Initial commit

skills/appsec/sast-bandit/references/cwe_owasp_mapping.md

@@ -0,0 +1,157 @@
+# Bandit Test to CWE and OWASP Mapping
+
+Complete mapping between Bandit test IDs, Common Weakness Enumeration (CWE), and OWASP Top 10 2021 categories.
+
+## Table of Contents
+
+- [Cryptographic Issues](#cryptographic-issues)
+- [Injection Vulnerabilities](#injection-vulnerabilities)
+- [Security Misconfiguration](#security-misconfiguration)
+- [Insecure Deserialization](#insecure-deserialization)
+- [Access Control Issues](#access-control-issues)
+
+## Cryptographic Issues
+
+### OWASP A02:2021 - Cryptographic Failures
+
+| Test ID | Description | CWE | Severity |
+|---------|-------------|-----|----------|
+| B302 | Use of insecure MD2, MD4, MD5, or SHA1 hash function | CWE-327 | MEDIUM |
+| B303 | Use of insecure MD2, MD4, or MD5 hash function | CWE-327 | MEDIUM |
+| B304 | Use of insecure MD2, MD4, MD5, or SHA1 hash function | CWE-327 | MEDIUM |
+| B305 | Use of insecure cipher mode | CWE-327 | MEDIUM |
+| B306 | Use of insecure and deprecated function (mktemp) | CWE-377 | MEDIUM |
+| B307 | Use of possibly insecure function (eval) | CWE-78 | MEDIUM |
+| B311 | Standard pseudo-random generators are not suitable for security | CWE-330 | LOW |
+| B323 | Unverified context with insecure default | CWE-327 | MEDIUM |
+| B324 | Use of insecure hash functions in hashlib | CWE-327 | HIGH |
+| B401 | Use of insecure telnet protocol | CWE-319 | HIGH |
+| B402 | Use of insecure FTP protocol | CWE-319 | HIGH |
+| B403 | Use of insecure pickle import | CWE-502 | LOW |
+| B404 | Use of insecure subprocess import | CWE-78 | LOW |
+| B413 | Use of pycrypto | CWE-327 | HIGH |
+| B501 | Use of weak cryptographic key | CWE-326 | HIGH |
+| B502 | Use of weak SSL/TLS protocol | CWE-327 | HIGH |
+| B503 | Use of insecure SSL/TLS cipher | CWE-327 | MEDIUM |
+| B504 | SSL with no version specified | CWE-327 | LOW |
+| B505 | Use of weak cryptographic hash | CWE-327 | MEDIUM |
+
+**Remediation Strategy**: Replace weak cryptographic algorithms with strong alternatives. Use SHA-256 or SHA-512 for hashing, AES-256 for encryption, and TLS 1.2+ for transport security. For password hashing, use bcrypt, scrypt, or Argon2.
+
+## Injection Vulnerabilities
+
+### OWASP A03:2021 - Injection
+
+| Test ID | Description | CWE | Severity |
+|---------|-------------|-----|----------|
+| B308 | Use of mark_safe | CWE-80 | MEDIUM |
+| B313 | XML bad element tree | CWE-611 | MEDIUM |
+| B314 | XML bad element tree (lxml) | CWE-611 | MEDIUM |
+| B315 | XML bad element tree (expat) | CWE-611 | MEDIUM |
+| B316 | XML bad element tree (sax) | CWE-611 | MEDIUM |
+| B317 | XML bad element tree (expatreader) | CWE-611 | MEDIUM |
+| B318 | XML bad element tree (expatbuilder) | CWE-611 | MEDIUM |
+| B319 | XML bad element tree (xmlrpc) | CWE-611 | HIGH |
+| B320 | XML bad element tree (pulldom) | CWE-611 | HIGH |
+| B321 | FTP-related functions are being called | CWE-319 | HIGH |
+| B405 | XML mini DOM import | CWE-611 | LOW |
+| B406 | XML etree import | CWE-611 | LOW |
+| B407 | XML expat import | CWE-611 | LOW |
+| B408 | XML minidom import | CWE-611 | LOW |
+| B410 | XML etree import (lxml) | CWE-611 | LOW |
+| B411 | XML standard library imports | CWE-611 | LOW |
+| B412 | Deprecated httpoxy vulnerability | CWE-807 | LOW |
+| B601 | Paramiko call with shell=True | CWE-78 | HIGH |
+| B602 | subprocess call with shell=True | CWE-78 | HIGH |
+| B603 | subprocess without shell=True | CWE-78 | LOW |
+| B604 | Function call with shell=True | CWE-78 | HIGH |
+| B605 | Starting a process with a shell | CWE-78 | HIGH |
+| B606 | Starting a process without shell | CWE-78 | LOW |
+| B607 | Starting a process with a partial path | CWE-78 | LOW |
+| B608 | Possible SQL injection vector through string formatting | CWE-89 | MEDIUM |
+| B609 | Use of wildcard injection | CWE-78 | MEDIUM |
+| B610 | Potential SQL injection via Django raw SQL | CWE-89 | MEDIUM |
+| B611 | Potential SQL injection via Django extra | CWE-89 | MEDIUM |
+
+**Remediation Strategy**: Never concatenate user input into commands, queries, or markup. Use parameterized queries for SQL, safe XML parsers with DTD processing disabled, and avoid `shell=True` in subprocess calls. Use `shlex.split()` for argument parsing.
