Mapping issues to OWASP Top 10


psiinon

Aug 12, 2021, 3:22:07 AM
to zaprox...@googlegroups.com, OWASP ZAP Developer Group
We've had quite a few requests to include the OWASP Top Ten Id with issues as we do with CWE Ids and WASC Ids.
I believe a contributor is working on the code changes but actually mapping all of our existing alerts will be a non-trivial process.
We'll need to include the year as well so I was thinking we'd display something like: "OWASP 2017 A1" etc. So any one issue could potentially map to multiple OWASP IDs across multiple years :/

Would anyone like to help us map the current ZAP issues?
If so then please let me know...

Many thanks,

Simon
--
OWASP ZAP Project leader

Kevin W. Wall

Aug 12, 2021, 6:24:08 PM
to zaproxy...@googlegroups.com
Doesn't OT10 already map their stuff to 1 or more CWE IDs? Thought they did. If so, it should be pretty straightforward. And if they don't, then they should and you should recruit some of the OT10 people to help out.

-kevin


kingthorin+owaspzap

Aug 12, 2021, 9:18:09 PM
to OWASP ZAP Developer Group
There's also probably not much sense in mapping anything older than 2017 (Top 10 wise).