lib/hackerone/client/weakness.rb in hackerone-client-0.2.1 vs lib/hackerone/client/weakness.rb in hackerone-client-0.2.2
- old
+ new
@@ -1,16 +1,34 @@
module HackerOne
module Client
class Weakness
class << self
def extract_cwe_number(cwe)
+ return if cwe.nil?
fail StandardError::ArgumentError unless cwe.upcase.start_with?('CWE-')
cwe.split('CWE-').last.to_i
end
end
+ CLASSIFICATION_MAPPING = {
+ "None Applicable" => "A0-Other",
+ "Denial of Service" => "A0-Other",
+ "Memory Corruption" => "A0-Other",
+ "Cryptographic Issue" => "A0-Other",
+ "Privilege Escalation" => "A0-Other",
+ "UI Redressing (Clickjacking)" => "A0-Other",
+ "Command Injection" => "A1-Injection",
+ "Remote Code Execution" => "A1-Injection",
+ "SQL Injection" => "A1-Injection",
+ "Authentication" => "A2-AuthSession",
+ "Cross-Site Scripting (XSS)" => "A3-XSS",
+ "Information Disclosure" => "A6-DataExposure",
+ "Cross-Site Request Forgery (CSRF)" => "A8-CSRF",
+ "Unvalidated / Open Redirect" => "A10-Redirects"
+ }
+
OWASP_TOP_10_2013_TO_CWE = {
'A1-Injection' => [77, 78, 88, 89, 90, 91, 564],
'A2-AuthSession' =>
[287, 613, 522, 256, 384, 472, 346, 441, 523, 620, 640, 319, 311],
'A3-XSS' => [79],
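Review bot: The guard added at the top of extract_cwe_number only covers nil, so a blank external_id still reaches `fail StandardError::ArgumentError`, and a non-String value raises NoMethodError on `upcase`; widening it to `return if cwe.to_s.strip.empty?` lets those cases fall through to the new name-based fallback in to_owasp instead of aborting the classification. The `fail StandardError::ArgumentError` line itself is pre-existing but worth fixing alongside: ArgumentError is not nested under StandardError, and top-level constant lookup through another class was removed in Ruby 2.5, so this expression raises NameError rather than the intended error; `raise ArgumentError, "expected a CWE-nnn identifier"` is the form that works and also carries a message. CLASSIFICATION_MAPPING is a mutable hash literal assigned to a constant and should end with `.freeze`; its double-quoted keys also differ from the single-quoted keys used in OWASP_TOP_10_2013_TO_CWE just below it. OWASP_TOP_10_2013_TO_CWE continues past the end of the hunk.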
@@ -28,12 +46,14 @@
def initialize(weakness)
@attributes = weakness
end
def to_owasp
- OWASP_TOP_10_2013_TO_CWE.map do |owasp, cwes|
+ from_cwe = OWASP_TOP_10_2013_TO_CWE.map do |owasp, cwes|
owasp if cwes.include?(self.class.extract_cwe_number(to_cwe))
- end.compact.first || OWASP_DEFAULT
+ end.compact.first
+
+ from_cwe || CLASSIFICATION_MAPPING[@attributes[:name]] || OWASP_DEFAULT
end
def to_cwe
@attributes[:external_id]
end
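Review bot: In to_owasp the `self.class.extract_cwe_number(to_cwe)` call sits inside the map block, so the same CWE string is re-parsed once per OWASP category; hoist it and let `find` do the lookup: `cwe_number = self.class.extract_cwe_number(to_cwe)` followed by `from_cwe = OWASP_TOP_10_2013_TO_CWE.find { |_, cwes| cwes.include?(cwe_number) }&.first` (Ruby 2.3+ for `&.`). Note also that the new `CLASSIFICATION_MAPPING[@attributes[:name]]` fallback is only reached when extract_cwe_number returns normally; an external_id that is present but not a CWE identifier still raises before the weakness name is consulted, which may or may not be the intended contract for weaknesses the API reports without a CWE. The mapping lookup is an exact-string match on the weakness name, so any drift in the upstream naming silently degrades to OWASP_DEFAULT; a short comment above the fallback saying so would help the next maintainer.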