\n
\n\n regex
\n\n\n\n\n\ninfo.md
\n\n - `corazawaf/coraza 3.2.1`\n\n
Internal Server Error
\r\nThe server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.
\r\n```\r\n\r\nResult from the server side:\r\n```\r\n return cors_after_request(app.make_response(f(*args, **kwargs)))\r\n File \"/home/csi/OpenCRE/venv/lib/python3.10/site-packages/flask/app.py\", line 880, in full_dispatch_request\r\n rv = self.dispatch_request()\r\n File \"/home/csi/OpenCRE/venv/lib/python3.10/site-packages/flask/app.py\", line 865, in dispatch_request\r\n return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args) # type: ignore[no-any-return]\r\n File \"/home/csi/OpenCRE/application/web/web_main.py\", line 743, in import_from_cre_csv\r\n new_cre, exists = cre_main.register_cre(cre, database)\r\n File \"/home/csi/OpenCRE/application/cmd/cre_main.py\", line 122, in register_cre\r\n collection.add_internal_link(\r\n File \"/home/csi/OpenCRE/application/database/db.py\", line 1597, in add_internal_link\r\n cycle = self.__introduces_cycle(f\"CRE: {higher.id}\", f\"CRE: {lower.id}\")\r\n File \"/home/csi/OpenCRE/application/database/db.py\", line 766, in __introduces_cycle\r\n raise ValueError(\r\nValueError: Existing graph contains cycle,this not a recoverable error, manual database actions are required [('CRE: 155-155', 'CRE:\r\n 546-564'), ('CRE: 546-564', 'CRE: 155-155')]\r\nINFO:werkzeug:161.218.188.108 - - [06/Sep/2024 10:08:39] \"POST /rest/v1/cre_csv_import HTTP/1.1\" 500 -\r\n```\r\n\r\n### Steps to reproduce\r\n\r\nFirst clean the database and populate from upstream:\r\n```\r\n~/OpenCRE$ rm -rf standards_cache.sqlite; make migrate-upgrade; python cre.py --upstream_sync\r\n```\r\n\r\nSecond have a CSV file in the correct format to import (name the file cra_cre.csv with the following content)\r\n```\r\nCRE 0,CRE 1,CRE 2,CRE 3,CRE 4,Cyber Resiliency Act|name,Cyber Resiliency Act|id,Cyber Resiliency Act|hyperlink,NIST 800-53 v5|name,NIST 800-53 v5|id,NIST 800-53 v5|hyperlink,ISO/IEC 27001:2013|name,ISO/IEC 27001:2013|id,ISO/IEC 27001:2013|hyperlink,ASVS|name,ASVS|id,ASVS|hyperlink,CIS v8|name,CIS v8|id,CIS v8|hyperlink,PCI DSS|name,PCI DSS|id,PCI DSS|hyperlink,CSA CCM|name,CSA CCM|id,CSA CCM|hyperlink\r\n,,347-352|Set and confirm integrity of security deployment configuration,,,Designed; developed; and produced to ensure cybersecurity,1.1,https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_1.html,,,,,,,,,,,,,,,,,,\r\n,,028-254|Secure auto-updates over full stack,,,Address and remediate vulnerabilities,2.2,https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_1.html,,,,,,,,,,,,,,,,,,\r\n,,820-878|Document all trust boundaries and significant data flows,,,Designed; developed; and produced to ensure cybersecurity,1.1,https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_1.html,,,,,,,,,,,,,,,,,,\r\n,,,007-274|Patching and updating system components,,Address and remediate vulnerabilities,2.2,https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_1.html,,,,,,,,,,,,,,,,,,\r\n,,,286-500|OS security,,Designed; developed; and produced to ensure cybersecurity,1.1,https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_1.html,,,,,,,,,,,,,,,,,,\r\n,,732-148|Vulnerability management,,,Address and remediate vulnerabilities,2.2,https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_1.html,,,,,,,,,,,,,,,,,,\r\n,,,002-202|Address and remediate,,Address and remediate vulnerabilities,2.2,https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_1.html,Flaw Remediation,SI-2,https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final,Management of technical vulnerabilities,A.12.6.1,https://www.iso.org/standard/54534.html,Security Update Verification,V14.4,https://owasp.org/www-project-application-security-verification-standard/,Continuous Vulnerability Management,Control 7,https://www.cisecurity.org/controls/v8/,Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.,6.2,https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf,Vulnerability Remediation,IVS-06,https://cloudsecurityalliance.org/research/cloud-controls-matrix/\r\n,,,,\"841-757|Use approved cryptographic algorithms in generation, seeding and verification of OTPs\",Designed; developed; and produced to ensure cybersecurity,1.1,https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_1.html,,,,,,,,,,,,,,,,,,\r\n,,,240-274|Log only non-sensitive data,,Designed; developed; and produced to ensure cybersecurity,1.1,https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_1.html,,,,,,,,,,,,,,,,,,\r\n,,,261-010|Program management for secure software development,,Designed; developed; and produced to ensure cybersecurity,1.1,https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_1.html,,,,,,,,,,,,,,,,,,\r\n,766-162|Security Analysis and documentation,,,,Address and remediate vulnerabilities,2.2,https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_1.html,,,,,,,,,,,,,,,,,,\r\n,,,,731-120|Document requirements for (data) protection levels,Designed; developed; and produced to ensure cybersecurity,1.1,https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_1.html,,,,,,,,,,,,,,,,,,\r\n,,,,227-045|Identify sensitive data and subject it to a policy,Designed; developed; and produced to ensure cybersecurity,1.1,https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_1.html,,,,,,,,,,,,,,,,,,\r\n,,,571-640|Personal data handling management,,Designed; developed; and produced to ensure cybersecurity,1.1,https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_1.html,,,,,,,,,,,,,,,,,,\r\n```\r\n\r\n\r\nThird run the command to start the import:\r\n```\r\n~$ curl -X POST http://CRE-LOCAL-SERVER:5000/rest/v1/cre_csv_import -F \"cre_csv=@cra_cre.csv\"\r\n```\r\n\r\n", + "summary": "The issue reported involves an error that occurs when attempting to import a mapping into a database that has been populated from an upstream source. While the import works correctly on an empty database, it fails with a \"500 Internal Server Error\" when the database contains data. The underlying problem seems to be related to a cycle in the existing graph structure, which prevents the import from completing successfully. \n\nTo resolve this, manual database actions are required to fix the cycle issue identified in the error message. It may involve reviewing the relationships between nodes to eliminate any cycles before attempting another import.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/OpenCRE/issues/552", @@ -6516,10 +6744,11 @@ "pk": 229, "fields": { "nest_created_at": "2024-09-11T19:32:01.930Z", - "nest_updated_at": "2024-09-11T19:32:01.930Z", + "nest_updated_at": "2024-09-13T15:09:18.379Z", "node_id": "I_kwDOF9sgec4852Zl", "title": "images", "body": "\r\n", + "summary": "", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/www-chapter-gujarat-technological-university/issues/2", @@ -6546,6 +6775,7 @@ "node_id": "I_kwDOF8qHOc5f-TgD", "title": "Add descriptions for business users", "body": "## Context\r\n\r\nThe language of OWASP documents speaks to security, operations, IT and engineering professionals. The introduction of low-code/no-code has lowered the bar to become a digital builder. This is the root of why this technology is so important. However, it also means that we cannot assume the same level of technical or security accoman from all low-code/no-code developers.\r\n\r\nTo enable usage of the OWASP Low-Code/No-Code Top 10 by everyone, no matter their technical background, we would need to remove our assumptions and describe risks in a common language that everyone can understand. This should not replace the technical or security oriented language which is a golden standard of an OWASP project, but come as a parallel view on the same issues.\r\n\r\n## Proposal Description\r\n\r\nThe current template for a risk category is as follows:\r\n\r\n- Risk Rating\r\n- The Gist\r\n- Description\r\n- Example Attack Scenarios\r\n - Scenario 1\r\n - Scenario 2\r\n - ...\r\n- How to Prevent\r\n- References\r\n\r\nWe propose the following additions:\r\n- A new section between _Risk Rating_ and _The Gist_ describing the category in simple terms\r\n- A new subsection for each _Scenario_ describing it in simple terms", + "summary": "The issue highlights the need for clearer descriptions in OWASP documentation to accommodate business users and those with varying technical expertise, particularly in the context of low-code/no-code development. It suggests that the existing risk category template be enhanced by adding a new section that explains each risk category in simpler terms, as well as a simplified explanation for each attack scenario. This approach aims to make the information more accessible while maintaining the technical depth for expert users. \n\nTo implement this, it would be necessary to revise the template accordingly, ensuring that the new sections are clear and straightforward.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/www-project-top-10-low-code-no-code-security-risks/issues/48", @@ -6576,6 +6806,7 @@ "node_id": "I_kwDOF8qHOc5f-U7M", "title": "Add product-specific examples", "body": "## Context\r\n\r\nLow-Code/No-Code [can mean many different things](https://www.gartner.com/en/newsroom/press-releases/2022-12-13-gartner-forecasts-worldwide-low-code-development-technologies-market-to-grow-20-percent-in-2023). Tools can differ in technology, users, developers, use cases and more. For example, Low-Code Application Platforms (LCAP) is used to build web and mobile applications while Robotic Process Automation (RPA) is used to build bots. These technologies are ever-changing and are in the process of merging with eachother, so its still important to cover them in a single project. However, we should also emphasize where they differ, allowing people to focus on the risks relevant to a particular technology.\r\n\r\n## Proposal Description\r\n\r\nThe current template for a risk category is as follows:\r\n\r\n- Risk Rating\r\n- The Gist\r\n- Description\r\n- Example Attack Scenarios\r\n - Scenario 1\r\n - Scenario 2\r\n - ...\r\n- How to Prevent\r\n- References\r\n\r\nWe propose the following additions:\r\n- A new subsection under _Risk Rating_, where we provide different ratings for each Low-Code development technologies\r\n- Label each _Scenario_ with the relevant technologies. A scenario can apply to multiple technologies.\r\n\r\nLow-Code development technologies to distinguish:\r\n- Low-Code Application Platforms (LCAP)\r\n- Robotic Process Automation (RPA)\r\n- Integration Platform as a Service (iPaaS)", + "summary": "The issue discusses the need to enhance the current risk assessment template for Low-Code/No-Code technologies by incorporating product-specific examples. It highlights the diversity in Low-Code tools and the importance of distinguishing between different technologies, such as Low-Code Application Platforms (LCAP), Robotic Process Automation (RPA), and Integration Platform as a Service (iPaaS). \n\nThe proposal suggests adding a subsection under the Risk Rating to provide specific ratings for each technology and to label attack scenarios with the relevant technologies, allowing for a clearer understanding of risks associated with each. \n\nTo address this, the template should be updated to include these new subsections and categorizations for improved clarity and relevance.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/www-project-top-10-low-code-no-code-security-risks/issues/49", @@ -6604,6 +6835,7 @@ "node_id": "I_kwDOF8qHOc5qYGEn", "title": "LCNC-SEC-04 - Scenario 2 (Example Attack Scenarios)", "body": "Consider (re)moving Scenario 2\r\n\r\n I know this is unrelated and is not part of the change, but scenario 2 doesn't really fit here, right?\r\n\r\n_Originally posted by @mbrg in https://github.com/OWASP/www-project-top-10-low-code-no-code-security-risks/pull/56#discussion_r1182454750_\r\n ", + "summary": "The issue raises a concern about the relevance of Scenario 2 in the context of the project. It suggests that Scenario 2 may not be appropriate for inclusion in the current documentation. A review of the content and context of Scenario 2 is needed to determine whether it should be removed or revised to better align with the project's objectives.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/www-project-top-10-low-code-no-code-security-risks/issues/67", @@ -6630,6 +6862,7 @@ "node_id": "I_kwDOF8qHOc5qYGWm", "title": "LCNC-SEC-03 - Clarify \"unintended consequences\"", "body": "\"Unintended consequences\" may be too nebulous, it's coverage is broad and vague. Clarity in the description and impact for what \"unintended consequences\" means in relation to data leakage is required, or consider a different title.\r\n\r\n@mbrg ", + "summary": "The issue raises concerns about the term \"unintended consequences,\" suggesting it is too vague and broad in its current usage. It calls for a clearer definition and description of its implications, specifically regarding data leakage. Alternatively, it proposes considering a different title to enhance clarity. To address this, a more precise formulation or rephrasing of the term is needed.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/www-project-top-10-low-code-no-code-security-risks/issues/68", @@ -6652,10 +6885,11 @@ "pk": 234, "fields": { "nest_created_at": "2024-09-11T19:32:31.845Z", - "nest_updated_at": "2024-09-11T19:32:31.845Z", + "nest_updated_at": "2024-09-13T03:46:09.791Z", "node_id": "I_kwDOF8qHOc5qYHG1", "title": "LCNC-SEC-10 - Consider moving attack scenario to LCNC-SEC-08", "body": " I know that this was part of current available version, but should we move this risk of having too verbose logs to LCNC-SEC-08?\r\n\r\n_Originally posted by @mbrg in https://github.com/OWASP/www-project-top-10-low-code-no-code-security-risks/pull/56#discussion_r1182467102_\r\n ", + "summary": "The issue discusses the possibility of relocating an attack scenario related to verbose logs from its current position to a different section, LCNC-SEC-08. While it acknowledges that the scenario is part of the current available version, it raises the question of whether this change would be beneficial. To address this, a review of both sections and their relevance to the scenario should be conducted to determine if the move is warranted.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/www-project-top-10-low-code-no-code-security-risks/issues/69", @@ -6678,10 +6912,11 @@ "pk": 235, "fields": { "nest_created_at": "2024-09-11T19:35:23.243Z", - "nest_updated_at": "2024-09-11T19:35:23.243Z", + "nest_updated_at": "2024-09-13T15:11:54.036Z", "node_id": "I_kwDOFOM8vs56Di1G", "title": "Hold MTG #22: 2024/10", "body": "- [x] fix the date\n- [ ] announce the meeting on the page\n- [ ] make connpass event\n- [ ] spread the word\n- [ ] hold the meeting\n- [ ] archive the announcement\n", + "summary": "", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/www-chapter-saitama/issues/79", @@ -6708,6 +6943,7 @@ "node_id": "I_kwDOFOM8vs56Di2H", "title": "Hold MTG #23: 2024/12", "body": "- [ ] fix the date\n- [ ] announce the meeting on the page\n- [ ] make connpass event\n- [ ] spread the word\n- [ ] hold the meeting\n- [ ] archive the announcement\n", + "summary": "", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/www-chapter-saitama/issues/80", @@ -6730,10 +6966,11 @@ "pk": 237, "fields": { "nest_created_at": "2024-09-11T19:35:34.620Z", - "nest_updated_at": "2024-09-11T19:35:34.620Z", + "nest_updated_at": "2024-09-13T15:12:02.613Z", "node_id": "I_kwDOFLkrvc55lLR7", "title": "2 typos \"prvilege requried \" -> \"privilege required \"", "body": "In line \"Note: Let’s call the Critical/High vulnerabilities with no prvilege requried and minimal user interaction as ‘OneClick’.\"\r\n\r\nhttps://github.com/OWASP/www-project-desktop-app-security-top-10/blob/435a699e590c8440e5592d1bfe32c682fd9b68d0/tab_severitybasedranking.md?plain=1#L16", + "summary": "The issue identifies two typographical errors in the text where \"prvilege requried\" should be corrected to \"privilege required.\" The line in question refers to Critical/High vulnerabilities that require no privilege and minimal user interaction, labeled as ‘OneClick’. The suggested action is to update the text in the specified line to reflect the correct spelling.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/www-project-desktop-app-security-top-10/issues/4", @@ -6760,6 +6997,7 @@ "node_id": "I_kwDOFAM8Ps5LY-F4", "title": "Vehicleid for existing users not showing up", "body": "When accessing the forum, a GET request to /community/api/v2/community/posts/recent is done to receive information about posts and comments. There are 3 existing posts made by the 3 default users, however there is no information about their vehicles.\r\n\r\n\r\n\r\nWhich is honestly not a big deal, you can simply create two users, post something and use their vehicle guids for the challenges. However, I think it would be nice to already have some pre-built vehicleids so the challenge progress feels more natural. I think the vehicles are already created because there is mechanic reports for the default users, so I'm not sure if this is the expected behaviour.\r\n\r\nBoth last stable and development versions have this behaviour. Environment: Macbook M1, macOS Monterey 12.4, Docker 4.7.1 (77678).\r\n", + "summary": "Fix the issue of vehicle IDs not displaying for existing users in the forum's recent posts API. Ensure that when a GET request is made to `/community/api/v2/community/posts/recent`, the response includes vehicle information for the three default users who have made posts.\n\n1. Investigate the API endpoint to confirm if vehicle IDs are being fetched correctly from the database.\n2. Check the database to ensure that vehicle records exist for the default users, and verify that the mechanic reports are correctly linked to these users.\n3. Review the data serialization process in the API to ensure that vehicle information is included in the response.\n4. Test the changes in both stable and development versions to confirm the fix.\n\nConsider adding pre-built vehicle IDs to enhance user experience in challenges.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/crAPI/issues/75", @@ -6789,6 +7027,7 @@ "node_id": "I_kwDOFAM8Ps5Mpxef", "title": "Community Author Information is a \"Snapshot\" rather than live", "body": "**Is your feature request related to a problem? Please describe.**\r\nIf you make a post in the community, your current avatar, email address, nickname, etc are all saved in Mongo at that moment. This causes a few issues:\r\n\r\n* If the author modifies any of their information, this isn't reflect in the community\r\n* Saving the image data in mongo creates overhead + the UI is less responsive when returning base64encoded image data.\r\n\r\n**Describe the solution you'd like**\r\nChange author information to be return dynamically. Additionally, don't save any image information in mongo or return image data as base64encoded info. Instead add a new endpoint that dynamically returns the correct user's avatar. Less overhead, less storage, plus caching rules can be set up for the images that the browser can handle.", + "summary": "Implement dynamic retrieval of community author information instead of storing it as a snapshot in MongoDB. \n\n1. Identify and modify the existing schema where author data (avatar, email, nickname) is currently saved.\n2. Create a new API endpoint that fetches the current author details dynamically from the user profile database, ensuring real-time accuracy.\n3. Remove the logic that saves image data in MongoDB. Instead, serve images directly from the user profile storage.\n4. Establish caching rules for image responses to enhance UI responsiveness and reduce server load.\n5. Test the new endpoint to ensure it correctly reflects any changes made to the author’s information in real-time. \n\nBegin by reviewing the current data retrieval methods in the community post functionality and plan the necessary changes to the backend architecture.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/crAPI/issues/80", @@ -6818,6 +7057,7 @@ "node_id": "I_kwDOFAM8Ps5PmTnc", "title": "Good to provide solution doc for all challenges", "body": "**Is your feature request related to a problem? Please describe.**\r\nPeople can explore the challenges but always good to provide final solutions as well.\r\n\r\n**Describe the solution you'd like**\r\nSome doc or youtube videos will definitely help for novice member like me\r\n\r\n**Describe alternatives if any you've considered**\r\nDoc or Video reference\r\n\r\n**Additional context**\r\nAdd any other context/screenshots/rough sketchs about the feature request here.", + "summary": "Create a comprehensive solution documentation for all challenges. Include both written guides and video tutorials to aid novice members in understanding the solutions.\n\n1. **Identify Challenges**: Compile a list of existing challenges that require documentation.\n2. **Document Solutions**: For each challenge, write clear, step-by-step solutions. Use code snippets where necessary to illustrate key points.\n3. **Create Video Content**: Record video tutorials that walk through the solutions, highlighting important concepts and providing visual aids.\n4. **Organize Content**: Structure the documentation in an easily navigable format, categorizing challenges by difficulty or topic.\n5. **Solicit Feedback**: After initial documentation is created, gather feedback from users to improve clarity and usefulness.\n\nBy following these steps, enhance the learning experience for all users engaging with the challenges.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/crAPI/issues/95", @@ -6847,6 +7087,7 @@ "node_id": "I_kwDOFAM8Ps5QJsda", "title": "Does crAPI's configuration allow it to be used as a Capture-the-flag (CTF) event?", "body": "**Is your feature request related to a problem? Please describe.**\r\nCurious to know if crAPI's configuration allows it to be used as Capture-the-flag (CTF) event\r\n\r\n**Describe the solution you'd like**\r\nA way to configure crAPI to return (e.g in the HTTP response body) a user configured custom flag when particular challenges are solved\r\n\r\n**Describe alternatives if any you've considered**\r\nNone at the moment..\r\n\r\n**Additional context**\r\nAdd any other context/screenshots/rough sketchs about the feature request here.", + "summary": "Evaluate the feasibility of using crAPI for Capture-the-Flag (CTF) events. Assess the current configuration capabilities of crAPI to determine if it can be adapted to return user-defined flags in HTTP responses upon solving specific challenges.\n\n1. Review the current crAPI configuration settings and documentation to identify how responses are generated.\n2. Determine if the API can be modified or extended to include custom payloads in response bodies.\n3. Implement a prototype that allows for configurable flags to be set and returned based on challenge completion.\n4. Test the prototype with various challenge scenarios to ensure flags are triggered correctly.\n\nAdditionally, consider potential security implications and ensure that the implementation does not expose sensitive data or vulnerabilities.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/crAPI/issues/97", @@ -6876,6 +7117,7 @@ "node_id": "I_kwDOFAM8Ps5TNXg8", "title": "Add GRPC service in crAPI ", "body": "**Is your feature request related to a problem? Please describe.**\r\nCurrently, crAPI only supports REST endpoints. We can only identify and demo REST vulnerabilities with crAPI. We should add a GRPC service which will make it easier to demo GRPC vulnerabilities. \r\n\r\n**Describe the solution you'd like**\r\n@piyushroshan, can you please add more context on a plausible solution here?", + "summary": "Implement a gRPC service in crAPI to enhance vulnerability demonstration capabilities. \n\n1. Analyze the current architecture of crAPI to understand how REST endpoints are integrated.\n2. Research gRPC framework and its integration with existing services.\n3. Create a new gRPC service definition using Protocol Buffers (.proto files) that mirrors the REST endpoints.\n4. Develop the gRPC server-side implementation, ensuring it adheres to the same logic as the REST endpoints.\n5. Implement client-side functionality to call the gRPC service, enabling users to demo vulnerabilities.\n6. Test the new gRPC service to ensure functionality and compatibility with existing tools.\n7. Update documentation to include instructions for using the new gRPC service.\n\nEngage with @piyushroshan for additional insights on the solution design and integration specifics.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/crAPI/issues/110", @@ -6907,6 +7149,7 @@ "node_id": "I_kwDOFAM8Ps5TNYvH", "title": "Add GraphQL service in crAPI", "body": "**Is your feature request related to a problem? Please describe.**\r\nCurrently, crAPI only supports REST endpoints. We can only identify and demo REST vulnerabilities with crAPI. We should add a GraphQL service which will make it easier to demo GraphQL vulnerabilities.\r\n\r\n**Describe the solution you'd like**\r\nA GraphQL API using which we can demonstrate Authorization, Introspection, Batching, Injection, CSRF and other GraphQL attacks. \r\n", + "summary": "Implement GraphQL service in crAPI to extend its capabilities beyond REST endpoints. \n\n1. **Identify Requirements**: Determine the specific GraphQL vulnerabilities to demonstrate, including Authorization, Introspection, Batching, Injection, and CSRF.\n\n2. **Set Up GraphQL Schema**: Create a GraphQL schema that defines types, queries, and mutations relevant to the identified vulnerabilities.\n\n3. **Develop GraphQL Resolvers**: Implement resolvers for the defined queries and mutations, ensuring they are designed to simulate vulnerabilities effectively.\n\n4. **Integrate with crAPI**: Ensure the new GraphQL service is integrated into the existing crAPI framework, allowing users to seamlessly switch between REST and GraphQL endpoints.\n\n5. **Create Documentation**: Document the usage of the new GraphQL service, including examples of how to trigger various vulnerabilities.\n\n6. **Testing**: Conduct thorough testing to ensure the GraphQL service operates as intended and effectively demonstrates the targeted vulnerabilities.\n\nBy following these steps, enhance crAPI's functionality to include a robust GraphQL service for vulnerability demonstration.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/crAPI/issues/111", @@ -6939,6 +7182,7 @@ "node_id": "I_kwDOFAM8Ps5TNbJk", "title": "Document all the vulnerabilities which currently exist in crAPI", "body": "**Is your feature request related to a problem? Please describe.**\r\nA documentation page around all the vulnerabilities that currently exist in crAPI will be very helpful. This will provide an easy way to evaluate if crAPI is right for our use cases. \r\n\r\n**Describe the solution you'd like**\r\nA table in README or a separate markdown file that lists down all the vulnerabilities crAPI has and maps them to OWASP API Top 10, OWASP Top 10 and CWEs. \r\n\r\n**Additional context**\r\nNot needed", + "summary": "Document all existing vulnerabilities in crAPI. Create a comprehensive documentation page that lists vulnerabilities and maps them to relevant standards such as OWASP API Top 10, OWASP Top 10, and Common Weakness Enumerations (CWEs).\n\n**First Steps:**\n1. Conduct a thorough security assessment of crAPI to identify all vulnerabilities.\n2. Categorize each vulnerability according to OWASP API Top 10 and CWEs.\n3. Draft a table format for the README or create a separate markdown file to present the findings clearly.\n4. Ensure that the documentation is easy to navigate and understand for potential users evaluating crAPI.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/crAPI/issues/112", @@ -6953,8 +7197,8 @@ "author": 84, "repository": 406, "assignees": [ - 87, - 88 + 88, + 87 ], "labels": [ 58, @@ -6973,6 +7217,7 @@ "node_id": "I_kwDOFAM8Ps5TNckV", "title": "Up-to-date postman collection as per all the supported vulnerabilities", "body": "**Is your feature request related to a problem? Please describe.**\r\nThe current crAPI postman collection is 5 months old and there have been some enhancements afterward. Some of the changes might be in API specs and will need updates in API specs as well as postman collections. \r\n\r\n**Describe the solution you'd like**\r\nCan we have a GitHub workflow which runs on every PR or every week, checks for a diff of postman collection, and updates the postman collection if necessary? ", + "summary": "Update the crAPI Postman collection to reflect all supported vulnerabilities as per recent enhancements. The existing collection is outdated by five months and requires synchronization with the latest API specifications.\n\nImplement a GitHub workflow that triggers on every pull request or on a weekly basis. This workflow should:\n\n1. Compare the current Postman collection with the latest version.\n2. Identify any differences or updates needed in the API specifications.\n3. Automatically update the Postman collection if discrepancies are found.\n\nFirst steps to tackle this problem:\n\n- Review the latest API specifications to identify enhancements made over the last five months.\n- Create a GitHub Actions workflow that runs a script to check for differences in the Postman collection.\n- Use a diff tool to compare the existing collection against the updated version.\n- Develop a mechanism to automatically update the Postman collection based on the results of the comparison, ensuring that any changes are properly committed back to the repository.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/crAPI/issues/113", @@ -7004,6 +7249,7 @@ "node_id": "I_kwDOFAM8Ps5TNlp7", "title": "Monitoring for crAPI", "body": "**Is your feature request related to a problem? Please describe.**\r\nProvide an easy way to set up crAPI along with monitoring setup. For example, with Kubernetes setup, I should be able to monitor golden signals for my Kubernetes setup with Kube-state metrics. \r\n\r\n**Describe the solution you'd like**\r\nWay to deploy an application with Prometheus and Grafana. The user should be able to create a Grafana dashboard out of the infra metrics from crAPI. We can also provide a dashboard template. \r\n", + "summary": "Implement a monitoring solution for crAPI to facilitate easy deployment and monitoring of Kubernetes setups. \n\n1. **Set Up Deployment**: Create a guide for deploying crAPI alongside Prometheus and Grafana. Include Kubernetes configuration examples for deploying these tools in a cluster.\n\n2. **Integrate Kube-State Metrics**: Ensure that crAPI can collect kube-state metrics for monitoring golden signals. Configure Prometheus to scrape these metrics from the Kubernetes environment.\n\n3. **Develop Grafana Dashboard Templates**: Provide pre-configured Grafana dashboard templates that visualize the infrastructure metrics collected by crAPI. \n\n4. **Document Monitoring Setup**: Create detailed documentation on how to set up monitoring, including how to deploy crAPI with Prometheus and Grafana, and how to use the dashboard templates effectively.\n\n5. **Test the Setup**: Validate the entire monitoring setup by deploying a test application and ensuring that metrics are collected and displayed correctly on the Grafana dashboards.\n\nStart by creating a detailed deployment guide that outlines the necessary configurations and steps for users to follow.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/crAPI/issues/118", @@ -7033,6 +7279,7 @@ "node_id": "I_kwDOFAM8Ps5TOJMB", "title": "Document Happy Path for crAPI", "body": "**Is your feature request related to a problem? Please describe.**\r\nCurrently, when we start crAPI, we don't know where to click or where to look to generate specific vulnerabilities. We should document a \"happy path\" or principal workflow which will help people to actually understand the working of the crAPI application. \r\n\r\n**Describe the solution you'd like**\r\nA document with \"happy path\" and link it in main README. \r\n\r\n**Describe alternatives if any you've considered**\r\nNA\r\n\r\n**Additional context**\r\nNA", + "summary": "Document the \"happy path\" for crAPI to improve user experience. Create a detailed guide outlining the primary workflow for generating specific vulnerabilities within the application. \n\n1. Identify key features of crAPI that users need to navigate.\n2. Outline steps to access these features, including any prerequisites for setup.\n3. Include screenshots or diagrams to visually guide users through the process.\n4. Ensure the document is clear and concise, emphasizing crucial actions and decisions.\n5. Link the completed document in the main README for easy access.\n\nStart by gathering information from existing users about their experiences and challenges. Use this feedback to structure the document effectively.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/crAPI/issues/120", @@ -7065,6 +7312,7 @@ "node_id": "I_kwDOFAM8Ps5TOKJS", "title": "Add direct command Injection vulnerability (CWE-77, OWASP API 8)", "body": "**Is your feature request related to a problem? Please describe.**\r\nCurrently, we can use crAPI to demonstrate indirect command injection but we also want to add capabilities to demonstrate direct command injection. \r\n\r\n**Describe the solution you'd like**\r\n@piyushroshan , can you guide us here for a solution?\r\n\r\n", + "summary": "Implement direct command injection vulnerability (CWE-77, OWASP API 8) in crAPI. This enhancement should allow users to demonstrate both indirect and direct command injection attacks.\n\n**First Steps:**\n1. Research direct command injection techniques and identify common payloads.\n2. Create a new endpoint in crAPI specifically designed to showcase direct command injection.\n3. Ensure the endpoint accepts user input that can be executed as a command in the underlying system.\n4. Implement appropriate safeguards in testing environments to prevent any unauthorized access or system damage.\n5. Document the new feature, detailing the payloads used and their expected outcomes for educational purposes.\n6. Collaborate with @piyushroshan for guidance on best practices and integration into the existing framework.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/crAPI/issues/121", @@ -7097,6 +7345,7 @@ "node_id": "I_kwDOFAM8Ps5TOM1k", "title": "Add Security Misconfiguration vulnerabilities in crAPI", "body": "**Is your feature request related to a problem? Please describe.**\r\nWe should be able to demo security misconfiguration vulnerabilities with crAPI. Security misconfiguration falls under [API7:2019 Security Misconfiguration](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa7-security-misconfiguration.md). \r\n\r\n\r\n\r\n**Describe the solution you'd like**\r\nThere are CWEs which fall under security misconfigs:\r\n\r\n- [CWE-2: Environmental Security Flaws](https://cwe.mitre.org/data/definitions/2.html)\r\n- [CWE-16: Configuration](https://cwe.mitre.org/data/definitions/16.html)\r\n- [CWE-388: Error Handling](https://cwe.mitre.org/data/definitions/388.html)\r\n\r\nWe want to add capability in crAPI to be able to demo all three of them. \r\n\r\n**Describe alternatives if any you've considered**\r\nNA\r\n\r\n**Additional context**\r\nNA", + "summary": "Add Security Misconfiguration Vulnerabilities to crAPI.\n\n1. Implement demo capabilities for security misconfiguration vulnerabilities, specifically targeting API7:2019 Security Misconfiguration.\n2. Focus on incorporating the following Common Weakness Enumerations (CWEs):\n - CWE-2: Environmental Security Flaws\n - CWE-16: Configuration\n - CWE-388: Error Handling\n3. Create test cases and scenarios that effectively demonstrate each of the identified CWEs within the crAPI framework.\n\n**First Steps:**\n- Research and gather detailed information on the security misconfigurations represented by the specified CWEs.\n- Design and outline the architecture for integrating these vulnerabilities into crAPI.\n- Develop initial proof-of-concept implementations for each CWE to validate the approach.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/crAPI/issues/122", @@ -7126,6 +7375,7 @@ "node_id": "I_kwDOFAM8Ps5TOPPy", "title": "Add a way to demonstrate insufficient logging and monitoring vulnerabilities in crAPI", "body": "**Is your feature request related to a problem? Please describe.**\r\ncrAPI doesn't have the capability to demo insufficient logging and monitoring vulnerability which is [OWASP API 10:2019](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xaa-insufficient-logging-monitoring.md). \r\n\r\n**Describe the solution you'd like**\r\n[API10:2019 Insufficient Logging & Monitoring](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xaa-insufficient-logging-monitoring.md) includes two CWEs:\r\n\r\n- [CWE-223: Omission of Security-relevant Information](https://cwe.mitre.org/data/definitions/223.html)\r\n- [CWE-778: Insufficient Logging](https://cwe.mitre.org/data/definitions/778.html)\r\n\r\nWe want to add the capability to demonstrate both of them. \r\n\r\n**Describe alternatives if any you've considered**\r\nNA\r\n\r\n**Additional context**\r\nNA", + "summary": "Implement a demonstration of insufficient logging and monitoring vulnerabilities in crAPI. Address the absence of capability to showcase vulnerabilities related to [OWASP API 10:2019](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xaa-insufficient-logging-monitoring.md).\n\n1. Analyze the OWASP documentation for Insufficient Logging and Monitoring, focusing on the two relevant CWEs: \n - [CWE-223: Omission of Security-relevant Information](https://cwe.mitre.org/data/definitions/223.html)\n - [CWE-778: Insufficient Logging](https://cwe.mitre.org/data/definitions/778.html)\n\n2. Design an architecture that allows the simulation of these vulnerabilities within the crAPI environment.\n\n3. Develop logging features that intentionally omit critical security information to represent CWE-223.\n\n4. Create scenarios where logging is minimal or absent entirely to demonstrate CWE-778.\n\n5. Test the implementation to ensure it effectively showcases the vulnerabilities as intended.\n\n6. Document the process and findings to facilitate understanding and education on the vulnerabilities.\n\n7. Consider integrating automated tests to verify the presence of these vulnerabilities in future builds.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/crAPI/issues/123", @@ -7155,6 +7405,7 @@ "node_id": "I_kwDOFAM8Ps5Tfute", "title": "Easy mode and Challenge mode for using crAPI", "body": "**Is your feature request related to a problem? Please describe.**\r\nThere should be 2 ways to use crAPI. \r\n- Easy mode would have an easily accessible swagger file. \r\n- Challenge mode would not.\r\n\r\n**Describe the solution you'd like**\r\nAs above.", + "summary": "Implement two usage modes for crAPI: Easy mode and Challenge mode. \n\n1. **Easy Mode**: Create an easily accessible Swagger file that provides a user-friendly interface for API exploration. Ensure that the documentation is clear and includes examples for common use cases.\n\n2. **Challenge Mode**: Remove the Swagger file and require users to interact with the API through direct HTTP requests, encouraging a deeper understanding of the API's functionality.\n\n**First Steps**:\n- Review the current crAPI documentation and identify the modifications needed to create the Swagger file for Easy mode.\n- Set up a separate branch for the Challenge mode implementation.\n- Evaluate the current API endpoints to ensure they are well-documented and can be effectively used without Swagger.\n- Gather user feedback on preferred features for both modes to guide development.", "state": "open", "state_reason": "", "url": "https://github.com/OWASP/crAPI/issues/127", @@ -7184,6 +7435,7 @@ "node_id": "I_kwDOFAM8Ps5TfywR", "title": "Video upload functionality is not eminent", "body": "**Is your feature request related to a problem? Please describe.**\r\nCurrently, an upload video functionality is not eminent on the edit profile screen. Here's how it looks like:\r\n![\"Screenshot](\"https://user-images.githubusercontent.com/26570044/194513341-64b5dc42-403c-4b91-825e-f66c412508c4.png\")
