes-importers branch from 12a8ba1 to 92b2655 Compare April 26, 2026 20:54
@Bornunique911 Bornunique911 force-pushed the review/issue-471-cheatsheet-references branch from 38051c9 to f26c78e Compare April 26, 2026 20:57
@Bornunique911 Bornunique911 force-pushed the review/issue-471-kubernetes-importers branch from 92b2655 to d593747 Compare April 30, 2026 19:09
@Bornunique911 Bornunique911 force-pushed the review/issue-471-cheatsheet-references branch from 386a106 to 20b0aab Compare April 30, 2026 19:18
@Bornunique911 Bornunique911 force-pushed the review/issue-471-kubernetes-importers branch from bd8c5c5 to 241db90 Compare May 7, 2026 09:35
@Bornunique911 Bornunique911 force-pushed the review/issue-471-cheatsheet-references branch from bb7b759 to b08e8e5 Compare May 7, 2026 09:37
@Bornunique911 Bornunique911 force-pushed the review/issue-471-kubernetes-importers branch from 241db90 to f56d892 Compare June 1, 2026 15:17
@Bornunique911 Bornunique911 force-pushed the review/issue-471-cheatsheet-references branch from b08e8e5 to 2b18fb2 Compare June 2, 2026 17:33
@Bornunique911 Bornunique911 force-pushed the review/issue-471-kubernetes-importers branch from 5745184 to 9661b79 Compare June 8, 2026 18:46
@Bornunique911 Bornunique911 force-pushed the review/issue-471-cheatsheet-references branch from b3bab92 to 069deba Compare June 8, 2026 18:47
Bornunique911 and others added 12 commits June 9, 2026 12:03
…WASP#823)

* Add curated CWE fallback mappings

* Cover CWE fallback and inheritance behavior with tests

* Add local CWE refresh tooling

* Add local helper scripts for issue OWASP#472

* Integrate OpenCRE map analysis support from issue OWASP#469

* Implement fallback for gap analysis in database with error handling

* Update scripts/show-db-stats.sh

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: Bornunique911 <69379200+Bornunique911@users.noreply.github.com>

* fix: remove leading space in 'xss' keyword for CWE mapping

* fix: update condition for related CWE entries to check for 'ChildOf' nature

* fix: correct syntax for accessing related CWE entry attributes

* fix: enhance gap analysis error handling for Heroku and fallback scenarios

---------

Signed-off-by: Bornunique911 <69379200+Bornunique911@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
…nitor

PR OWASP#823 reintroduced Neo4j/Redis fallback on Heroku cache misses, causing 503s
when Neo4j DNS fails. Serve precomputed GA from Postgres only on Heroku and
return 404 on cache miss. Add monitor_ga_health.py for production regression
alerting (especially HTTP 503).

Fixes OWASP#923

Co-authored-by: Cursor <cursoragent@cursor.com>
Cloudflare blocks anonymous urllib requests to ga_standards on production.

Co-authored-by: Cursor <cursoragent@cursor.com>
Allow AGENTS.md through the *.md gitignore exception and document that
Heroku/opencreorg gap analysis is cache-only (no compute on production).

Co-authored-by: Cursor <cursoragent@cursor.com>
Guard add_gap_analysis_result so non-material {"result":{}} primary rows
are not inserted and cannot overwrite material cache; subresource keys unchanged.

Co-authored-by: Cursor <cursoragent@cursor.com>
Supports postgres-to-postgres sync via temp-table merge for prod tables
without a unique index on cache_key.

Co-authored-by: Cursor <cursoragent@cursor.com>
Document operational scripts and weekly prod GA checks in AGENTS.md; add
link_pci_dss_cre.py for embedding-based CRE linking. Harden primary GA cache
key detection, sync script materiality guards, monitor 503 test, and DSN redaction.

Co-authored-by: Cursor <cursoragent@cursor.com>
Avoid accidental production writes when running link_pci_dss_cre.py
without explicit --cache-file or CRE_CACHE_FILE.

