Hcl vulnerability list update #297

Merged: davewichers merged 10 commits into OWASP-Benchmark:main from AkashSahai:HCL_Vulnerability_List_Update on May 13, 2026

@AkashSahai AkashSahai commented May 5, 2026

Updated the HCL vulnerability list to get proper results after running the crawler and scorecard scripts for OWASP Benchmark Python.

  • Add 5 entries to vulnerabilityToCweNumber map and modified mapping for 1.

Added more CWE mappings for HCL AppScan
Modified mapping of attJavaDeserCodeExec for HCL AppScan IAST
Modified IAST related vulnerability mappings
Added CodeInjection mapping for IAST
…ability

added DeserializationOfUntrustedData as another option for 502 Vulnerability
Removed added MISSING_REFERRER_POLICY_HEADER as this was handled using CweNumber.DONTCARE
removed not required code
removed whitespace
@AkashSahai
Contributor Author

Hi @davewichers,
please take a look at this PR and merge if everything looks good.

Thanks.

vulnerabilityToCweNumber.put("attRedirectInURL", CweNumber.OPEN_REDIRECT);
vulnerabilityToCweNumber.put("attReferrerPolicyHeaderExist", CweNumber.DONTCARE);
vulnerabilityToCweNumber.put("DetectedAPIs", CweNumber.DONTCARE);
vulnerabilityToCweNumber.put("attBlindCodeInjection", 94);
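
Review bot: The `attBlindCodeInjection` entry on the last line passes the bare literal 94, while the three entries above it use named CweNumber constants. Use a named constant here as well, adding one to the CweNumber class if none exists for CWE-94 (code injection), so every mapping can be found by constant name and a mistyped number cannot silently map findings to the wrong CWE.
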
Contributor

If it does not exist, please create the number in CweNumber class.

Contributor Author

I replaced 94 with CweNumber.CODE_INJECTION, which was recently added to the CweNumber class.

removed hard coded CweNumber and using the CweNumber.CODE_INJECTION on the place of 94
@AkashSahai AkashSahai requested a review from darkspirit510 May 12, 2026 06:27
@davewichers davewichers merged commit ded8378 into OWASP-Benchmark:main May 13, 2026
1 check passed
@davewichers
Contributor

@darkspirit510 - His updates look like they addressed your comments properly, so I merged this in.