\r\n\r\n**Describe the solution you'd like**\r\nWe can add a rectangular upload box to make it prominent. \r\n\r\n**Additional context**\r\n![\"Screenshot](\"https://user-images.githubusercontent.com/26570044/194514192-9fa7589c-c69b-45ae-a5a0-bf8db64b995d.png\")
\r\n",
+ "summary": "Implement a prominent video upload functionality on the edit profile screen. \n\n1. Add a rectangular upload box to enhance visibility.\n2. Ensure the upload box is clearly labeled to guide users.\n3. Use appropriate styling to differentiate the upload box from other elements on the screen.\n\n**First Steps:**\n- Review the current layout of the edit profile screen.\n- Design a mockup of the upload box with dimensions and positioning.\n- Update the front-end code to integrate the new upload box, using HTML and CSS.\n- Implement JavaScript functionality to handle video uploads, including file type validation and size limits.\n- Test the feature across different devices and browsers for compatibility.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/crAPI/issues/129",
@@ -7215,6 +7467,7 @@
"node_id": "I_kwDOFAM8Ps5ccaC_",
"title": "Docker cannot run services in this part of the web, but other services are available",
"body": "\r\n",
+ "summary": "Investigate the issue where Docker cannot run services in the specified area of the web, despite other services functioning correctly. \n\n1. Check Docker's network configuration to ensure it is not restricted from accessing the required web services.\n2. Verify the firewall settings on the host machine to rule out any blocking of Docker's outbound connections.\n3. Examine the Docker logs for any error messages or warnings that may indicate the root cause of the problem.\n4. Test the connectivity from within a Docker container using tools like `curl` or `ping` to diagnose network issues.\n5. Review Docker's version and configuration to ensure compatibility with the services being accessed.\n\nBegin troubleshooting by running a simple container and attempting to reach the problematic services to gather more information.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/crAPI/issues/167",
@@ -7241,6 +7494,7 @@
"node_id": "I_kwDOFAM8Ps5eUVoL",
"title": "ERROR: Encountered errors while bringing up the project.",
"body": "\r\n",
+ "summary": "Investigate and resolve the project startup errors indicated in the GitHub issue. Review the error message from the screenshot for specific details on what is failing during the project launch. \n\nFirst steps:\n1. Check the project dependencies and ensure they are correctly defined in the configuration files (e.g., `package.json`, `requirements.txt`).\n2. Verify that all required services (e.g., databases, caches) are running and accessible.\n3. Review the Docker configuration files (e.g., `Dockerfile`, `docker-compose.yml`) for any misconfigurations that might prevent the services from starting.\n4. Run the project in a local development environment to reproduce the error and gather more information.\n5. Check version compatibility of all software components involved (e.g., libraries, frameworks) and update if necessary. \n6. Look for any recent changes in the project that might have introduced this issue, and consider rolling back to a previous stable version.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/crAPI/issues/171",
@@ -7269,6 +7523,7 @@
"node_id": "I_kwDOFAM8Ps5ekgdL",
"title": "dependency failed to start: container crapi-workshop exited",
"body": "**Describe the bug**\r\nAfter running \"docker compose -f docker-compose.yml --compatibility up -d\" I receive the error: dependency failed to start: container crapi-workshop exited (0)\r\n\r\n\r\n**To Reproduce**\r\nSteps to reproduce the behavior.\r\n1. Use the commands listed on github:\r\n (curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker- compose.yml\r\n docker compose pull\r\n docker compose -f docker-compose.yml --compatibility up -d) with Network of the VM set to NAT. Behaviour of crapi: all containers start and no errors are received.\r\n2. Shutdown the VM, change Network to internal network, and start VM. Use the last command and you'll receive the error.\r\n\r\n**Expected behavior**\r\nAll containers should start.\r\n\r\n**Runtime Environment**\r\nSytem/Environemnt information (e.g Output of docker -v and uname -a)\r\n-Debian 11 running in VirtualBox 7\r\n-Network of VM changed from the default NAT to Internal Network\r\n-Docker Engine - Community Version: 23.0.1\r\n-Docker Compose version v2.16.0\r\n[crapi-workshop log.txt](https://github.com/OWASP/crAPI/files/10748201/crapi-workshop.log.txt)\r\n",
+ "summary": "Investigate the \"dependency failed to start: container crapi-workshop exited\" error when running the Docker Compose setup. \n\n**Steps to Reproduce:**\n1. Execute the following commands to set up the environment:\n - Download the Docker Compose file:\n ```bash\n curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml\n ```\n - Pull the necessary images:\n ```bash\n docker compose pull\n ```\n - Start the containers:\n ```bash\n docker compose -f docker-compose.yml --compatibility up -d\n ```\n2. Initially, run this in a Virtual Machine (VM) with the network set to NAT; all containers should start without errors.\n3. Shut down the VM, change the network setting to Internal Network, and restart the VM. Re-run the last command to see the error.\n\n**Expected Outcome:**\nAll containers should start successfully regardless of the network configuration.\n\n**Environment Details:**\n- Debian 11 in VirtualBox 7\n- Docker Engine - Community Version: 23.0.1\n- Docker Compose version: v2.16.0\n\n**First Steps to Tackle the Problem:**\n1. Check the logs of the `crapi-workshop` container for specific error messages. Examine the provided log file for any relevant details.\n2. Verify network configurations and ensure that all necessary ports are open for communication between containers in the Internal Network setup.\n3. Review the Docker Compose file for any environment variables or services that might be affected by the network mode change.\n4. Test if other containers can communicate properly in the new network setup to rule out broader networking issues.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/crAPI/issues/172",
@@ -7297,6 +7552,7 @@
"node_id": "I_kwDOFAM8Ps5fAZhY",
"title": "Correct password requirements",
"body": "# Description\r\n\r\nThe guide to create a password at the sign up says \"Password should contain at least one digit, one small letter and one capital letter and should at least contain 8 characters.\", however, there is one requirement that is not described here. The password must have an special character.\r\n\r\n## To Reproduce\r\n\r\nJust go to the sign up page and type a valid password according to the description such as \"1234567qW\", but the password will be invalid, then try adding a special character like \"1234567qW@\", and the password will be accepted.\r\n\r\n### Expected behavior\r\n\r\nExpected that the password description would be correct, like \"Password should contain at least one digit, one special charater, one small letter and one capital letter and should at least contain 8 characters.\"\r\n\r\n\r\n#### Runtime Environment\r\n\r\nDocker version 20.10.13 on Ubuntu 20 x86_64\r\n",
+ "summary": "Update password requirements in the sign-up guide. Ensure the description clearly states that a password must include at least one special character, in addition to one digit, one lowercase letter, one uppercase letter, and a minimum of 8 characters.\n\n### Steps to Address:\n\n1. Review the current sign-up page for the password requirements text.\n2. Modify the password requirements section to include special character stipulation.\n3. Test the sign-up functionality with various password combinations to confirm that the validation logic aligns with the updated requirements.\n4. Update any related documentation or user guides to reflect the new password requirements.\n5. Deploy the changes and verify on the staging environment before pushing to production.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/crAPI/issues/173",
@@ -7325,6 +7581,7 @@
"node_id": "I_kwDOFAM8Ps5fNAX4",
"title": "crapi-workshop is unhealthy",
"body": "",
+ "summary": "Investigate the unhealthy status of the crapi-workshop. Examine the provided image for error messages or indicators of failure. \n\nCheck the health checks configured for the service and verify if they are correctly set up. Review the logs for any recent errors or anomalies that could point to the root cause of the issue.\n\nEnsure that all required services and dependencies are running and accessible. Check for resource constraints such as memory or CPU limits that may be affecting the service's performance. \n\nStart by:\n1. Reviewing the health check configuration and logs.\n2. Verifying service dependencies are operational.\n3. Monitoring resource usage to identify potential bottlenecks. \n\nDocument findings and propose fixes based on the gathered information.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/crAPI/issues/175",
@@ -7353,6 +7610,7 @@
"node_id": "I_kwDOFAM8Ps5fUmBQ",
"title": "localhost:8888 is unreachable",
"body": "I can't reach localhost:8888 but I can reach localhost:8025. what is the solution to this problem?\r\n\r\nAlso when I checked the health of the containers, I am seeing that crapi identity is exited 1 minute ago\r\nIs there anyone who experienced this trouble?\r\n\r\nI checked the crapi-identity container's logs and the first issue is PostgreSQL FATAL: database \"crapi\" does not exist.\r\nIn addition: I have got 3 containers that are alive.\r\n",
+ "summary": "Check connectivity to localhost:8888. Since localhost:8025 is accessible, investigate configuration settings related to the service running on port 8888.\n\nExamine the crapi-identity container, which has exited recently. Review logs to confirm the issue: \"PostgreSQL FATAL: database 'crapi' does not exist.\" \n\nTo tackle the problem:\n\n1. **Verify Database Creation**: Ensure that the PostgreSQL database named \"crapi\" is created. If it doesn't exist, create it using the appropriate SQL command or configuration.\n\n2. **Inspect Container Networking**: Confirm that the crapi-identity container is correctly configured to connect to PostgreSQL. Check environment variables and service links.\n\n3. **Check Docker Compose Configuration**: Review your Docker Compose file (if applicable) for any misconfigurations related to the crapi-identity service and PostgreSQL service.\n\n4. **Restart Containers**: After confirming the database exists and configurations are correct, restart the containers.\n\n5. **Monitor Logs**: Continuously monitor the logs of crapi-identity and PostgreSQL to ensure all services are functioning properly.\n\n6. **Test the Endpoint**: After addressing the database issue, test the localhost:8888 endpoint again to verify accessibility.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/crAPI/issues/176",
@@ -7381,6 +7639,7 @@
"node_id": "I_kwDOFAM8Ps5gA2xK",
"title": "crapi-web Container is unhealthy",
"body": "crapi-web log:\r\nCreating test database for alias 'default'...\r\nCreating test database for alias 'mongodb'...\r\nroot ERROR /workshop/api/mechanic/signup - {'name': 'MechRaju', 'email': 'mechraju@crapi.com', 'mechanic_code': 'TRAC_MEC_3', 'number': '9123456708'} - 400 -{'password': [ErrorDetail(string='This field is required.', code='required')]}\r\ndjango.request WARNING Bad Request: /workshop/api/mechanic/signup\r\n.django.request WARNING Bad Request: /workshop/api/mechanic/signup\r\n.django.request WARNING Bad Request: /workshop/api/mechanic/signup\r\n.django.request WARNING Unauthorized: /workshop/api/mechanic/\r\ndjango.request WARNING Unauthorized: /workshop/api/mechanic/\r\n.django.request WARNING Unauthorized: /workshop/api/mechanic/\r\n..root ERROR /workshop/api/merchant/contact_mechanic - {'mechanic_api': 'https://www.google.com', 'number_of_repeats': 5, 'mechanic_code': 'TRAC_MEC_3', 'vin': '9NFXO86WBWA082766', 'problem_details': 'My Car is not working'} - 400 -{'repeat_request_if_failed': [ErrorDetail(string='This field is required.', code='required')]}\r\ndjango.request WARNING Bad Request: /workshop/api/merchant/contact_mechanic\r\n.root INFO Repeat count: 0\r\nroot INFO Repeat count: 1\r\nroot INFO Repeat count: 2\r\nroot INFO Repeat count: 3\r\nroot INFO Repeat count: 4\r\nroot INFO Repeat count: 5\r\ndjango.request WARNING Bad Request: /workshop/api/merchant/contact_mechanic\r\n....................\r\n\r\nRuntime Environment\r\nDocker version 20.10.12, build 20.10.12-0ubuntu4\r\ndocker-compose version 1.29.2, build unknown\r\nubuntu-desktop 22.04 amd64 \r\n",
+ "summary": "Investigate the unhealthy state of the crapi-web container. Analyze logs indicating multiple Bad Request (400) errors for the `/workshop/api/mechanic/signup` and `/workshop/api/merchant/contact_mechanic` endpoints. \n\nIdentify the missing required fields in the requests:\n- For signup, ensure the `password` field is included in the payload.\n- For contact mechanic, ensure `repeat_request_if_failed` is present.\n\nCheck the server's response to unauthorized access attempts, suggesting potential issues with authentication or token validation for the `/workshop/api/mechanic/` endpoint.\n\nExamine the Docker and docker-compose versions for compatibility with the application. \n\nPossible first steps:\n1. Modify the request payloads to include the missing required fields.\n2. Verify the authentication mechanism and ensure valid tokens are being used.\n3. Restart the crapi-web container and monitor logs for changes in health status.\n4. Test the API endpoints manually or with a tool like Postman to confirm they respond correctly with the expected payloads.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/crAPI/issues/178",
@@ -7409,6 +7668,7 @@
"node_id": "I_kwDOFAM8Ps5iA6Ep",
"title": "Can't reach localhost:8888 after suspending my virtual machine",
"body": "**Describe the bug**\r\nI successfully downloaded crAPI and it was running on my Kali virtual machine but when I suspended my host and started it again localhost:8888 was not opening. It kept on loading.\r\n\r\n**Expected behavior**\r\nIt should load every time i try opening 127.0.0.1:8888 \r\n\r\n **Environment**\r\nSytem/Environemnt information \r\n\r\ndocker-compose version 1.29.2, built unknown \r\ndocker-py version : 5.0.3\r\nCPython version : 3.11.2\r\nOpenSSL version : OpenSSL 3.0.8 7 Feb 2023\r\nOperating system : Kali Linux Debian 6.1.20-kali1",
+ "summary": "- Investigate the issue of not reaching localhost:8888 after suspending and resuming the virtual machine.\n- Ensure that the crAPI service is still running in the Docker container after the VM resumes. \n- Check the status of the Docker containers by running `docker ps` to confirm that the crAPI container is active.\n- If the crAPI container is not running, restart it using `docker-compose up -d` from the directory containing the docker-compose.yml file.\n- Verify that the port 8888 is correctly mapped in the docker-compose.yml file.\n- If the service is running but still inaccessible, check for any network issues or firewall settings that may be affecting the connection.\n- Consider restarting Docker service with `sudo systemctl restart docker` to reset any network configurations.\n- Monitor the Docker logs for any errors using `docker-compose logs` to identify potential issues.\n- Test accessing crAPI using `curl http://127.0.0.1:8888` from the terminal to isolate the problem further. \n- If issues persist, consider reconfiguring the network settings of the VM or Docker to ensure proper communication.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/crAPI/issues/182",
@@ -7437,6 +7697,7 @@
"node_id": "I_kwDOFAM8Ps5jEoZ7",
"title": "Coupon and Coupons are different collections ?",
"body": "https://github.com/OWASP/crAPI/blob/df1be10efa127a9cf1e0f9479836bedc980b9f36/services/community/api/models/coupon.go#L61\r\n\r\nDoes it intentional typo or not, because I can create a coupon but can't use that.\r\n\r\nPay attention on the validate coupon func and a collection name that used.\r\n\r\nI recommend to use constants for table/collection names if you'll pass this manually in every calls.",
+ "summary": "Clarify whether \"Coupon\" and \"Coupons\" represent different collections in the codebase. Check the implementation of the `validate coupon` function and the collection name utilized within it to understand the discrepancy. Investigate if the inability to use a created coupon is due to a naming inconsistency.\n\nTo tackle this issue:\n\n1. Review the definition of both \"Coupon\" and \"Coupons\" in the `coupon.go` file.\n2. Examine the `validate coupon` function for how it references the collection names.\n3. Test the creation and validation of a coupon to reproduce the issue.\n4. Propose the implementation of constants for collection/table names to ensure consistency across the codebase. This will help prevent similar issues in the future.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/crAPI/issues/186",
@@ -7463,6 +7724,7 @@
"node_id": "I_kwDOFAM8Ps5mQX4w",
"title": "Traceback (most recent call last): crapi-workshop | File \"/app/crapi/merchant/tests.py\", line 134, in test_contact_mechanic",
"body": "Hi, I install by docker,but find a bug in startuping! \r\n\r\n\r\n\r\nThe information in this screenshot appears several times and may be helpful for you to debug.\r\n\r\n\r\n\r\n\r\n\r\n",
+ "summary": "Investigate the bug occurring during Docker startup for the crAPI project. The traceback indicates an issue in the `test_contact_mechanic` function located in `merchant/tests.py` at line 134. Review the error messages shown in the provided screenshots, as they may contain critical information for debugging.\n\nFirst steps to tackle the problem:\n\n1. Reproduce the issue by running the Docker container and executing the relevant tests.\n2. Analyze the traceback to identify the root cause of the failure in the `test_contact_mechanic` function.\n3. Check for any missing dependencies or configuration issues in the Docker setup that could lead to this error.\n4. Review recent changes in the codebase that might have affected the functionality being tested.\n5. Consult the documentation or community forums for similar issues encountered by other users.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/crAPI/issues/200",
@@ -7491,6 +7753,7 @@
"node_id": "I_kwDOFAM8Ps5nM_ig",
"title": " Install crapi for the first time(ERROR: for crapi-web Container \"28eac0bf7569\" is unhealthy.)",
"body": "**Describe the bug**\r\n\r\n```\r\n$: sudo docker-compose -f docker-compose.yml --compatibility up -d\r\nmongodb is up-to-date\r\nmailhog is up-to-date\r\napi.crapi.io is up-to-date\r\npostgresdb is up-to-date\r\ncrapi-identity is up-to-date\r\ncrapi-community is up-to-date\r\nStarting crapi-workshop ... done\r\n\r\nERROR: for crapi-web Container \"28eac0bf7569\" is unhealthy.\r\nERROR: Encountered errors while bringing up the project.\r\n\r\n```\r\n\r\n**Runtime Environment**\r\n \r\n\r\n$: uname -a\r\n```\r\nLinux wg-virtual-machine 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux\r\n```\r\n\r\n```\r\n$: sudo docker version\r\n\r\nClient: Docker Engine - Community\r\n Version: 24.0.2\r\n API version: 1.43\r\n Go version: go1.20.4\r\n Git commit: cb74dfc\r\n Built: Thu May 25 21:51:00 2023\r\n OS/Arch: linux/amd64\r\n Context: default\r\n\r\nServer: Docker Engine - Community\r\n Engine:\r\n Version: 24.0.2\r\n API version: 1.43 (minimum version 1.12)\r\n Go version: go1.20.4\r\n Git commit: 659604f\r\n Built: Thu May 25 21:51:00 2023\r\n OS/Arch: linux/amd64\r\n Experimental: false\r\n containerd:\r\n Version: 1.6.21\r\n GitCommit: 3dce8eb055cbb6872793272b4f20ed16117344f8\r\n runc:\r\n Version: 1.1.7\r\n GitCommit: v1.1.7-0-g860f061\r\n docker-init:\r\n Version: 0.19.0\r\n```\r\n\r\n```\r\nsudo docker-compose version\r\n\r\ndocker-compose version 1.29.2, build unknown\r\ndocker-py version: 5.0.3\r\nCPython version: 3.10.6\r\n```\r\n\r\n",
+ "summary": "Investigate the \"unhealthy\" status of the `crapi-web` container during the initial installation of crapi. Perform the following steps:\n\n1. **Check Container Logs**: Run `sudo docker logs crapi-web` to examine the logs for any errors or issues that may indicate why the container is unhealthy.\n\n2. **Inspect Health Check Configuration**: Review the Dockerfile or docker-compose.yml for `crapi-web` to identify the health check command and ensure it is correctly configured. \n\n3. **Validate Dependencies**: Ensure all dependencies and services required by `crapi-web` are running correctly. Confirm the statuses of `mongodb`, `postgresdb`, and other related services.\n\n4. **Increase Health Check Timeout**: If the health check command requires more time to respond, adjust the timeout settings in the health check configuration.\n\n5. **Resource Allocation**: Verify that the system has sufficient resources (CPU, memory) allocated to Docker. Use `docker stats` to monitor resource usage.\n\n6. **Network Configuration**: Ensure that there are no network-related issues preventing `crapi-web` from communicating with its dependencies.\n\n7. **Update Docker and Docker Compose**: Ensure that you are running the latest stable versions of Docker and Docker Compose. Upgrade if necessary.\n\n8. **Rebuild the Image**: If the problem persists, consider rebuilding the `crapi-web` image using `sudo docker-compose build crapi-web` and then restart the services.\n\n9. **Consult Documentation**: Refer to the official crapi documentation or GitHub repository for any specific troubleshooting tips related to the `crapi-web` container.\n\nBy following these steps, you should be able to diagnose and potentially resolve the \"unhealthy\" status of the `crapi-web` container.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/crAPI/issues/204",
@@ -7519,6 +7782,7 @@
"node_id": "I_kwDOFAM8Ps5oDh58",
"title": "Container Mongodb error ",
"body": "this is a result of an error that I have been facing for 2 days now and if the mongodb is healhty the crapi_community shows an error \r\nI have just to run this command and wait which one gonna show an error \r\n$sudo VERSION=develop docker-compose -f docker-compose.yml --compatibility up -d[+] Building 0.0s (0/0) \r\n[+] Running 6/6\r\n ✔ Container api.crapi.io Running 0.0s \r\n ✔ Container postgresdb Healthy 0.5s \r\n ✘ Container mongodb Error 13.6s \r\n ✔ Container mailhog Running 0.0s \r\n ✔ Container crapi-identity Created 0.0s \r\n ✔ Container crapi-community Created\r\n\r\n\r\n\r\n\r\n\r\ndocker logs mongo db\r\n\r\nWARNING: MongoDB 5.0+ requires a CPU with AVX support, and your current system does not appear to have that!\r\n see https://jira.mongodb.org/browse/SERVER-54407\r\n see also https://www.mongodb.com/community/forums/t/mongodb-5-0-cpu-intel-g4650-compatibility/116610/2\r\n see also https://github.com/docker-library/mongo/issues/485#issuecomment-891991814\r\n\r\nabout to fork child process, waiting until server is ready for connections.\r\nforked process: 30\r\n\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:15.470+00:00\"},\"s\":\"I\", \"c\":\"CONTROL\", \"id\":20698, \"ctx\":\"main\",\"msg\":\"***** SERVER RESTARTED *****\"}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:15.472+00:00\"},\"s\":\"I\", \"c\":\"CONTROL\", \"id\":23285, \"ctx\":\"main\",\"msg\":\"Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'\"}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:15.474+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":4648601, \"ctx\":\"main\",\"msg\":\"Implicit TCP FastOpen unavailable. If TCP FastOpen is required, set tcpFastOpenServer, tcpFastOpenClient, and tcpFastOpenQueueSize.\"}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:15.475+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":4615611, \"ctx\":\"initandlisten\",\"msg\":\"MongoDB starting\",\"attr\":{\"pid\":30,\"port\":27017,\"dbPath\":\"/data/db\",\"architecture\":\"64-bit\",\"host\":\"a636cf2cec8a\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:15.475+00:00\"},\"s\":\"W\", \"c\":\"CONTROL\", \"id\":20720, \"ctx\":\"initandlisten\",\"msg\":\"Available memory is less than system memory\",\"attr\":{\"availableMemSizeMB\":128,\"systemMemSizeMB\":3927}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:15.475+00:00\"},\"s\":\"I\", \"c\":\"CONTROL\", \"id\":23403, \"ctx\":\"initandlisten\",\"msg\":\"Build Info\",\"attr\":{\"buildInfo\":{\"version\":\"4.4.22\",\"gitVersion\":\"fc832685b99221cffb1f5bb5a4ff5ad3e1c416b2\",\"openSSLVersion\":\"OpenSSL 1.1.1f 31 Mar 2020\",\"modules\":[],\"allocator\":\"tcmalloc\",\"environment\":{\"distmod\":\"ubuntu2004\",\"distarch\":\"x86_64\",\"target_arch\":\"x86_64\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:15.475+00:00\"},\"s\":\"I\", \"c\":\"CONTROL\", \"id\":51765, \"ctx\":\"initandlisten\",\"msg\":\"Operating System\",\"attr\":{\"os\":{\"name\":\"Ubuntu\",\"version\":\"20.04\"}}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:15.475+00:00\"},\"s\":\"I\", \"c\":\"CONTROL\", \"id\":21951, \"ctx\":\"initandlisten\",\"msg\":\"Options set by command line\",\"attr\":{\"options\":{\"net\":{\"bindIp\":\"127.0.0.1\",\"port\":27017,\"tls\":{\"mode\":\"disabled\"}},\"processManagement\":{\"fork\":true,\"pidFilePath\":\"/tmp/docker-entrypoint-temp-mongod.pid\"},\"systemLog\":{\"destination\":\"file\",\"logAppend\":true,\"path\":\"/proc/1/fd/1\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:15.476+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22300, \"ctx\":\"initandlisten\",\"msg\":\"The configured WiredTiger cache size is more than 80% of available RAM. See http://dochub.mongodb.org/core/faq-memory-diagnostics-wt\",\"tags\":[\"startupWarnings\"]}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:15.476+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22315, \"ctx\":\"initandlisten\",\"msg\":\"Opening WiredTiger\",\"attr\":{\"config\":\"create,cache_size=256M,session_max=33000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000,close_scan_interval=10,close_handle_minimum=250),statistics_log=(wait=0),verbose=[recovery_progress,checkpoint_progress,compact_progress],\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.241+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686132736:241776][30:0x7fc634e35cc0], txn-recover: [WT_VERB_RECOVERY | WT_VERB_RECOVERY_PROGRESS] Set global recovery timestamp: (0, 0)\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.241+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686132736:241884][30:0x7fc634e35cc0], txn-recover: [WT_VERB_RECOVERY | WT_VERB_RECOVERY_PROGRESS] Set global oldest timestamp: (0, 0)\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.259+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":4795906, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger opened\",\"attr\":{\"durationMillis\":783}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.259+00:00\"},\"s\":\"I\", \"c\":\"RECOVERY\", \"id\":23987, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger recoveryTimestamp\",\"attr\":{\"recoveryTimestamp\":{\"$timestamp\":{\"t\":0,\"i\":0}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.341+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22262, \"ctx\":\"initandlisten\",\"msg\":\"Timestamp monitor starting\"}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.357+00:00\"},\"s\":\"W\", \"c\":\"CONTROL\", \"id\":22120, \"ctx\":\"initandlisten\",\"msg\":\"Access control is not enabled for the database. Read and write access to data and configuration is unrestricted\",\"tags\":[\"startupWarnings\"]}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.357+00:00\"},\"s\":\"W\", \"c\":\"CONTROL\", \"id\":22178, \"ctx\":\"initandlisten\",\"msg\":\"/sys/kernel/mm/transparent_hugepage/enabled is 'always'. We suggest setting it to 'never'\",\"tags\":[\"startupWarnings\"]}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.359+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":20320, \"ctx\":\"initandlisten\",\"msg\":\"createCollection\",\"attr\":{\"namespace\":\"admin.system.version\",\"uuidDisposition\":\"provided\",\"uuid\":{\"uuid\":{\"$uuid\":\"6963ed1a-f25c-4956-a0c4-19f00a0e8fd1\"}},\"options\":{\"uuid\":{\"$uuid\":\"6963ed1a-f25c-4956-a0c4-19f00a0e8fd1\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.788+00:00\"},\"s\":\"I\", \"c\":\"INDEX\", \"id\":20345, \"ctx\":\"initandlisten\",\"msg\":\"Index build: done building\",\"attr\":{\"buildUUID\":null,\"namespace\":\"admin.system.version\",\"index\":\"_id_\",\"commitTimestamp\":{\"$timestamp\":{\"t\":0,\"i\":0}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.788+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":20459, \"ctx\":\"initandlisten\",\"msg\":\"Setting featureCompatibilityVersion\",\"attr\":{\"newVersion\":\"4.4\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.788+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":20536, \"ctx\":\"initandlisten\",\"msg\":\"Flow Control is enabled on this deployment\"}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.790+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":20320, \"ctx\":\"initandlisten\",\"msg\":\"createCollection\",\"attr\":{\"namespace\":\"local.startup_log\",\"uuidDisposition\":\"generated\",\"uuid\":{\"uuid\":{\"$uuid\":\"f0272e6b-f2fc-40ed-990f-3957e3e132eb\"}},\"options\":{\"capped\":true,\"size\":10485760}}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.830+00:00\"},\"s\":\"I\", \"c\":\"INDEX\", \"id\":20345, \"ctx\":\"initandlisten\",\"msg\":\"Index build: done building\",\"attr\":{\"buildUUID\":null,\"namespace\":\"local.startup_log\",\"index\":\"_id_\",\"commitTimestamp\":{\"$timestamp\":{\"t\":0,\"i\":0}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.831+00:00\"},\"s\":\"I\", \"c\":\"FTDC\", \"id\":20625, \"ctx\":\"initandlisten\",\"msg\":\"Initializing full-time diagnostic data capture\",\"attr\":{\"dataDirectory\":\"/data/db/diagnostic.data\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.831+00:00\"},\"s\":\"I\", \"c\":\"REPL\", \"id\":6015317, \"ctx\":\"initandlisten\",\"msg\":\"Setting new configuration state\",\"attr\":{\"newState\":\"ConfigReplicationDisabled\",\"oldState\":\"ConfigPreStart\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.897+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":23015, \"ctx\":\"listener\",\"msg\":\"Listening on\",\"attr\":{\"address\":\"/tmp/mongodb-27017.sock\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.897+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":23015, \"ctx\":\"listener\",\"msg\":\"Listening on\",\"attr\":{\"address\":\"127.0.0.1\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:16.897+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":23016, \"ctx\":\"listener\",\"msg\":\"Waiting for connections\",\"attr\":{\"port\":27017,\"ssl\":\"off\"}}\r\nchild process started successfully, parent exiting\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:17.574+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":51803, \"ctx\":\"LogicalSessionCacheRefresh\",\"msg\":\"Slow query\",\"attr\":{\"type\":\"command\",\"ns\":\"config.system.sessions\",\"command\":{\"listIndexes\":\"system.sessions\",\"cursor\":{},\"$db\":\"config\"},\"numYields\":0,\"ok\":0,\"errMsg\":\"ns does not exist: config.system.sessions\",\"errName\":\"NamespaceNotFound\",\"errCode\":26,\"reslen\":134,\"locks\":{\"FeatureCompatibilityVersion\":{\"acquireCount\":{\"r\":1}},\"ReplicationStateTransition\":{\"acquireCount\":{\"w\":1}},\"Global\":{\"acquireCount\":{\"r\":1}},\"Database\":{\"acquireCount\":{\"r\":1}},\"Collection\":{\"acquireCount\":{\"r\":1}},\"Mutex\":{\"acquireCount\":{\"r\":1}}},\"protocol\":\"op_msg\",\"durationMillis\":677}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:17.581+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":51803, \"ctx\":\"LogicalSessionCacheReap\",\"msg\":\"Slow query\",\"attr\":{\"type\":\"command\",\"ns\":\"config.system.sessions\",\"command\":{\"listIndexes\":\"system.sessions\",\"cursor\":{},\"$db\":\"config\"},\"numYields\":0,\"ok\":0,\"errMsg\":\"ns does not exist: config.system.sessions\",\"errName\":\"NamespaceNotFound\",\"errCode\":26,\"reslen\":134,\"locks\":{\"FeatureCompatibilityVersion\":{\"acquireCount\":{\"r\":1}},\"ReplicationStateTransition\":{\"acquireCount\":{\"w\":1}},\"Global\":{\"acquireCount\":{\"r\":1}},\"Database\":{\"acquireCount\":{\"r\":1}},\"Collection\":{\"acquireCount\":{\"r\":1}},\"Mutex\":{\"acquireCount\":{\"r\":1}}},\"protocol\":\"op_msg\",\"durationMillis\":684}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:17.668+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":20320, \"ctx\":\"LogicalSessionCacheRefresh\",\"msg\":\"createCollection\",\"attr\":{\"namespace\":\"config.system.sessions\",\"uuidDisposition\":\"generated\",\"uuid\":{\"uuid\":{\"$uuid\":\"611d3916-8a82-4f2e-9c68-b54e0a1481fb\"}},\"options\":{}}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:17.887+00:00\"},\"s\":\"I\", \"c\":\"CONTROL\", \"id\":20712, \"ctx\":\"LogicalSessionCacheReap\",\"msg\":\"Sessions collection is not set up; waiting until next sessions reap interval\",\"attr\":{\"error\":\"NamespaceNotFound: config.system.sessions does not exist\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:18.672+00:00\"},\"s\":\"I\", \"c\":\"INDEX\", \"id\":20345, \"ctx\":\"LogicalSessionCacheRefresh\",\"msg\":\"Index build: done building\",\"attr\":{\"buildUUID\":null,\"namespace\":\"config.system.sessions\",\"index\":\"_id_\",\"commitTimestamp\":{\"$timestamp\":{\"t\":0,\"i\":0}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:18.672+00:00\"},\"s\":\"I\", \"c\":\"INDEX\", \"id\":20345, \"ctx\":\"LogicalSessionCacheRefresh\",\"msg\":\"Index build: done building\",\"attr\":{\"buildUUID\":null,\"namespace\":\"config.system.sessions\",\"index\":\"lsidTTLIndex\",\"commitTimestamp\":{\"$timestamp\":{\"t\":0,\"i\":0}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:18.672+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":51803, \"ctx\":\"LogicalSessionCacheRefresh\",\"msg\":\"Slow query\",\"attr\":{\"type\":\"command\",\"ns\":\"config.system.sessions\",\"command\":{\"createIndexes\":\"system.sessions\",\"indexes\":[{\"key\":{\"lastUse\":1},\"name\":\"lsidTTLIndex\",\"expireAfterSeconds\":1800}],\"writeConcern\":{},\"$db\":\"config\"},\"numYields\":0,\"reslen\":114,\"locks\":{\"ParallelBatchWriterMode\":{\"acquireCount\":{\"r\":5}},\"FeatureCompatibilityVersion\":{\"acquireCount\":{\"r\":2,\"w\":3}},\"ReplicationStateTransition\":{\"acquireCount\":{\"w\":5}},\"Global\":{\"acquireCount\":{\"r\":2,\"w\":3}},\"Database\":{\"acquireCount\":{\"r\":2,\"w\":3}},\"Collection\":{\"acquireCount\":{\"r\":3,\"w\":2}},\"Mutex\":{\"acquireCount\":{\"r\":6}}},\"flowControl\":{\"acquireCount\":1,\"timeAcquiringMicros\":2},\"storage\":{},\"protocol\":\"op_msg\",\"durationMillis\":1004}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:28.466+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"127.0.0.1:45044\",\"connectionId\":1,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:33.367+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn1\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"127.0.0.1:45044\",\"client\":\"conn1\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:36.472+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":51803, \"ctx\":\"conn1\",\"msg\":\"Slow query\",\"attr\":{\"type\":\"command\",\"ns\":\"admin.$cmd\",\"appName\":\"MongoDB Shell\",\"command\":{\"whatsmyuri\":1,\"$db\":\"admin\"},\"numYields\":0,\"reslen\":63,\"locks\":{},\"protocol\":\"op_msg\",\"durationMillis\":253}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:41.278+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":51803, \"ctx\":\"conn1\",\"msg\":\"Slow query\",\"attr\":{\"type\":\"command\",\"ns\":\"admin.$cmd\",\"appName\":\"MongoDB Shell\",\"command\":{\"buildinfo\":1.0,\"$db\":\"admin\"},\"numYields\":0,\"reslen\":1811,\"locks\":{},\"protocol\":\"op_msg\",\"durationMillis\":2311}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:12:46.870+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn1\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"127.0.0.1:45044\",\"connectionId\":1,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:13:37.506+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"WTCheckpointThread\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686132815:869508][30:0x7fc62de26700], WT_SESSION.checkpoint: [WT_VERB_CHECKPOINT_PROGRESS] saving checkpoint snapshot min: 34, snapshot max: 34 snapshot count: 0, oldest timestamp: (0, 0) , meta checkpoint timestamp: (0, 0) base write gen: 1\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:13:37.486+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":23099, \"ctx\":\"PeriodicTaskRunner\",\"msg\":\"Task finished\",\"attr\":{\"taskName\":\"DBConnectionPool-cleaner\",\"durationMillis\":8031}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:13:57.468+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":23099, \"ctx\":\"PeriodicTaskRunner\",\"msg\":\"Task finished\",\"attr\":{\"taskName\":\"DBConnectionPool-cleaner\",\"durationMillis\":4043}}\r\n{\"t\":{\"$date\":\"2023-06-07T10:15:36.268+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":23099, \"ctx\":\"PeriodicTaskRunner\",\"msg\":\"Task finished\",\"attr\":{\"taskName\":\"DBConnectionPool-cleaner\",\"durationMillis\":14701}}\r\n/usr/local/bin/docker-entrypoint.sh: line 416: 81 Killed \"${mongo[@]}\" \"$rootAuthDatabase\" <<-EOJS\r\ndb.createUser({\r\nuser: $(_js_escape \"$MONGO_INITDB_ROOT_USERNAME\"),\r\npwd: $(_js_escape \"$MONGO_INITDB_ROOT_PASSWORD\"),\r\nroles: [ { role: 'root', db: $(_js_escape \"$rootAuthDatabase\") } ]\r\n})\r\nEOJS\r\n\r\n\r\nWARNING: MongoDB 5.0+ requires a CPU with AVX support, and your current system does not appear to have that!\r\n see https://jira.mongodb.org/browse/SERVER-54407\r\n see also https://www.mongodb.com/community/forums/t/mongodb-5-0-cpu-intel-g4650-compatibility/116610/2\r\n see also https://github.com/docker-library/mongo/issues/485#issuecomment-891991814\r\n\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:23.700+00:00\"},\"s\":\"I\", \"c\":\"CONTROL\", \"id\":23285, \"ctx\":\"main\",\"msg\":\"Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'\"}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:23.703+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":4648601, \"ctx\":\"main\",\"msg\":\"Implicit TCP FastOpen unavailable. If TCP FastOpen is required, set tcpFastOpenServer, tcpFastOpenClient, and tcpFastOpenQueueSize.