Co-authored-by: Cursor <cursoragent@cursor.com>
Guard against an empty get_CREs result so callers get None instead of
IndexError when a DB row exists but no matching CRE document is found.

Co-authored-by: Cursor <cursoragent@cursor.com>
Serve precomputed OpenCRE GA from cache on Heroku instead of computing on
the web dyno, expand backfill to include automatic CRE links, and harden
PCI DSS / Secure Headers imports with better linking and parser fixes.

Co-authored-by: Cursor <cursoragent@cursor.com>
Harden PCI env parsing, tighten sync script safety checks, make bridge
fallback tests deterministic, and format files flagged by CI black.

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
northdpole and others added 25 commits June 11, 2026 14:21
Track AGENTS.md and .cursor/rules so the team shares human-plan-then-agent-execute workflows, CI/PR policies, and domain safety guardrails.

Co-authored-by: Cursor <cursoragent@cursor.com>
Add modular .cursor/rules for requirements gates, tickets, TDD, and
verification; tighten plan-first and multi-agent flows; slim AGENTS.md
to an index aligned with make lint/mypy/test checks.

Co-authored-by: Cursor <cursoragent@cursor.com>
The test expected tags="1,2" but dbNodeFromCode joins the input list
["111-111", "222-222"] with commas, producing "111-111,222-222".
The expected value in the test was wrong.
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Closes OWASP#862

request.args.get('text') returns None if the query param is absent.
Passing None into db.text_search() causes re.search() to raise
TypeError: expected string or bytes-like object.
Return a 400 before reaching the database call.
Replace get_all_records() with get_all_values() to bypass gspread's
numericise() which converts section codes like '5.10' to float 5.1.
get_all_values() returns raw strings, preserving trailing zeros.

Fixes OWASP#574
Fixes OWASP#546
Align spreadsheet_test with get_all_values-based read path so section
codes like 5.10 stay strings instead of being float-coerced.

Co-authored-by: Cursor <cursoragent@cursor.com>
Handle empty worksheets and pad short rows so section IDs are preserved
as strings without IndexError or truncated dict keys.
Fail fast with GSpreadException when worksheet header row contains
duplicates, use zip(strict=True) after row padding, and add regression
tests for the helper and read_spreadsheet integration.
Fix production H12 timeouts from GET /all_cres?per_page=1000 by batching
N+1 link hydration in the DB layer, capping per_page at 100, scoping
DataProvider to Explorer routes with incremental page loads, and using
ensureFullExplorerData for graph views.

Closes OWASP#930. Related: OWASP#847, OWASP#848.

Co-authored-by: Cursor <cursoragent@cursor.com>
Fix buildTree sibling keyPath mutation, serialize loadPage via promise
chain with exposed dataLoadError, hoist Explorer layout wrappers,
surface load failures in graph views, restore viewport zoom, and
harden pagination link parity test.

Co-authored-by: Cursor <cursoragent@cursor.com>
* feat(api): add feature-flagged /rest/v1/health endpoint

Adds a lightweight deploy/uptime health probe at GET /rest/v1/health, gated behind the CRE_ENABLE_HEALTH feature flag (off by default).

Behavior:
- Flag off (default): endpoint returns 404, as if it does not exist.
- Flag on, healthy: 200 with {ok, db_reachable, cre_count, standards_count} when the serving DB is reachable and holds a non-empty dataset.
- Flag on, unhealthy: 503 when the DB is unreachable or the dataset is empty/broken (reason explains which).

Node_collection.health_check() runs cheap COUNT queries over CRE and Node, never raises (connectivity errors are reported as ok=False), and treats a zero count for either as an empty dataset.

Scope is intentionally limited to DB reachability + data sanity. Deeper checks (gap-analysis completeness, mapping coverage, Neo4j, Redis) are deliberately excluded by design and belong in ops tooling.

* fix: load .env in feature_flags and document CRE_ENABLE_HEALTH flag

* Modified the .env issue
@Bornunique911 Bornunique911 force-pushed the review/issue-471-cheatsheet-references branch from 2f0195c to 8b80b4d Compare June 20, 2026 15:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants