Add ssdf (#317)

* ssdf data

* make auto importing fail if any step fails

* add ssdf entry from spreadsheet

Makefile

@@ -77,13 +77,6 @@ migrate-downgrade:
 
 import-all:
 	[ -d "./venv" ] && . ./venv/bin/activate
-	rm -rf standards_cache.sqlite
-	make migrate-upgrade
-	export FLASK_APP=$(CURDIR)/cre.py
-	python cre.py --add --from_spreadsheet https://docs.google.com/spreadsheets/d/1eZOEYgts7d_-Dr-1oAbogPfzBLh6511b58pX3b59kvg
-	python cre.py --generate_embeddings
-	python cre.py --zap_in --cheatsheets_in --github_tools_in  --capec_in --owasp_secure_headers_in --pci_dss_4_in --juiceshop_in
-	python cre.py --generate_embeddings
-
+	rm -rf standards_cache.sqlite && make migrate-upgrade && export FLASK_APP=$(CURDIR)/cre.py && python cre.py --add --from_spreadsheet https://docs.google.com/spreadsheets/d/1eZOEYgts7d_-Dr-1oAbogPfzBLh6511b58pX3b59kvg && python cre.py --generate_embeddings && python cre.py --zap_in --cheatsheets_in --github_tools_in  --capec_in --owasp_secure_headers_in --pci_dss_4_in --juiceshop_in &&	python cre.py --generate_embeddings
 
 all: clean lint test dev dev-run

application/utils/spreadsheet_parsers.py

@@ -473,6 +473,14 @@ def parse_standards(
                     # "version":"v2",
                     "separator": "\n",
                 },
+                "NIST SSDF": {
+                    "section": "Standard NIST SSDF",
+                    "sectionID": "Standard NIST SSDF ID",
+                    "subsection": "",
+                    "hyperlink": "",
+                    # "version":"v2",
+                    "separator": "\n",
+                },
             },
         }
     links: List[defs.Link] = []

cres/.yaml

@@ -0,0 +1,11 @@
+doctype: CRE
+links:
+- document:
+    doctype: CRE
+    id: 764-507
+    name: Restrict XML parsing (against XXE)
+    tags:
+    - Configuration
+    - Injection protection
+  ltype: Contains
+name: XML Parser hardening

cres/002-630.yaml

@@ -10,8 +10,8 @@ links:
     doctype: Standard
     hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md
     name: ASVS
-    section: V3.2.1
-    sectionID: Verify the application generates a new session token on user authentication.
+    section: Verify the application generates a new session token on user authentication.
+    sectionID: V3.2.1
   ltype: Linked To
 - document:
     doctype: Standard
@@ -34,7 +34,7 @@ links:
   ltype: Linked To
 - document:
     doctype: Standard
-    hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation.html
+    hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation.html
     name: OWASP Web Security Testing Guide (WSTG)
     section: WSTG-SESS-03
   ltype: Linked To

cres/002-801.yaml

@@ -12,9 +12,9 @@ links:
     doctype: Standard
     hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md
     name: ASVS
-    section: V2.9.3
-    sectionID: Verify that approved cryptographic algorithms are used in the generation,
+    section: Verify that approved cryptographic algorithms are used in the generation,
       seeding, and verification.
+    sectionID: V2.9.3
   ltype: Linked To
 - document:
     doctype: Standard

cres/004-517.yaml

@@ -1,6 +1,11 @@
 doctype: CRE
 id: 004-517
 links:
+- document:
+    doctype: CRE
+    id: 433-442
+    name: Verification
+  ltype: Related
 - document:
     doctype: CRE
     id: 074-873
@@ -16,6 +21,11 @@ links:
     id: 782-234
     name: Clear policy compliant I/O requirements
   ltype: Contains
+- document:
+    doctype: CRE
+    id: 072-713
+    name: Manage standard technologies and frameworks
+  ltype: Related
 - document:
     doctype: CRE
     id: 787-638
@@ -32,6 +42,12 @@ links:
     name: NIST 800-53 v5
     section: SC-18 Mobile Code
   ltype: Linked To
+- document:
+    doctype: Standard
+    name: ISO 27001
+    section: Application security requirements
+    sectionID: '8.26'
+  ltype: Linked To
 - document:
     doctype: Standard
     hyperlink: https://owaspsamm.org/model/design/security-requirements/stream-a
@@ -45,11 +61,24 @@ links:
     section: Application Security Baseline Requirements
     sectionID: AIS-02
   ltype: Linked To
+- document:
+    doctype: Standard
+    name: ISO 27001
+    section: Information transfer
+    sectionID: '5.14'
+  ltype: Linked To
 - document:
     doctype: Standard
     hyperlink: https://owaspsamm.org/model/governance/policy-and-compliance/stream-a/
     name: SAMM
     section: Policy & Standards
     sectionID: G-PC-A
   ltype: Linked To
+- document:
+    doctype: Standard
+    name: NIST SSDF
+    section: Identify and document all security requirements for organization-developed
+      software to meet, and maintain the requirements over time.
+    sectionID: PO.1.2
+  ltype: Linked To
 name: Security requirements