\"}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:23.704+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":4615611, \"ctx\":\"initandlisten\",\"msg\":\"MongoDB starting\",\"attr\":{\"pid\":1,\"port\":27017,\"dbPath\":\"/data/db\",\"architecture\":\"64-bit\",\"host\":\"a636cf2cec8a\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:23.704+00:00\"},\"s\":\"W\", \"c\":\"CONTROL\", \"id\":20720, \"ctx\":\"initandlisten\",\"msg\":\"Available memory is less than system memory\",\"attr\":{\"availableMemSizeMB\":128,\"systemMemSizeMB\":3927}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:23.704+00:00\"},\"s\":\"I\", \"c\":\"CONTROL\", \"id\":23403, \"ctx\":\"initandlisten\",\"msg\":\"Build Info\",\"attr\":{\"buildInfo\":{\"version\":\"4.4.22\",\"gitVersion\":\"fc832685b99221cffb1f5bb5a4ff5ad3e1c416b2\",\"openSSLVersion\":\"OpenSSL 1.1.1f 31 Mar 2020\",\"modules\":[],\"allocator\":\"tcmalloc\",\"environment\":{\"distmod\":\"ubuntu2004\",\"distarch\":\"x86_64\",\"target_arch\":\"x86_64\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:23.704+00:00\"},\"s\":\"I\", \"c\":\"CONTROL\", \"id\":51765, \"ctx\":\"initandlisten\",\"msg\":\"Operating System\",\"attr\":{\"os\":{\"name\":\"Ubuntu\",\"version\":\"20.04\"}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:23.704+00:00\"},\"s\":\"I\", \"c\":\"CONTROL\", \"id\":21951, \"ctx\":\"initandlisten\",\"msg\":\"Options set by command line\",\"attr\":{\"options\":{\"net\":{\"bindIp\":\"*\"},\"security\":{\"authorization\":\"enabled\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:23.706+00:00\"},\"s\":\"W\", \"c\":\"STORAGE\", \"id\":22271, \"ctx\":\"initandlisten\",\"msg\":\"Detected unclean shutdown - Lock file is not empty\",\"attr\":{\"lockFile\":\"/data/db/mongod.lock\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:23.706+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22270, \"ctx\":\"initandlisten\",\"msg\":\"Storage engine to use detected by data files\",\"attr\":{\"dbpath\":\"/data/db\",\"storageEngine\":\"wiredTiger\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:23.706+00:00\"},\"s\":\"W\", \"c\":\"STORAGE\", \"id\":22302, \"ctx\":\"initandlisten\",\"msg\":\"Recovering data from the last clean checkpoint.\"}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:23.706+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22300, \"ctx\":\"initandlisten\",\"msg\":\"The configured WiredTiger cache size is more than 80% of available RAM. See http://dochub.mongodb.org/core/faq-memory-diagnostics-wt\",\"tags\":[\"startupWarnings\"]}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:23.706+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22315, \"ctx\":\"initandlisten\",\"msg\":\"Opening WiredTiger\",\"attr\":{\"config\":\"create,cache_size=256M,session_max=33000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000,close_scan_interval=10,close_handle_minimum=250),statistics_log=(wait=0),verbose=[recovery_progress,checkpoint_progress,compact_progress],\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:24.147+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686135864:147357][1:0x7f0929c1dcc0], txn-recover: [WT_VERB_RECOVERY_PROGRESS] Recovering log 1 through 2\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:24.988+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686135864:988764][1:0x7f0929c1dcc0], txn-recover: [WT_VERB_RECOVERY_PROGRESS] Recovering log 2 through 2\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:25.791+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686135865:791543][1:0x7f0929c1dcc0], txn-recover: [WT_VERB_RECOVERY | WT_VERB_RECOVERY_PROGRESS] Main recovery loop: starting at 1/21504 to 2/256\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:25.792+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686135865:792677][1:0x7f0929c1dcc0], txn-recover: [WT_VERB_RECOVERY_PROGRESS] Recovering log 1 through 2\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:26.874+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686135866:874734][1:0x7f0929c1dcc0], file:sizeStorer.wt, txn-recover: [WT_VERB_RECOVERY_PROGRESS] Recovering log 2 through 2\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:27.780+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686135867:780713][1:0x7f0929c1dcc0], file:sizeStorer.wt, txn-recover: [WT_VERB_RECOVERY | WT_VERB_RECOVERY_PROGRESS] Set global recovery timestamp: (0, 0)\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:27.781+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686135867:781022][1:0x7f0929c1dcc0], file:sizeStorer.wt, txn-recover: [WT_VERB_RECOVERY | WT_VERB_RECOVERY_PROGRESS] Set global oldest timestamp: (0, 0)\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:28.079+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686135868:79249][1:0x7f0929c1dcc0], WT_SESSION.checkpoint: [WT_VERB_CHECKPOINT_PROGRESS] saving checkpoint snapshot min: 16, snapshot max: 16 snapshot count: 0, oldest timestamp: (0, 0) , meta checkpoint timestamp: (0, 0) base write gen: 7\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:28.160+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":4795906, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger opened\",\"attr\":{\"durationMillis\":4454}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:28.160+00:00\"},\"s\":\"I\", \"c\":\"RECOVERY\", \"id\":23987, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger recoveryTimestamp\",\"attr\":{\"recoveryTimestamp\":{\"$timestamp\":{\"t\":0,\"i\":0}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:28.669+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22262, \"ctx\":\"initandlisten\",\"msg\":\"Timestamp monitor starting\"}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:28.704+00:00\"},\"s\":\"W\", \"c\":\"CONTROL\", \"id\":22178, \"ctx\":\"initandlisten\",\"msg\":\"/sys/kernel/mm/transparent_hugepage/enabled is 'always'. We suggest setting it to 'never'\",\"tags\":[\"startupWarnings\"]}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:29.372+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":20536, \"ctx\":\"initandlisten\",\"msg\":\"Flow Control is enabled on this deployment\"}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:29.676+00:00\"},\"s\":\"I\", \"c\":\"FTDC\", \"id\":20625, \"ctx\":\"initandlisten\",\"msg\":\"Initializing full-time diagnostic data capture\",\"attr\":{\"dataDirectory\":\"/data/db/diagnostic.data\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:29.681+00:00\"},\"s\":\"I\", \"c\":\"REPL\", \"id\":6015317, \"ctx\":\"initandlisten\",\"msg\":\"Setting new configuration state\",\"attr\":{\"newState\":\"ConfigReplicationDisabled\",\"oldState\":\"ConfigPreStart\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:29.973+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":23015, \"ctx\":\"listener\",\"msg\":\"Listening on\",\"attr\":{\"address\":\"/tmp/mongodb-27017.sock\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:29.974+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":23015, \"ctx\":\"listener\",\"msg\":\"Listening on\",\"attr\":{\"address\":\"0.0.0.0\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:29.974+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":23016, \"ctx\":\"listener\",\"msg\":\"Waiting for connections\",\"attr\":{\"port\":27017,\"ssl\":\"off\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:30.057+00:00\"},\"s\":\"I\", \"c\":\"FTDC\", \"id\":20631, \"ctx\":\"ftdc\",\"msg\":\"Unclean full-time diagnostic data capture shutdown detected, found interim file, some metrics may have been lost\",\"attr\":{\"error\":{\"code\":0,\"codeName\":\"OK\"}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:39.257+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:38144\",\"connectionId\":1,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:39.258+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn1\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:38144\",\"client\":\"conn1\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:40.995+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn1\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.3:38144\",\"connectionId\":1,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:59.469+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:48658\",\"connectionId\":2,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:59.496+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn2\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:48658\",\"client\":\"conn2\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:04:59.679+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn2\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.3:48658\",\"connectionId\":2,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:05:16.191+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:41614\",\"connectionId\":3,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:05:16.191+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn3\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:41614\",\"client\":\"conn3\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:05:16.382+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn3\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.3:41614\",\"connectionId\":3,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:05:28.707+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"WTCheckpointThread\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686135928:707384][1:0x7f0922c0e700], WT_SESSION.checkpoint: [WT_VERB_CHECKPOINT_PROGRESS] saving checkpoint snapshot min: 18, snapshot max: 18 snapshot count: 0, oldest timestamp: (0, 0) , meta checkpoint timestamp: (0, 0) base write gen: 7\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:05:31.571+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":23099, \"ctx\":\"PeriodicTaskRunner\",\"msg\":\"Task finished\",\"attr\":{\"taskName\":\"DBConnectionPool-cleaner\",\"durationMillis\":1702}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:05:33.168+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:46880\",\"connectionId\":4,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:05:33.169+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn4\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:46880\",\"client\":\"conn4\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:05:33.366+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn4\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.3:46880\",\"connectionId\":4,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:05:50.005+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:47756\",\"connectionId\":5,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:05:50.006+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn5\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:47756\",\"client\":\"conn5\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:05:50.106+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn5\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.3:47756\",\"connectionId\":5,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:05:56.926+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.7:34006\",\"connectionId\":6,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:05:57.585+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn6\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.7:34006\",\"client\":\"conn6\",\"doc\":{\"driver\":{\"name\":\"mongo-go-driver\",\"version\":\"v1.3.5\"},\"os\":{\"type\":\"linux\",\"architecture\":\"amd64\"},\"platform\":\"go1.20.4\"}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:05:57.601+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.7:34020\",\"connectionId\":7,\"connectionCount\":2}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:05:57.619+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn7\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.7:34020\",\"client\":\"conn7\",\"doc\":{\"driver\":{\"name\":\"mongo-go-driver\",\"version\":\"v1.3.5\"},\"os\":{\"type\":\"linux\",\"architecture\":\"amd64\"},\"platform\":\"go1.20.4\"}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:05:59.871+00:00\"},\"s\":\"I\", \"c\":\"ACCESS\", \"id\":20251, \"ctx\":\"conn7\",\"msg\":\"Supported SASL mechanisms requested for unknown user\",\"attr\":{\"user\":\"admin@admin\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:01.399+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":51803, \"ctx\":\"conn7\",\"msg\":\"Slow query\",\"attr\":{\"type\":\"command\",\"ns\":\"admin.$cmd\",\"command\":{\"isMaster\":1,\"saslSupportedMechs\":\"admin.admin\",\"compression\":[],\"client\":{\"driver\":{\"name\":\"mongo-go-driver\",\"version\":\"v1.3.5\"},\"os\":{\"type\":\"linux\",\"architecture\":\"amd64\"},\"platform\":\"go1.20.4\"},\"$readPreference\":{\"mode\":\"secondaryPreferred\"},\"$db\":\"admin\"},\"numYields\":0,\"reslen\":319,\"locks\":{},\"protocol\":\"op_query\",\"durationMillis\":2792}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:01.779+00:00\"},\"s\":\"I\", \"c\":\"ACCESS\", \"id\":20249, \"ctx\":\"conn7\",\"msg\":\"Authentication failed\",\"attr\":{\"mechanism\":\"SCRAM-SHA-1\",\"speculative\":false,\"principalName\":\"admin\",\"authenticationDatabase\":\"admin\",\"remote\":\"172.18.0.7:34020\",\"extraInfo\":{},\"error\":\"UserNotFound: Could not find user \\\"admin\\\" for db \\\"admin\\\"\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:01.795+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":51803, \"ctx\":\"conn7\",\"msg\":\"Slow query\",\"attr\":{\"type\":\"command\",\"ns\":\"admin.$cmd\",\"command\":{\"saslStart\":1,\"mechanism\":\"SCRAM-SHA-1\",\"payload\":\"xxx\",\"$db\":\"admin\"},\"numYields\":0,\"ok\":0,\"errMsg\":\"Authentication failed.\",\"errName\":\"AuthenticationFailed\",\"errCode\":18,\"reslen\":118,\"locks\":{},\"protocol\":\"op_msg\",\"durationMillis\":106}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:01.796+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn7\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.7:34020\",\"connectionId\":7,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:01.833+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn6\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.7:34006\",\"connectionId\":6,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:06.303+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:54760\",\"connectionId\":8,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:06.304+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn8\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:54760\",\"client\":\"conn8\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:06.498+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn8\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.3:54760\",\"connectionId\":8,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:22.268+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:33884\",\"connectionId\":9,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:22.269+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn9\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:33884\",\"client\":\"conn9\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:22.380+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn9\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.3:33884\",\"connectionId\":9,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:28.764+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"WTCheckpointThread\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686135988:764217][1:0x7f0922c0e700], WT_SESSION.checkpoint: [WT_VERB_CHECKPOINT_PROGRESS] saving checkpoint snapshot min: 21, snapshot max: 21 snapshot count: 0, oldest timestamp: (0, 0) , meta checkpoint timestamp: (0, 0) base write gen: 7\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:38.378+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:33064\",\"connectionId\":10,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:38.386+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn10\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:33064\",\"client\":\"conn10\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:38.579+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn10\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.3:33064\",\"connectionId\":10,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:40.387+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.7:35868\",\"connectionId\":11,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:40.476+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn11\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.7:35868\",\"client\":\"conn11\",\"doc\":{\"driver\":{\"name\":\"mongo-go-driver\",\"version\":\"v1.3.5\"},\"os\":{\"type\":\"linux\",\"architecture\":\"amd64\"},\"platform\":\"go1.20.4\"}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:40.513+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.7:35876\",\"connectionId\":12,\"connectionCount\":2}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:40.513+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn12\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.7:35876\",\"client\":\"conn12\",\"doc\":{\"driver\":{\"name\":\"mongo-go-driver\",\"version\":\"v1.3.5\"},\"os\":{\"type\":\"linux\",\"architecture\":\"amd64\"},\"platform\":\"go1.20.4\"}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:40.524+00:00\"},\"s\":\"I\", \"c\":\"ACCESS\", \"id\":20251, \"ctx\":\"conn12\",\"msg\":\"Supported SASL mechanisms requested for unknown user\",\"attr\":{\"user\":\"admin@admin\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:40.525+00:00\"},\"s\":\"I\", \"c\":\"ACCESS\", \"id\":20249, \"ctx\":\"conn12\",\"msg\":\"Authentication failed\",\"attr\":{\"mechanism\":\"SCRAM-SHA-1\",\"speculative\":false,\"principalName\":\"admin\",\"authenticationDatabase\":\"admin\",\"remote\":\"172.18.0.7:35876\",\"extraInfo\":{},\"error\":\"UserNotFound: Could not find user \\\"admin\\\" for db \\\"admin\\\"\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:40.526+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn12\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.7:35876\",\"connectionId\":12,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:40.567+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn11\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.7:35868\",\"connectionId\":11,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:54.472+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:41320\",\"connectionId\":13,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:54.474+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn13\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:41320\",\"client\":\"conn13\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:06:54.569+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn13\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.3:41320\",\"connectionId\":13,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:07:10.569+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:44538\",\"connectionId\":14,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:07:10.570+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn14\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:44538\",\"client\":\"conn14\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:07:10.668+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn14\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.3:44538\",\"connectionId\":14,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:07:27.069+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:56014\",\"connectionId\":15,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:07:27.070+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn15\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:56014\",\"client\":\"conn15\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:07:27.172+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn15\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.3:56014\",\"connectionId\":15,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:07:28.818+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"WTCheckpointThread\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686136048:818265][1:0x7f0922c0e700], WT_SESSION.checkpoint: [WT_VERB_CHECKPOINT_PROGRESS] saving checkpoint snapshot min: 23, snapshot max: 23 snapshot count: 0, oldest timestamp: (0, 0) , meta checkpoint timestamp: (0, 0) base write gen: 7\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:07:42.870+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:58318\",\"connectionId\":16,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:07:42.871+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn16\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:58318\",\"client\":\"conn16\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:07:42.994+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn16\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.3:58318\",\"connectionId\":16,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:07:58.492+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:38162\",\"connectionId\":17,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:07:58.566+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn17\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:38162\",\"client\":\"conn17\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:07:58.778+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn17\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.3:38162\",\"connectionId\":17,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:08:14.394+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:33518\",\"connectionId\":18,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:08:14.395+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn18\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:33518\",\"client\":\"conn18\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:08:14.484+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn18\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.3:33518\",\"connectionId\":18,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:08:28.908+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"WTCheckpointThread\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686136108:908044][1:0x7f0922c0e700], WT_SESSION.checkpoint: [WT_VERB_CHECKPOINT_PROGRESS] saving checkpoint snapshot min: 25, snapshot max: 25 snapshot count: 0, oldest timestamp: (0, 0) , meta checkpoint timestamp: (0, 0) base write gen: 7\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:08:49.778+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:47224\",\"connectionId\":19,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:08:49.817+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn19\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:47224\",\"client\":\"conn19\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:08:51.268+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn19\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.3:47224\",\"connectionId\":19,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:09:11.107+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:47016\",\"connectionId\":20,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:09:12.077+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn20\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:47016\",\"client\":\"conn20\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:09:24.584+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":51803, \"ctx\":\"conn20\",\"msg\":\"Slow query\",\"attr\":{\"type\":\"command\",\"ns\":\"admin.$cmd\",\"appName\":\"MongoDB Shell\",\"command\":{\"isMaster\":1,\"client\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}},\"$db\":\"admin\"},\"numYields\":0,\"reslen\":319,\"locks\":{},\"protocol\":\"op_query\",\"durationMillis\":695}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:09:29.833+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":51803, \"ctx\":\"conn20\",\"msg\":\"Slow query\",\"attr\":{\"type\":\"command\",\"ns\":\"test.$cmd\",\"appName\":\"MongoDB Shell\",\"command\":{\"isMaster\":1.0,\"forShell\":1.0,\"$db\":\"test\"},\"numYields\":0,\"reslen\":304,\"locks\":{},\"protocol\":\"op_msg\",\"durationMillis\":239}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:09:38.679+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":20499, \"ctx\":\"ftdc\",\"msg\":\"serverStatus was very slow\",\"attr\":{\"timeStats\":{\"after basic\":8,\"after asserts\":8,\"after connections\":8,\"after electionMetrics\":8,\"after extra_info\":8,\"after flowControl\":8,\"after globalLock\":118,\"after indexBulkBuilder\":118,\"after locks\":118,\"after logicalSessionRecordCache\":7021,\"after mirroredReads\":7021,\"after network\":7021,\"after opLatencies\":7021,\"after opReadConcernCounters\":7021,\"after opcounters\":7021,\"after opcountersRepl\":7021,\"after oplog\":7021,\"after oplogTruncation\":7119,\"after repl\":7119,\"after scramCache\":7119,\"after security\":7119,\"after storageEngine\":7119,\"after tcmalloc\":7119,\"after trafficRecording\":7119,\"after transactions\":7119,\"after transportSecurity\":7119,\"after twoPhaseCommitCoordinator\":7119,\"after wiredTiger\":7527,\"at end\":8600}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:09:41.471+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22944, \"ctx\":\"conn20\",\"msg\":\"Connection ended\",\"attr\":{\"remote\":\"172.18.0.3:47016\",\"connectionId\":20,\"connectionCount\":0}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:09:47.168+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":20499, \"ctx\":\"ftdc\",\"msg\":\"serverStatus was very slow\",\"attr\":{\"timeStats\":{\"after basic\":0,\"after asserts\":0,\"after connections\":0,\"after electionMetrics\":0,\"after extra_info\":423,\"after flowControl\":423,\"after globalLock\":423,\"after indexBulkBuilder\":423,\"after locks\":423,\"after logicalSessionRecordCache\":423,\"after mirroredReads\":423,\"after network\":423,\"after opLatencies\":423,\"after opReadConcernCounters\":423,\"after opcounters\":423,\"after opcountersRepl\":423,\"after oplog\":423,\"after oplogTruncation\":550,\"after repl\":550,\"after scramCache\":550,\"after security\":550,\"after storageEngine\":550,\"after tcmalloc\":550,\"after trafficRecording\":550,\"after transactions\":550,\"after transportSecurity\":550,\"after twoPhaseCommitCoordinator\":550,\"after wiredTiger\":550,\"at end\":1110}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:09:54.376+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":51803, \"ctx\":\"LogicalSessionCacheReap\",\"msg\":\"Slow query\",\"attr\":{\"type\":\"command\",\"ns\":\"config.system.sessions\",\"command\":{\"listIndexes\":\"system.sessions\",\"cursor\":{},\"$db\":\"config\"},\"numYields\":0,\"reslen\":245,\"locks\":{\"FeatureCompatibilityVersion\":{\"acquireCount\":{\"r\":1}},\"ReplicationStateTransition\":{\"acquireCount\":{\"w\":1}},\"Global\":{\"acquireCount\":{\"r\":1}},\"Database\":{\"acquireCount\":{\"r\":1}},\"Collection\":{\"acquireCount\":{\"r\":1}},\"Mutex\":{\"acquireCount\":{\"r\":1}}},\"storage\":{},\"protocol\":\"op_msg\",\"durationMillis\":10399}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:09:54.675+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"WTCheckpointThread\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686136194:675072][1:0x7f0922c0e700], WT_SESSION.checkpoint: [WT_VERB_CHECKPOINT_PROGRESS] saving checkpoint snapshot min: 27, snapshot max: 27 snapshot count: 0, oldest timestamp: (0, 0) , meta checkpoint timestamp: (0, 0) base write gen: 7\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:09:56.492+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":20499, \"ctx\":\"ftdc\",\"msg\":\"serverStatus was very slow\",\"attr\":{\"timeStats\":{\"after basic\":869,\"after asserts\":869,\"after connections\":869,\"after electionMetrics\":869,\"after extra_info\":1042,\"after flowControl\":1042,\"after globalLock\":1042,\"after indexBulkBuilder\":1042,\"after locks\":1042,\"after logicalSessionRecordCache\":1042,\"after mirroredReads\":1042,\"after network\":1042,\"after opLatencies\":1042,\"after opReadConcernCounters\":1042,\"after opcounters\":1042,\"after opcountersRepl\":1042,\"after oplog\":1042,\"after oplogTruncation\":1237,\"after repl\":1237,\"after scramCache\":1237,\"after security\":1237,\"after storageEngine\":1237,\"after tcmalloc\":1237,\"after trafficRecording\":1237,\"after transactions\":1237,\"after transportSecurity\":1237,\"after twoPhaseCommitCoordinator\":1237,\"after wiredTiger\":1238,\"at end\":1414}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:09:59.266+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":51803, \"ctx\":\"LogicalSessionCacheRefresh\",\"msg\":\"Slow query\",\"attr\":{\"type\":\"command\",\"ns\":\"config.system.sessions\",\"command\":{\"listIndexes\":\"system.sessions\",\"cursor\":{},\"$db\":\"config\"},\"numYields\":0,\"reslen\":245,\"locks\":{\"FeatureCompatibilityVersion\":{\"acquireCount\":{\"r\":1}},\"ReplicationStateTransition\":{\"acquireCount\":{\"w\":1}},\"Global\":{\"acquireCount\":{\"r\":1}},\"Database\":{\"acquireCount\":{\"r\":1}},\"Collection\":{\"acquireCount\":{\"r\":1}},\"Mutex\":{\"acquireCount\":{\"r\":1}}},\"storage\":{},\"protocol\":\"op_msg\",\"durationMillis\":15195}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:09:59.614+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":51803, \"ctx\":\"LogicalSessionCacheReap\",\"msg\":\"Slow query\",\"attr\":{\"type\":\"command\",\"ns\":\"config.transactions\",\"command\":{\"find\":\"transactions\",\"filter\":{\"lastWriteDate\":{\"$lt\":{\"$date\":\"2023-06-07T10:39:54.489Z\"}}},\"projection\":{\"_id\":1},\"sort\":{\"_id\":1},\"readConcern\":{},\"$db\":\"config\"},\"planSummary\":\"EOF\",\"keysExamined\":0,\"docsExamined\":0,\"cursorExhausted\":true,\"numYields\":0,\"nreturned\":0,\"reslen\":108,\"locks\":{\"FeatureCompatibilityVersion\":{\"acquireCount\":{\"r\":1}},\"ReplicationStateTransition\":{\"acquireCount\":{\"w\":1}},\"Global\":{\"acquireCount\":{\"r\":1}},\"Database\":{\"acquireCount\":{\"r\":1}},\"Collection\":{\"acquireCount\":{\"r\":2}},\"Mutex\":{\"acquireCount\":{\"r\":1}}},\"readConcern\":{\"provenance\":\"clientSupplied\"},\"storage\":{},\"protocol\":\"op_msg\",\"durationMillis\":5113}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:10:31.918+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":20499, \"ctx\":\"ftdc\",\"msg\":\"serverStatus was very slow\",\"attr\":{\"timeStats\":{\"after basic\":201,\"after asserts\":201,\"after connections\":201,\"after electionMetrics\":201,\"after extra_info\":534,\"after flowControl\":534,\"after globalLock\":534,\"after indexBulkBuilder\":534,\"after locks\":534,\"after logicalSessionRecordCache\":534,\"after mirroredReads\":534,\"after network\":534,\"after opLatencies\":534,\"after opReadConcernCounters\":534,\"after opcounters\":534,\"after opcountersRepl\":534,\"after oplog\":534,\"after oplogTruncation\":534,\"after repl\":534,\"after scramCache\":534,\"after security\":534,\"after storageEngine\":534,\"after tcmalloc\":534,\"after trafficRecording\":534,\"after transactions\":534,\"after transportSecurity\":534,\"after twoPhaseCommitCoordinator\":534,\"after wiredTiger\":534,\"at end\":1222}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:10:51.873+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":23099, \"ctx\":\"PeriodicTaskRunner\",\"msg\":\"Task finished\",\"attr\":{\"taskName\":\"DBConnectionPool-cleaner\",\"durationMillis\":4405}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:10:56.066+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:60452\",\"connectionId\":21,\"connectionCount\":1}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:10:57.267+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":22943, \"ctx\":\"listener\",\"msg\":\"Connection accepted\",\"attr\":{\"remote\":\"172.18.0.3:60458\",\"connectionId\":22,\"connectionCount\":2}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:10:58.669+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":23099, \"ctx\":\"PeriodicTaskRunner\",\"msg\":\"Task finished\",\"attr\":{\"taskName\":\"UnusedLockCleaner\",\"durationMillis\":6795}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:11:03.580+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":20499, \"ctx\":\"ftdc\",\"msg\":\"serverStatus was very slow\",\"attr\":{\"timeStats\":{\"after basic\":100,\"after asserts\":100,\"after connections\":100,\"after electionMetrics\":100,\"after extra_info\":403,\"after flowControl\":403,\"after globalLock\":403,\"after indexBulkBuilder\":403,\"after locks\":905,\"after logicalSessionRecordCache\":905,\"after mirroredReads\":905,\"after network\":905,\"after opLatencies\":905,\"after opReadConcernCounters\":905,\"after opcounters\":905,\"after opcountersRepl\":905,\"after oplog\":905,\"after oplogTruncation\":907,\"after repl\":907,\"after scramCache\":907,\"after security\":907,\"after storageEngine\":907,\"after tcmalloc\":907,\"after trafficRecording\":907,\"after transactions\":907,\"after transportSecurity\":907,\"after twoPhaseCommitCoordinator\":907,\"after wiredTiger\":907,\"at end\":1313}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:11:05.968+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"WTCheckpointThread\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686136265:968123][1:0x7f0922c0e700], WT_SESSION.checkpoint: [WT_VERB_CHECKPOINT_PROGRESS] saving checkpoint snapshot min: 29, snapshot max: 29 snapshot count: 0, oldest timestamp: (0, 0) , meta checkpoint timestamp: (0, 0) base write gen: 7\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:11:19.069+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":20499, \"ctx\":\"ftdc\",\"msg\":\"serverStatus was very slow\",\"attr\":{\"timeStats\":{\"after basic\":0,\"after asserts\":0,\"after connections\":0,\"after electionMetrics\":0,\"after extra_info\":460,\"after flowControl\":460,\"after globalLock\":460,\"after indexBulkBuilder\":460,\"after locks\":460,\"after logicalSessionRecordCache\":460,\"after mirroredReads\":460,\"after network\":460,\"after opLatencies\":460,\"after opReadConcernCounters\":460,\"after opcounters\":460,\"after opcountersRepl\":460,\"after oplog\":460,\"after oplogTruncation\":466,\"after repl\":466,\"after scramCache\":466,\"after security\":466,\"after storageEngine\":466,\"after tcmalloc\":466,\"after trafficRecording\":466,\"after transactions\":466,\"after transportSecurity\":466,\"after twoPhaseCommitCoordinator\":466,\"after wiredTiger\":466,\"at end\":1062}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:11:14.168+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn21\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:60452\",\"client\":\"conn21\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:11:14.168+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":51800, \"ctx\":\"conn22\",\"msg\":\"client metadata\",\"attr\":{\"remote\":\"172.18.0.3:60458\",\"client\":\"conn22\",\"doc\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:11:42.178+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":51803, \"ctx\":\"conn22\",\"msg\":\"Slow query\",\"attr\":{\"type\":\"command\",\"ns\":\"admin.$cmd\",\"appName\":\"MongoDB Shell\",\"command\":{\"isMaster\":1,\"client\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}},\"$db\":\"admin\"},\"numYields\":0,\"reslen\":319,\"locks\":{},\"protocol\":\"op_query\",\"durationMillis\":26393}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:11:42.170+00:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":51803, \"ctx\":\"conn21\",\"msg\":\"Slow query\",\"attr\":{\"type\":\"command\",\"ns\":\"admin.$cmd\",\"appName\":\"MongoDB Shell\",\"command\":{\"isMaster\":1,\"client\":{\"application\":{\"name\":\"MongoDB Shell\"},\"driver\":{\"name\":\"MongoDB Internal Client\",\"version\":\"4.4.22\"},\"os\":{\"type\":\"Linux\",\"name\":\"Ubuntu\",\"architecture\":\"x86_64\",\"version\":\"20.04\"}},\"$db\":\"admin\"},\"numYields\":0,\"reslen\":319,\"locks\":{},\"protocol\":\"op_query\",\"durationMillis\":26999}}\r\n\r\nWARNING: MongoDB 5.0+ requires a CPU with AVX support, and your current system does not appear to have that!\r\n see https://jira.mongodb.org/browse/SERVER-54407\r\n see also https://www.mongodb.com/community/forums/t/mongodb-5-0-cpu-intel-g4650-compatibility/116610/2\r\n see also https://github.com/docker-library/mongo/issues/485#issuecomment-891991814\r\n\r\n{\"t\":{\"$date\":\"2023-06-07T11:52:17.003+00:00\"},\"s\":\"I\", \"c\":\"CONTROL\", \"id\":23285, \"ctx\":\"main\",\"msg\":\"Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'\"}\r\n{\"t\":{\"$date\":\"2023-06-07T11:52:17.014+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":4648601, \"ctx\":\"main\",\"msg\":\"Implicit TCP FastOpen unavailable. If TCP FastOpen is required, set tcpFastOpenServer, tcpFastOpenClient, and tcpFastOpenQueueSize.\"}\r\n{\"t\":{\"$date\":\"2023-06-07T11:52:17.016+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":4615611, \"ctx\":\"initandlisten\",\"msg\":\"MongoDB starting\",\"attr\":{\"pid\":1,\"port\":27017,\"dbPath\":\"/data/db\",\"architecture\":\"64-bit\",\"host\":\"a636cf2cec8a\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:52:17.021+00:00\"},\"s\":\"W\", \"c\":\"CONTROL\", \"id\":20720, \"ctx\":\"initandlisten\",\"msg\":\"Available memory is less than system memory\",\"attr\":{\"availableMemSizeMB\":128,\"systemMemSizeMB\":3927}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:52:17.021+00:00\"},\"s\":\"I\", \"c\":\"CONTROL\", \"id\":23403, \"ctx\":\"initandlisten\",\"msg\":\"Build Info\",\"attr\":{\"buildInfo\":{\"version\":\"4.4.22\",\"gitVersion\":\"fc832685b99221cffb1f5bb5a4ff5ad3e1c416b2\",\"openSSLVersion\":\"OpenSSL 1.1.1f 31 Mar 2020\",\"modules\":[],\"allocator\":\"tcmalloc\",\"environment\":{\"distmod\":\"ubuntu2004\",\"distarch\":\"x86_64\",\"target_arch\":\"x86_64\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:52:17.021+00:00\"},\"s\":\"I\", \"c\":\"CONTROL\", \"id\":51765, \"ctx\":\"initandlisten\",\"msg\":\"Operating System\",\"attr\":{\"os\":{\"name\":\"Ubuntu\",\"version\":\"20.04\"}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:52:17.021+00:00\"},\"s\":\"I\", \"c\":\"CONTROL\", \"id\":21951, \"ctx\":\"initandlisten\",\"msg\":\"Options set by command line\",\"attr\":{\"options\":{\"net\":{\"bindIp\":\"*\"},\"security\":{\"authorization\":\"enabled\"}}}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:52:17.023+00:00\"},\"s\":\"W\", \"c\":\"STORAGE\", \"id\":22271, \"ctx\":\"initandlisten\",\"msg\":\"Detected unclean shutdown - Lock file is not empty\",\"attr\":{\"lockFile\":\"/data/db/mongod.lock\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:52:17.023+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22270, \"ctx\":\"initandlisten\",\"msg\":\"Storage engine to use detected by data files\",\"attr\":{\"dbpath\":\"/data/db\",\"storageEngine\":\"wiredTiger\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:52:17.023+00:00\"},\"s\":\"W\", \"c\":\"STORAGE\", \"id\":22302, \"ctx\":\"initandlisten\",\"msg\":\"Recovering data from the last clean checkpoint.\"}\r\n{\"t\":{\"$date\":\"2023-06-07T11:52:17.023+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22300, \"ctx\":\"initandlisten\",\"msg\":\"The configured WiredTiger cache size is more than 80% of available RAM. See http://dochub.mongodb.org/core/faq-memory-diagnostics-wt\",\"tags\":[\"startupWarnings\"]}\r\n{\"t\":{\"$date\":\"2023-06-07T11:52:17.024+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22315, \"ctx\":\"initandlisten\",\"msg\":\"Opening WiredTiger\",\"attr\":{\"config\":\"create,cache_size=256M,session_max=33000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000,close_scan_interval=10,close_handle_minimum=250),statistics_log=(wait=0),verbose=[recovery_progress,checkpoint_progress,compact_progress],\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:52:20.997+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686138740:997479][1:0x7f75326efcc0], txn-recover: [WT_VERB_RECOVERY_PROGRESS] Recovering log 2 through 3\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:52:30.394+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686138750:394043][1:0x7f75326efcc0], txn-recover: [WT_VERB_RECOVERY_PROGRESS] Recovering log 3 through 3\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:52:42.413+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686138762:413345][1:0x7f75326efcc0], txn-recover: [WT_VERB_RECOVERY | WT_VERB_RECOVERY_PROGRESS] Main recovery loop: starting at 2/8192 to 3/256\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:52:43.283+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686138763:283850][1:0x7f75326efcc0], txn-recover: [WT_VERB_RECOVERY_PROGRESS] Recovering log 2 through 3\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:53:01.955+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686138781:955463][1:0x7f75326efcc0], txn-recover: [WT_VERB_RECOVERY_PROGRESS] Recovering log 3 through 3\"}}\r\n{\"t\":{\"$date\":\"2023-06-07T11:54:12.205+00:00\"},\"s\":\"I\", \"c\":\"STORAGE\", \"id\":22430, \"ctx\":\"initandlisten\",\"msg\":\"WiredTiger message\",\"attr\":{\"message\":\"[1686138849:906448][1:0x7f75326efcc0], txn-recover: [WT_VERB_RECOVERY | WT_VERB_RECOVERY_PROGRESS] Set global recovery timestamp: (0, 0)\"}}\r\n**Describe the bug**\r\nA clear and concise description of what the bug is.\r\n\r\n**To Reproduce**\r\nSteps to reproduce the behavior.\r\nIf applicable, add screenshots to help explain your problem.\r\n\r\n**Expected behavior**\r\nA clear and concise description of what you expected to happen.\r\n\r\n**Runtime Environment**\r\nSytem/Environemnt information (e.g Output of docker -v and uname -a)\r\n\r\n",
+ "summary": "**Summarize the MongoDB Container Error Issue**\n\n1. **Identify the issue**: Address the error occurring when starting the MongoDB container using Docker. The command run is:\n ```\n sudo VERSION=develop docker-compose -f docker-compose.yml --compatibility up -d\n ```\n The MongoDB container shows an error while others run without issues.\n\n2. **Examine logs**: Review the MongoDB container logs using:\n ```\n docker logs mongodb\n ```\n Key warnings include:\n - MongoDB 5.0+ requires CPU with AVX support, which your system lacks. Reference: [JIRA SERVER-54407](https://jira.mongodb.org/browse/SERVER-54407).\n - Available memory is significantly lower than the system memory.\n - The configured WiredTiger cache size exceeds 80% of available RAM.\n\n3. **Possible causes**:\n - Lack of AVX support in the CPU.\n - Insufficient available memory for MongoDB operations.\n - Unclean shutdown detected, indicated by a non-empty lock file (`/data/db/mongod.lock`).\n\n4. **Proposed first steps**:\n - Confirm CPU capabilities and consider using a machine with AVX support if necessary.\n - Free up or allocate more RAM to the container to ensure it has adequate resources.\n - If the lock file indicates an improper shutdown, remove the lock file:\n ```\n rm /data/db/mongod.lock\n ```\n - Adjust the WiredTiger cache size in the MongoDB configuration to use less RAM or increase the available RAM in the system.\n\n5. **Monitor results**: Restart the MongoDB container after making the necessary adjustments and check the logs again for any persistent issues or errors. \n\nBy following these steps, you should be able to troubleshoot the MongoDB container error effectively.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/crAPI/issues/206",
@@ -7547,6 +7811,7 @@
"node_id": "I_kwDOFAM8Ps54h0Dn",
"title": "crAPI main page not loading on localhost",
"body": "**Describe the bug**\r\nEvery time I curl from Linux the file with the given command it gets to my folder empty + when I manually filled the file with the set up and pull the main page is not loading on my localhost\r\n\r\n**To Reproduce**\r\n\r\n\r\n\r\n\r\n**Expected behavior**\r\ndocker-compose.yml should contain the set up. I tried manually editing the file and it runs but when in the login the loader never ends as I showed on the pictures above\r\n\r\n",
+ "summary": "Investigate the issue with the crAPI main page not loading on localhost. Confirm that the `docker-compose.yml` file is correctly configured with the necessary setup. \n\n1. Check the output of the `curl` command; ensure that the expected files are being downloaded correctly and are not empty.\n2. Verify the contents of the `docker-compose.yml` file. Ensure all required services are defined and correctly configured.\n3. If manually editing the `docker-compose.yml` resolves some issues but leads to an infinite loading screen during login, consider checking the logs of the running services for any errors. Use `docker-compose logs` to fetch the logs.\n4. Investigate network configurations and firewall settings that may be blocking access to localhost.\n5. Ensure all dependencies are correctly installed and running. Run `docker-compose up` to start the services and monitor for any errors during startup.\n\nBegin troubleshooting with these steps to pinpoint the root cause of the loading issue.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/crAPI/issues/221",
@@ -7575,6 +7840,7 @@
"node_id": "I_kwDOFAM8Ps54-xJF",
"title": " required but undefined property 'converstion_params' in openapi-spec.json",
"body": "In the openapi-spec.json file, the definition for 'ProfileVideo' at line 3012 appears to have a spelling mistake for one of the required properties.\r\n\r\nconvers**t**ion_params should be conversion_params (additional 't' character is likely an error).\r\n\r\n![\"DashList\"](\"https://docs.pixee.ai/img/pixee_dashlist.png\")
\n👋 This dashboard summarizes my activity on the repository, including available improvement opportunities.\n\n\n## Recommendations\n_Last analysis: Sep 11 | Next scheduled analysis: Sep 18_\n\n### Open\n\n ✅ Nice work, you're all caught up!\n\n\n### Available\n\n ✅ Nothing yet, but I'm continuing to monitor your PRs.\n\n\n### Completed\n✅ You merged improvements I recommended [View](https://github.com/OWASP/cornucopia/pulls?q=is%3Apr+is%3Amerged+author%3Aapp%2Fpixeebot)\n✅ I also hardened PRs for you [View](https://github.com/OWASP/cornucopia/pulls?q=%22Hardening+Suggestion%22+in%3Atitle+is%3Apr+author%3Aapp%2Fpixeebot+is%3Amerged+head%3Apixeebot%2F)\n\n## Metrics\n**What would you like to see here?** [Let us know!](https://tally.so/r/mYa4Y5)\n\n## Resources\n\n📚 **Quick links**\nPixee Docs | Codemodder by Pixee\n\n🧰 **Tools I work with**\n[SonarCloud](https://docs.pixee.ai/code-scanning-tools/sonar) | [SonarQube](https://docs.pixee.ai/code-scanning-tools/sonarqube) | [CodeQL](https://docs.pixee.ai/code-scanning-tools/codeql) | [Semgrep](https://docs.pixee.ai/code-scanning-tools/semgrep)\n\n🚀 **Pixee CLI**\nThe power of my codemods in your local development environment. [Learn more](https://github.com/pixee/pixee-cli)\n\n💬 **Reach out**\nFeedback | Support\n\n---\n\n❤️ Follow, share, and engage with Pixee: GitHub | [LinkedIn](https://www.linkedin.com/company/pixee/) | [Slack](https://pixee-community.slack.com/signup#/domain-signup)\n\n\n \n\n",
+ "summary": "The Pixeebot Activity Dashboard provides a summary of repository activity, including current status and recommendations for improvement. As of the last analysis, all tasks are up to date, with no pending improvements. Recently merged improvements and hardened pull requests have been noted. The dashboard invites feedback on the metrics displayed and encourages users to share suggestions for additional features. Users are also provided with quick links to relevant resources and tools, as well as contact options for support and feedback. To enhance the dashboard, consider providing input on desired metrics.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/cornucopia/issues/549",
@@ -7875,6 +8151,7 @@
"node_id": "I_kwDOEyybVc6K2tWJ",
"title": "Ensure the converter can create print-ready proofs for print-on-demand jobs",
"body": "**Is your feature request related to a problem? Please describe.**\r\n\r\nIn order to drive the project further and create print ready proofs for print-on-demand we need to be able to script the idml to pdf convertion.\r\n\r\n**Describe the solution you'd like**\r\nA clear and concise description of what you want to happen.\r\n\r\nScribus looks promising: https://wiki.scribus.net/canvas/Command_line_scripts#Usefull_'Create_PDF_out_of_existing_scribus_document'_script\r\n\r\nPerhaps we could create a github action for doing the convertion or a python module.\r\n\r\n**Describe alternatives you've considered**\r\n\r\nIndesign server is an alternative, but it’s a commercial product.\r\n\r\n**Additional context**\r\n\r\nCurrently we are not delivering print ready design files. A designer always have install the fonts, open the idml document, clone the back of the card 79 times to the correct place and export to pdf.\r\nInstead we should just be able to deliver final pdfs and not idml with embedded art works.\r\n\r\nAs a middle step we could look into correctly add the links to the graphics from python, but I am afraid it won’t be platform dependent.\r\n",
+ "summary": "The issue highlights the need for a solution to create print-ready proofs for print-on-demand jobs by automating the IDML to PDF conversion process. The suggested approach involves using Scribus for scripting the conversion or possibly creating a GitHub action or Python module to streamline this process. Currently, the workflow requires manual intervention by designers to export the files, which is inefficient. Alternatives like Indesign Server are noted but are not preferred due to their commercial nature. The next steps should focus on implementing an automated solution that can handle the conversion effectively.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/cornucopia/issues/583",
@@ -7901,6 +8178,7 @@
"node_id": "I_kwDOEyybVc6LGIZM",
"title": "Build the requirement list on the card using OpenCRE for easier maintenance and collaboration. ",
"body": "**Is your feature request related to a problem? Please describe.**\r\n\r\nCurrently the requirement list connected with each card has a tendency to become outdated. There is also too little discussions around them which means that it's not sure all of them are equally relevant for all cards. \r\n\r\n**Describe the solution you'd like**\r\n\r\nWe should be able to build the requirement map on the cards by querying the OpenCRE API. This will invite to more cross-team collaboration and maintenance of the requirements connected to the cards and make the map easier to maintain. \r\n\r\n**Describe alternatives you've considered**\r\n\r\nThe requirement list has been moved out of the word and indesign files, this has helped, but using OpenCRE is the next logical step.\r\n\r\n",
+ "summary": "The issue highlights the problem of outdated requirement lists associated with cards, which lack sufficient discussion and relevance. The proposed solution is to utilize the OpenCRE API to build a requirement map for these cards, promoting better collaboration and easier maintenance. An alternative considered was moving the requirement list out of word and design files, which has already shown some improvement. \n\nNext steps could involve integrating the OpenCRE API to enhance the requirement mapping process.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/cornucopia/issues/595",
@@ -7927,6 +8205,7 @@
"node_id": "I_kwDOEyybVc6LGK9o",
"title": "Language review of the translations.",
"body": "**Is your feature request related to a problem? Please describe.**\r\n\r\nWe now have the decks translated into 6 languages, but we have not done a proper review of the language. The English, Norwegian and Dutch versions are probably fine, but what about the rest? \r\n\r\n**Describe the solution you'd like**\r\n\r\nGet someone that has been working as a native language teacher or translator to have a look at the translations in order to make sure the translations are properly done.\r\n",
+ "summary": "The issue highlights the need for a comprehensive review of translations for decks available in six languages. While the English, Norwegian, and Dutch versions are assumed to be acceptable, there is uncertainty regarding the quality of the other translations. The proposed solution involves engaging a native language teacher or translator to assess and ensure the accuracy and appropriateness of all translations. It may be beneficial to identify and contact qualified individuals for this review process.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/cornucopia/issues/596",
@@ -7953,6 +8232,7 @@
"node_id": "I_kwDOEdhCDs47aYXL",
"title": "OWASP threat modeling references",
"body": "Add references to other OWASP threat modeling projects and resources",
+ "summary": "The issue suggests adding references to various OWASP threat modeling projects and resources to enhance the existing documentation. To address this, it would be beneficial to gather a list of relevant OWASP resources and incorporate them into the documentation for better accessibility and guidance.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-threat-modeling-playbook/issues/3",
@@ -7979,6 +8259,7 @@
"node_id": "I_kwDOEdhCDs47aYeL",
"title": "Include a list of threat modeling tools",
"body": "As part of the tooling step",
+ "summary": "The issue suggests that a list of threat modeling tools should be included in the documentation, specifically within the tooling section. To address this, the team should compile and add relevant tools to enhance the resource's comprehensiveness.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-threat-modeling-playbook/issues/4",
@@ -8001,10 +8282,11 @@
"pk": 282,
"fields": {
"nest_created_at": "2024-09-11T19:39:37.166Z",
- "nest_updated_at": "2024-09-11T19:39:37.166Z",
+ "nest_updated_at": "2024-09-13T15:14:15.785Z",
"node_id": "I_kwDOEdhCDs47aYqV",
"title": "Include a list of threat modeling methodologies",
"body": "As part of the selecting a methodology step",
+ "summary": "The issue requests the inclusion of a list of threat modeling methodologies within the documentation, specifically during the selection process of a methodology. It suggests enhancing the guidance provided to users when they are choosing a suitable threat modeling approach. To address this, a compilation of existing threat modeling methodologies should be created and added to the relevant section of the documentation.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-threat-modeling-playbook/issues/5",
@@ -8031,6 +8313,7 @@
"node_id": "I_kwDOEcPlPM5hiKgz",
"title": "💻✅ Incorporate Good Practices back into the handbook",
"body": "https://owasp.org/www-committee-project/#div-practice",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-committee-project/issues/21",
@@ -8053,10 +8336,11 @@
"pk": 284,
"fields": {
"nest_created_at": "2024-09-11T19:39:46.047Z",
- "nest_updated_at": "2024-09-11T19:39:46.047Z",
+ "nest_updated_at": "2024-09-13T03:50:56.619Z",
"node_id": "I_kwDOEcPlPM5hiLKX",
"title": "📝👀 Update the .github/README.md for the OWASP Github page to better reflect projects and their statuses.",
"body": "",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-committee-project/issues/22",
@@ -8085,6 +8369,7 @@
"node_id": "I_kwDOEcPlPM5hjFys",
"title": "📋🌟 create a list or projects or update the existing one to show last release, commit #, last commit, stars,",
"body": "### Discussed in https://github.com/OWASP/www-committee-project/discussions/44\r\n\r\n\r\n\r\nOriginally posted by **DonnieBLT** March 22, 2023\r\nsee this as a starting point https://github.com/psiinon/owasp-projects \r\n\r\nwe can create a github action that runs daily to update the list\r\nmake sure it shows - \r\nprimary language, license, Forks, stars, Issues, PRs, issues need help last updated, Release version, date released \r\nfigure out a way to show project statuses from each github repo to link roadmap issues similar to how the github list of repos has the stats
",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-committee-project/issues/48",
@@ -8111,6 +8396,7 @@
"node_id": "I_kwDOEcPlPM5jQpN5",
"title": "HANDBOOK: Discuss/document legal review for project donations",
"body": "Nothing about legal review for project donations. There should be. The OWASP Foundation should provide this service if they don't already. The foundation will be unable to protect project leaders without the necessary due diligence, which is one of the benefits of joining a foundation in the first place. This needs to be addressed.",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-committee-project/issues/58",
@@ -8141,6 +8427,7 @@
"node_id": "I_kwDOEcPlPM5jQpdQ",
"title": "HANDBOOK: Document copyright transfer",
"body": "No mention of copyright transfer. We should discuss this in a future committee meeting, decide on a path forward and document the requirements in the handbook.",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-committee-project/issues/59",
@@ -8171,6 +8458,7 @@
"node_id": "I_kwDOEcPlPM5jQp5i",
"title": "HANDBOOK: Prescribe OSS licenses",
"body": "Some OSI licenses are anti-business or may lead to unintended legal requirements to disclose IP based on a deployments configuration. We should be prescriptive in the licenses we will accept.",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-committee-project/issues/60",
@@ -8201,6 +8489,7 @@
"node_id": "I_kwDOEcPlPM5jQqB6",
"title": "HANDBOOK: Require CODEOWNERS and SECURITY.md",
"body": "We should require a CODEOWNERS file and SECURITY.md in every project repo.",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-committee-project/issues/61",
@@ -8231,6 +8520,7 @@
"node_id": "I_kwDOEcPlPM5jQqVK",
"title": "HANDBOOK: JIRA onboarding?",
"body": "The new project request form takes you to JIRA, which requires an account. Future leaders will use their personal or work email address. We should encourage them to use their OWASP email address, but they won't have one yet. Therefore, I don't think JIRA is the right intake process. ",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-committee-project/issues/62",
@@ -8261,6 +8551,7 @@
"node_id": "I_kwDOEcPlPM5jQqiQ",
"title": "HANDBOOK: Clarify project types",
"body": "We need to clarify project types. CycloneDX is the only \"Standard\" project that I'm aware of. Other \"standards\" like ASVS are categorized as documentation projects. We need to discuss this. CycloneDX does not fit into any existing project types. But the creation of a \"standard\" project type may be problematic with ASVS and others that are a different type of standard.",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-committee-project/issues/63",
@@ -8291,6 +8582,7 @@
"node_id": "I_kwDOEcPlPM5k_oQ6",
"title": "Remove other \"project handbooks\" ",
"body": "there are a few places where the handbook is mentioned see below: - would be good to consolidate them all into one official repo or file and remove all copies of the previous handbook and forward them to the new one\r\n\r\n1. https://github.com/OWASP/www-policy/blob/master/unpublished/project-handbook.md\r\n2. https://github.com/OWASP-Foundation/Project-Handbook\r\n3. https://owasp.org/www-policy/operational/projects\r\n4. https://owasp.org/www-pdf-archive/PROJECT_LEADER-HANDBOOK_2014.pdf\r\n5. https://owasp.org/www-pdf-archive//OWASPProjectsHandbook2013.pdf\r\n6. https://github.com/OWASP/www-committee-project/tree/master/handbook",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-committee-project/issues/68",
@@ -8321,6 +8613,7 @@
"node_id": "I_kwDOEcPlPM5o2MvR",
"title": "Setup a Github Action to monitor project pages for activity ",
"body": "1) if a project has not changed it's project page in 1 week, send a reminder\r\n2) if a project has not had updates for 6 months send a reminder\r\n3) if a project has not had updates for 2 years, send an archive notice\r\n4) if a project has not had updates for 3 years, archive it",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-committee-project/issues/71",
@@ -8343,10 +8636,11 @@
"pk": 294,
"fields": {
"nest_created_at": "2024-09-11T19:40:14.558Z",
- "nest_updated_at": "2024-09-11T19:40:14.558Z",
+ "nest_updated_at": "2024-09-13T15:14:34.494Z",
"node_id": "I_kwDOEZvT985B4hvR",
"title": "bug: acurl command bug",
"body": "error msg:\r\n```\r\n~ ❯❯❯ acurl http://localhost:8000/DescribeIpReport\r\nTraceback (most recent call last):\r\n File \"gurl/__main__.py\", line 32, in ![\"cancel-login-to-github\"](\"https://user-images.githubusercontent.com/29352392/183881998-d066f24a-ba77-4ceb-9121-27f3f095c395.png\")
\r\n\r\n\r\nLog of cancelled login to Github:\r\n\r\n```\r\ndebug: controllers/auth.js: API login request: [object Object] {\"service\":\"threat-dragon\",\"timestamp\":\"2022-08-10 11:10:02\"}\r\ndebug: controllers/auth.js: API oauthReturn request: [object Object] {\"service\":\"threat-dragon\",\"timestamp\":\"2022-08-10 11:10:04\"}\r\ndebug: controllers/auth.js: API completeLogin request: [object Object] {\"service\":\"threat-dragon\",\"timestamp\":\"2022-08-10 11:10:04\"}\r\nerror: controllers/auth.js: {\"service\":\"threat-dragon\",\"timestamp\":\"2022-08-10 11:10:05\"}\r\nerror: Requires authentication {\"body\":{\"documentation_url\":\"https://docs.github.com/rest/reference/users#get-the-authenticated-user\",\"message\":\"Requires authentication\"},\"headers\":{\"access-control-allow-origin\":\"*\",\"access-control-expose-headers\":\"ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset\",\"connection\":\"close\",\"content-length\":\"131\",\"content-security-policy\":\"default-src 'none'\",\"content-type\":\"application/json; charset=utf-8\",\"date\":\"Wed, 10 Aug 2022 10:10:05 GMT\",\"referrer-policy\":\"origin-when-cross-origin, strict-origin-when-cross-origin\",\"server\":\"GitHub.com\",\"strict-transport-security\":\"max-age=31536000; includeSubdomains; preload\",\"vary\":\"Accept-Encoding, Accept, X-Requested-With\",\"x-content-type-options\":\"nosniff\",\"x-frame-options\":\"deny\",\"x-github-media-type\":\"github.v3; format=json\",\"x-github-request-id\":\"DCD8:9FDC:C3D6C6:CE492A:62F383FD\",\"x-ratelimit-limit\":\"60\",\"x-ratelimit-remaining\":\"58\",\"x-ratelimit-reset\":\"1660129699\",\"x-ratelimit-resource\":\"core\",\"x-ratelimit-used\":\"2\",\"x-xss-protection\":\"0\"},\"service\":\"threat-dragon\",\"statusCode\":401,\"timestamp\":\"2022-08-10 11:10:05\"}\r\nerror: undefined {\"service\":\"threat-dragon\",\"timestamp\":\"2022-08-10 11:10:05\"}\r\ndebug: controllers/auth.js: Returning error to client: {\"status\":500,\"message\":\"Internal Server Error\",\"details\":\"Internal Server Error\"} {\"service\":\"threat-dragon\",\"timestamp\":\"2022-08-10 11:10:05\"}\r\n```\r\nWhen protocol mismatch occurs (HTTPS certs not valid):\r\n![\"login-incompatible-protocol\"](\"https://user-images.githubusercontent.com/29352392/183882712-22145126-a1bb-448a-9b02-b76ba4eba079.png\")
\r\n\r\n",
+ "summary": "Implement timeouts and error reporting for login failures.\n\n1. Identify the issue: Users encounter a blank dashboard or a spinning wait icon when the \"Login with GitHub\" feature fails.\n\n2. Propose a solution: Upon a login failure, display an error message to the user and redirect them back to the homepage.\n\n3. Review existing error logs for understanding:\n - Analyze the log entries related to login requests to identify failure points. For instance, check for HTTP status codes like 401 (authentication required) or 500 (internal server error) as shown in the example logs.\n\n4. Design the error handling process:\n - Create a timeout mechanism for the login process. If the login attempt exceeds a specified duration without a response, trigger an error state.\n - Implement a user-friendly error message that specifies the nature of the failure (e.g., \"Login Failed: Please check your credentials or try again later.\").\n\n5. Redirect users: Ensure that after displaying the error message, the application navigates users back to the homepage to provide a seamless experience.\n\n6. First steps to tackle the problem:\n - Review the authentication controller code to locate where the login requests are processed.\n - Implement a timeout function that cancels the login attempt if it takes too long.\n - Add error handling logic to manage different types of errors (e.g., authentication errors, protocol mismatches).\n - Test the implementation thoroughly to ensure that users receive appropriate feedback on login failures.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/481",
@@ -9857,6 +10188,7 @@
"node_id": "I_kwDOEAWEP85QK_81",
"title": "console.log redirected to log file",
"body": "**Describe what problem your feature request solves**\r\nWe have some places where the console is used to log messages, which do not appear in the log file\r\n\r\n**Describe the solution you'd like**\r\nIt would be good to make sure that all console.log messages also appear in the log file. This has been done for electron logs, so would be good for server and vue logs\r\n\r\n**Additional context**\r\nAt the same time ensure that no tokens or PII is being logged\r\n",
+ "summary": "Implement a solution to redirect `console.log` messages to a log file. Ensure all logging mechanisms, including those used in server and Vue environments, capture console outputs.\n\n1. **Investigate Existing Logging Mechanisms**: Review how logging is currently implemented for Electron to identify potential methods for redirecting console output to files.\n\n2. **Modify Console Methods**: Override `console.log`, `console.warn`, and other relevant console methods to include file writing functionality. Utilize a logging library or Node.js' `fs` module to append logs to a designated log file.\n\n3. **Implement Filtering for Sensitive Data**: Integrate a mechanism to filter out any tokens or Personally Identifiable Information (PII) from the logs before writing them to the log file. Use regular expressions or a predefined list of sensitive keywords.\n\n4. **Test the Implementation**: Create unit tests to ensure that all console messages are captured in the log file and that no sensitive data is logged.\n\n5. **Document the Changes**: Update project documentation to reflect the new logging behavior, including examples of how messages will appear in the log file and any configurations needed for sensitive data filtering.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/493",
@@ -9872,8 +10204,8 @@
"repository": 502,
"assignees": [],
"labels": [
- 71,
- 85
+ 85,
+ 71
]
}
},
@@ -9886,6 +10218,7 @@
"node_id": "I_kwDOEAWEP85bOYiH",
"title": "Update jekyll versions for docs ",
"body": "**Describe what problem your feature request solves**\r\nThe ruby gem files reference out of date versions\r\n\r\n**Describe the solution you'd like**\r\nupdate docs gem files for up to date versions\r\n\r\n**Additional context**\r\n\r\n",
+ "summary": "Update Jekyll versions for documentation. \n\nIdentify outdated Ruby gem files in the documentation. Replace current references with the latest stable versions of Jekyll and its dependencies. \n\nFirst steps: \n1. Check the current Jekyll version in the Gemfile and Gemfile.lock files.\n2. Visit the official Jekyll repository or RubyGems to find the latest versions.\n3. Update the Gemfile with the new version numbers.\n4. Run `bundle update` to ensure all dependencies are resolved.\n5. Test the documentation site locally to confirm that updates do not introduce any issues. \n6. Commit the changes and submit a pull request for review.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/584",
@@ -9901,9 +10234,9 @@
"repository": 502,
"assignees": [],
"labels": [
- 71,
85,
- 86
+ 86,
+ 71
]
}
},
@@ -9916,6 +10249,7 @@
"node_id": "I_kwDOEAWEP85eq-qF",
"title": "Support for more granular threats using threat trees",
"body": "**Describe what problem your feature request solves**\r\nWhile documenting specific threats, it would be helpful if we could select more granular threats in the Edit Threat modal. For example, LINDDUN and STRIDE both have threat trees corresponding to each threat. The frameworks refer to these trees in their mitigation strategies section, so having this feature would be useful to quickly find the corresponding mitigations. More context is provided below.\r\n\r\n**Describe the solution you'd like**\r\nCurrently we can select the type of threat in the Edit Threat modal. This type corresponds to the root node of a threat tree. Perhaps there could be an additional drop-down menu below this with options for each of the child nodes in the corresponding threat trees?\r\n\r\n**Additional context**\r\nFor example, the Linkability threat in LINDDUN has the threat tree shown below. On selecting Linkability in the Edit Threat modal, another dropdown below could have options corresponding to the child nodes in this tree. \r\n\r\n![\"diagram](\"https://user-images.githubusercontent.com/22164211/219478797-2c64feff-d433-4b66-b48a-59f86d67c75a.png\")
\r\n\r\nSource: [Linkability Threat Trees](https://www.linddun.org/linkability)\r\n\r\nHaving this information could then allow us to find the corresponding mitigation strategies from a table like this one:\r\n\r\n![\"linddun](\"https://user-images.githubusercontent.com/22164211/219479491-db66a838-7b4f-4865-8b85-fab911929d11.png\")
\r\n\r\nSource: [LINDDUN Mitigation Strategies](https://www.linddun.org/mitigation-strategies-and-solutions)\r\n\r\nThank you!",
+ "summary": "Implement support for granular threats using threat trees in the Edit Threat modal. Enable selection of child nodes corresponding to threat trees like LINDDUN and STRIDE. \n\n1. Modify the Edit Threat modal to include a new dropdown menu beneath the existing threat type selection.\n2. Populate this dropdown with options for each child node from the selected threat tree.\n3. Ensure that selecting a child node allows users to easily reference associated mitigation strategies.\n4. Review the Linkability threat tree from LINDDUN as a primary example for implementation, ensuring the structure aligns with existing frameworks.\n5. Test the feature to confirm that it accurately displays child nodes and links to relevant mitigation strategies.\n\nThese steps will enhance usability and speed up the threat documentation process.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/607",
@@ -9933,8 +10267,8 @@
143
],
"labels": [
- 71,
- 77
+ 77,
+ 71
]
}
},
@@ -9947,6 +10281,7 @@
"node_id": "I_kwDOEAWEP85gb7yz",
"title": "Allow user to select multiple threat types",
"body": "**Describe what problem your feature request solves**\r\nAt the moment when selecting a threat type, I can only select one of the available options. For example, I can indicate a threat covers Confidentiality **or** Integrity **or** Availability, but cannot indicate it affects multiple of them. This creates a problem when discussing threats that legitimately affect multiple areas—for instance, a service crash that creates Availability issues and may disclose information while crashing that threatens Confidentiality.\r\n\r\n**Describe the solution you'd like**\r\nThreat types should be multi-select, perhaps with check-boxes or the Option-key-to-select-multiple solution. This enables users to select one or multiple depending on the context of the threat.",
+ "summary": "Implement multi-select functionality for threat types. \n\n**Problem Addressed**: Currently, users can only select a single threat type (Confidentiality, Integrity, Availability), which limits the ability to accurately represent threats affecting multiple areas, such as a service crash impacting both Availability and Confidentiality.\n\n**Proposed Solution**: Introduce check-boxes or an Option-key mechanism to allow users to select multiple threat types simultaneously. This will improve threat categorization and facilitate better discussions around multi-faceted threats.\n\n**First Steps to Tackle the Problem**:\n1. Analyze the current UI component handling threat type selection.\n2. Modify the selection component to support multiple selections (consider using a library or framework that handles check-boxes).\n3. Update the backend logic to accept and process multiple threat types.\n4. Perform testing to ensure that both selection and data handling work as expected.\n5. Collect user feedback on the new feature for further refinements.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/620",
@@ -9962,9 +10297,9 @@
"repository": 502,
"assignees": [],
"labels": [
- 71,
72,
- 73
+ 73,
+ 71
]
}
},
@@ -9977,6 +10312,7 @@
"node_id": "I_kwDOEAWEP85hGL0h",
"title": "Flatpak/flathub support",
"body": "**Describe what problem your feature request solves**\r\nA [Flatpak](https://flatpak.org/) install would be a great alternative to Snaps and Appimages, since this allows most users to download threat-dragon straight from their software store. Would people be open for this? I could look into it myself but I want to see if there is an appetite for it.\r\n\r\nFlatpack [instructions](https://github.com/flatpak/flatpak) and [flathub](https://flathub.org/)\r\nalong with [electron and flatpak](https://docs.flatpak.org/en/latest/electron.html)",
+ "summary": "Implement Flatpak support for Threat Dragon. \n\nEvaluate the benefits of offering a Flatpak installation option as an alternative to Snaps and AppImages. Focus on the convenience for users in downloading Threat Dragon directly from their software store.\n\nResearch Flatpak and Flathub documentation thoroughly. Review the Flatpak [instructions](https://github.com/flatpak/flatpak) and explore Flathub [guidelines](https://flathub.org/). \n\nInvestigate how to package the application using Electron within Flatpak. Consult the [Electron and Flatpak documentation](https://docs.flatpak.org/en/latest/electron.html) for specific requirements.\n\nBegin by:\n1. Setting up a Flatpak development environment.\n2. Creating a Flatpak manifest file for the Threat Dragon application.\n3. Testing the build process locally to ensure functionality.\n4. Engaging with the community to gauge interest in this feature.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/626",
@@ -9995,10 +10331,10 @@
146
],
"labels": [
- 71,
- 78,
80,
- 82
+ 82,
+ 78,
+ 71
]
}
},
@@ -10011,6 +10347,7 @@
"node_id": "I_kwDOEAWEP85jHNdW",
"title": "Use RAAML for threat models",
"body": "**Describe what problem your feature request solves**\r\n\r\n\r\nThe Risk Analysis and Assessment Modeling Language (RAAML) specification is a sysml compliant format that would allow integration with other modeling capabilities such as simulation. It is also a component UAFML. \r\n\r\n**Describe the solution you'd like**\r\n\r\n\r\nImplement modeling capabilities to support RAAML either as default or as content import/export.\r\n\r\n**Additional context**\r\n\r\n\r\nhttps://www.omg.org/spec/RAAML/1.0/Beta2/About-RAAML\r\nhttps://emfjson.github.io/projects/ecorejs/latest/",
+ "summary": "Implement RAAML support for threat models. Utilize the Risk Analysis and Assessment Modeling Language (RAAML) specification to facilitate integration with simulation tools and enhance modeling capabilities. Ensure compatibility with UAFML and SysML standards.\n\n**First Steps:**\n1. Review the RAAML specification at the provided OMG link to understand its structure and requirements.\n2. Analyze current modeling capabilities and identify integration points for RAAML.\n3. Design a framework for importing and exporting RAAML content.\n4. Develop a prototype that demonstrates basic RAAML modeling capabilities.\n5. Test the prototype with existing threat models to validate functionality.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/639",
@@ -10026,9 +10363,9 @@
"repository": 502,
"assignees": [],
"labels": [
- 71,
73,
- 77
+ 77,
+ 71
]
}
},
@@ -10041,6 +10378,7 @@
"node_id": "I_kwDOEAWEP85jNXUB",
"title": "Make the API OSLC compliant",
"body": "**Describe what problem your feature request solves**\r\n\r\n\r\nModeling tools have their own interoperability specification called Open Services for Lifecycle Collaboration (OSLC). It would be nice if Threat Dragon could provide OSLC compatibility to facilitate ALM / PLM integration.\r\n\r\n**Describe the solution you'd like**\r\n\r\n\r\nProvide OSLC compatible API and documentation with OpenAPI.\r\n\r\n**Additional context**\r\n\r\n\r\nhttps://open-services.net/\r\nhttps://www.ibm.com/docs/en/elms/elm/6.0.4?topic=integrating-oslc-integrations\r\nhttps://docs.oasis-open-projects.org/oslc-op/qm/v2.1/os/quality-management-spec.html\r\n",
+ "summary": "Implement OSLC Compliance for API\n\n- Address the need for interoperability among modeling tools by making the Threat Dragon API OSLC compliant.\n- Ensure compatibility with Open Services for Lifecycle Collaboration (OSLC) to enable integration with Application Lifecycle Management (ALM) and Product Lifecycle Management (PLM) systems.\n- Develop an OSLC-compatible API that adheres to the specifications outlined on the OSLC website and related documentation.\n\nFirst Steps:\n1. Review the OSLC specifications and guidelines available at https://open-services.net/ to understand the requirements for compliance.\n2. Analyze the current Threat Dragon API structure and identify necessary modifications to align with OSLC standards.\n3. Create a design plan for the new OSLC-compatible API, including endpoints and data formats.\n4. Implement the API changes, ensuring to include detailed documentation using OpenAPI for ease of use and integration by third parties.\n5. Test the new API for compliance with OSLC standards and validate functionality with ALM/PLM tools.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/641",
@@ -10056,9 +10394,9 @@
"repository": 502,
"assignees": [],
"labels": [
- 71,
73,
- 87
+ 87,
+ 71
]
}
},
@@ -10071,6 +10409,7 @@
"node_id": "I_kwDOEAWEP85jhf0_",
"title": "Use the new File System Access API on Chromium browsers",
"body": "**Describe what problem your feature request solves**\r\nThe actual way of handling local threat models could generate a lot of files because a new file is generated each time a user saves the working threat model.\r\n\r\n**Describe the solution you'd like**\r\nOn chromium based browsers the new File System Access API should be used (it's the one used in https://vscode.dev/)\r\n\r\n**Additional context**\r\nBlog presenting the API: https://developer.chrome.com/articles/file-system-access/ \r\n",
+ "summary": "Implement the File System Access API for Chromium browsers to improve local threat model file handling. \n\n**Problem to Solve:**\nCurrent file management generates excessive files by creating a new file each time a user saves a threat model, leading to clutter and inefficiency.\n\n**Proposed Solution:**\nUtilize the File System Access API to allow direct access and manipulation of files in the user's local file system. This will streamline the saving process, enabling users to overwrite existing files or manage their local files more effectively.\n\n**Technical Steps to Tackle the Problem:**\n1. Research the File System Access API and understand its capabilities and limitations.\n2. Update the codebase to replace current file handling methods with the File System Access API.\n3. Implement a file picker UI to allow users to select existing files to overwrite or choose locations for new files.\n4. Test the integration across different Chromium-based browsers to ensure compatibility and performance.\n5. Document the changes and provide user guidance on the new file handling process.\n\n**Resources:**\nRefer to the detailed blog on the File System Access API for implementation guidelines: https://developer.chrome.com/articles/file-system-access/",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/643",
@@ -10088,8 +10427,8 @@
43
],
"labels": [
- 71,
- 80
+ 80,
+ 71
]
}
},
@@ -10102,6 +10441,7 @@
"node_id": "I_kwDOEAWEP85pxCwC",
"title": "Provide demo versions of 1.x and 2.x to combined site",
"body": "**Describe what problem your feature request solves**:\r\nIt would be good to have demos of both versions 1.x and 2.x on a combined site alongside pytm\r\n\r\n**Describe the solution you'd like**:\r\n@izar has offered to provide access to [threatmodeling.dev](http://threatmodeling.dev/) site so that demos of pytm and Threat Dragon can be alongside each other\r\n\r\n**Additional context**:\r\nControl of the site would also be with OWASP along with @izar, and this will guarantee long term continuity\r\n",
