diff --git a/app/models/concerns/enums/vulnerability.rb b/app/models/concerns/enums/vulnerability.rb
index dbf05dbc4287bbfe0f689f5df676581e7fba9de5..f7d35c77648e342d493bab5db54119233b7e1be5 100644
--- a/app/models/concerns/enums/vulnerability.rb
+++ b/app/models/concerns/enums/vulnerability.rb
@@ -46,6 +46,30 @@ module Vulnerability
       dismissed: 2
     }.with_indifferent_access.freeze
 
+    OWASP_TOP_10 = {
+      "A1:2017-Injection" => 1,
+      "A2:2017-Broken Authentication" => 2,
+      "A3:2017-Sensitive Data Exposure" => 3,
+      "A4:2017-XML External Entities (XXE)" => 4,
+      "A5:2017-Broken Access Control" => 5,
+      "A6:2017-Security Misconfiguration" => 6,
+      "A7:2017-Cross-Site Scripting (XSS)" => 7,
+      "A8:2017-Insecure Deserialization" => 8,
+      "A9:2017-Using Components with Known Vulnerabilities" => 9,
+      "A10:2017-Insufficient Logging & Monitoring" => 10,
+
+      "A1:2021-Broken Access Control" => 11,
+      "A2:2021-Cryptographic Failures" => 12,
+      "A3:2021-Injection" => 13,
+      "A4:2021-Insecure Design" => 14,
+      "A5:2021-Security Misconfiguration" => 15,
+      "A6:2021-Vulnerable and Outdated Components" => 16,
+      "A7:2021-Identification and Authentication Failures" => 17,
+      "A8:2021-Software and Data Integrity Failures" => 18,
+      "A9:2021-Security Logging and Monitoring Failures" => 19,
+      "A10:2021-Server-Side Request Forgery" => 20
+    }.with_indifferent_access.freeze
+
     def self.confidence_levels
       CONFIDENCE_LEVELS
     end
@@ -73,6 +97,10 @@ def self.detection_methods
     def self.vulnerability_states
       VULNERABILITY_STATES
     end
+
+    def self.owasp_top_10
+      OWASP_TOP_10
+    end
   end
 end
 
diff --git a/ee/app/models/vulnerabilities/read.rb b/ee/app/models/vulnerabilities/read.rb
index 9c895a8b1ab8cc631060f43e7a98b24617a2e658..5d2532c120edd7340b52ee4ae3d8a17f3827c5b8 100644
--- a/ee/app/models/vulnerabilities/read.rb
+++ b/ee/app/models/vulnerabilities/read.rb
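Review bot: The integers in `OWASP_TOP_10` become the stored representation once `read.rb` binds this hash to an ActiveRecord enum column, so renumbering or deleting a key would silently re-label every persisted vulnerability, yet nothing at the constant says so. I'd add above the hash: `# Values are persisted via the owasp_top_10 enum on Vulnerabilities::Read: never renumber or remove an entry; append new OWASP editions with fresh integers.` The 2017 and 2021 editions also cover overlapping topics under different keys (Injection is 1 and 13, Security Misconfiguration is 6 and 15), so a consumer filtering by topic has to query both editions, which is worth a second sentence in that comment. Note too that `with_indifferent_access` only normalizes symbol keys, not case or whitespace, so if these keys are meant to be matched against scanner report values (inferred, not visible here) the report strings must match byte-for-byte.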
@@ -32,6 +32,7 @@ class Read < ApplicationRecord
     enum state: ::Enums::Vulnerability.vulnerability_states
     enum report_type: ::Enums::Vulnerability.report_types
     enum severity: ::Enums::Vulnerability.severity_levels, _prefix: :severity
+    enum owasp_top_10: ::Enums::Vulnerability.owasp_top_10
 
     scope :by_uuid, -> (uuids) { where(uuid: uuids) }
     scope :by_vulnerabilities, -> (vulnerabilities) { where(vulnerability: vulnerabilities) }
diff --git a/ee/spec/models/vulnerabilities/read_spec.rb b/ee/spec/models/vulnerabilities/read_spec.rb
index 8d3bcfe982e2fbea9f935cf2702204368ff3d013..49207ee2588c85b22cf363642c011bc73979743c 100644
--- a/ee/spec/models/vulnerabilities/read_spec.rb
+++ b/ee/spec/models/vulnerabilities/read_spec.rb
@@ -618,6 +618,16 @@
     end
   end
 
+  describe '.owasp_top_10' do
+    it 'raises ArgumentError for invalid enum value' do
+      expect { described_class.new(owasp_top_10: '123456') }.to raise_error(ArgumentError)
+    end
+
+    it 'accepts nil value' do
+      is_expected.to allow_value(nil).for(:owasp_top_10)
+    end
+  end
+
   private
 
   def create_vulnerability(severity: 7, confidence: 7, report_type: 0)
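Review bot: `enum owasp_top_10:` takes the raw category titles as enum keys, so as far as I can tell from Rails' enum implementation it will define a predicate, a bang method and a class scope per key with names like `A1:2017-Injection?` and `A10:2017-Insufficient Logging & Monitoring`, reachable only via `public_send`; the neighbouring `severity` enum uses `_prefix`, while this one has neither a prefix nor `_scopes: false`. Unless those generated scopes are wanted I'd write `enum owasp_top_10: ::Enums::Vulnerability.owasp_top_10, _scopes: false`, and if they are looked up dynamically somewhere, a comment here saying so would stop the next reader from switching them off. Assigning an unknown key raises `ArgumentError` (the spec in this commit relies on that), so whichever filter layer feeds this column from user input needs to validate against `::Enums::Vulnerability.owasp_top_10.keys` first instead of letting the exception surface as a server error; that layer is outside this diff. The enclosing class body continues outside the hunk.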
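Review bot: The new `.owasp_top_10` examples check rejection of an unknown value and acceptance of nil but never pin the integer mapping, which is the part that matters once the column is persisted: a renumbering in `Enums::Vulnerability::OWASP_TOP_10` would pass this spec unchanged. I'd add an example such as `expect(described_class.owasp_top_10s).to include('A1:2017-Injection' => 1, 'A10:2021-Server-Side Request Forgery' => 20)`. The `is_expected` example relies on a `subject` defined outside the hunk, so I can't see whether it exercises the same construction as `described_class.new` in the first example; using one form for both would keep the two cases comparable. The describe block is complete within the hunk, the spec file continues past it.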