cres/010-308.yaml

@@ -8,17 +8,17 @@ links:
   ltype: Contains
 - document:
     doctype: CRE
-    id: 760-764
-    name: Injection protection
+    id: 760-765
+    name: XSS protection
     tags:
-    - XSS protection
+    - Injection protection
   ltype: Related
 - document:
     doctype: CRE
-    id: 760-765
-    name: XSS protection
+    id: 760-764
+    name: Injection protection
     tags:
-    - Injection protection
+    - XSS protection
   ltype: Related
 - document:
     doctype: CRE
@@ -66,5 +66,5 @@ links:
   ltype: Contains
 name: Input validation
 tags:
-- Injection protection
 - XSS protection
+- Injection protection

cres/013-021.yaml

@@ -11,10 +11,41 @@ links:
     id: 247-250
     name: Access control processes
   ltype: Related
+- document:
+    doctype: CRE
+    id: 118-775
+    name: Manage an internal secure software development community
+  ltype: Related
+- document:
+    doctype: Standard
+    hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-13
+    name: NIST 800-53 v5
+    section: PM-13 Security and Privacy Workforce
+  ltype: Linked To
 - document:
     doctype: Standard
     name: ISO 27001
     section: Information security roles and responsibilities
     sectionID: '5.2'
   ltype: Linked To
+- document:
+    doctype: Standard
+    name: NIST SSDF
+    section: Create new roles and alter responsibilities for existing roles as needed
+      to encompass all parts of the SDLC. Periodically review and maintain the defined
+      roles and responsibilities, updating them as needed.
+    sectionID: PO.2.1
+  ltype: Linked To
+- document:
+    doctype: Standard
+    hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-2
+    name: NIST 800-53 v5
+    section: PM-2 Information Security Program Leadership Role
+  ltype: Linked To
+- document:
+    doctype: Standard
+    hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-29
+    name: NIST 800-53 v5
+    section: PM-29 Risk Management Program Leadership Roles
+  ltype: Linked To
 name: Roles and responsibilities

cres/015-063.yaml

@@ -15,10 +15,10 @@ links:
     doctype: Standard
     hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md
     name: ASVS
-    section: V8.3.5
-    sectionID: Verify accessing sensitive data is audited (without logging the sensitive
+    section: Verify accessing sensitive data is audited (without logging the sensitive
       data itself), if the data is collected under relevant data protection directives
       or where logging of access is required.
+    sectionID: V8.3.5
   ltype: Linked To
 - document:
     doctype: Standard

cres/026-280.yaml

@@ -10,9 +10,9 @@ links:
     doctype: Standard
     hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md
     name: ASVS
-    section: V1.7.2
-    sectionID: Verify that logs are securely transmitted to a preferably remote system
+    section: Verify that logs are securely transmitted to a preferably remote system
       for analysis, detection, alerting, and escalation.
+    sectionID: V1.7.2
   ltype: Linked To
 - document:
     doctype: Standard

cres/027-210.yaml

@@ -12,10 +12,10 @@ links:
     doctype: Standard
     hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md
     name: ASVS
-    section: V6.3.2
-    sectionID: Verify that random GUIDs are created using the GUID v4 algorithm, and
+    section: Verify that random GUIDs are created using the GUID v4 algorithm, and
       a Cryptographically-secure Pseudo-random Number Generator (CSPRNG). GUIDs created
       using other pseudo-random number generators may be predictable.
+    sectionID: V6.3.2
   ltype: Linked To
 - document:
     doctype: Standard
@@ -26,7 +26,7 @@ links:
   ltype: Linked To
 - document:
     doctype: Standard
-    hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html
+    hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html
     name: OWASP Web Security Testing Guide (WSTG)
     section: WSTG-CRYP-04
   ltype: Linked To