+ "summary": "Create demo versions of both 1.x and 2.x on a combined site with pytm. Ensure that the demos are accessible through the threatmodeling.dev platform. \n\n1. Collaborate with @izar to set up the environment on the threatmodeling.dev site.\n2. Establish a version control process to manage updates for both 1.x and 2.x demos.\n3. Ensure that OWASP maintains control over the site for long-term support and continuity, involving @izar in the management.\n4. Develop a user-friendly interface to allow easy navigation between the demos of pytm and Threat Dragon.\n5. Test the demos thoroughly to ensure they function correctly and are user-friendly before launch. \n\nBy implementing these steps, you will provide users with an integrated experience of the different versions available.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/684",
@@ -10117,9 +10457,9 @@
"repository": 502,
"assignees": [],
"labels": [
- 71,
+ 87,
79,
- 87
+ 71
]
}
},
@@ -10132,6 +10472,7 @@
"node_id": "I_kwDOEAWEP85qAOP3",
"title": "Integration with OpenAI API",
"body": "**Describe what problem your feature request solves**:\r\nIt would be good to investigate Threat Dragon integration with OpenAI API\r\n\r\n**Describe the solution you'd like**:\r\nDescription of what it would take and roughly how long\r\n\r\n**Additional context**:\r\n@cvlucian asks: _\"research into Threat Dragon being integrated with OpenAI API? Endless possibilities probably to populate threat models models based on technical spec docs or simple input, AI assessment of risks etc.\"_\r\n",
+ "summary": "Investigate integration of Threat Dragon with OpenAI API. Focus on leveraging OpenAI's capabilities to enhance threat modeling processes by populating models using technical specifications or simple inputs. Assess potential for AI-driven risk evaluations.\n\nOutline the required steps for integration:\n1. Research OpenAI API documentation to understand its functionalities and limitations.\n2. Define use cases for Threat Dragon, such as:\n - Automatically generating threat models from input data.\n - Conducting AI-based assessments of identified risks.\n3. Evaluate data inputs and outputs necessary for seamless integration.\n4. Create a prototype to test API interactions with Threat Dragon.\n5. Estimate implementation time based on complexity of integration tasks.\n\nCollaborate with @cvlucian and other contributors to refine use cases and gather additional insights on practical applications. Prioritize identifying any potential challenges related to data privacy and compliance when utilizing AI models for sensitive information.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/685",
@@ -10160,6 +10501,7 @@
"node_id": "I_kwDOEAWEP85twZey",
"title": "Enable threats to be reassigned and/or duplicated to other components",
"body": "**Describe what problem your feature request solves**:\r\n\r\nOnce a threat is created, it is not possible to duplicate it or move it to other components. You need to manually repeat the whole process or delete a threat and add new one in different component.\r\n\r\n**Describe the solution you'd like**:\r\n\r\nIt would be really useful to be able to move threats from one component to another and to duplicate once created threat in other component. \r\n\r\n**Additional context**:\r\n\r\nThere are threats applicable to many components and it is time-consuming to create the same threat in every one of them. Also, once the component is created and threats are added to them, if you want to split it into two components you need to recreate every threat from the original one.\r\n",
+ "summary": "Implement functionality to enable reassignment and duplication of threats across components. \n\n**Problem Statement**: \nCurrently, threats can only be created manually for each component, leading to inefficiencies. Users must duplicate efforts by recreating threats or deleting and re-adding them to different components, which is time-consuming.\n\n**Proposed Solution**: \nIntroduce features that allow users to:\n1. Move a threat from one component to another.\n2. Duplicate an existing threat to another component directly.\n\n**Technical Considerations**:\n- Modify the threat management system to include options for 'Move' and 'Duplicate' actions.\n- Ensure that moving a threat updates all relevant relationships and dependencies associated with that threat.\n- Implement a user interface that allows easy selection of target components for duplication or reassignment.\n- Consider the impact on data integrity and ensure that threats remain consistent across components.\n\n**Next Steps**:\n1. Analyze the current database schema to understand how threats are linked to components.\n2. Design the user interface for moving and duplicating threats.\n3. Develop the backend logic for moving threats, ensuring proper handling of existing references.\n4. Test the new functionalities thoroughly to avoid data inconsistencies.\n5. Document the changes and provide user guidelines for utilizing the new features.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/716",
@@ -10175,8 +10517,8 @@
"repository": 502,
"assignees": [],
"labels": [
- 71,
- 73
+ 73,
+ 71
]
}
},
@@ -10189,6 +10531,7 @@
"node_id": "I_kwDOEAWEP85uU5Sc",
"title": "Upgrade to latest antv/x6 drawing package",
"body": "**Describe what problem your feature request solves**:\r\nwe have a lot of niggles with the drawing package, and this may be because we are using an old version :\r\n\r\n```\r\n \"@antv/x6\": \"^1.32.7\",\r\n \"@antv/x6-vue-shape\": \"^1.4.0\",\r\n```\r\n\r\n**Describe the solution you'd like**:\r\nupgrade to latest version 2.x - note that this is a breaking change:\r\n\r\n```\r\n \"@antv/x6\": \"^2.13.1\",\r\n \"@antv/x6-vue-shape\": \"^2.1.1\",\r\n```\r\n\r\n**Additional context**:\r\n\r\n",
+ "summary": "Upgrade the antv/x6 drawing package to the latest version to resolve existing issues with the current implementation. The current dependencies are:\n\n```\n \"@antv/x6\": \"^1.32.7\",\n \"@antv/x6-vue-shape\": \"^1.4.0\",\n```\n\nTransition to the following versions, noting that this is a breaking change:\n\n```\n \"@antv/x6\": \"^2.13.1\",\n \"@antv/x6-vue-shape\": \"^2.1.1\",\n```\n\n### Steps to Tackle the Problem:\n\n1. **Review Release Notes**: Examine the release notes for versions 2.x to identify breaking changes and new features.\n \n2. **Update Dependencies**: Modify the `package.json` to reflect the new versions.\n\n3. **Run Tests**: Execute existing unit and integration tests to identify breaking changes or issues introduced by the upgrade.\n\n4. **Refactor Code**: Address any deprecated methods or properties within the codebase that may have changed in the new version.\n\n5. **Test Functionality**: Manually test the application to ensure all drawing functionalities work as expected with the upgraded packages.\n\n6. **Document Changes**: Update documentation to reflect any changes in usage due to the upgrade.\n\n7. **Monitor for Bugs**: After deployment, monitor the application for any new issues that may arise from the upgrade.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/722",
@@ -10206,10 +10549,10 @@
43
],
"labels": [
- 71,
- 75,
83,
- 87
+ 75,
+ 87,
+ 71
]
}
},
@@ -10222,6 +10565,7 @@
"node_id": "I_kwDOEAWEP85zLzuV",
"title": "provide pipeline tests for utilities",
"body": "**Describe what problem your feature request solves**:\r\nWe are not sure if the utilities still run OK, and these should be checked in one of the pipelines\r\n\r\n**Describe the solution you'd like**:\r\nCheck that the utilities still run in the CI pipeline\r\n\r\n**Additional context**:\r\nUtilities:\r\n* DragonExtractor\r\n* threat-mvp\r\n* TMT2TD\r\nand possibly [DragonGPT](https://github.com/LuizBoina/dragon-gpt)\r\n\r\n",
+ "summary": "Implement pipeline tests for utilities to ensure functionality. Verify that the following utilities execute correctly within the CI pipeline:\n\n1. DragonExtractor\n2. threat-mvp\n3. TMT2TD\n4. Potentially include DragonGPT\n\nBegin by creating test cases for each utility. Use unit tests to validate core functionalities and integration tests for interactions with other components. \n\nSteps to tackle the problem:\n1. Review the existing utility code to identify key functions and expected outputs.\n2. Develop unit tests for each utility, covering edge cases and typical use cases using a testing framework like pytest or unittest.\n3. Integrate these tests into the CI pipeline configuration, ensuring they run on each commit or pull request.\n4. Monitor test results and adjust as necessary to resolve any failures or issues.\n5. Document the testing process and update README files where appropriate to guide future contributions.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/762",
@@ -10237,8 +10581,8 @@
"repository": 502,
"assignees": [],
"labels": [
- 71,
- 79
+ 79,
+ 71
]
}
},
@@ -10251,6 +10595,7 @@
"node_id": "I_kwDOEAWEP8524btK",
"title": "Clicking on data flow does not open it in properties",
"body": "**Describe the bug**:\r\nClicking on an existing data flow does not set its properties into the properties section. A double click is needed, but it results in an addition of a new point on the data flow.\r\n\r\n**Expected behaviour**:\r\nA single click on the data flow makes its properties accessible in the properties section\r\n\r\n**Environment**:\r\n\r\n- Version: 2.1.1\r\n- Platform: Desktop App and Web App\r\n- OS: MAC OS / Windows / Linux\r\n- Browser: All\r\n\r\n**To Reproduce**:\r\n1. Add a data flow\r\n2. Select another component on the diagram\r\n3. Click on the data flow just created\r\n\r\n",
+ "summary": "Fix the issue where clicking on a data flow does not open its properties. Ensure that a single click on the data flow correctly populates the properties section instead of requiring a double click, which inadvertently adds a new point to the data flow.\n\n**Technical Details**:\n- Investigate the event handling for mouse clicks on data flow components within the properties section.\n- Check the logic that differentiates between single and double click actions.\n- Update the event listener for the data flow to ensure that it sets the properties on a single click.\n\n**First Steps**:\n1. Review the code responsible for handling clicks on data flow components.\n2. Identify the function that currently manages the properties section update.\n3. Modify the click event listener to trigger the properties update on a single click.\n4. Test the changes across different platforms (Mac OS, Windows, Linux) and in various browsers to ensure consistent behavior.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/785",
@@ -10284,6 +10629,7 @@
"node_id": "I_kwDOEAWEP853bZp0",
"title": "Add the full database of PLOT4ai threats to Threat Dragon",
"body": "**Describe what problem your feature request solves**:\r\nPLOT4ai contains a database of 86 threats. Threat Dragon recently added support for the categories, similar to the other frameworks, but it would be nice if the threats under each category would become available from a drop-down menu as well.\r\nThe way threats are organized under the categories can be observed here: https://plot4.ai/library\r\n\r\n**Describe the solution you'd like**:\r\nWhen you add a threat (or edit one), you can already select the threat type, which corresponds to the plot4ai category.\r\nPLOT4ai has a [json file](https://github.com/PLOT4ai/plot4ai-library/blob/main/deck.json) available with all the threats; based on this json file and the selected type/category, the relevant threats could be loaded and used to populate a drop-down box called 'threat'. The user could then select the applicable threat.\r\nAdditionally, the information in the _explanation_ field could be used to prefill the Description-field in Threat Dragon and the information in the _recommendations_ field could be used to prefill the Mitigation field in Threat Dragon\r\n\r\n**Additional context**:\r\nPLOT4ai is in it's setup very similar to LINDDUN, which is also part of Threat Dragon. Adding this functionality would also open the possibility to add the threats from LINDDUN to threat dragon.\r\n\r\nThe additions of 'Development Phase' and 'Threat' to the threat dialog should only be visible when the diagram type is 'PLOT4ai', and possibly also for 'LINDDUN' diagram type.\r\n",
+ "summary": "Implement the full database of PLOT4ai threats in Threat Dragon. \n\n**Problem to solve**: Integrate 86 PLOT4ai threats into Threat Dragon, utilizing a user-friendly drop-down menu to enhance user experience when selecting threats.\n\n**Proposed solution**:\n1. Utilize the existing PLOT4ai [JSON file](https://github.com/PLOT4ai/plot4ai-library/blob/main/deck.json) to extract threat data.\n2. Modify the threat addition/editing interface to include a drop-down menu for selecting threats based on the chosen PLOT4ai category.\n3. Prefill the Description field in Threat Dragon with the information from the _explanation_ field of the JSON and the Mitigation field with data from the _recommendations_ field.\n4. Ensure that these new fields ('Development Phase' and 'Threat') appear only when the diagram type is set to 'PLOT4ai' or 'LINDDUN'.\n\n**First steps**:\n- Review the structure of the PLOT4ai JSON file to understand how threats are categorized.\n- Modify the front-end code of Threat Dragon to create a drop-down menu that dynamically populates with threats based on the selected category.\n- Implement the functionality to prefill the Description and Mitigation fields from the corresponding JSON data.\n- Test the integration to ensure that the drop-down menu and prefilled fields work correctly within the Threat Dragon interface.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/796",
@@ -10301,9 +10647,9 @@
150
],
"labels": [
- 71,
72,
- 73
+ 73,
+ 71
]
}
},
@@ -10316,6 +10662,7 @@
"node_id": "I_kwDOEAWEP853bcDN",
"title": "Add the full database of LINDDUN threats to Threat Dragon",
"body": "**Describe what problem your feature request solves**:\r\nLINDDUN contains a database of 35 threats. Threat Dragon already has support for the categories, similar to the other frameworks, but it would be nice if the threats under each category would become available from a drop-down menu as well.\r\nThe way threats are organized under the categories can be observed here: https://downloads.linddun.org/linddun-go/default/v20230802/go.pdf\r\n\r\n**Describe the solution you'd like**:\r\nWhen you add a threat (or edit one), you can already select the threat type, which corresponds to the linddun category.\r\nIf the linddun cards were to be digitalized in json format - similar to plot4ai - then this could serve as a database; then, based on this json file and the selected type/category, the relevant threats could be loaded and used to populate a drop-down box called 'threat'. The user could then select the applicable threat.\r\nAdditionally, the rest of the information on the linddun cards could be used to prefill the Description-field in Threat Dragon.\r\n\r\n**Additional context**:\r\nLINDDUN is very similar to PLOT4ai, which was also recently added to Threat Dragon. Adding this functionality would also open the possibility to add the threats from PLOT4ai to threat dragon.",
+ "summary": "Implement full integration of the LINDDUN threat database into Threat Dragon. \n\n**Problem**: Enhance the usability of Threat Dragon by allowing users to select specific LINDDUN threats from a drop-down menu, improving threat identification in threat modeling.\n\n**Solution**: \n1. Digitalize the LINDDUN threat cards into a JSON format, similar to the PLOT4ai integration.\n2. Update the Threat Dragon interface to include a new drop-down menu for threats, linked to the category selected by the user.\n3. Populate the drop-down based on the JSON data, allowing users to select relevant threats based on their chosen category.\n4. Use additional details from the LINDDUN cards to automatically fill the Description field in Threat Dragon when a threat is selected.\n\n**First Steps**:\n- Gather the JSON format of the LINDDUN threat cards from the provided PDF link.\n- Develop a mapping of the threat categories to the existing Threat Dragon structure.\n- Implement the front-end changes to introduce a new drop-down menu for threat selection.\n- Test the integration with sample data to ensure smooth functionality and accurate threat population.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/797",
@@ -10333,9 +10680,9 @@
150
],
"labels": [
- 71,
72,
- 73
+ 73,
+ 71
]
}
},
@@ -10344,10 +10691,11 @@
"pk": 361,
"fields": {
"nest_created_at": "2024-09-11T20:09:18.224Z",
- "nest_updated_at": "2024-09-11T20:09:18.224Z",
+ "nest_updated_at": "2024-09-13T03:53:44.409Z",
"node_id": "I_kwDOEAWEP854AXzc",
"title": "Isolate Authentication and Repository",
"body": "**Describe what problem your feature request solves**:\r\nIn reviewing #629, #426 and #1 I believe we need to decouple Authentication from the Repository, in cases where it is sensible.\r\n\r\n| Authentication | Repository | Status |\r\n| ------------- | ------------- |---------|\r\n| Github | Github Repo | Implemented |\r\n| Bitbucket | Bitbucket Repo | Implemented |\r\n| AWS IAM | S3 | #426 requests |\r\n| AWS IAM | AWS SQL | New |\r\n| Azure | Azure Blob | New |\r\n| Azure | Azure SQL | New |\r\n(Note - I am not proposing to build all of these combos!)\r\n\r\n\r\n**Describe the solution you'd like**:\r\n- [ ] Enable either intermediate screens between Provider selection and Repo selection for choice of Repository (where appropriate) or rely upon property files only.\r\n- [ ] Isolate the Provider and Repository coupling in Node - at present the authentication mechanism sets the repository, and they are 1-2-1.\r\n\r\n**Key Questions**:\r\n1. Is there a valid use case here to have a single Authentication Provider enable access to multiple types of repository? (I am not anticipating multiple repositories within a threat dragon instance)\r\n2. Do we want end users/modellers, not deployers, to select between repository options themselves or defer this to config in deployment?\r\n\r\nAs always, happy to be told this is beyond the scope or vision of the platform. ",
+ "summary": "Isolate Authentication from Repository\n\n**Problem Solving**: Decouple Authentication from Repository to allow flexible integration with various repository types without direct coupling.\n\n**Proposed Solution**:\n1. Implement intermediate screens or use property files to allow users to choose the repository type after selecting the authentication provider.\n2. Refactor Node to eliminate the 1-2-1 relationship between authentication mechanisms and repositories, enabling a single authentication provider to access multiple repository types.\n\n**Key Questions to Address**:\n- Validate the use case for a single Authentication Provider accessing multiple repository types.\n- Determine if end users should choose repository options or if this decision should be made during deployment configuration.\n\n**First Steps**:\n1. Review existing code to identify where authentication and repository coupling occurs.\n2. Design a prototype for intermediate screens or property file management.\n3. Assess the implications of refactoring authentication and repository interaction on current implementations.\n4. Gather feedback on use cases from stakeholders to guide the development process.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/805",
@@ -10358,12 +10706,10 @@
"comments_count": 1,
"closed_at": null,
"created_at": "2023-11-28T00:24:25Z",
- "updated_at": "2024-07-15T09:23:02Z",
+ "updated_at": "2024-09-12T07:58:30Z",
"author": 141,
"repository": 502,
- "assignees": [
- 141
- ],
+ "assignees": [],
"labels": [
71,
74
@@ -10379,6 +10725,7 @@
"node_id": "I_kwDOEAWEP857QYJr",
"title": "Desktop should show indication when loading",
"body": "**Describe what problem your feature request solves**:\r\nThe desktop application can take a long time to load, and the spinner in App.vue does not show while loading\r\n\r\n**Describe the solution you'd like**:\r\nDesktop app shows indication of loading\r\n\r\n**Additional context**:\r\nsteps to reproduce:\r\n1. download the installer for a new version of Threat Dragon\r\n2. install the new version\r\n3. invoke the new version and wait up to 30s before getting a window appearing\r\n",
+ "summary": "Implement a loading indicator for the desktop application during startup. \n\n**Problem to Solve**: The desktop application currently lacks a visual indication when it is loading, leading to user confusion during the delay, which can last up to 30 seconds.\n\n**Solution**: \n1. Modify the App.vue component to display a loading spinner during the initialization phase of the application.\n2. Ensure the spinner is visible until the application fully loads and the main window appears.\n\n**Technical Steps**:\n1. Identify the lifecycle hooks in App.vue responsible for application startup.\n2. Introduce a reactive property (e.g., `isLoading`) to manage the loading state.\n3. Set `isLoading` to `true` at the beginning of the startup process and change it to `false` once the application is fully loaded.\n4. Update the template in App.vue to conditionally render the loading spinner based on the `isLoading` property.\n5. Test the implementation by installing a new version of Threat Dragon and verifying that the loading spinner appears during startup.\n\n**Next Steps**:\n- Review the current initialization code in App.vue.\n- Create a simple loading spinner component if none exists.\n- Implement the state management for loading indication.\n- Conduct user testing to ensure the loading experience is improved.",
"state": "open",
"state_reason": "reopened",
"url": "https://github.com/OWASP/threat-dragon/issues/823",
@@ -10394,9 +10741,9 @@
"repository": 502,
"assignees": [],
"labels": [
- 71,
75,
- 78
+ 78,
+ 71
]
}
},
@@ -10405,10 +10752,11 @@
"pk": 363,
"fields": {
"nest_created_at": "2024-09-11T20:09:22.413Z",
- "nest_updated_at": "2024-09-11T20:09:22.413Z",
+ "nest_updated_at": "2024-09-13T03:53:45.749Z",
"node_id": "I_kwDOEAWEP857ZVYL",
"title": "PDF report generation froze the application",
"body": "**Describe the bug**:\r\nGenerating a PDF report halted the desktop application\r\n\r\n**Expected behaviour**:\r\nApplication should not freeze\r\n\r\n**Environment**:\r\n\r\n- Version: 2.1.2\r\n- Platform: Desktop App\r\n- OS: Windows\r\n- Browser: electron\r\n\r\n**To Reproduce**:\r\n\r\n**Any additional context, screenshots, etc**:\r\n@mikkolehtisalo reports \"the Windows Server we run the tool on acted differently from ordinary desktop operating systems. I ended up moving the data to Excel/Word and finishing the report by hand.\"\r\n",
+ "summary": "Investigate the application freeze during PDF report generation. Ensure the application remains responsive while generating reports.\n\n**Technical Details**:\n- Version: 2.1.2\n- Platform: Desktop App\n- OS: Windows (specifically mentioned issues on Windows Server)\n- Browser: Electron\n\n**Steps to Reproduce**:\n1. Open the application.\n2. Initiate PDF report generation.\n\n**First Steps to Tackle the Problem**:\n1. Analyze the report generation code for synchronous operations that could block the main thread.\n2. Implement asynchronous processing for PDF generation to prevent UI freeze.\n3. Test the application on both regular desktop and Windows Server environments to replicate the issue.\n4. Utilize logging to capture any errors or performance metrics during report generation. \n5. Consider using a worker thread or a background process for handling PDF generation tasks.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/826",
@@ -10419,16 +10767,14 @@
"comments_count": 5,
"closed_at": null,
"created_at": "2024-01-08T11:16:52Z",
- "updated_at": "2024-07-18T18:54:57Z",
+ "updated_at": "2024-09-12T07:56:10Z",
"author": 43,
"repository": 502,
- "assignees": [
- 151
- ],
+ "assignees": [],
"labels": [
+ 88,
78,
- 81,
- 88
+ 81
]
}
},
@@ -10441,6 +10787,7 @@
"node_id": "I_kwDOEAWEP857ZbP2",
"title": "Generic git support",
"body": "**Describe what problem your feature request solves**:\r\nNot everyone uses github or bitbucket for git repo access, it would be good to provide for these organizations\r\n\r\n**Describe the solution you'd like**:\r\nProvide support for git, not specific to github or bitbucket\r\n\r\n**Additional context**:\r\n@mikkolehtisalo reports \"the application has capability to save into github. However configuring internal git that is not github would require code changes. More generic git support would be super.\"\r\n",
+ "summary": "Implement generic Git support to enable repository access beyond GitHub and Bitbucket. \n\n1. Assess current integration capabilities and identify hard-coded dependencies on GitHub and Bitbucket within the application.\n2. Develop a flexible configuration system that allows users to input their own Git repository details (e.g., URL, authentication).\n3. Refactor the codebase to utilize standard Git commands and APIs, ensuring compatibility with various Git hosting services.\n4. Test the implementation with multiple Git providers to validate functionality and stability.\n5. Update documentation to guide users on how to configure their own Git repositories.\n\nStart by analyzing the existing code that handles Git interactions and outline a plan for abstraction to accommodate different Git providers.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/828",
@@ -10456,9 +10803,9 @@
"repository": 502,
"assignees": [],
"labels": [
- 71,
74,
- 75
+ 75,
+ 71
]
}
},
@@ -10471,6 +10818,7 @@
"node_id": "I_kwDOEAWEP857rNmj",
"title": "Revise data model of threat + mitigations",
"body": "**Describe what problem your feature request solves**:\r\nMultiple mitigations for a threat are possible, and also multiple threats per mitigations\r\n\r\n**Describe the solution you'd like**:\r\nrevise data model of threat and mitigations to be more flexible\r\n\r\n**Additional context**:\r\nUser reports:\r\n\"_The data model for threat mitigations is in my opinion simply incorrrect. One threat may have many mitigations, which has different implementation status. At this moment the tool seems to allow tracking only one mitigation per threat._\r\n\r\n_Not being able to copy or move threats makes impossible to refactor the environment image later on. I would take even \"make a copy of this threat to there\" without any linking of contents to fix this. Without this I had to redraw the environment and do a lot of manual work to get the final report cleaned up._\"\r\n\r\n",
+ "summary": "Revise the data model for threats and mitigations to enhance flexibility. \n\n**Address the following issues**:\n1. Allow multiple mitigations for each threat, accommodating various implementation statuses.\n2. Enable multiple threats to be associated with each mitigation.\n\n**Implement a solution**:\n1. Redesign the database schema to support a many-to-many relationship between threats and mitigations, possibly using a join table.\n2. Update the application logic to handle the new relationships, ensuring that users can add, edit, and view multiple mitigations per threat and vice versa.\n\n**Consider additional features**:\n1. Implement functionality to copy or move threats, allowing users to refactor environment images without redundant manual work.\n\n**First steps**:\n1. Analyze the current data model structure and identify necessary changes.\n2. Create a prototype of the new data model and gather feedback from stakeholders.\n3. Begin implementing the database schema changes and update the application code accordingly.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/834",
@@ -10486,8 +10834,8 @@
"repository": 502,
"assignees": [],
"labels": [
- 71,
- 75
+ 75,
+ 71
]
}
},
@@ -10500,6 +10848,7 @@
"node_id": "I_kwDOEAWEP859hs3c",
"title": "winget support would be great",
"body": "**Describe what problem your feature request solves**:\r\n\r\nIt would make the installation and upgrading the software on modern Windows very very easy.\r\n\r\n**Describe the solution you'd like**:\r\n\r\nI'd love to be able to say `winget install --id OWASP.ThreatDragon` or similar -- and of course subsequently `winget upgrade --id OWASP.ThreatDragon` -- in order to install and upgrade the software.\r\n\r\nPS: I think there is a way to integrate this with GitHub automation, but I need to dig that up again and will comment once I find it. That way if the assets in your releases follow a particular schema a PR will automatically go to microsoft/winget-pkgs.",
+ "summary": "Implement winget support to simplify software installation and upgrades on modern Windows systems. \n\n1. Enable users to install software using commands like `winget install --id OWASP.ThreatDragon` and upgrade with `winget upgrade --id OWASP.ThreatDragon`.\n2. Investigate integration with GitHub automation to streamline the process; ensure that release assets conform to a specified schema for automatic PR submissions to microsoft/winget-pkgs.\n\nFirst steps:\n- Research the winget CLI documentation to understand command usage and requirements.\n- Develop a manifest file for OWASP ThreatDragon that adheres to winget's specifications.\n- Test the installation and upgrade commands locally to verify functionality.\n- Explore GitHub Actions to automate the PR creation process for updates.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/848",
@@ -10518,10 +10867,10 @@
153
],
"labels": [
- 71,
- 78,
80,
- 81
+ 81,
+ 78,
+ 71
]
}
},
@@ -10534,6 +10883,7 @@
"node_id": "I_kwDOEAWEP8596XGk",
"title": "Long term file format",
"body": "**Describe what problem your feature request solves**:\r\nThe Threat Dragon file format / JSON schema uses two related but incompatible versions for 1.x and 2.x, and neither of these is a format other tools can use\r\n\r\n**Describe the solution you'd like**:\r\nThreat Dragon version 3.x should use a standard file format instead of the existing incompatible versions 1.x and versions 2.x formats\r\n[Open Threat Model](https://github.com/iriusrisk/OpenThreatModel) file format has been released and could be considered alongside CycloneDx\r\n\r\n**Additional context**:\r\n\r\n* [CycloneDx](https://cyclonedx.org/) is an [ECMA standard 424](https://ecma-international.org/publications-and-standards/standards/ecma-424/)\r\n* CycloneDx can provide the definition of the threat model file, as a TMBOM (Threat Model Bill of Materials)\r\n* There is also a [CyclonDX github issue](https://github.com/CycloneDX/specification/issues/462) for tracking this work\r\n* The TMBOM fields need to be defined in the [CycloneDx Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)\r\n* The closest CycloneDX BOM to a TMBOM is the [example of an HBOM](https://github.com/CycloneDX/bom-examples/blob/master/HBOM/PCIe-SATA-adapter-board/bom.json) (Hardware BOM)\r\n* An informal workstream (#[workstream-threat-model](https://cyclonedx.slack.com/archives/C073KMCQMUG)) has been set up on the OWASP CycloneDX Slack which meets regularly\r\n* [Agenda and minutes are available](https://docs.google.com/document/d/1OxM2KDAKmkY6Z-K0Qe5Gce7jMWWnCU1Osd3P4V8t8yQ/) and [TMBOM Use Cases and Requirements](https://docs.google.com/document/d/1gwfk0GHafuUE06GRc31kkQ-NTB2w8ZatYGKUm7Ah-5Q/)\r\n\r\n",
+ "summary": "Create a standardized file format for Threat Dragon version 3.x to replace the incompatible 1.x and 2.x JSON schemas. Evaluate the Open Threat Model file format and CycloneDX as potential solutions.\n\n1. Review the CycloneDX specification, particularly ECMA standard 424, which outlines the Threat Model Bill of Materials (TMBOM) structure.\n2. Analyze the TMBOM fields and their definitions in the CycloneDX Property Taxonomy.\n3. Compare the TMBOM requirements with the existing CycloneDX BOM examples, specifically the HBOM for reference.\n4. Participate in the informal workstream on OWASP CycloneDX Slack to gather insights and collaborate with others involved in this effort.\n5. Consult the provided agenda and minutes for ongoing discussions and document any relevant use cases and requirements for the TMBOM. \n\nBy standardizing the file format, improve interoperability with other tools and enhance usability for users of Threat Dragon.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/850",
@@ -10551,9 +10901,9 @@
43
],
"labels": [
- 71,
+ 89,
75,
- 89
+ 71
]
}
},
@@ -10566,6 +10916,7 @@
"node_id": "I_kwDOEAWEP85-aL-p",
"title": "Refactor Providers to use standard model",
"body": "The existing providers have been maintained against the initial Github schema. A refactor to maintain a standard repository schema is necessary to simplify the code base.",
+ "summary": "Refactor the Providers to conform to the standard repository schema. Analyze the current implementation of the providers that are based on the initial GitHub schema. Identify discrepancies and areas for improvement to align with the new model.\n\n1. Review the standard repository schema and document the differences between it and the current provider implementations.\n2. Update data structures and methods in the providers to match the standard schema requirements.\n3. Ensure that all existing functionality remains intact by writing unit tests for the current behavior.\n4. Gradually replace the old schema references in the codebase with the new standard model.\n5. Conduct thorough testing to validate that all providers function correctly after the refactor.\n\nBy following these steps, enhance the maintainability and clarity of the codebase, which will streamline future development efforts.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/860",
@@ -10583,8 +10934,8 @@
141
],
"labels": [
- 74,
- 88
+ 88,
+ 74
]
}
},
@@ -10597,6 +10948,7 @@
"node_id": "I_kwDOEAWEP85-mY1C",
"title": "Feature Request: OPSEC Threat Modeling",
"body": "**Describe what problem your feature request solves**:\r\nThere is no OPSEC based threat modeling unless its in context SDLC\r\n\r\n**Describe the solution you'd like**:\r\nI would like an option to use Threat-Dragon to create OPSEC or Operation Security based threat model\r\n\r\n**Additional context**:\r\nMost threat models are defined in terms of software developers life cycle or IT. OPSEC applies to IT and all domains especially physical. I could find no OPSEC threat models and think this could easily be added to Threat-Dragon and increase the user baser. The ability to easily create OPSEC threat models and display them especially for the physical domain has a lot of value. See an good example here: https://old.reddit.com/r/opsec/comments/eh6uvc/want_to_learn_opsec_as_a_total_beginner_start_here/\r\n\r\n\r\n",
+ "summary": "Implement OPSEC Threat Modeling feature in Threat-Dragon. \n\n1. Identify the current limitations in Threat-Dragon regarding OPSEC-based threat modeling. \n2. Research existing OPSEC frameworks and methodologies to incorporate relevant aspects into the tool.\n3. Develop a user interface option for creating OPSEC threat models, ensuring it accommodates both IT and physical domains.\n4. Create templates or guidelines for users to easily build OPSEC threat models.\n5. Validate the feature with potential users to gather feedback and improve functionality.\n\nThis enhancement will broaden Threat-Dragon’s applicability and attract a wider user base by addressing a gap in existing threat modeling tools.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/861",
@@ -10612,8 +10964,8 @@
"repository": 502,
"assignees": [],
"labels": [
- 71,
- 75
+ 75,
+ 71
]
}
},
@@ -10626,6 +10978,7 @@
"node_id": "I_kwDOEAWEP85-5wp2",
"title": "Create AppVeyor pipeline for signing Windows installer",
"body": "**Describe what problem your feature request solves**:\r\nAs of July 2023 the Certificate Authority/Brower Forum’s [CA/B Forum](https://cabforum.org/baseline-requirements-code-signing/) requires all code signing private keys be stored on secure hardware.\r\nThe cost is prohibitive, $175 to $250 per year\r\n\r\n**Describe the solution you'd like**:\r\nWindows installer signed\r\n\r\n**Additional context**:\r\nThe [How to Sign a Windows App in Electron Builder](https://codesigningstore.com/how-to-sign-a-windows-app-in-electron-builder) describes what needs to be done to sign the Threat Dragon application.\r\nThe existing certificate runs out on 20th February 2024\r\n",
+ "summary": "Create an AppVeyor pipeline for signing the Windows installer for the Threat Dragon application. \n\n1. Store code signing private keys on secure hardware to comply with CA/B Forum requirements effective July 2023. \n2. Evaluate and select a cost-effective hardware security module (HSM) solution, considering expenses between $175 to $250 per year.\n3. Implement the signing process using the guidance from the \"How to Sign a Windows App in Electron Builder\" documentation.\n4. Configure the AppVeyor pipeline to automate the signing of the Windows installer.\n5. Ensure that the current certificate is renewed before it expires on February 20, 2024.\n\nFirst steps:\n- Research and choose an appropriate HSM provider.\n- Set up an AppVeyor account and create a new pipeline configuration.\n- Write and test the script for the signing process within the pipeline.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/872",
@@ -10641,9 +10994,9 @@
"repository": 502,
"assignees": [],
"labels": [
- 71,
+ 90,
87,
- 90
+ 71
]
}
},
@@ -10656,6 +11009,7 @@
"node_id": "I_kwDOEAWEP85_m2Mp",
"title": "Support Github/Bitbucket/Gitlab in Desktop",
"body": "I am unclear why we would not support the various repositories in Desktop mode, so proposing enabling.\r\n\r\nWelcome feedback.",
+ "summary": "Enable support for GitHub, Bitbucket, and GitLab in Desktop mode. Assess the current architecture of the Desktop application to identify integration points for these repositories. \n\nFirst, gather information on the existing APIs for GitHub, Bitbucket, and GitLab. Review the authentication methods currently used in Desktop mode and determine if they can accommodate the additional services. \n\nNext, implement a plan to create a user interface for repository selection, ensuring that it allows users to authenticate and manage repositories seamlessly. Consider leveraging existing libraries or SDKs for each service to streamline the integration process. \n\nFinally, solicit feedback from users and developers to refine the functionality and address any potential issues that arise during the implementation phase.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/883",
@@ -10671,9 +11025,9 @@
"repository": 502,
"assignees": [],
"labels": [
- 71,
+ 91,
78,
- 91
+ 71
]
}
},
@@ -10686,6 +11040,7 @@
"node_id": "I_kwDOEAWEP86BTduO",
"title": "Provide translation for Demo Model Page",
"body": "**Describe what problem your feature request solves**:\r\nCurrently , In the [Select Demo Page] User can't access the Demo models name in any language other than English as shown below\r\n\r\n**Describe the solution you'd like**:\r\nFor Better User Experience the Demo models should also have used i18n \r\n\r\n**Additional context**:\r\n\r\n\r\n",
+ "summary": "Implement internationalization (i18n) for the Demo Model Page. \n\n1. Identify the current implementation of the Demo Model names that restricts access to English only.\n2. Analyze the existing codebase to locate where the Demo Model names are defined and rendered.\n3. Create a localization file that includes translations for the Demo Model names in multiple languages.\n4. Modify the rendering logic to pull the appropriate translation based on the user's selected language.\n5. Test the changes to ensure that the Demo Model names display correctly in different languages.\n6. Update the documentation to reflect the new i18n implementation.\n\nEnhance user experience by enabling multilingual support for Demo Model names.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/902",
