@kurt-r2c
Created February 28, 2022 23:04
OWASP Top 10 2017 categories and their associated CWEs. Compiled from https://cwe.mitre.org/data/slices/1026.html
A01:2017 - Injection:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection'
- 'CWE-77: Improper Neutralization of Special Elements used in a Command (''Command Injection'')'
- 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')'
- 'CWE-88: Improper Neutralization of Argument Delimiters in a Command (''Argument Injection'')'
- 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')'
- 'CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (''LDAP Injection'')'
- 'CWE-91: XML Injection (aka Blind XPath Injection)'
- 'CWE-564: SQL Injection: Hibernate'
- 'CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (''Expression Language Injection'')'
- 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic'
A02:2017 - Broken Authentication:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A2 - Broken Authentication'
- 'CWE-287: Improper Authentication'
- 'CWE-256: Plaintext Storage of a Password'
- 'CWE-308: Use of Single-factor Authentication'
- 'CWE-384: Session Fixation'
- 'CWE-522: Insufficiently Protected Credentials'
- 'CWE-523: Unprotected Transport of Credentials'
- 'CWE-613: Insufficient Session Expiration'
- 'CWE-620: Unverified Password Change'
- 'CWE-640: Weak Password Recovery Mechanism for Forgotten Password'
A03:2017 - Sensitive Data Exposure:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure'
- 'CWE-220: Storage of File With Sensitive Data Under FTP Root'
- 'CWE-295: Improper Certificate Validation'
- 'CWE-311: Missing Encryption of Sensitive Data'
- 'CWE-312: Cleartext Storage of Sensitive Information'
- 'CWE-319: Cleartext Transmission of Sensitive Information'
- 'CWE CATEGORY: Key Management Errors'
- 'CWE-325: Missing Cryptographic Step'
- 'CWE-326: Inadequate Encryption Strength'
- 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
- 'CWE-328: Use of Weak Hash'
- 'CWE-359: Exposure of Private Personal Information to an Unauthorized Actor'
A04:2017 - XML External Entities (XXE):
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A4 - XML External Entities (XXE)'
- 'CWE-611: Improper Restriction of XML External Entity Reference'
- 'CWE-776: Improper Restriction of Recursive Entity References in DTDs (''XML Entity Expansion'')'
A05:2017 - Broken Access Control:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A5 - Broken Access Control'
- 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')'
- 'CWE-284: Improper Access Control'
- 'CWE-285: Improper Authorization'
- 'CWE-425: Direct Request (''Forced Browsing'')'
- 'CWE-639: Authorization Bypass Through User-Controlled Key'
A06:2017 - Security Misconfiguration:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration'
- 'CWE CATEGORY: Configuration'
- 'CWE-209: Generation of Error Message Containing Sensitive Information'
- 'CWE-548: Exposure of Information Through Directory Listing'
A07:2017 - Cross-Site Scripting (XSS):
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A7 - Cross-Site Scripting (XSS)'
- 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')'
A08:2017 - Insecure Deserialization:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A8 - Insecure Deserialization'
- 'CWE-502: Deserialization of Untrusted Data'
A09:2017 - Using Components with Known Vulnerabilities:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities'
A10:2017 - Insufficient Logging & Monitoring:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A10 - Insufficient Logging & Monitoring'
- 'CWE-223: Omission of Security-relevant Information'
- 'CWE-778: Insufficient Logging'