cres/027-555.yaml

@@ -10,9 +10,9 @@ links:
     doctype: Standard
     hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md
     name: ASVS
-    section: V2.1.1
-    sectionID: Verify that user set passwords are at least 12 characters in length
-      (after multiple spaces are combined).
+    section: Verify that user set passwords are at least 12 characters in length (after
+      multiple spaces are combined).
+    sectionID: V2.1.1
   ltype: Linked To
 - document:
     doctype: Standard
@@ -29,7 +29,7 @@ links:
   ltype: Linked To
 - document:
     doctype: Standard
-    hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html
+    hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html
     name: OWASP Web Security Testing Guide (WSTG)
     section: WSTG-ATHN-07
   ltype: Linked To

cres/028-254.yaml

@@ -10,11 +10,11 @@ links:
     doctype: Standard
     hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md
     name: ASVS
-    section: V10.3.1
-    sectionID: Verify that if the application has a client or server auto-update feature,
+    section: Verify that if the application has a client or server auto-update feature,
       updates should be obtained over secure channels and digitally signed. The update
       code must validate the digital signature of the update before installing or
       executing the update.
+    sectionID: V10.3.1
   ltype: Linked To
 - document:
     doctype: Standard

cres/031-447.yaml

@@ -6,17 +6,17 @@ links:
     id: 010-308
     name: Input validation
     tags:
-    - Injection protection
     - XSS protection
+    - Injection protection
   ltype: Contains
 - document:
     doctype: Standard
     hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md
     name: ASVS
-    section: V5.1.3
-    sectionID: Verify that all input (HTML form fields, REST requests, URL parameters,
+    section: Verify that all input (HTML form fields, REST requests, URL parameters,
       HTTP headers, cookies, batch files, RSS feeds, etc) is validated using positive
       validation (allow lists).
+    sectionID: V5.1.3
   ltype: Linked To
 - document:
     doctype: Standard
@@ -33,7 +33,7 @@ links:
   ltype: Linked To
 - document:
     doctype: Standard
-    hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/
+    hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/
     name: OWASP Web Security Testing Guide (WSTG)
     section: WSTG-INPV-00
   ltype: Linked To

cres/032-213.yaml

@@ -12,9 +12,9 @@ links:
     doctype: Standard
     hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md
     name: ASVS
-    section: V6.4.2
-    sectionID: Verify that key material is not exposed to the application but instead
+    section: Verify that key material is not exposed to the application but instead
       uses an isolated security module like a vault for cryptographic operations.
+    sectionID: V6.4.2
   ltype: Linked To
 - document:
     doctype: Standard

cres/036-147.yaml

@@ -15,10 +15,10 @@ links:
     doctype: Standard
     hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md
     name: ASVS
-    section: V14.4.5
-    sectionID: 'Verify that a Strict-Transport-Security header is included on all
-      responses and for all subdomains, such as Strict-Transport-Security: max-age=15724800;
+    section: 'Verify that a Strict-Transport-Security header is included on all responses
+      and for all subdomains, such as Strict-Transport-Security: max-age=15724800;
       includeSubdomains.'
+    sectionID: V14.4.5
   ltype: Linked To
 - document:
     doctype: Standard
@@ -29,7 +29,7 @@ links:
   ltype: Linked To
 - document:
     doctype: Standard
-    hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security.html
+    hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security.html
     name: OWASP Web Security Testing Guide (WSTG)
     section: WSTG-CONF-07
   ltype: Linked To

cres/036-275.yaml

@@ -10,9 +10,9 @@ links:
     doctype: Standard
     hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md
     name: ASVS
-    section: V1.1.7
-    sectionID: Verify availability of a secure coding checklist, security requirements,
+    section: Verify availability of a secure coding checklist, security requirements,
       guideline, or policy to all developers and testers.
+    sectionID: V1.1.7
   ltype: Linked To
 - document:
     doctype: Standard

cres/036-725.yaml

@@ -10,11 +10,11 @@ links:
     doctype: Standard
     hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md
     name: ASVS
-    section: V14.4.1
-    sectionID: Verify that every HTTP response contains a Content-Type header. Also
+    section: Verify that every HTTP response contains a Content-Type header. Also
       specify a safe character set (e.g., UTF-8, ISO-8859-1) if the content types
       are text/*, /+xml and application/xml. Content must match with the provided
       Content-Type header.
+    sectionID: V14.4.1
   ltype: Linked To
 - document:
     doctype: Standard