@@ -10701,8 +11056,8 @@
"repository": 502,
"assignees": [],
"labels": [
- 71,
- 73
+ 73,
+ 71
]
}
},
@@ -10711,10 +11066,11 @@
"pk": 373,
"fields": {
"nest_created_at": "2024-09-11T20:09:44.344Z",
- "nest_updated_at": "2024-09-11T20:09:44.344Z",
+ "nest_updated_at": "2024-09-13T15:17:02.857Z",
"node_id": "I_kwDOEAWEP86BdDcU",
"title": "Conform to OCSF schema",
"body": "**Describe what problem your feature request solves**:\r\nThe Open Cybersecurity Schema Framework ([OCSF](https://schema.ocsf.io/1.1.0/)) provides categories to organize event classes, which can be consumed by various operational monitoring tools.\r\n\r\n**Describe the solution you'd like**:\r\nProvide fields in the threat that conform to OCSF schema [Vulnerability Details object](https://schema.ocsf.io/1.1.0/objects/vulnerability) which is part of the [Vulnerability Finding Class](https://schema.ocsf.io/1.1.0/classes/vulnerability_finding)\r\n\r\n**Additional context**:\r\n\r\n",
+ "summary": "Conform to the OCSF schema by implementing fields in the threat data that adhere to the OCSF Vulnerability Details object. This enhancement will enable better organization and categorization of event classes, facilitating integration with various operational monitoring tools.\n\n1. Review the OCSF schema documentation, specifically the [Vulnerability Details object](https://schema.ocsf.io/1.1.0/objects/vulnerability) and the [Vulnerability Finding Class](https://schema.ocsf.io/1.1.0/classes/vulnerability_finding).\n2. Identify the necessary fields from the Vulnerability Details object that need to be implemented in the existing threat data structure.\n3. Modify the data model to include these fields, ensuring compatibility with the OCSF schema.\n4. Test the changes to ensure that the new fields are correctly populated and formatted according to the OCSF specifications.\n5. Update documentation to reflect the new schema conformance and provide examples of the updated threat data structure.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/threat-dragon/issues/904",
@@ -10722,15 +11078,16 @@
"sequence_id": 2171877140,
"is_locked": false,
"lock_reason": "",
- "comments_count": 0,
+ "comments_count": 1,
"closed_at": null,
"created_at": "2024-03-06T16:08:53Z",
- "updated_at": "2024-03-06T16:08:54Z",
+ "updated_at": "2024-09-13T07:01:18Z",
"author": 43,
"repository": 502,
"assignees": [],
"labels": [
- 71
+ 71,
+ 1115
]
}
},
@@ -10743,6 +11100,7 @@
"node_id": "I_kwDOEAWEP86Bdofc",
"title": "Running threat dragon behind nginx",
"body": "**Describe the bug**:\r\nWhen deploying Threat Dragon to Kubernetes, I can't get the Github Oauth to work. I guess it could be a nginx config needed?\r\n\r\n**Expected behaviour**:\r\nLogin with Github Oauth should work behind a proxy.\r\n\r\n**Logs**:\r\n\r\n```\r\nerror: controllers/auth.js: {\"service\":\"threat-dragon\",\"timestamp\":\"2024-03-06 17:05:09\"}\r\nerror: Unexpected token ' in JSON at position 0 {\"service\":\"threat-dragon\",\"stack\":\"SyntaxError: Unexpected token ' in JSON at position 0\\n at JSON.parse (![\"Screenshot](\"https://user-images.githubusercontent.com/16836050/151833380-a2b12ff4-a7d6-41f0-b4c3-69de7a5e927d.png\")
\r\n\r\nThank You! \r\n",
+ "summary": "Investigate the issue of repeated security checks in Projects -> ASVS L1 -> Authentication Verification Requirements. Confirm whether this duplication is intentional or a result of an error. \n\n1. Review the code responsible for generating the ASVS L1 section to identify where checks are being added.\n2. Compare the entries to ensure they contain identical details and note any discrepancies.\n3. Check the database or data source to see if the duplication exists at the data level.\n4. If confirmed as an error, implement a fix by removing the duplicates.\n5. Test the application to ensure the changes do not affect other functionalities.\n6. Document the findings and the resolution process for future reference. \n\nEnsure to communicate with the team regarding the findings and possible implications on user experience or security.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-security-knowledge-framework/issues/12",
@@ -14879,6 +15383,7 @@
"node_id": "MDU6SXNzdWU5NzQ5MzM5MDU=",
"title": "Stable IDs for (sub-)Headlines of the Proactive Controles",
"body": "Hi \r\nI wonder if you could generate stable IDs for main headlines or even more detailed subtitles as far as you like, please. This could help anybody to get a stable link to the proactive controls (e.g. references from the OWASP Top 10).\r\nThe IDs should be strctured ID numbers (like in a table of contents). If possible these IDs should be usable as http-anchors to access them from other projects and documents. These IDs should stay stable within a version of the cheat sheets.\r\n\r\nPlease let me know if I can help you.\r\n\r\nThanks and Cheers\r\nTorsten",
+ "summary": "The issue discusses the need for stable IDs for main headlines and subtitles in the Proactive Controls documentation. The proposed IDs would facilitate stable linking and referencing, such as from the OWASP Top 10. The IDs should be structured like those in a table of contents and function as HTTP anchors for use in other projects and documents. It is suggested that these IDs remain stable within a version of the cheat sheets. Assistance is offered for this task. \n\nTo address this issue, consider implementing a structured ID system for the headlines and subtitles in the documentation.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-proactive-controls/issues/8",
@@ -14905,6 +15410,7 @@
"node_id": "I_kwDODGfyac6FDdEt",
"title": "Missing concept #2: Trust boundary ",
"body": "The second concept I'll advocate is trust boundaries. They are also a tremendously important part of \"most important areas of concern that software developers must be aware of. \"\r\n\r\nSuggested core text: \"Know what code is trusted to make security decisions, and why that code is resistant to attack by an attacker with a debugger or a proxy.\"",
+ "summary": "The issue discusses the need to include the concept of \"trust boundaries\" as a critical area of concern for software developers. It emphasizes the importance of understanding which code is trusted to make security decisions and the reasons behind its resilience against potential attacks, such as those using a debugger or proxy. It suggests incorporating this concept into the relevant documentation for better awareness and security practices. To address this, the documentation should be updated to include a clear explanation of trust boundaries and their significance in software security.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-proactive-controls/issues/33",
@@ -14929,10 +15435,11 @@
"pk": 523,
"fields": {
"nest_created_at": "2024-09-11T20:39:00.443Z",
- "nest_updated_at": "2024-09-11T20:39:00.443Z",
+ "nest_updated_at": "2024-09-13T04:14:20.834Z",
"node_id": "I_kwDODGfyac6FOTSq",
"title": "Missing concept: supply chain security",
"body": "Modern web development is most commonly done by composing an application from open-source dependencies. \r\n\r\nI suppose most of the supply chain mitigations are not proactive and that's why they're not here yet, but a proactive approach to supply-chain security is possible and emerging.\r\n\r\nSome aspects of Content-Security-Policy are relevant to this. Similarly, Node.js and Deno offer means to limit access to powerful APIs on the process level in case malicious code gets pulled into an app from dependencies.\r\n\r\nUsing tools that inject themselves early in the process and often don't rely on known vulnerability databases (eg. socket.dev) \r\n\r\nEven more proactively, runtime protections can be introduced - see LavaMoat\r\nIntroduction to the concepts:\r\nhttps://www.w3.org/2023/03/secure-the-web-forward/talks/hardened-supply-chain.html\r\n\r\nI'd be interested to contribute to this site if some guidance is provided.",
+ "summary": "The issue discusses the lack of attention to supply chain security in modern web development, where applications are often built using open-source dependencies. It highlights the need for a proactive approach to supply chain security, mentioning relevant tools and concepts such as Content-Security-Policy, Node.js, Deno, and runtime protections like LavaMoat. The author expresses interest in contributing to the project and seeks guidance on how to proceed. \n\nTo address this issue, it may be beneficial to outline specific steps or areas where contributions are needed related to supply chain security practices and tools.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-proactive-controls/issues/36",
@@ -14963,6 +15470,7 @@
"node_id": "I_kwDODGfyac6U_Y6l",
"title": "check v3 markdown files, move information to cheat sheet series and, remove them from the project",
"body": "we still have the doc/pdfs from the 2018/`v3` series stored. The markdown files in `v3/en` are not used by anything.\r\n\r\nCheck if some of the content from the v3 version could be moved to the owasp cheat sheet series. If so, move it there and remove the markdown files from this project.",
+ "summary": "The issue suggests reviewing the markdown files from the v3 series stored in `v3/en`, as they are not currently in use. It proposes transferring relevant content to the OWASP cheat sheet series and subsequently deleting the markdown files from the project. The next steps would involve checking the content for relevance and making the necessary updates.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-proactive-controls/issues/59",
@@ -14987,10 +15495,11 @@
"pk": 525,
"fields": {
"nest_created_at": "2024-09-11T20:39:09.782Z",
- "nest_updated_at": "2024-09-11T20:39:09.782Z",
+ "nest_updated_at": "2024-09-13T16:05:52.597Z",
"node_id": "I_kwDODGfyKs59hvQk",
"title": "SAMM ToolBox point to incorrect link",
"body": "In the file info.md, the \"SAMM Toolbox v2\" point to a broken Excel spread sheet : https://github.com/owaspsamm/core/releases/download/v2.0.3/SAMM_spreadsheet.xlsx\r\nThe correct ressource is located here : https://github.com/owaspsamm/core/releases/download/v2.0.8/SAMM_spreadsheet.xlsx\r\n",
+ "summary": "The issue reports that the link to the \"SAMM Toolbox v2\" in the info.md file directs to a broken Excel spreadsheet. The correct link to the spreadsheet is provided, which points to version 2.0.8 instead of the broken version 2.0.3. The necessary action involves updating the link in the info.md file to the correct resource.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-samm/issues/4",
@@ -15017,6 +15526,7 @@
"node_id": "I_kwDODGfx7M47bKJz",
"title": "Improve the test coverage",
"body": "Unit and integration tests should be written to make sure that the functionalities still work as expected. It would limit the possible regression issues caused by new development/refactorings, especially since there are several possible configuration permutations.\r\n\r\nDetailed manual testing scenarios, executions flows would be very helpful as well because it could also act as a documentation/functional requirements.",
+ "summary": "Improve test coverage by writing comprehensive unit and integration tests to ensure that all functionalities perform as expected. Focus on limiting regression issues that may arise from new developments or refactorings, especially given the various configuration permutations.\n\nStart by identifying critical functionalities and creating a list of test cases that cover different scenarios. Implement automated tests for both unit and integration levels, prioritizing areas with the highest risk of regression. \n\nAdditionally, document detailed manual testing scenarios and execution flows to serve as both functional requirements and a reference for future testing efforts. \n\nBegin by:\n1. Conducting a code review to identify untested areas.\n2. Creating a test plan that outlines key functionalities and configurations to be tested.\n3. Writing unit tests for individual components.\n4. Developing integration tests that simulate real-world usage with different configurations.\n5. Compiling manual testing documentation for comprehensive coverage.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-csrfguard/issues/24",
@@ -15032,9 +15542,9 @@
"repository": 958,
"assignees": [],
"labels": [
+ 128,
126,
- 127,
- 128
+ 127
]
}
},
@@ -15047,6 +15557,7 @@
"node_id": "I_kwDODGfx7M47bK1c",
"title": "Lots of copied code from the Grouper repository",
"body": "The following classes: \r\n* `org.owasp.csrfguard.config.overlay.ConfigPropertiesCascadeBase` ([original source code](https://github.com/Internet2/grouper/blob/master/grouper-misc/grouperActivemq/dist/bin/edu/internet2/middleware/grouperActivemq/config/ConfigPropertiesCascadeBase.java))\r\n* `org.owasp.csrfguard.config.overlay.ConfigPropertiesCascadeCommonUtils`\r\n* `org.owasp.csrfguard.config.overlay.ConfigPropertiesCascadeUtils`\r\n\r\nwere copied from the [Grouper](https://github.com/Internet2/grouper) repository. \r\n\r\n\r\nIt seems that only a few changes has been made:\r\n* Logging: although the code is commented out, so it's not relevant (`org.owasp.csrfguard.config.overlay.ConfigPropertiesCascadeBase#iLogger`)\r\n* Skipping the Expression Language (EL) related processing in `org.owasp.csrfguard.config.overlay.ConfigPropertiesCascadeBase#propertiesHelper`: again this is only relevant if there are keys with \".elConfig\" suffix\r\n* The following lines of code: \r\n \r\n ```java\r\n //InputStream inputStream = configFile.getConfigFileType().inputStream(configFile.getConfigFileTypeConfig(), this);\r\n try {\r\n //get the string and store it first (to see if it changes later)\r\n String configFileContents = configFile.retrieveContents(this);\r\n configFile.setContents(configFileContents);\r\n result.properties.load(new StringReader(configFileContents));\r\n ```\r\n in `org.owasp.csrfguard.config.overlay.ConfigPropertiesCascadeBase#retrieveFromConfigFiles` which seem to do the same as the original code.\r\n\r\nThe question is, **are these modifications really needed**? If not, the original code could be used as a maven dependency: \r\n```xml\r\n\r\n\r\nOriginally posted by **musaka872** March 27, 2024\r\nHi,\r\nI'm trying to integrate csrfguard 4.3.0 in our project. \r\nI've configured it to use per-session tokens and not per-page tokens. But when I receive the token in the response header it is returned as page token in this form `{pageTokens:{\"/page/uri\":\"csrf-token\"}}` and then when I send this token in a subsequent request csrfguard compares {pageTokens:{\"/page/uri\":\"csrf-token\"}} to \"csrf-token\" and it fails.\r\nI debugged CsrfGuardFilter and in handleSession method we have:\r\n```\r\nprivate void handleSession(final HttpServletRequest httpServletRequest, final InterceptRedirectResponse interceptRedirectResponse, final FilterChain filterChain,\r\n final LogicalSession logicalSession, final CsrfGuard csrfGuard) throws IOException, ServletException {\r\n\r\n final String logicalSessionKey = logicalSession.getKey();\r\n\r\n if (new CsrfValidator().isValid(httpServletRequest, interceptRedirectResponse)) {\r\n filterChain.doFilter(httpServletRequest, interceptRedirectResponse);\r\n } else {\r\n logInvalidRequest(httpServletRequest);\r\n }\r\n\r\n final String requestURI = httpServletRequest.getRequestURI();\r\n final String generatedToken = csrfGuard.getTokenService().generateTokensIfAbsent(logicalSessionKey, httpServletRequest.getMethod(), requestURI);\r\n\r\n CsrfGuardUtils.addResponseTokenHeader(csrfGuard, httpServletRequest, interceptRedirectResponse, new TokenTO(Collections.singletonMap(requestURI, generatedToken)));\r\n }\r\n```\r\nIn generateTokenIfAbsent it checks whether the per-page or master token should be generated and generates the correct master token. But then as you can see when TokenTO is created the master token is passed as per-page token and it is send as such in the response header.\r\n\r\nIs this a bug or I'm missing something?\r\n\r\nI don't want to parse the response header to retrieve the \"csrf-token\" that csrfguard returns.\r\n\r\nBest regards,\r\nMartin
",
+ "summary": "Investigate the issue of CSRF token being incorrectly returned as a page token in csrfguard 4.3.0. Confirm that the configuration is set to use per-session tokens, and verify the response header format, which currently appears as `{pageTokens:{\"/page/uri\":\"csrf-token\"}}`. \n\nDebug the `CsrfGuardFilter` class, specifically the `handleSession` method. Observe that the method generates a token using `generateTokensIfAbsent`, which correctly identifies whether to create a master or page token. However, the `TokenTO` constructor incorrectly passes the master token as a per-page token, leading to a mismatch during validation.\n\nAddress the following steps to resolve the issue:\n\n1. Review the implementation of `generateTokensIfAbsent` to ensure it handles master tokens properly.\n2. Modify the `TokenTO` instantiation to correctly identify and pass the generated master token instead of treating it as a page token.\n3. Test the changes to confirm that the response header now reflects the correct token type and that subsequent requests validate successfully. \n\nIf necessary, consult additional documentation on csrfguard or seek input from the community discussion linked in the original issue for further clarification on intended behavior.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-csrfguard/issues/262",
@@ -15180,8 +15695,8 @@
"repository": 958,
"assignees": [],
"labels": [
- 127,
- 130
+ 130,
+ 127
]
}
},
@@ -15190,10 +15705,11 @@
"pk": 532,
"fields": {
"nest_created_at": "2024-09-11T20:39:29.358Z",
- "nest_updated_at": "2024-09-11T20:39:29.358Z",
+ "nest_updated_at": "2024-09-13T16:05:58.377Z",
"node_id": "I_kwDODGfx7M6V-OuV",
"title": "The isValidUrl method in csrfguard.js uses an insecure string-matching technique",
"body": "We had run a scan after upgrading csrfguard library to version 4.3.0 and found below vulnerability with severity 5.4 .\r\nIt also reported that there is no non-vulnerable version of this component.\r\n\r\n**Explanation**\r\nThe csrfguard package is vulnerable to Cross-Site Request Forgery (CSRF). The isValidUrl method in csrfguard.js uses an insecure string-matching technique. Consequently, an attacker could exploit this vulnerability to cause tokens to leak in links to external (attacker-controlled) domains.\r\n\r\n**Version Affected**\r\n[3.1.0,4.4.0]\r\n\r\n**CVSS Details**\r\nSonatype CVSS 3 : 5.4\r\nCVSS Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
+ "summary": "Identify and address the vulnerability in the `isValidUrl` method in `csrfguard.js`. This method utilizes an insecure string-matching technique leading to a Cross-Site Request Forgery (CSRF) vulnerability. The vulnerability allows attackers to exploit the method, potentially leaking tokens via links to external, attacker-controlled domains.\n\n**Affected Versions**: 3.1.0 to 4.4.0.\n**Severity**: CVSS score of 5.4.\n\n**First Steps**:\n1. Review the implementation of the `isValidUrl` method for potential flaws in string matching.\n2. Replace the current string-matching logic with a more secure method, such as using regular expressions or a URL parsing library to validate URLs against a whitelist.\n3. Conduct thorough testing to ensure the new implementation effectively mitigates CSRF attacks without introducing new vulnerabilities.\n4. Run security scans post-implementation to confirm the vulnerability is resolved before deploying the updated library.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-csrfguard/issues/299",
@@ -15216,10 +15732,11 @@
"pk": 533,
"fields": {
"nest_created_at": "2024-09-11T20:39:33.539Z",
- "nest_updated_at": "2024-09-11T20:39:33.539Z",
+ "nest_updated_at": "2024-09-13T04:14:37.188Z",
"node_id": "MDU6SXNzdWU1Nzc0OTI2NjQ=",
"title": "Link to the Official CS Website",
"body": "In order to maintain a live updated website, the official website will be the following: https://cheatsheetseries.owasp.org/\r\nCheat sheets will be added in here as ToCs in order to allow for people to link to them if need be.\r\n\r\nThis could be amended once an easy way is created to properly push the live changes from the main repository to the `www` repository of the cheatsheets.",
+ "summary": "The issue discusses the need to link to the official CS website at https://cheatsheetseries.owasp.org/ for maintaining a live updated resource. It suggests that cheat sheets should be added as Table of Contents (ToCs) to facilitate easy linking. Additionally, it mentions that this approach may be revised once a more efficient method for pushing live changes from the main repository to the `www` repository is established. To address this, exploring automation or a streamlined process for updates could be beneficial.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-cheat-sheets/issues/16",
@@ -15246,6 +15763,7 @@
"node_id": "I_kwDODGfxq85wCTBV",
"title": "Typo on repo description",
"body": "Hi there, \r\n\r\nI found a typo on repo description. It's written as `Respository` while it should be `Repository`.\r\n\r\n",
+ "summary": "Correct the typo in the repository description. Change `Respository` to `Repository`. \n\n**Technical Steps:**\n1. Navigate to the repository settings on GitHub.\n2. Locate the section for editing the repository description.\n3. Update the description text to fix the typo.\n4. Save the changes to update the repository description. \n\nVerify that the change is reflected in the repository overview after saving.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-webgoat/issues/8",
@@ -15268,10 +15786,11 @@
"pk": 535,
"fields": {
"nest_created_at": "2024-09-11T20:39:38.591Z",
- "nest_updated_at": "2024-09-11T20:39:38.591Z",
+ "nest_updated_at": "2024-09-13T16:06:05.179Z",
"node_id": "I_kwDODGfxq854eFXk",
"title": "There is no space on the left side.",
"body": "\r\n\r\n\r\nOn the left side there should be some space or padding , it will look good.\r\n",
+ "summary": "Add padding or margin to the left side of the layout. Ensure that the design appears balanced and visually appealing by introducing appropriate spacing. \n\n1. Identify the CSS class or element responsible for the left side layout.\n2. Modify the CSS properties by adding a `padding-left` or `margin-left` value to create the desired space.\n3. Test the changes across various screen sizes to maintain responsiveness.\n4. Review the design in different browsers to ensure consistency. \n\nImplement these steps to enhance the user interface.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-webgoat/issues/9",
@@ -15298,6 +15817,7 @@
"node_id": "MDU6SXNzdWU2ODg1OTAwNjY=",
"title": "Broken links in reviewing-code-for-cross-site-request-forgery-issues.md",
"body": "All of the links in www-project-code-review-guide/pages/reviewing-code-for-cross-site-request-forgery-issues.md are broken. I will submit a pull request to fix the ones that I can find/correct.",
+ "summary": "The issue reports that all links in the document \"reviewing-code-for-cross-site-request-forgery-issues.md\" are broken. A pull request is planned to address and correct the faulty links. To resolve this, identifying and fixing the broken links in the document is necessary.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-code-review-guide/issues/1",
@@ -15324,6 +15844,7 @@
"node_id": "I_kwDODGfxjM48fkhM",
"title": "Investigate unknown/unclear sources for information presented in previous Guide 2017",
"body": "In the previous guide (2017), which can be found here https://owasp.org/www-project-code-review-guide/assets/OWASP_Code_Review_Guide_v2.pdf, are several graphs and very interesting statements and facts that do not have proper attribution of source. \r\n\r\nFor example, in Figure 1, a survey result that is only very briefly mentioned is depict. The quality of this source, and its legitimacy needs to be investigated. Based on what the investigation finds, we either will keep, remove or update the information for the upcoming version of the guide.\r\n\r\n\r\n\r\n\r\nInformation and statements that are hard to judge given the information in the guide can be found throughout. Each one of those has to be investigated and evaluated for future-fit in the updated/new guide.\r\n\r\nEach piece of information that needs to be investigated and evaluated should probably become its own issue. This issue can serve as a \"parent\" issue. ",
+ "summary": "The issue highlights the need to investigate and verify the sources of information presented in the 2017 Code Review Guide, particularly regarding graphs and statements that lack proper attribution. The legitimacy of these sources must be examined to determine whether the information should be retained, removed, or updated in the upcoming version of the guide. It suggests that each specific piece of information requiring investigation should be documented as a separate issue, with this issue serving as a parent for those discussions. A thorough review of the guide's content is necessary for its future update.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-code-review-guide/issues/4",
@@ -15350,6 +15871,7 @@
"node_id": "I_kwDODGfxjM49hm0C",
"title": "Add readme file for potential contributors",
"body": "Add a readme that explains \r\n\r\n- the purpose and goal of the guide\r\n- the current state it is in\r\n- how to contribute to the project.\r\n\r\nWe also have to make sure the readme is not part of the deployment process.",
+ "summary": "The issue requests the addition of a README file aimed at potential contributors. The README should outline the purpose and goals of the guide, describe the current state of the project, and provide instructions on how to contribute. Additionally, it is important to ensure that the README is excluded from the deployment process.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-code-review-guide/issues/5",
@@ -15372,10 +15894,11 @@
"pk": 539,
"fields": {
"nest_created_at": "2024-09-11T20:39:45.457Z",
- "nest_updated_at": "2024-09-11T20:39:45.457Z",
+ "nest_updated_at": "2024-09-13T04:14:44.616Z",
"node_id": "I_kwDODGfxjM49nWdQ",
"title": "Create discussable outline from code review guide 2.0",
"body": "Create a markdown document that covers the outline of the secure code review guide 2.0, and also has a discussion and decision section for each chapter/section/part. \r\n\r\nThis should guide our discussion on what to keep, adjust and remove from the 2.0 to the 3.0 version. ",
+ "summary": "The issue requests the creation of a markdown document that outlines the secure code review guide 2.0. It should include a discussion and decision section for each chapter, section, or part, facilitating a comprehensive review of what elements to retain, modify, or discard as the guide transitions from version 2.0 to version 3.0. The next step involves developing the markdown document based on these specifications.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-code-review-guide/issues/7",
@@ -15404,6 +15927,7 @@
"node_id": "MDU6SXNzdWU2MDcyMTE3NTU=",
"title": "Mobile should be a high priority",
"body": "The previous layout was much better in mobile.",
+ "summary": "The issue highlights that the current mobile layout is not satisfactory and suggests that the previous version was more effective. It indicates that improving the mobile layout should be a high priority. A review and potential redesign of the mobile interface may be necessary to enhance user experience.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-top-ten/issues/15",
@@ -15432,6 +15956,7 @@
"node_id": "MDU6SXNzdWU2MjY4ODA4NzY=",
"title": "Add back content for 2013 and 2010 Top 10 Risks",
"body": "Apologies if this has already been discussed during your meetings, but we would find it super valuable to have pages for the older 2010 and 2013 Top 10 vulnerabilities. Our particular use case is that we link to the OWASP pages in our vulnerability reports, and we still find linking to _OWASP TOP 10 2013: Cross-site Request Forgery - CSRF_ useful for our readers. There is also an interest in preserving those pages from a historical perspective, as a lot of good content existed prior to the migration to Jekyll.\r\n\r\nWe totally recognize that OWASP isn't interested in maintaining these older pages (Especially with the 2020 version on the horizon) but I think that could easily be mitigated by making it clear that they've been superseded by the latest version on the pages themselves.\r\n\r\nWe also recognize that the PDF archives still exist (Although not easily found or accessible via the website at this time), but the PDFs are fairly large and heavyweight to serve as a quick reference.\r\n\r\nIf the team is not philosophically opposed to the 2013/2010 content, we might be able to spend the time in creating a PR to get it back on the site.",
+ "summary": "The issue highlights the need for restoring the content related to the 2010 and 2013 Top 10 vulnerabilities on the site. The requester emphasizes the value of these pages for linking in vulnerability reports and preserving historical content, despite the OWASP's focus on newer versions. They acknowledge the existence of PDF archives but note their inaccessibility and size as limitations for quick reference. The suggestion is made that if the team is amenable to this idea, they could potentially create a pull request to reinstate the content. It would be beneficial to clarify that the older versions have been superseded by newer ones if implemented.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-top-ten/issues/21",
@@ -15462,6 +15987,7 @@
"node_id": "MDU6SXNzdWU3ODg3MDI4ODc=",
"title": "Statistical data for OWASP 2021",
"body": "https://lab.wallarm.com/owasp-top-10-2021-proposal-based-on-a-statistical-data/\r\n\r\nPlease consider reusing this data:\r\n#OWASP | Top-10 2021 | Vulners search query | Avg. CVSS | # of bulletins | Overall score\r\n-- | -- | -- | -- | -- | --\r\nA1 | Injections | injection OR traversal OR lfi OR “os command” OR SSTI OR RCE OR “remote code” | 4.83 | 34061 | 164514.63\r\nA2 | Broken Authentication | authentication | 4.08 | 13735 | 56038.8\r\nA3 | Cross-Site Scripting (XSS) | xss | 0.1 | 433353 | 43335.3\r\nA4 | Sensitive Data Exposure | sensitive AND data | 3.55 | 5990 | 21264.5\r\nA5 | Insecure Deserialization | XXE OR deserialize OR deserialization OR “external entities” | 5.33 | 2985 | 15910.05\r\nA6 | Broken Access Control | access control | 0.72 | 16967 | 12216.24\r\nA7 | Insufficient Logging & Monitoring | logging | 3.35 | 2309 | 7735.15\r\nA8 | Server Side Request Forgery (SSRF) | SSRF OR “server side request forgery” | 3.8 | 1139 | 4328.2\r\nA9 | Known Vulnerabilities | type:cve and (http OR web OR html) | 5.38 | 376 | 2022.88\r\nA10 | Security Misconfiguration | misconfiguration OR misconfigure OR misconfig | 2.27 | 480 | 1089.6\r\n\r\n",
+ "summary": "The issue discusses the potential reuse of statistical data related to the OWASP Top 10 vulnerabilities for 2021. A summary table is provided, which includes details such as average CVSS scores, the number of bulletins for each category, and overall scores for various vulnerabilities, including Injections, Broken Authentication, and Cross-Site Scripting. \n\nTo proceed, it is suggested to consider how this data can be integrated or leveraged in the current project or documentation to enhance understanding or improve security measures.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-top-ten/issues/31",
@@ -15488,6 +16014,7 @@
"node_id": "MDU6SXNzdWU3OTU1NTM2ODg=",
"title": "Updates",
"body": "It is important to emphasize the updates to new methods, new API's, new versions or fetures. \r\n",
+ "summary": "The issue highlights the need to emphasize updates related to new methods, APIs, versions, or features within the project. To address this, it may be necessary to create a clear documentation or communication strategy that outlines these updates effectively.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-top-ten/issues/32",
@@ -15514,6 +16041,7 @@
"node_id": "MDU6SXNzdWU5MzY0ODUzNTg=",
"title": "Minor erros and missing pages on \"A10:2017-Insufficient Logging & Monitoring\" page",
"body": "As it uses the & character, the name of the file for the page is `A10_2017-Insufficient_Logging%26Monitoring.md`, but when you are ON the page, the `view on github` link seems to be broken (404).\r\n\r\nThe correct URL (Found on the project main page) is `https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring`.\r\n\r\nThe second issue is the `https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN&` link on `average of 191 days` on the same page. The link leads us to a \"Deleted or moved\" page. As the information about the amount itself is not wrong, it's from 2016, therefore, I believe it's not up to date with the Ponemon institute.\r\n\r\n(Sorry if I posted this in the worng place)",
+ "summary": "The issue reports minor errors and missing pages on the \"A10:2017-Insufficient Logging & Monitoring\" page. The file name for the page is incorrectly formatted, leading to a broken \"view on GitHub\" link (404 error). The correct URL is noted. Additionally, a link to an IBM resource regarding the \"average of 191 days\" is broken, as it leads to a deleted or moved page, and the information is outdated. To resolve these issues, the file name and links need to be corrected and updated.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-top-ten/issues/38",
@@ -15540,6 +16068,7 @@
"node_id": "I_kwDODGfxcc4-Z73Z",
"title": "Comment about A4 on the T10 hompage",
"body": "Page: https://owasp.org/Top10/\r\n\r\nThis sentence under A4 does not make total sense to me, can you help me understand it?\r\n\r\n_An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks._\r\n\r\nI think a little cleanup here would be prudent.\r\n\r\nRespectfully, Jim",
+ "summary": "The issue highlights a sentence under A4 on the OWASP Top 10 homepage that is unclear and potentially confusing. The commenter suggests that the phrasing could benefit from clarification to enhance understanding. A revision of the wording may be necessary to improve its clarity and effectiveness.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-top-ten/issues/46",
@@ -15566,6 +16095,7 @@
"node_id": "I_kwDODGfxcc5K3jv-",
"title": "Portuguese language change produces missing image",
"body": "From a JIRA ticket: \r\n\r\nIf you go to https://owasp.org/Top10/A00_2021_Introduction/ then change the language setting to Português (Brasil) then you can see the image is not showing. There is error 404 for the image. Please fix as soon as possible.",
+ "summary": "The issue reports that changing the language setting to Português (Brasil) on the specified OWASP page results in a missing image, leading to a 404 error. To resolve this, the missing image needs to be addressed to ensure it displays correctly in the Portuguese version.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-top-ten/issues/48",
@@ -15590,10 +16120,11 @@
"pk": 547,
"fields": {
"nest_created_at": "2024-09-11T20:39:57.653Z",
- "nest_updated_at": "2024-09-11T20:39:57.653Z",
+ "nest_updated_at": "2024-09-13T04:14:50.707Z",
"node_id": "I_kwDODGfxcc5RqCR6",
"title": "Informe sobre sistemas\nBy tkmx_nc_tkmx ",
"body": "Un pequeño informe sobre las vulnerabilidades ,ataques y puertas traceras sobre un sistema ",
+ "summary": "The issue discusses the need for a brief report on vulnerabilities, attacks, and backdoors in a system. It suggests a focus on identifying and outlining these security concerns. To address this, it may be beneficial to research and compile relevant information on various types of vulnerabilities and potential threats to system integrity.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-top-ten/issues/50",
@@ -15620,6 +16151,7 @@
"node_id": "I_kwDODGfvrc5khoNz",
"title": "fix: merge review from @robvanderveer",
"body": "the following is an initial review taken from Slack logs: https://owasp.slack.com/archives/C04PESBUWRZ/p1677192099712519\r\n\r\nby @robvanderveer\r\n\r\n\r\n---\r\nDear all,\r\nI did a first scan through the list to mainly look at taxonomy. Here are my remarks.\r\n1.\r\nML01\r\nIn 'literature' the term ‘adversarial’ is often used for input manipulation attacks, but also for data poisoning, model extraction etc. Therefore in order to avoid confusion it is probably better to rename the ML01 adversarial attack entry to input manipulation?\r\n2.\r\nIt is worth considering to add ‘model evasion’ aka black box input manipulation to your top 10? Or do you prefer to have one entry for input manipulation all together?\r\n3.\r\nML03\r\nIt is not clear to me how scenarios 1 and 2 work. I must be missing something. Usually model inversion is explained by manipulating synthesized faces until the algorithm behaves like it recognizes the face.\r\n4\r\nML04\r\nIt is not clear to me how scenario 1 works.\r\nStandard methods against overtraining are missing form the ‘how to prevent’ part. Instead the advice is to reduce the training set size - which typically increases the overfitting problem.\r\n5\r\nML05\r\nModel stealing describes a scenario where an attacker steals model parameters, but generally this attack takes place by ways of black box: gathering input-output pairs and training a new model on it.\r\n6\r\nML07\r\nI don’t understand exactly how the presented scenario should work. I do know about the scenario where a pre-trained model was obtained that has been altered by an attacker. This matches the description.\r\n7\r\nML08\r\nIsn’t model skewing the same as data poisoning? If there’s a difference, to me they are not apparent from the scenario and description.\r\n8\r\nML10 is called Neural net reprogramming but I guess the attack of changing parameters will work on any type of algorithm - not just neural networks. The description also mentions changing the training data, but perhaps that is better left out to avoid confusion with data poisoning?",
+ "summary": "The issue addresses a review of the taxonomy related to machine learning attack types. Key points for consideration include:\n\n1. Renaming the \"adversarial attack\" entry to \"input manipulation\" to reduce confusion.\n2. The potential addition of \"model evasion\" to the top 10 list.\n3. Clarification needed on specific scenarios related to model inversion and overfitting.\n4. The distinction between model stealing and black box attacks should be elaborated.\n5. Confusion over the definitions of model skewing and data poisoning.\n6. Reassessing the terminology used in ML10 to ensure it applies broadly across algorithms.\n\nTo resolve these points, a thorough review and clarification of the taxonomy entries, scenarios, and descriptions are necessary.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/2",
@@ -15652,6 +16184,7 @@
"node_id": "I_kwDODGfvrc5sUuDt",
"title": "feat(docs): create page on calculating severity",
"body": "Each of the Top 10 items are scored according to [OWASP's Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology). There should be a page defining how to use the ratings to provide a severity score. This will assist practitioners in knowing 'what to fix' and 'when'.",
+ "summary": "The issue proposes creating a documentation page that explains how to calculate severity scores based on OWASP's Risk Rating Methodology for the Top 10 items. This resource aims to guide practitioners on prioritizing what needs to be fixed and when. To address this, a detailed page that outlines the rating process and its application should be developed.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/15",
@@ -15669,9 +16202,9 @@
238
],
"labels": [
+ 136,
134,
- 135,
- 136
+ 135
]
}
},
@@ -15684,6 +16217,7 @@
"node_id": "I_kwDODGfvrc5sc_TG",