+
+## Security Misconfiguration
+
+### OWASP A05:2021 - Security Misconfiguration
+
+| Test ID | Description | CWE | Severity |
+|---------|-------------|-----|----------|
+| B201 | Flask app run with debug=True | CWE-489 | HIGH |
+| B310 | Audit URL open for permitted schemes | CWE-939 | MEDIUM |
+| B506 | Test for use of yaml load | CWE-20 | MEDIUM |
+| B507 | SSH with no host key verification | CWE-295 | MEDIUM |
+| B701 | jinja2 autoescape false | CWE-94 | HIGH |
+| B702 | Test for use of mako templates | CWE-94 | MEDIUM |
+| B703 | Django autoescape false | CWE-94 | MEDIUM |
+
+**Remediation Strategy**: Disable debug mode in production, validate and sanitize all inputs, enable autoescape in template engines, use safe YAML loaders (`yaml.safe_load()`), and enforce strict host key verification for SSH connections.
+
+## Insecure Deserialization
+
+### OWASP A08:2021 - Software and Data Integrity Failures
+
+| Test ID | Description | CWE | Severity |
+|---------|-------------|-----|----------|
+| B301 | Pickle and modules that wrap it can be unsafe | CWE-502 | MEDIUM |
+
+**Remediation Strategy**: Avoid using pickle for untrusted data. Use JSON, MessagePack, or Protocol Buffers with strict schema validation. If pickle is necessary, implement cryptographic signing and validation of serialized data.
+
+## Access Control Issues
+
+### OWASP A01:2021 - Broken Access Control
+
+| Test ID | Description | CWE | Severity |
+|---------|-------------|-----|----------|
+| B506 | Test for use of yaml load (arbitrary code execution) | CWE-20 | MEDIUM |
+
+**Remediation Strategy**: Use `yaml.safe_load()` instead of `yaml.load()` to prevent arbitrary code execution. Implement proper access controls and input validation for all YAML processing.
+
+## Hardcoded Credentials
+
+### OWASP A02:2021 - Cryptographic Failures
+
+| Test ID | Description | CWE | Severity |
+|---------|-------------|-----|----------|
+| B105 | Possible hardcoded password string | CWE-259 | LOW |
+| B106 | Possible hardcoded password function argument | CWE-259 | LOW |
+| B107 | Possible hardcoded password default argument | CWE-259 | LOW |
+
+**Remediation Strategy**: Never hardcode credentials. Use environment variables, secret management services (HashiCorp Vault, AWS Secrets Manager), or encrypted configuration files with proper key management.
+
+## Priority Matrix
+
+Use this matrix to prioritize remediation efforts:
+
+| Priority | Criteria | Action |
+|----------|----------|--------|
+| **CRITICAL** | HIGH Severity + HIGH Confidence | Immediate remediation required |
+| **HIGH** | HIGH Severity OR MEDIUM Severity + HIGH Confidence | Remediate within 1 sprint |
+| **MEDIUM** | MEDIUM Severity + MEDIUM Confidence | Remediate within 2 sprints |
+| **LOW** | LOW Severity OR LOW Confidence | Address during refactoring |
+| **INFORMATIONAL** | Review only | Document and monitor |
+
+## OWASP Top 10 2021 Coverage
+
+| OWASP Category | Bandit Coverage | Notes |
+|----------------|-----------------|-------|
+| A01:2021 Broken Access Control | Partial | Covers YAML deserialization |
+| A02:2021 Cryptographic Failures | Excellent | Comprehensive crypto checks |
+| A03:2021 Injection | Excellent | SQL, command, XML injection |
+| A04:2021 Insecure Design | None | Requires manual review |
+| A05:2021 Security Misconfiguration | Good | Debug mode, templating |
+| A06:2021 Vulnerable Components | None | Use Safety or pip-audit |
+| A07:2021 Authentication Failures | Partial | Hardcoded credentials only |
+| A08:2021 Data Integrity Failures | Good | Deserialization issues |
+| A09:2021 Security Logging Failures | None | Requires manual review |
+| A10:2021 SSRF | Partial | URL scheme validation |
+
+## References
+
+- [OWASP Top 10 2021](https://owasp.org/Top10/)
+- [CWE Database](https://cwe.mitre.org/)
+- [Bandit Documentation](https://bandit.readthedocs.io/)