A specification for declaring vulnerabilities in intentionally vulnerable applications ("vulnapps") to help scanners assess their own find rate.
- A vulnerable application declares its vulnerabilities in an agreed schema in a `.vulns.yml` (or `.vulns.json`) file
- A security scanner analyzes the vulnapp and generates a report with its findings
- The individual findings in the report are checked for the flags specified in `.vulns.yml`: a finding that carries a declared flag is a true positive, a finding without one is a false positive, and a declared flag that no finding carries is a false negative
- `.vulns.flags-only.yml`: Flags only, no further grouping or categorization
- `.vulns.subtyped-flags.yml`: Flags categorized into different types
- `.vulns.grouped-flags.yml`: Flags grouped by their location of occurrence, with optional extra attributes (like HTTP method)
Draft | Declaration Effort | Flag Duplication | Report Matching Effort | Assessment Precision | Extensibility |
---|---|---|---|---|---|
Flags only | Low (:heavy_plus_sign:) | Low (:heavy_plus_sign:) | Low (:heavy_plus_sign:) | Low (:heavy_minus_sign:) | Low (:heavy_minus_sign:) |
Subtyped flags | Medium | Medium | High (:heavy_minus_sign:) | Medium | Medium |
Grouped flags | High (:heavy_minus_sign:) | High (:heavy_minus_sign:) | Medium | High (:heavy_plus_sign:) | High (:heavy_plus_sign:) |

(:heavy_plus_sign: marks a favorable rating for that column, :heavy_minus_sign: an unfavorable one.)
Most of the discussion that led to the creation of these three drafts happened in juice-shop/juice-shop#1441 and on https://owasp.slack.com/archives/CPMEWT342/p1597085979033700.
Please provide feedback here via comments and/or by 👍/👎 reactions to this comment. Thank you!