"title": "fix: merge existing body of work from EthicalML https://ethical.institute",
"body": "### Type\n\nDocumentation Issue Report\n\n### What would you like to report?\n\nThere is a comprehensive existing body of work at: https://ethical.institute\r\n\r\nThe intent would be to review the [current Top 10 list in this project](https://owasp.org/www-project-machine-learning-security-top-10/) and:\r\n- merge content where appropriate\r\n- create new content missing \r\n- suggest improvements for areas/scope not curently covered\n\n### Code of Conduct\n\n- [X] I agree to follow this project's Code of Conduct",
+ "summary": "The issue reports a need to merge existing documentation from EthicalML at https://ethical.institute with the current Top 10 list in the project linked. The tasks suggested include merging relevant content, creating new content where it is lacking, and proposing improvements for areas that are currently not covered.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/30",
@@ -15698,12 +16232,12 @@
"author": 238,
"repository": 981,
"assignees": [
- 238,
- 240
+ 240,
+ 238
],
"labels": [
- 132,
- 137
+ 137,
+ 132
]
}
},
@@ -15716,6 +16250,7 @@
"node_id": "I_kwDODGfvrc5ucL4j",
"title": "[Fortnightly] Working Group Meeting - 2023-Aug-17",
"body": "* Date: [Thursday, August 17 at 0500 UTC](https://dateful.com/convert/utc?t=5am&d=2023-08-02)\r\n* Previous agenda: #42 \r\n\r\n## Current agenda\r\n\r\n1. General project status - [v0.2 milestone complete](https://github.com/OWASP/www-project-machine-learning-security-top-10/releases/tag/v0.2)\r\n2. Contributions and [current help wanted](https://github.com/OWASP/www-project-machine-learning-security-top-10/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)\r\n3. Introductions (for new contributors)\r\n\r\n## Discussions\r\n\r\n* [Join the OWASP Slack group](https://owasp.org/slack/invite) and the [#project-mlsec-top-10 channel](https://owasp.slack.com/archives/C04PESBUWRZ)\r\n* [Github Discussions](https://github.com/OWASP/www-project-machine-learning-security-top-10/discussions)\r\n\r\n## Calendar Event\r\n[Download calendar event (ICS)](https://calendar.google.com/calendar/ical/c_f818ec1e3dea1d4c80cb0f872566eccb82c5df9cc1161f3077f93eafc47889dc%40group.calendar.google.com/public/basic.ics)",
+ "summary": "A working group meeting is scheduled for August 17 at 0500 UTC. The agenda includes updates on the project's general status, confirming the completion of the v0.2 milestone, discussing current contributions and help needed, and introducing new contributors. Participants are encouraged to join the OWASP Slack group and the relevant channel, as well as engage in GitHub Discussions. To stay organized, a calendar event is available for download. Further action includes reviewing the contributions and help wanted sections to identify areas for involvement.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/63",
@@ -15746,6 +16281,7 @@
"node_id": "I_kwDODGfvrc5vN6es",
"title": "feat(rendering): make PDF output from Markdown files more presentable",
"body": "The Top 10 list is being rendered using Markdown at https://mltop10.info\r\n\r\nThe site is being rendered using [Quarto](https://quarto.org) and the files from https://github.com/OWASP/www-project-machine-learning-security-top-10/tree/master/docs are mirrored to https://github.com/mltop10-info/mltop10.info\r\n\r\nCurrently a manual process is run for the https://github.com/mltop10-info/mltop10.info locally to render the HTML and PDF outputs which are stored in https://github.com/mltop10-info/mltop10.info/tree/main/docs and used by Github Pages.\r\n\r\nThe rendering for PDF is currently using the default method of LaTeX - example at: https://github.com/mltop10-info/mltop10.info/blob/main/docs/OWASP-Machine-Learning-Security-Top-10.pdf\r\n\r\nQuarto has a lot of formatting options for generating PDF and this needs to be explored to make the PDF and ePUB formats look more presentable.",
+ "summary": "The issue highlights the need to enhance the presentation of PDF outputs generated from Markdown files for a website that lists the Top 10 machine learning security concerns. The current PDF rendering relies on LaTeX's default settings, which are not optimal. It is suggested to explore Quarto's various formatting options to improve the appearance of the PDF and ePUB formats. This involves reviewing and possibly updating the rendering process to utilize these formatting capabilities more effectively.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/99",
@@ -15763,9 +16299,9 @@
238
],
"labels": [
+ 136,
134,
- 135,
- 136
+ 135
]
}
},
@@ -15778,6 +16314,7 @@
"node_id": "I_kwDODGfvrc5vvtvV",
"title": "[Fortnightly] Working Group Meeting - 2023-Aug-31",
"body": "## Current agenda\r\n\r\n1. General project status [v0.3 - in progress](https://github.com/OWASP/www-project-machine-learning-security-top-10/milestone/3)\r\n2. Contributions and [current help wanted](https://github.com/OWASP/www-project-machine-learning-security-top-10/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)\r\n3. Introductions (for new contributors)\r\n\r\n## Discussions\r\n\r\n* [Join the OWASP Slack group](https://owasp.org/slack/invite) and the [#project-mlsec-top-10 channel](https://owasp.slack.com/archives/C04PESBUWRZ)\r\n* [Github Discussions](https://github.com/OWASP/www-project-machine-learning-security-top-10/discussions)\r\n\r\n## Calendar Event\r\n[Download calendar event (ICS)](https://calendar.google.com/calendar/ical/c_f818ec1e3dea1d4c80cb0f872566eccb82c5df9cc1161f3077f93eafc47889dc%40group.calendar.google.com/public/basic.ics)",
+ "summary": "The GitHub issue outlines the agenda for the upcoming working group meeting scheduled for August 31, 2023. Key points include the current status of the project (version 0.3), ongoing contributions, and a welcome for new contributors. Additionally, it encourages joining the OWASP Slack group and engaging in GitHub Discussions. To prepare for the meeting, contributors should check for open issues labeled \"help wanted\" and consider participating in the discussions to enhance collaboration.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/102",
@@ -15808,6 +16345,7 @@
"node_id": "I_kwDODGfvrc5wjpZK",
"title": "Model stealing through interaction is not mentioned",
"body": "The current model stealing only describes the model being stolen through parameters, but the model can also be stolen by presenting inputs, capturing the output and using those combinations to train your own model. See AI guide",
+ "summary": "The issue highlights a gap in the documentation regarding model stealing techniques. It points out that the existing description focuses solely on parameter theft, neglecting the method of stealing a model by interacting with it—specifically by submitting inputs and capturing outputs to train a new model. To address this, the documentation should be updated to include information on this interaction-based model stealing approach.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/113",
@@ -15838,6 +16376,7 @@
"node_id": "I_kwDODGfvrc5w8-kb",
"title": "[Fortnightly] Working Group Meeting - 2023-Sep-14",
"body": "## Current agenda\r\n\r\n1. General project status [v0.3 - in progress](https://github.com/OWASP/www-project-machine-learning-security-top-10/milestone/3)\r\n2. Notable PRs completed since last meeting:\r\n - #104 \r\n - #110 \r\n3. Notable discussions:\r\n - #107\r\n - #108\r\n - #109\r\n 4. Meetings:\r\n - WG meeting will change forward a few hours to accomodate EU morning time zones\r\n5. Contributions and [current help wanted](https://github.com/OWASP/www-project-machine-learning-security-top-10/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)\r\n6. Introductions (for new contributors)\r\n\r\n## Discussions\r\n\r\n* [Join the OWASP Slack group](https://owasp.org/slack/invite) and the [#project-mlsec-top-10 channel](https://owasp.slack.com/archives/C04PESBUWRZ)\r\n* [Github Discussions](https://github.com/OWASP/www-project-machine-learning-security-top-10/discussions)\r\n\r\n## Calendar Event\r\n[Download calendar event (ICS)](https://calendar.google.com/calendar/ical/c_f818ec1e3dea1d4c80cb0f872566eccb82c5df9cc1161f3077f93eafc47889dc%40group.calendar.google.com/public/basic.ics)",
+ "summary": "The issue discusses the agenda for a working group meeting, highlighting the current project status (v0.3 in progress), notable pull requests completed since the last meeting, and key discussions. It mentions the scheduling of future meetings to accommodate EU time zones and encourages contributions, with a link to current help wanted issues. New contributors are welcomed, and it promotes joining the OWASP Slack group and participating in GitHub Discussions. \n\nTo move forward, participants should review the project status and notable discussions, and consider contributing to the identified open issues.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/114",
@@ -15869,6 +16408,7 @@
"node_id": "I_kwDODGfvrc51QqDw",
"title": "feat(docs): create guide for how to use Top 10 list as a ML Engineer",
"body": "Reference https://github.com/OWASP/www-project-machine-learning-security-top-10/blob/master/GUIDELINES.md#ml-engineeranalyst \r\n\r\n- [ ] Create a detailed guidelines document for how to use the information in the Top 10 list for use day to day",
+ "summary": "The issue suggests creating a comprehensive guidelines document for Machine Learning Engineers on how to effectively utilize the Top 10 list in their daily work. This document should draw references from existing materials and provide clear instructions or best practices. The task involves outlining practical applications of the Top 10 list in the context of machine learning security.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/130",
@@ -15884,9 +16424,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 139
+ 139,
+ 135
]
}
},
@@ -15899,6 +16439,7 @@
"node_id": "I_kwDODGfvrc51QrtJ",
"title": "feat(docs): create guide for how to use Top 10 list as a AppSec Engineer",
"body": "Reference https://github.com/OWASP/www-project-machine-learning-security-top-10/blob/master/GUIDELINES.md#pentestersecurity-engineer\r\n\r\n- [ ] Create a detailed guidelines document for how to use the information in the Top 10 list for use day to day",
+ "summary": "The issue requests the creation of a detailed guidelines document aimed at assisting AppSec Engineers in utilizing the Top 10 list effectively in their daily work. It references existing documentation for context. The task involves outlining practical applications and recommendations based on the Top 10 list.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/131",
@@ -15914,9 +16455,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 139
+ 139,
+ 135
]
}
},
@@ -15929,6 +16470,7 @@
"node_id": "I_kwDODGfvrc51QsL5",
"title": "feat(docs): create guide for how to use Top 10 list as a CISO",
"body": "Reference https://github.com/OWASP/www-project-machine-learning-security-top-10/blob/master/GUIDELINES.md#ciso\r\n\r\n- [ ] Create a detailed guidelines document for how to use the information in the Top 10 list for use day to day",
+ "summary": "The issue proposes the creation of a detailed guidelines document aimed at helping users understand how to effectively utilize the Top 10 list in their daily activities as a Chief Information Security Officer (CISO). It references existing guidelines and emphasizes the need for a comprehensive resource. To address this, the task involves developing a structured document that outlines practical applications of the Top 10 list in the CISO's workflow.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/132",
@@ -15944,9 +16486,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 139
+ 139,
+ 135
]
}
},
@@ -15959,6 +16501,7 @@
"node_id": "I_kwDODGfvrc51QsbP",
"title": "feat(docs): create guide for how to use Top 10 list as a Developer",
"body": "Reference https://github.com/OWASP/www-project-machine-learning-security-top-10/blob/master/GUIDELINES.md#developers\r\n\r\n- [ ] Create a detailed guidelines document for how to use the information in the Top 10 list for use day to day",
+ "summary": "The issue proposes the creation of a detailed guidelines document to help developers effectively utilize the Top 10 list. It references existing guidelines and emphasizes the need for practical, daily use instructions. The task involves drafting comprehensive documentation that outlines this usage.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/133",
@@ -15974,9 +16517,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 139
+ 139,
+ 135
]
}
},
@@ -15989,6 +16532,7 @@
"node_id": "I_kwDODGfvrc51Qswv",
"title": "feat(docs): create guide for how to use Top 10 list as an MLOps Engineer",
"body": "Reference https://github.com/OWASP/www-project-machine-learning-security-top-10/blob/master/GUIDELINES.md#mlops\r\n\r\n- [ ] Create a detailed guidelines document for how to use the information in the Top 10 list for use day to day",
+ "summary": "The issue requests the creation of a comprehensive guidelines document aimed at MLOps Engineers, detailing how to effectively utilize the Top 10 list in their daily operations. It references existing documentation for context. To address this, a structured and informative guide needs to be developed.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/134",
@@ -16004,9 +16548,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 139
+ 139,
+ 135
]
}
},
@@ -16019,6 +16563,7 @@
"node_id": "I_kwDODGfvrc51QtFx",
"title": "feat(docs): create guide for how to use Top 10 list as a Data Engineer",
"body": "Reference https://github.com/OWASP/www-project-machine-learning-security-top-10/blob/master/GUIDELINES.md#data-engineer\r\n\r\n- [ ] Create a detailed guidelines document for how to use the information in the Top 10 list for use day to day",
+ "summary": "The issue requests the creation of a comprehensive guidelines document aimed at Data Engineers, detailing how to effectively utilize the information provided in the Top 10 list. The guidelines should enhance daily operations and integrate the insights into routine practices. To address this, a structured document outlining practical applications and best practices is needed.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/135",
@@ -16034,9 +16579,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 139
+ 139,
+ 135
]
}
},
@@ -16049,6 +16594,7 @@
"node_id": "I_kwDODGfvrc51QyzM",
"title": "feat(docs): create a recorded demo of ML01 Input Manipulation Attack",
"body": "- [ ] Create a recorded video demo (no audio)\r\n\r\nVideo will be uploaded to [OWASP Youtube Channel](https://www.youtube.com/@owasp-mltop10)\r\n",
+ "summary": "A request has been made to create a recorded video demonstration of the ML01 Input Manipulation Attack, which should be without audio. The completed video will be uploaded to the OWASP YouTube Channel. To proceed, the video needs to be recorded and prepared for upload.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/136",
@@ -16066,9 +16612,9 @@
239
],
"labels": [
- 135,
136,
- 140
+ 140,
+ 135
]
}
},
@@ -16081,6 +16627,7 @@
"node_id": "I_kwDODGfvrc51Qz2Z",
"title": "feat(docs): create a recorded demo of ML02 Data Poisoning Attack",
"body": "- [ ] Create a recorded video demo (no audio)\n\nVideo will be uploaded to [OWASP Youtube Channel](https://www.youtube.com/@owasp-mltop10)",
+ "summary": "A request has been made to create a recorded video demo of the ML02 Data Poisoning Attack, which should not include audio. The finished video will be uploaded to the OWASP YouTube Channel. To move forward, the demo needs to be recorded and prepared for upload.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/137",
@@ -16096,9 +16643,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 140
+ 140,
+ 135
]
}
},
@@ -16111,6 +16658,7 @@
"node_id": "I_kwDODGfvrc51Q0B7",
"title": "feat(docs): create a recorded demo of ML03 Model Inversion Attack",
"body": "- [ ] Create a recorded video demo (no audio)\n\nVideo will be uploaded to [OWASP Youtube Channel](https://www.youtube.com/@owasp-mltop10)",
+ "summary": "The issue requests the creation of a recorded video demo showcasing the ML03 Model Inversion Attack, with the stipulation that the video should not include audio. The completed video will be uploaded to the OWASP YouTube Channel. To address this issue, the demo needs to be recorded and edited accordingly.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/138",
@@ -16126,9 +16674,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 140
+ 140,
+ 135
]
}
},
@@ -16141,6 +16689,7 @@
"node_id": "I_kwDODGfvrc51Q0I_",
"title": "feat(docs): create a recorded demo of ML04 Membership Inference Attack",
"body": "- [ ] Create a recorded video demo (no audio)\n\nVideo will be uploaded to [OWASP Youtube Channel](https://www.youtube.com/@owasp-mltop10)",
+ "summary": "The issue requests the creation of a recorded video demo showcasing the ML04 Membership Inference Attack, specifically noting that the video should not include audio. The completed video will be uploaded to the OWASP YouTube Channel. To address this, a video demonstration needs to be produced and recorded.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/139",
@@ -16156,9 +16705,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 140
+ 140,
+ 135
]
}
},
@@ -16171,6 +16720,7 @@
"node_id": "I_kwDODGfvrc51Q0N7",
"title": "feat(docs): create a recorded demo of ML05 Model Theft",
"body": "- [ ] Create a recorded video demo (no audio)\n\nVideo will be uploaded to [OWASP Youtube Channel](https://www.youtube.com/@owasp-mltop10)",
+ "summary": "The issue requests the creation of a recorded video demo showcasing the ML05 Model Theft feature. The video should be without audio and will be uploaded to the OWASP YouTube Channel. To address this issue, a video demonstrating the feature needs to be produced.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/140",
@@ -16186,9 +16736,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 140
+ 140,
+ 135
]
}
},
@@ -16201,6 +16751,7 @@
"node_id": "I_kwDODGfvrc51Q0Sr",
"title": "feat(docs): create a recorded demo of ML06 AI Supply Chain Attacks",
"body": "- [ ] Create a recorded video demo (no audio)\n\nVideo will be uploaded to [OWASP Youtube Channel](https://www.youtube.com/@owasp-mltop10)",
+ "summary": "The issue requests the creation of a recorded video demo showcasing ML06 AI Supply Chain Attacks, with the stipulation that no audio is required. The completed video will be uploaded to the OWASP YouTube Channel. To address this, a video recording should be planned and executed accordingly.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/141",
@@ -16218,9 +16769,9 @@
241
],
"labels": [
- 135,
136,
- 140
+ 140,
+ 135
]
}
},
@@ -16233,6 +16784,7 @@
"node_id": "I_kwDODGfvrc51Q0X6",
"title": "feat(docs): create a recorded demo of ML07 Transfer Learning Attack",
"body": "- [ ] Create a recorded video demo (no audio)\n\nVideo will be uploaded to [OWASP Youtube Channel](https://www.youtube.com/@owasp-mltop10)",
+ "summary": "The issue requests the creation of a recorded video demo showcasing the ML07 Transfer Learning Attack. The video should not include audio and is intended to be uploaded to the OWASP YouTube Channel. To address this, a video demonstrating the attack needs to be produced and prepared for upload.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/142",
@@ -16250,9 +16802,9 @@
242
],
"labels": [
- 135,
136,
- 140
+ 140,
+ 135
]
}
},
@@ -16265,6 +16817,7 @@
"node_id": "I_kwDODGfvrc51Q0gj",
"title": "feat(docs): create a recorded demo of ML08 Model Skewing",
"body": "- [ ] Create a recorded video demo (no audio)\n\nVideo will be uploaded to [OWASP Youtube Channel](https://www.youtube.com/@owasp-mltop10)",
+ "summary": "The issue suggests creating a recorded video demo showcasing the ML08 Model Skewing topic, with the requirement that the video should not include audio. Once completed, the video is intended to be uploaded to the OWASP YouTube Channel. Action needs to be taken to produce and finalize the demo.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/143",
@@ -16282,9 +16835,9 @@
239
],
"labels": [
- 135,
136,
- 140
+ 140,
+ 135
]
}
},
@@ -16297,6 +16850,7 @@
"node_id": "I_kwDODGfvrc51Q0l5",
"title": "feat(docs): create a recorded demo of ML09 Output Integrity Attack",
"body": "- [ ] Create a recorded video demo (no audio)\n\nVideo will be uploaded to [OWASP Youtube Channel](https://www.youtube.com/@owasp-mltop10)",
+ "summary": "The issue requests the creation of a recorded video demo showcasing the ML09 Output Integrity Attack, specifically noting that the video should have no audio. Once completed, the video is intended to be uploaded to the OWASP YouTube Channel. To proceed, a video demonstration needs to be recorded and prepared for upload.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/144",
@@ -16312,9 +16866,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 140
+ 140,
+ 135
]
}
},
@@ -16327,6 +16881,7 @@
"node_id": "I_kwDODGfvrc51Q0p-",
"title": "feat(docs): create a recorded demo of ML10 Model Poisoning",
"body": "- [ ] Create a recorded video demo (no audio)\n\nVideo will be uploaded to [OWASP Youtube Channel](https://www.youtube.com/@owasp-mltop10)",
+ "summary": "The issue requests the creation of a recorded video demo showcasing the ML10 Model Poisoning topic, specifying that the video should not include audio. Once completed, the video will be uploaded to the OWASP YouTube Channel. To address this issue, a video recording demonstrating the concept should be produced.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/145",
@@ -16342,9 +16897,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 140
+ 140,
+ 135
]
}
},
@@ -16357,6 +16912,7 @@
"node_id": "I_kwDODGfvrc51Q5WF",
"title": "feat(docs): create a cheatsheet for ML01 Input Manipulation Attacks ",
"body": "- [ ] Is there existing cheatsheets at [OWASP Cheatsheets](https://cheatsheetseries.owasp.org/Glossary.html)\r\n- [ ] If there is an existing cheatsheet, does it need updating at the source to cater for machine learning use cases?\r\n- [ ] Is there a need for a new cheatsheet topic?\r\n- [ ] Add existing or new cheatsheet as a reference to the Top 10 risk document\r\n\r\nExample Cheatsheet: [Input Validation Cheatsheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Input_Validation_Cheat_Sheet.md)\r\n\r\nExample of Top 10 risk referencing cheatsheets: [ML01 Input Manipulation Attacks - Cheatsheets](https://github.com/OWASP/www-project-machine-learning-security-top-10/blob/master/docs/cheatsheets/ML01_2023-Input_Manipulation_Attack-Cheatsheet.md)\r\n\r\n",
+ "summary": "The issue discusses the need for a cheatsheet focused on ML01 Input Manipulation Attacks. It outlines several tasks: checking for existing cheatsheets on the OWASP site, determining if they require updates for machine learning applications, assessing the necessity for a new cheatsheet topic, and potentially adding the new or updated cheatsheet as a reference in the Top 10 risk document. To move forward, it would be essential to review the current resources and identify any gaps related to input manipulation in the context of machine learning.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/147",
@@ -16371,14 +16927,14 @@
"author": 238,
"repository": 981,
"assignees": [
+ 243,
238,
- 239,
- 243
+ 239
],
"labels": [
- 135,
136,
- 141
+ 141,
+ 135
]
}
},
@@ -16391,6 +16947,7 @@
"node_id": "I_kwDODGfvrc51RcoQ",
"title": "feat(docs): create a cheatsheet for ML02 Data Poisoning Attack ",
"body": "- [ ] Is there existing cheatsheets at [OWASP Cheatsheets](https://cheatsheetseries.owasp.org/Glossary.html)\n- [ ] If there is an existing cheatsheet, does it need updating at the source to cater for machine learning use cases?\n- [ ] Is there a need for a new cheatsheet topic?\n- [ ] Add existing or new cheatsheet as a reference to the Top 10 risk document\n\nExample Cheatsheet: [Input Validation Cheatsheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Input_Validation_Cheat_Sheet.md)\n\nExample of Top 10 risk referencing cheatsheets: [ML01 Input Manipulation Attacks - Cheatsheets](https://github.com/OWASP/www-project-machine-learning-security-top-10/blob/master/docs/cheatsheets/ML01_2023-Input_Manipulation_Attack-Cheatsheet.md)",
+ "summary": "The issue discusses the creation of a cheatsheet specifically for the ML02 Data Poisoning Attack. It outlines several tasks: checking for existing cheatsheets on the OWASP platform, assessing whether any need updates to include machine learning use cases, determining if a new cheatsheet topic is necessary, and referencing the existing or new cheatsheet in the Top 10 risk document. To proceed, review the current OWASP cheatsheets and identify any gaps related to data poisoning attacks.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/150",
@@ -16409,9 +16966,9 @@
239
],
"labels": [
- 135,
136,
- 141
+ 141,
+ 135
]
}
},
@@ -16424,6 +16981,7 @@
"node_id": "I_kwDODGfvrc51Rc0V",
"title": "feat(docs): create a cheatsheet for ML03 Model Inversion Attack",
"body": "- [ ] Is there existing cheatsheets at [OWASP Cheatsheets](https://cheatsheetseries.owasp.org/Glossary.html)\n- [ ] If there is an existing cheatsheet, does it need updating at the source to cater for machine learning use cases?\n- [ ] Is there a need for a new cheatsheet topic?\n- [ ] Add existing or new cheatsheet as a reference to the Top 10 risk document\n\nExample Cheatsheet: [Input Validation Cheatsheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Input_Validation_Cheat_Sheet.md)\n\nExample of Top 10 risk referencing cheatsheets: [ML01 Input Manipulation Attacks - Cheatsheets](https://github.com/OWASP/www-project-machine-learning-security-top-10/blob/master/docs/cheatsheets/ML01_2023-Input_Manipulation_Attack-Cheatsheet.md)",
+ "summary": "The issue discusses the need to create a cheatsheet for the ML03 Model Inversion Attack. Several tasks have been outlined, including checking for existing cheatsheets on the OWASP website, determining if any existing cheatsheets require updates for machine learning contexts, assessing the necessity for a new cheatsheet topic, and adding relevant cheatsheets to the Top 10 risk document. \n\nTo proceed, one should first review existing resources and identify gaps that the new cheatsheet could fill.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/151",
@@ -16439,9 +16997,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 141
+ 141,
+ 135
]
}
},
@@ -16454,6 +17012,7 @@
"node_id": "I_kwDODGfvrc51Rc9t",
"title": "feat(docs): create a cheatsheet for ML04 Membership Inference Attack",
"body": "- [ ] Is there existing cheatsheets at [OWASP Cheatsheets](https://cheatsheetseries.owasp.org/Glossary.html)\n- [ ] If there is an existing cheatsheet, does it need updating at the source to cater for machine learning use cases?\n- [ ] Is there a need for a new cheatsheet topic?\n- [ ] Add existing or new cheatsheet as a reference to the Top 10 risk document\n\nExample Cheatsheet: [Input Validation Cheatsheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Input_Validation_Cheat_Sheet.md)\n\nExample of Top 10 risk referencing cheatsheets: [ML01 Input Manipulation Attacks - Cheatsheets](https://github.com/OWASP/www-project-machine-learning-security-top-10/blob/master/docs/cheatsheets/ML01_2023-Input_Manipulation_Attack-Cheatsheet.md)",
+ "summary": "The issue discusses the creation of a cheatsheet specifically for the ML04 Membership Inference Attack. Key tasks include checking for existing cheatsheets on the OWASP site, determining if any need updates to address machine learning scenarios, assessing the necessity for a new cheatsheet topic, and referencing the relevant cheatsheet in the Top 10 risk document. To move forward, one should begin by reviewing existing resources and identifying gaps related to membership inference attacks.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/152",
@@ -16469,9 +17028,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 141
+ 141,
+ 135
]
}
},
@@ -16484,6 +17043,7 @@
"node_id": "I_kwDODGfvrc51RdB5",
"title": "feat(docs): create a cheatsheet for ML05 Model Theft",
"body": "- [ ] Is there existing cheatsheets at [OWASP Cheatsheets](https://cheatsheetseries.owasp.org/Glossary.html)\n- [ ] If there is an existing cheatsheet, does it need updating at the source to cater for machine learning use cases?\n- [ ] Is there a need for a new cheatsheet topic?\n- [ ] Add existing or new cheatsheet as a reference to the Top 10 risk document\n\nExample Cheatsheet: [Input Validation Cheatsheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Input_Validation_Cheat_Sheet.md)\n\nExample of Top 10 risk referencing cheatsheets: [ML01 Input Manipulation Attacks - Cheatsheets](https://github.com/OWASP/www-project-machine-learning-security-top-10/blob/master/docs/cheatsheets/ML01_2023-Input_Manipulation_Attack-Cheatsheet.md)",
+ "summary": "The issue suggests creating a cheatsheet specifically for ML05 Model Theft. It involves checking if there are existing cheatsheets on the OWASP Cheatsheets site and determining whether they require updates for machine learning contexts. Additionally, it explores the necessity of a new cheatsheet topic and proposes adding either the existing or new cheatsheet as a reference to the Top 10 risk document. To proceed, it is essential to evaluate current resources and identify any gaps related to model theft in machine learning.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/153",
@@ -16499,9 +17059,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 141
+ 141,
+ 135
]
}
},
@@ -16514,6 +17074,7 @@
"node_id": "I_kwDODGfvrc51RdHk",
"title": "feat(docs): create a cheatsheet for ML06 AI Supply Chain Attacks",
"body": "- [ ] Is there existing cheatsheets at [OWASP Cheatsheets](https://cheatsheetseries.owasp.org/Glossary.html)\n- [ ] If there is an existing cheatsheet, does it need updating at the source to cater for machine learning use cases?\n- [ ] Is there a need for a new cheatsheet topic?\n- [ ] Add existing or new cheatsheet as a reference to the Top 10 risk document\n\nExample Cheatsheet: [Input Validation Cheatsheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Input_Validation_Cheat_Sheet.md)\n\nExample of Top 10 risk referencing cheatsheets: [ML01 Input Manipulation Attacks - Cheatsheets](https://github.com/OWASP/www-project-machine-learning-security-top-10/blob/master/docs/cheatsheets/ML01_2023-Input_Manipulation_Attack-Cheatsheet.md)",
+ "summary": "The issue proposes the creation of a cheatsheet specifically for ML06 AI Supply Chain Attacks. It includes several tasks: checking for existing cheatsheets on the OWASP Cheatsheets site, determining if any need updates for machine learning contexts, assessing the necessity for a new cheatsheet topic, and linking the relevant cheatsheet to the Top 10 risk document. To proceed, one should start by reviewing the current resources and identifying gaps that need to be addressed.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/154",
@@ -16528,14 +17089,14 @@
"author": 238,
"repository": 981,
"assignees": [
+ 241,
238,
- 239,
- 241
+ 239
],
"labels": [
- 135,
136,
- 141
+ 141,
+ 135
]
}
},
@@ -16548,6 +17109,7 @@
"node_id": "I_kwDODGfvrc51RdMG",
"title": "feat(docs): create a cheatsheet for ML07 Transfer Learning Attack",
"body": "- [ ] Is there existing cheatsheets at [OWASP Cheatsheets](https://cheatsheetseries.owasp.org/Glossary.html)\n- [ ] If there is an existing cheatsheet, does it need updating at the source to cater for machine learning use cases?\n- [ ] Is there a need for a new cheatsheet topic?\n- [ ] Add existing or new cheatsheet as a reference to the Top 10 risk document\n\nExample Cheatsheet: [Input Validation Cheatsheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Input_Validation_Cheat_Sheet.md)\n\nExample of Top 10 risk referencing cheatsheets: [ML01 Input Manipulation Attacks - Cheatsheets](https://github.com/OWASP/www-project-machine-learning-security-top-10/blob/master/docs/cheatsheets/ML01_2023-Input_Manipulation_Attack-Cheatsheet.md)",
+ "summary": "The issue discusses the need to create a cheatsheet for the ML07 Transfer Learning Attack. It raises several points for consideration: checking for existing cheatsheets on the OWASP site, determining if any existing cheatsheets require updates for machine learning applications, assessing the necessity for a new cheatsheet topic, and including the new or updated cheatsheet as a reference in the Top 10 risk document. \n\nTo move forward, it would be helpful to review the current cheatsheets and identify any gaps related to transfer learning attacks.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/155",
@@ -16562,14 +17124,14 @@
"author": 238,
"repository": 981,
"assignees": [
- 238,
- 239,
242,
- 244
+ 244,
+ 238,
+ 239
],
"labels": [
- 135,
- 141
+ 141,
+ 135
]
}
},
@@ -16582,6 +17144,7 @@
"node_id": "I_kwDODGfvrc51RdSW",
"title": "feat(docs): create a cheatsheet for ML08 Model Skewing",
"body": "- [ ] Is there existing cheatsheets at [OWASP Cheatsheets](https://cheatsheetseries.owasp.org/Glossary.html)\n- [ ] If there is an existing cheatsheet, does it need updating at the source to cater for machine learning use cases?\n- [ ] Is there a need for a new cheatsheet topic?\n- [ ] Add existing or new cheatsheet as a reference to the Top 10 risk document\n\nExample Cheatsheet: [Input Validation Cheatsheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Input_Validation_Cheat_Sheet.md)\n\nExample of Top 10 risk referencing cheatsheets: [ML01 Input Manipulation Attacks - Cheatsheets](https://github.com/OWASP/www-project-machine-learning-security-top-10/blob/master/docs/cheatsheets/ML01_2023-Input_Manipulation_Attack-Cheatsheet.md)",
+ "summary": "The issue proposes the creation of a cheatsheet specifically for ML08 Model Skewing. It outlines several tasks, including checking for existing cheatsheets on the OWASP Cheatsheets site, determining if any need updates to address machine learning scenarios, and assessing the necessity of a new cheatsheet topic. Additionally, it suggests adding either the existing or new cheatsheet to the Top 10 risk document. To proceed, a review of current resources and potential updates or additions is needed.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/156",
@@ -16597,9 +17160,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 141
+ 141,
+ 135
]
}
},
@@ -16612,6 +17175,7 @@
"node_id": "I_kwDODGfvrc51RdYf",
"title": "feat(docs): create a cheatsheet for ML09 Output Integrity Attack",
"body": "- [ ] Is there existing cheatsheets at [OWASP Cheatsheets](https://cheatsheetseries.owasp.org/Glossary.html)\n- [ ] If there is an existing cheatsheet, does it need updating at the source to cater for machine learning use cases?\n- [ ] Is there a need for a new cheatsheet topic?\n- [ ] Add existing or new cheatsheet as a reference to the Top 10 risk document\n\nExample Cheatsheet: [Input Validation Cheatsheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Input_Validation_Cheat_Sheet.md)\n\nExample of Top 10 risk referencing cheatsheets: [ML01 Input Manipulation Attacks - Cheatsheets](https://github.com/OWASP/www-project-machine-learning-security-top-10/blob/master/docs/cheatsheets/ML01_2023-Input_Manipulation_Attack-Cheatsheet.md)",
+ "summary": "The issue discusses the creation of a cheatsheet for the ML09 Output Integrity Attack. It outlines several tasks, including checking for existing cheatsheets on the OWASP site, determining if they require updates for machine learning contexts, assessing the need for a new cheatsheet, and adding any relevant cheatsheet to the Top 10 risk document. It references examples of existing cheatsheets and how they are linked to the Top 10 risks. The next steps involve conducting the checks and updates as outlined.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/157",
@@ -16627,9 +17191,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 141
+ 141,
+ 135
]
}
},
@@ -16642,6 +17206,7 @@
"node_id": "I_kwDODGfvrc51RddC",
"title": "feat(docs): create a cheatsheet for ML10 Model Poisoning",
"body": "- [ ] Is there existing cheatsheets at [OWASP Cheatsheets](https://cheatsheetseries.owasp.org/Glossary.html)\n- [ ] If there is an existing cheatsheet, does it need updating at the source to cater for machine learning use cases?\n- [ ] Is there a need for a new cheatsheet topic?\n- [ ] Add existing or new cheatsheet as a reference to the Top 10 risk document\n\nExample Cheatsheet: [Input Validation Cheatsheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Input_Validation_Cheat_Sheet.md)\n\nExample of Top 10 risk referencing cheatsheets: [ML01 Input Manipulation Attacks - Cheatsheets](https://github.com/OWASP/www-project-machine-learning-security-top-10/blob/master/docs/cheatsheets/ML01_2023-Input_Manipulation_Attack-Cheatsheet.md)",
+ "summary": "The issue discusses the creation of a cheatsheet for ML10 Model Poisoning. Key tasks include checking for existing cheatsheets on the OWASP website, determining if any need updates to address machine learning use cases, assessing the necessity for a new cheatsheet topic, and incorporating either an existing or a new cheatsheet as a reference in the Top 10 risk document. It may be beneficial to explore related examples for guidance.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/158",
@@ -16657,9 +17222,9 @@
"repository": 981,
"assignees": [],
"labels": [
- 135,
136,
- 141
+ 141,
+ 135
]
}
},
@@ -16672,6 +17237,7 @@
"node_id": "I_kwDODGfvrc51Rx2I",
"title": "chore(admin): assign owner(s) for ML01 Input Validation Attack",
"body": "- [x] Assigned Lead Contributor for ML01\n- [x] Update CODEOWNERS with contributor details\n\nIdeally the Lead Contributor for ML01 will also be assigned to the cheatsheet - ref: #147 ",
+ "summary": "The issue involves assigning an owner for the ML01 Input Validation Attack and updating the CODEOWNERS file with the relevant contributor details. It has been noted that the Lead Contributor for ML01 should also be linked to the associated cheatsheet, as referenced in a previous issue. To complete the task, ensure that the Lead Contributor is assigned appropriately and that the CODEOWNERS file reflects these changes.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/163",
@@ -16703,6 +17269,7 @@
"node_id": "I_kwDODGfvrc51RzAU",
"title": "chore(admin): assign owner(s) for ML03 Model Inversion Attack",
"body": "- [ ] Assigned Lead Contributor for ML03\n- [ ] Update CODEOWNERS with contributor details\n\nIdeally the Lead Contributor for ML03 will also be assigned to the cheatsheet - ref: #151 ",
+ "summary": "The issue involves assigning a lead contributor for the ML03 Model Inversion Attack and updating the CODEOWNERS file with the contributor's details. Additionally, it is suggested that the lead contributor for ML03 should also be assigned to the associated cheatsheet referenced in another issue. The tasks to be completed include identifying and assigning the lead contributor and making the necessary updates to the CODEOWNERS file.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/165",
@@ -16732,6 +17299,7 @@
"node_id": "I_kwDODGfvrc51RzRE",
"title": "chore(admin): assign owner(s) for ML04 Membership Inference Attack",
"body": "- [ ] Assigned Lead Contributor for ML04\n- [ ] Update CODEOWNERS with contributor details\n\nIdeally the Lead Contributor for ML04 will also be assigned to the cheatsheet - ref: #152 ",
+ "summary": "The issue involves assigning a Lead Contributor for the ML04 Membership Inference Attack and updating the CODEOWNERS file with the contributor's details. It is suggested that the Lead Contributor for ML04 should also be designated for the associated cheatsheet. Action items include identifying and assigning the Lead Contributor and making the necessary updates to the CODEOWNERS file.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/166",
@@ -16761,6 +17329,7 @@
"node_id": "I_kwDODGfvrc51Rzdy",
"title": "chore(admin): assign owner(s) for ML05 Model Theft",
"body": "- [ ] Assigned Lead Contributor for ML05\n- [ ] Update CODEOWNERS with contributor details\n\nIdeally the Lead Contributor for ML05 will also be assigned to the cheatsheet - ref: #153 ",
+ "summary": "The issue involves assigning a Lead Contributor for the ML05 Model Theft project and updating the CODEOWNERS file to include the contributor's details. Additionally, it suggests that the Lead Contributor should also be assigned to the related cheatsheet. To resolve this, the necessary assignments and updates should be made.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/167",
@@ -16790,6 +17359,7 @@
"node_id": "I_kwDODGfvrc51R0Mh",
"title": "chore(admin): assign owner(s) for ML08 Model Skewing",
"body": "- [ ] Assigned Lead Contributor for ML08\n- [ ] Update CODEOWNERS with contributor details\n\nIdeally the Lead Contributor for ML08 will also be assigned to the cheatsheet - ref: #156 ",
+ "summary": "The issue involves assigning a Lead Contributor for the ML08 Model Skewing and updating the CODEOWNERS file with the contributor's details. Additionally, it suggests that the Lead Contributor should also be involved with the cheatsheet referenced in another issue. To address this, the assigned contributor needs to be determined and the necessary updates made to the CODEOWNERS file.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/170",
@@ -16819,6 +17389,7 @@
"node_id": "I_kwDODGfvrc51R0Zy",
"title": "chore(admin): assign owner(s) for ML09 Output Integrity Attack",
"body": "- [ ] Assigned Lead Contributor for ML09\n- [ ] Update CODEOWNERS with contributor details\n\nIdeally the Lead Contributor for ML09 will also be assigned to the cheatsheet - ref: #157 ",
+ "summary": "The issue highlights the need to assign a Lead Contributor for the ML09 Output Integrity Attack and to update the CODEOWNERS file with the contributor's details. Additionally, it suggests that the Lead Contributor should also be linked to the cheatsheet referenced in another issue. Action items include assigning a contributor and updating relevant documentation.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/171",
@@ -16848,6 +17419,7 @@
"node_id": "I_kwDODGfvrc51R0sl",
"title": "chore(admin): assign owner(s) for ML10 Model Poisoning",
"body": "- [ ] Assigned Lead Contributor for ML10\n- [ ] Update CODEOWNERS with contributor details\n\nIdeally the Lead Contributor for ML10 will also be assigned to the cheatsheet - ref: #158 ",
+ "summary": "The issue discusses the need to assign a Lead Contributor for the ML10 Model Poisoning project and to update the CODEOWNERS file with the contributor's details. Additionally, it suggests that the Lead Contributor should also be assigned to the related cheatsheet as referenced in another issue. To resolve this, the necessary assignments should be made and the CODEOWNERS file updated accordingly.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/172",
@@ -16877,6 +17449,7 @@
"node_id": "I_kwDODGfvrc51eUcp",
"title": "feat(docs): create a GLOSSARY page of commonly used terms",
"body": "Machine Learning has a lot of terminology that may be new to people. Need to create a glossary page of commonly used terms.",
+ "summary": "A request has been made to create a glossary page that defines commonly used terms in Machine Learning, as the existing terminology may be unfamiliar to many users. To address this, a glossary with clear definitions of key terms should be developed.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/178",
@@ -16894,8 +17467,8 @@
244
],
"labels": [
- 134,
- 136
+ 136,
+ 134
]
}
},
@@ -16908,6 +17481,7 @@
"node_id": "I_kwDODGfvrc51e28g",
"title": "fix: merge review from @harrietf",
"body": "[Harriet Farlow](https://www.linkedin.com/in/harriet-farlow-654963b7/) sent through her feedback via mail.\r\n\r\nUploading Word doc and also outputting to Markdown in this issue to track.\r\n\r\nFeedback in Word doc: [OWASP Top Ten Feedback.docx](https://github.com/OWASP/www-project-machine-learning-security-top-10/files/13219930/OWASP.Top.Ten.Feedback.docx)\r\n\r\n\r\n\r\nOutput in Markdown from Word doc below:\r\n---\r\n**General feedback - the list and the home page**\r\n\r\nI think this is great! Some feedback below:\r\n\r\n- I would also add something about these kinds of mitigations being\r\n risk-based, and that each organisation should make a risk-based\r\n assessment of which specific attacks are more likely to be employed\r\n against their models, how impactful the ramifications would be (ie.\r\n would they lose massive amounts of PII or would someone just get a\r\n bad customer experience) and then decide on their ML security\r\n posture from there.\r\n\r\n- I would also highlight some of the reasons why ML systems are\r\n different to traditional cyber systems (ie. ML systems are\r\n probabilistic while cyber systems are rules based, ML systems learn\r\n and evolve while cyber systems are more static). From an\r\n organisational perspective this means that it is unfair to expect\r\n cyber security professionals to automatically know how best to\r\n secure ML systems, and that there should be investment in training\r\n and/or the creation of new roles\r\n\r\n- I would also add a comment about the terminology here being ML\r\n security vs AI security. Clarify the difference between ML and AI\r\n (ie. AI is a broader set of technologies while ML refers\r\n specifically to the AI sub-field of ML models). For example, I\r\n usually refer to my work as AI Security to be more encompassing of\r\n an audience who is used to hearing about AI, but most of what I talk\r\n about is actually ML security. Adding something here about these\r\n terms would be useful for non-ML folk.\r\n\r\n**Some questions before I give feedback on these things**\r\n\r\n- Is the intention of the top 10 list that it is also ordered so that\r\n #1 is most threatening, or is it unordered?\r\n\r\n- What is the methodology/reference for the risk factor values under\r\n each threat? (I know it comes from the specific scenarios, but is it\r\n meant to also be representative of 'common' ways of implementing the\r\n attack? Because it could be very different and might be interpreted\r\n as generic)\r\n\r\n**ML01:2023 Input Manipulation Attack**\r\n\r\n- Where Adversarial Attacks are referenced in the intro, I usually see\r\n this referred to as an Adversarial Example instead and this language\r\n would be more consistent. I'm also not sure what it means by saying\r\n it's an umbrella term, what are the other attacks underneath this\r\n umbrella?\r\n\r\n- The list Adversarial Training, Robust Models, Input Validation are\r\n all good to include but could be rephrased to be mutually exclusive\r\n (ie. the Robust Models section references both Adversarial Training\r\n and Input Validation as the way to make models robust). You could\r\n start with Robust Models first and still mention that those other\r\n two techniques are some ways to make model robust, but is also\r\n dependent on good data quality (clean data, good feature\r\n engineering, complete data), model selection (having to choose an\r\n appropriate balance between accuracy and interpretability, which are\r\n usually trade-offs), considering ensemble methods instead of a\r\n single model (ie. you get results from multiple models as a way of\r\n checking and validation output). You can then into system level\r\n security measures (input validation) and process-based security\r\n measures (incorporating adversarial training).\r\n\r\n- Love the scenarios, that really helps to put it in perspective.\r\n\r\n**ML02:2023 Data Poisoning Attack**\r\n\r\n- Would be worth including more here in the 'about' section around how\r\n this normally happens (an organisation's data repository could have\r\n new data added, or existing data altered), why it works (an ML\r\n model's heavy reliance on training data and the fact that it needs\r\n LOTS of it, which means it's also very hard to spot if it has been\r\n tampered with), who is likely to do this (someone either needs\r\n access to the data repository if the model is trained on internal\r\n data only in which case an insider threat scenario is more likely,\r\n or if the model learns from 'new' data fed from the outside like a\r\n chatbot that learns off inputs without validation (ie. Tay) then\r\n this is a much easier attack) etc. Also clarify how this is\r\n different to the cyber security challenge of just keeping data\r\n secure (ie. it's more about the statistical distribution of the data\r\n than the likelihood of data breach).\r\n\r\n- The 'how to prevent this section' is great, and adding more info\r\n beforehand might help make it clearer as to why these measures are\r\n important, and why the measure to secure data is for different\r\n reasons than traditional cyber security threat models.\r\n\r\n- Again, great examples. You could add something like a chatbot or\r\n social media model here to underscore how publicly injected data is\r\n also a risk here.\r\n\r\n**ML03:2023 Model Inversion Attack & ML04:2023 Membership Inference\r\nAttack**\r\n\r\n- These two attacks could be clarified as to exactly how they're\r\n different, and depending on how you expect someone might use the Top\r\n 10, you could consider combining them. For example, they both leak\r\n information about data used to train the model but model inversion\r\n is about leaking any data, and membership inference is more about\r\n seeing if a specific piece of data was used. Or you could clarify\r\n that they are separate based on the different controls used to\r\n prevent it (ie. is the focus on differentiation here the goal of\r\n attack, or the means of securing it)\r\n\r\n- Model inversion - you could explain what it means to\r\n 'reverse-engineer' in this context. Ie. it is more about targeted\r\n prompting than reverse engineering in a cyber context. This would\r\n also explain why the suggested controls (ie. input verification)\r\n work.\r\n\r\n**ML05:2023 Model Stealing**\r\n\r\n- This is good! Again, I think a longer description would be helpful.\r\n\r\n**ML06:2023 AI Supply Chain Attacks**\r\n\r\n- Yes, love that this is included!\r\n\r\n- Why are we switching from ML to AI here?\r\n\r\n**ML07:2023 Transfer Learning Attack**\r\n\r\n- This is interesting.. In my mind this is more an AI misuse issue\r\n than an AI security issue, but it really depends on the scenario I\r\n think. Could be worth clarifying here.\r\n\r\n**ML08:2023 Model Skewing**\r\n\r\n- This also seems the same as the data poisoning attack.. It's not\r\n clear how they're different. Usually when I saw model skewing the\r\n attack is based on being able to change the model outcome without\r\n actually touching the training data.. Would be worth clarifying\r\n here.\r\n\r\n**ML09:2023 Output Integrity Attack**\r\n\r\n- Again, this attack overlaps a lot with other attacks already listed\r\n that aim to impact the output, it's almost more of an umbrella term\r\n in my mind. Or it could be different but it depends on how an\r\n organisation creates its threat model. The controls mentioned here\r\n are good though, so it's worth clarifying why this is listed as a\r\n different attack and if it's based on the controls suggested (which\r\n would also apply to the other attacks listed).\r\n\r\n**ML10:2023 Model Poisoning**\r\n\r\n- Yes, this is good, and worth adding a bit more about how this can\r\n happen (ie. direct alteration of the model through injection, the\r\n interaction with hardware here and how this can be done in memory\r\n etc)\r\n\r\n",
+ "summary": "The issue discusses feedback received on a project related to ML security threats. The feedback covers various aspects, including the need for a risk-based approach to mitigations, differentiation between ML and AI security, and clarity on specific attacks. Detailed comments are provided on each of the top ten threats, suggesting improvements in terminology, descriptions, and explanations of concepts. \n\nKey points include:\n\n- Incorporating risk assessments for organizations regarding potential attacks.\n- Highlighting the differences between ML and traditional cyber systems.\n- Clarifying terminology used for ML and AI security.\n- Providing further details on specific attacks and their prevention methods.\n\nTo address the feedback, it may be necessary to revise the documentation with clearer definitions, additional context for the attacks, and an explanation of the methodology behind the rankings and risk factors.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/182",
@@ -16940,6 +17514,7 @@
"node_id": "I_kwDODGfvrc53FVcs",
"title": "[FEEDBACK]: Sync attack names between LLMT10 and MLT10 where appropriate",
"body": "### Type\n\nSuggestions for Improvement\n\n### What would you like to report?\n\nI would like to make the suggestion that we consolidate the terms used in the LLM and ML top 10 documents.\r\n\r\nMany of the top 10 items in each are closely related or even the same.\r\nWhere possible, the same term should be used (i.e. Model Theft vs Model Stealing, Data Poisoning Attack vs Training data Poisoning).\r\n\r\nThanks!\n\n### Code of Conduct\n\n- [X] I agree to follow this project's Code of Conduct",
+ "summary": "The issue suggests consolidating the terminology used in the LLM and ML top 10 documents, as many items are closely related or identical. It recommends using consistent terms, such as \"Model Theft\" instead of \"Model Stealing,\" and \"Data Poisoning Attack\" instead of \"Training Data Poisoning.\" The next steps would involve reviewing both documents to identify and align the related terms.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/187",
@@ -16971,6 +17546,7 @@
"node_id": "I_kwDODGfvrc53Iuq0",
"title": "[FEEDBACK]: Include MLOps vulnerabilties somewhere in the Supply Chain Security category ",
"body": "### Type\r\n\r\nSuggestions for Improvement\r\n\r\n### What would you like to report?\r\n\r\n**Context**\r\nOne of the parts of the supply chain in modern ML systems is MLOps software - like i.e. MLFlow, Prefect etc. Those systems are vulnerable to classic web based attacks and they seem to be \"misconfured by default\". I've described it here: https://hackstery.com/2023/10/13/no-one-is-prefect-is-your-mlops-infrastructure-leaking-secrets/ or here: https://github.com/logspace-ai/langflow/issues/1145 \r\n\r\n**Suggestion for improvement**\r\nI'd suggest including MLOps-related vulnerabilities in the ML06 (or maybe in some other categories as well? I am open for suggestions). \r\n\r\n### Code of Conduct\r\n\r\n- [X] I agree to follow this project's Code of Conduct",
+ "summary": "The issue raises a suggestion to include MLOps-related vulnerabilities within the Supply Chain Security category, highlighting that MLOps software, such as MLFlow and Prefect, is susceptible to common web-based attacks and often comes misconfigured by default. The author points to existing resources that elaborate on these vulnerabilities. The suggestion is to categorize these vulnerabilities appropriately, potentially under ML06 or other suitable categories. To address this, it may be necessary to assess current categories and determine where MLOps vulnerabilities can be integrated.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/188",
@@ -16985,8 +17561,8 @@
"author": 241,
"repository": 981,
"assignees": [
- 238,
- 241
+ 241,
+ 238
],
"labels": [
132,
@@ -17003,6 +17579,7 @@
"node_id": "I_kwDODGfvrc53sTiJ",
"title": "[FEEDBACK]: Include a page with a brief descriptions of each of the vulnerabilities",
"body": "### Type\n\nSuggestions for Improvement\n\n### What would you like to report?\n\nFor example in Top10 for LLM there's this page with a summary of each of the vulnerabilities, which I think would be pretty useful to have in Top10 for ML as well. \r\n\r\nSometimes when you e.g. work on some slides for a presentation, you just want to get a short summary of each of the vulnerabilities. In my opinion including such a page in Top10 for ML would be an improvement: \r\n\r\n\n\n### Code of Conduct\n\n- [X] I agree to follow this project's Code of Conduct",
+ "summary": "The issue suggests adding a page that provides brief descriptions of each vulnerability in the Top10 for Machine Learning (ML) project. This addition is seen as beneficial for users who may need quick summaries for presentations or other purposes, similar to a feature available in the Top10 for LLM. Implementing this suggestion could enhance the usability of the resource.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/189",
@@ -17034,6 +17611,7 @@
"node_id": "I_kwDODGfvrc6B14iW",
"title": "OWASP Top 10 ML Summaries",
"body": "Ref: https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/189\r\n\r\nAs of now, do we need a markdown file for this or a powerpoint page which contains all the summaries for the project? \r\n\r\ncc: @shsingh @mik0w ",
+ "summary": "The issue discusses whether a markdown file or a PowerPoint slide should be created to compile all the summaries related to the OWASP Top 10 Machine Learning Security project. It is suggested that a decision needs to be made on the format for presenting this information. Consideration should be given to the best way to organize and share the summaries effectively.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/205",
@@ -17058,10 +17636,11 @@
"pk": 595,
"fields": {
"nest_created_at": "2024-09-11T20:42:41.693Z",
- "nest_updated_at": "2024-09-11T20:42:41.693Z",
+ "nest_updated_at": "2024-09-13T16:07:00.058Z",
"node_id": "I_kwDODGfvrc6LD2Xp",
"title": "[FEEDBACK]: Description of ML04 Membership Inference Attack",
"body": "### Type\n\nGeneral Feedback\n\n### What would you like to report?\n\nhttps://github.com/OWASP/www-project-machine-learning-security-top-10/blob/f1cf662ca9ce5cfcd4c72ab8d4bff91ea64f46d7/docs/ML04_2023-Membership_Inference_Attack.md?plain=1#L27\r\n\r\nHere, the documentation states that `an attacker manipulates the model’s training data`, but from my understanding the objective of a membership inference attack is to [\"\\[...\\] predict whether or not a particular example was contained in the model’s training dataset.\"](https://ieeexplore.ieee.org/document/9833649), so the attacker shouldn't have access to the training data.\r\n\r\nI can create a pull request to update the documentation. Let me know if you'd like me to proceed.\n\n### Code of Conduct\n\n- [X] I agree to follow this project's Code of Conduct",
+ "summary": "The issue raises a concern regarding the description of a membership inference attack in the documentation. It points out that the current wording suggests the attacker manipulates the model's training data, which contradicts the fundamental nature of such attacks, where the attacker typically does not have access to the training data. The user is willing to create a pull request to clarify this point in the documentation if it is deemed necessary. \n\nTo address this, a review of the documentation's language is suggested to ensure it accurately reflects the mechanics of membership inference attacks.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-machine-learning-security-top-10/issues/210",
@@ -17079,8 +17658,8 @@
238
],
"labels": [
- 132,
- 143
+ 143,
+ 132
]
}
},
@@ -17089,10 +17668,11 @@
"pk": 596,
"fields": {
"nest_created_at": "2024-09-11T20:43:41.238Z",
- "nest_updated_at": "2024-09-11T20:43:41.238Z",
+ "nest_updated_at": "2024-09-13T16:07:47.175Z",
"node_id": "I_kwDODGftyc5feB1C",
"title": "small grammar error",
"body": "In the index.md, and in CNAS-1: Insecure cloud, container or orchestration configuration\r\nshould 'Imrpoper permissions' change to 'Improper permissions' ?",
+ "summary": "There is a small grammar error in the index.md file, specifically in the section titled \"CNAS-1: Insecure cloud, container or orchestration configuration.\" The term \"Imrpoper permissions\" should be corrected to \"Improper permissions.\" A fix is needed to update the text accordingly.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-cloud-native-application-security-top-10/issues/8",
@@ -17115,10 +17695,11 @@
"pk": 597,
"fields": {
"nest_created_at": "2024-09-11T20:43:57.448Z",
- "nest_updated_at": "2024-09-11T20:43:57.448Z",
+ "nest_updated_at": "2024-09-13T16:08:00.528Z",
"node_id": "I_kwDODGftZc5fWt9s",
"title": "SwSec 5D Survey",
"body": "\r\n",
+ "summary": "The issue discusses the SwSec 5D Survey and includes an image related to it. The main focus appears to be on gathering feedback or information regarding the survey. It may be beneficial to clarify the survey's objectives or instructions for participants to ensure effective responses.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-software-security-5d-framework/issues/1",
@@ -17141,10 +17722,11 @@
"pk": 598,
"fields": {
"nest_created_at": "2024-09-11T20:44:07.768Z",
- "nest_updated_at": "2024-09-11T20:44:07.768Z",
+ "nest_updated_at": "2024-09-13T16:08:09.039Z",
"node_id": "MDU6SXNzdWU5NTIzODAyOTU=",
"title": "Add a Matrix ",
"body": "Add a matrix (likely an .xlsx file) that:\r\n\r\n* Can be used as a checklist and note-taking / task-tracking\r\n* Includes links from each task’s inputs and outputs to their corresponding tasks, as described in the OWASP-Vuln-MGM-Guide-Jul23-2020.pdf file",
+ "summary": "The issue suggests adding a matrix, probably in the form of an .xlsx file, that serves as a checklist and allows for note-taking or task tracking. It should also include links connecting each task's inputs and outputs to related tasks as outlined in the specified OWASP guide. To address this, one would need to create the matrix and ensure it aligns with the guidelines from the referenced document.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-vulnerability-management-guide/issues/1",
@@ -17171,10 +17753,11 @@
"pk": 599,
"fields": {
"nest_created_at": "2024-09-11T20:44:19.189Z",
- "nest_updated_at": "2024-09-11T20:44:19.189Z",
+ "nest_updated_at": "2024-09-13T16:08:18.147Z",
"node_id": "I_kwDODGfszM5G7xDs",
"title": "Attack Surface Detector plugin will allways start spider",
"body": "After executing Attack Surface Detector plugin in Owasp Zap Proxy, it will try to spider the application even if the checkbox **Automatically start spider after importing endpoints** is unchecked. \r\n\r\nHere is a print showing the problem:\r\n\r\n",
+ "summary": "Investigate the Attack Surface Detector plugin behavior in OWASP ZAP Proxy. Confirm that the plugin starts the spider process regardless of the **Automatically start spider after importing endpoints** option being unchecked. \n\n1. Review the code responsible for the Attack Surface Detector plugin's configuration and execution flow.\n2. Identify where the spider initiation logic is implemented and check for any conditional checks tied to the checkbox state.\n3. Implement logging to capture the state of the checkbox when the plugin runs and the spider starts.\n4. Test the plugin with various configurations to reproduce the issue consistently.\n5. Propose a solution to ensure the spider only starts when the checkbox is checked. \n\nDocument findings and submit a pull request with the necessary changes once the root cause is identified.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www-project-attack-surface-detector/issues/1",
@@ -17201,6 +17784,7 @@
"node_id": "MDU6SXNzdWU2MDE3MzM5MDI=",
"title": "Request for a bit more explanation",
"body": "Congrats on the new release! Looks really useful!\r\nI do wonder about a few requirements (See below): can you help me understand what they mean? It would be great if the document can provide a bit more explanation on them!\r\n\r\n`2.8: SBOM is analyzed for risk` ; what type of risk? is that development risks ? (e.g. continuity due to often changing signature of the functions it provides?) or only security risk? Or project continuity risk (e.g. license removed, etc.)\r\n\r\n`2.11: SBOM contains metadata about the asset or software the SBOM describes `: what type of metadata are we talking about :) ?\r\n\r\n`3.9; Application build pipeline prohibits alteration of certificate trust stores` ; if you do infrastructure as code and use a 4-eyed/hardened/etc. gitlab configuring pipeline which triggers a certificate manager from the underlying infrastructure to update trust-stores... then that is a lot safer than doing it my hand ... Ofcourse the requirement says application build pipeline, but i wonder: is there a split between configuration pipeline/application pipeline/infra pipeline?\r\n\r\n` 4.6: Package repository supports security incident reporting` ; where should it report to?\r\n\r\n`4.18: Package manager does not execute code` : do you mean of the packages that it stores, because a lot of the functionality described is only available when you \"upgrade\"/\"install plugin X for manager Y\", etc.?\r\n\r\nI love the standard already; it helps explaining what people should expect from the component management side of things! Will you incorporate something like a verification guide and/or a compliancy list like at the MSTG does for the MASVS? Then it could be easily incorporated into existing standardization processes!",
+ "summary": "There is a request for clarification on several requirements related to a recent software release. The user seeks additional details on the following points:\n\n1. Requirement 2.8 regarding the types of risks analyzed in the SBOM (Software Bill of Materials), questioning whether it includes development, security, or project continuity risks.\n2. Requirement 2.11 asks for specifics on the type of metadata included in the SBOM.\n3. Requirement 3.9 raises concerns about the distinction between different types of pipelines (configuration, application, infrastructure) in relation to certificate trust stores.\n4. Requirement 4.6 inquires about the destination for security incident reporting.\n5. Requirement 4.18 seeks clarification on whether the restriction on executing code pertains to the packages stored in the manager.\n\nAdditionally, there is a suggestion to create a verification guide or compliance list similar to existing standards to enhance integration into standardization processes. A response addressing these points would be beneficial.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/Software-Component-Verification-Standard/issues/9",
@@ -17229,6 +17813,7 @@
"node_id": "MDU6SXNzdWU2MDMzNDE5MjM=",
"title": "David A. Wheeler's comments",
"body": "Comments on OWASP “Software Component Verification Standard” by David A. Wheeler\r\n\r\nHere are my comments on the “Software Component Verification Standard” Version 1.0.0-RC.1 (Public Preview), 16 April 2020, https://owasp-scvs.gitbook.io/scvs/ My apologies that’s it’s one long document; I wrote my comments & then discovered that comments were wanted via GitHub. Had I known that I would have split this up. But hopefully they’ll be useful anyway.\r\n\r\nThis document’s frontispiece says it’s a “grouping of controls, separated by domain, which can be used by architects, developers, security, legal, and compliance to define, build, and verify the integrity of their software supply chain.” So I’m commenting on the document based on that understanding. My high-level comments:\r\n\r\n1. Many requirements are far too vague. It’s impossible to properly review this document without knowing what is necessary to meet its requirements. For every requirement it should be clear how it could and could not be met. See my detailed comments before for many examples of this vagueness. In many cases a key issue is “how far down (transitively) does this go?” Similarly, how much provenance & pedigree information is enough? It appears that the world wide web plus Google would count as a package manager; I presume that was not intended. I recommend trying to rewrite the requirements assuming that a lazy or malicious contractor will re-interpret them in the lowest-cost or most evil way. You can’t really make requirements impossible to re-interpret that way, but that exercise will help turn these vague requirements into more precise requirements that can be reviewed and applied.\r\n2. It’s not clear some of these requirements are practical (again, primarily because they’re too vague to know what they mean). In some cases, depending on their interpretation, the only way they’ll be widely practical is if their implementations are embedded into OSS package managers as OSS. If OWASP intends to help implement some of these in OSS package managers, that could be great, but OWASP needs to avoid mandating impractical or excessively expensive requirements.\r\n3. Does this really apply to entire organizations? The preface suggests it, but in many cases this is probably impractical. The document should instead discuss it being applied to specific projects within an organization, or a specific project, not necessarily a whole organization. That way, organizations can grow into these requirements if they desire.\r\n4. Is this intended to apply to open source software (OSS) projects themselves? OSS projects themselves have supply chains, and their supply chains become the supply chains of their downstream users. I wanted to see if these requirements could be practically met by OSS projects. However, the vagueness of the requirements makes it impossible to determine if an OSS project could implement them. I think the requirements need to be revised to specifically ensure that OSS projects could meet the requirements. Imagine at least one way that an OSS project could implement them. If these requirements can’t be met by OSS projects, then this document is probably impractical, because those dependencies will become transitive requirements on all their users including practically all serious projects today. So again: please review these requirements with that specifically in mind (once the requirements are reworded enough so they can be analyzed).\r\n5. There is no identified threat model, nor any mapping to show that these controls are both adequate and the minimum necessary to counter those threats. What attacks are you trying to counter? Are there controls missing? Are some unnecessary?\r\n6. In some cases it’s not even obvious why anyone would want to meet the requirement as stated. Why would that help? In some cases that would help the vagueness, e.g., “Do XYZ so that \n \n\n\n \n \n \n \n
\n\n \n\n\n \n Skip to content\n \n \n \n \n \n\n\n\n\n\n\n\n\n\n \n \n \n\n\n\n\n \n\n
\n\n \n\n\n\n\n\n\n\n\n\n \n \n
\n\n\n \n \n \n \n \n
\n\n \n \n \n \n
\n\n\n \n
\n \n
\n\n \n \n \n \n \n \n
\n\n\n \n \n \n \n \n
\n\n\n\n\n\n \n\n \n \n \n",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/owasp.github.io/issues/297",
@@ -17910,6 +18519,7 @@
"node_id": "I_kwDOC5rsi858vun1",
"title": "error message not found ",
"body": "https://github.com/microsoft/vscode/issues/202966",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/owasp.github.io/issues/298",
@@ -17936,6 +18546,7 @@
"node_id": "I_kwDOC5rsi86LHHRP",
"title": "The number of URLs is increasing for 'CSP: script-src unsafe-inline' and 'CSP: style-src unsafe-inline' after fixing 'CSP: Wildcard Directive'",
"body": "Hello.\r\n1) I has the next report:\r\n\r\nThe value of CSP was \r\n**\"default-src 'self'; script-src 'self' cdn.jsdelivr.net 'unsafe-inline'; img-src 'self' validator.swagger.io bootswatch.com getbootstrap.com data:; style-src 'self' cdn.jsdelivr.net 'unsafe-inline'; font-src 'self' cdn.jsdelivr.net data:; connect-src 'self' bootswatch.com;\"**\r\n2) I fixed CSP: Wildcard Directive by adding **form-action 'self'; frame-ancestors 'self'** and received the next report:\r\n\r\n3) My question is why the number of URLs in **CSP: script-src unsafe-inline** and **CSP: style-src unsafe-inline** was increased? ",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/owasp.github.io/issues/313",
@@ -17958,10 +18569,11 @@
"pk": 628,
"fields": {
"nest_created_at": "2024-09-11T20:46:12.507Z",
- "nest_updated_at": "2024-09-11T20:46:12.507Z",
+ "nest_updated_at": "2024-09-13T04:18:07.591Z",
"node_id": "I_kwDOC5rsi86LdgsJ",
"title": "@yaseenaljamal",
"body": "https://www.apache.org/licenses/LICENSE-2.0.txt",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/owasp.github.io/issues/317",
@@ -17988,6 +18600,7 @@
"node_id": "MDU6SXNzdWU1MzgwNTk3MzA=",
"title": "Subdirs",
"body": "\r\n.. are not working or am I missing something?\r\n\r\nFor our German Chapter we have links like https://www.owasp.org/index.php/OWASP_German_Chapter_Stammtisch_Initiative/Hamburg and https://www.owasp.org/index.php/Germany/Chapter_Meetings (cc @bkimminich).\r\n\r\nThx, Dirk\r\n\r\n\r\n\r\n\r\n",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www--site-theme/issues/32",
@@ -18014,6 +18627,7 @@
"node_id": "MDU6SXNzdWU1NzAwMjE0NTE=",
"title": "Twitter cards social preview content needed",
"body": "It looks like the site inserts OpenGraph metatags (for Facebook etc), however it doesn't insert the tags necessary for Twitter which is used quite extensively as a sharing platform in the industry. It would be nice if the necessary tags for that were populated as well.\r\n\r\nRefs:\r\n- https://developer.twitter.com/en/docs/tweets/optimize-with-cards/overview/abouts-cards\r\n- https://brianbunke.com/blog/2017/09/06/twitter-cards-on-jekyll/\r\n\r\nEdit: It seems twitter will fall back to OpenGraph.",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www--site-theme/issues/52",
@@ -18040,6 +18654,7 @@
"node_id": "MDU6SXNzdWU2NTI5OTczNDU=",
"title": "Cookie banner not compliant with EU law",
"body": "I'm not a lawyer, but I think we might be making fools of ourselves with this cookie banner (see screenshot) that doesn't even meet current EU legislation demanding an \"opt in\" to all tracking and non-essential cookies and not accepting plain \"Accept\"-banners any longer...\n\n https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf\n\n\n\nI ran an automated conformity test, and the `_ga` and `_gid` cookies (Google Analytics) need to be locked until explicitly accepted by the user in an opt-in fashion. The website I used marked the other cookies from CloudFlare and Stripe as essential and therefore compliant.\n\nReport can be found in the corresponding Slack discussion: https://owasp.slack.com/files/U1S23SNE7/F016556FB61/report-owasporg-4183554.pdf\n\n_Sent from my Pixel 3 XL using [FastHub](https://play.google.com/store/apps/details?id=com.fastaccess.github)_",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www--site-theme/issues/65",
@@ -18066,6 +18681,7 @@
"node_id": "MDU6SXNzdWU4NDIxNjY5NTk=",
"title": "OWASP/www-chapter-colombo: Page build failure",
"body": "After updating Colombo chapter page repo [1], I noticed there was a page build failure. \r\nI highly appreciate if you can help me to fix this.\r\n\r\n`The page build failed for the `master` branch with the following error:\r\n\r\nA file was included in `/_layouts/col-sidebar.html` that is a symlink or does not exist in your `_includes` directory. For more information, see https://docs.github.com/github/working-with-github-pages/troubleshooting-jekyll-build-errors-for-github-pages-sites#file-is-a-symlink.\r\n\r\nFor information on troubleshooting Jekyll see:\r\n\r\n https://docs.github.com/articles/troubleshooting-jekyll-builds\r\n\r\nIf you have any questions you can submit a request at https://support.github.com/contact?repo_id=221790172&page_build_id=242477598\r\n\r\n`\r\n[1] https://github.com/OWASP/www-chapter-colombo\r\n",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www--site-theme/issues/79",
@@ -18088,10 +18704,11 @@
"pk": 633,
"fields": {
"nest_created_at": "2024-09-11T20:46:20.590Z",
- "nest_updated_at": "2024-09-11T20:46:20.590Z",
+ "nest_updated_at": "2024-09-13T16:09:29.696Z",
"node_id": "I_kwDOC5rfps6FvH03",
"title": "Improve the OWASP UI",
"body": "The overall UI for the entire OWASP site looks and feels inconsistent, which can cause new visitors to quickly lose their trust in OWASP itself, which doesn't give a good impression, especially for an organisation that focuses on cybersecurity.\r\n\r\nI'm aware that OWASP use a customised theme for the site, but I believe that they can benefit from having their website redesigned from the ground up, so that it looks more consistent, trustworthy, and professional, not just for newcomers, but also for returning visitors and paying members.\r\n\r\nFurther, isn't one of OWASP's Top 10 items Insecure Design?\r\n\r\nNot only does that relate to how cybersecurity solutions themselves are designed (so that they can be secure), but also how those solutions (specifically user interfaces on an app, websites, etc) look visually, since in this case, you pretty much have to judge a book by its cover to determine whether it is secure and trustworthy by design (both in terms of security and aesthetics), since poorly designed websites and badly formatted emails can be viewed as a cybersecurity threat, and in most cases, that's how they're often perceived.\r\n\r\nSource: I am currently a UI Designer for a cybersecurity startup, so improving the UI for OWASP is something that I am fully able to do.",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/www--site-theme/issues/113",
@@ -18114,10 +18731,11 @@
"pk": 634,
"fields": {
"nest_created_at": "2024-09-11T21:07:22.730Z",
- "nest_updated_at": "2024-09-11T21:07:22.730Z",
+ "nest_updated_at": "2024-09-13T16:09:36.725Z",
"node_id": "I_kwDOC5InlM5bC3YM",
"title": "Head and Body tag is missing in 'index.html' file.",
"body": "Head and Body tag is missing in 'index.html' file. This may cause problem in live reloading as well in SEO.",
+ "summary": "",
"state": "open",
"state_reason": "reopened",
"url": "https://github.com/OWASP/video-portal/issues/7",
@@ -18144,6 +18762,7 @@
"node_id": "MDU6SXNzdWU0OTQ0OTQ3MDg=",
"title": "The Output of the script is showing jumbled characters",
"body": "Hello team, \r\n\r\n Nice work with this static tool. I love it. \r\n\r\nThis issue might not be of code and more of my linux (ubuntu) setup. Please find attached image showing this. \r\n\r\nRequest your inputs on how to make it look like a neat table like in your screenshot..\r\n\r\n\r\n",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/wpBullet/issues/1",
@@ -18166,10 +18785,11 @@
"pk": 636,
"fields": {
"nest_created_at": "2024-09-11T21:07:32.198Z",
- "nest_updated_at": "2024-09-11T21:07:32.198Z",
+ "nest_updated_at": "2024-09-13T16:09:43.429Z",
"node_id": "MDU6SXNzdWU0OTQ0OTY4NzE=",
"title": "Installation of PIP doesn't work",
"body": "Hi team, \r\n\r\n This might be obvious to few people, but i wanted to put it out here anyway for future reference. \r\n\r\nI tried installing pip-python, but it installs an older version by default and doesn't install the requirements as well. \r\n\r\nWhat worked is when i installed pip3/python3 as follows in UBUNTU:\r\n\r\n apt install python3\r\n apt install python3-pip\r\n pip3 install -r requirements.txt\r\n python3 wpbullet.py -path=\"\"",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/wpBullet/issues/2",
@@ -18192,10 +18812,11 @@
"pk": 637,
"fields": {
"nest_created_at": "2024-09-11T21:08:24.538Z",
- "nest_updated_at": "2024-09-11T21:08:24.538Z",
+ "nest_updated_at": "2024-09-13T04:19:07.338Z",
"node_id": "MDU6SXNzdWU0NTIxNjQ3MTA=",
"title": "CheatSheetSeries.Java.pdf not clear about the fact it's java",
"body": "The list of cheatsheets at the bottom, are not presented as Java related. All we have is a Java logo on the top left, and that's it. We should say how to do it.\r\n",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/community-docs/issues/1",
@@ -18224,6 +18845,7 @@
"node_id": "MDU6SXNzdWU0MzE2NDAwNjg=",
"title": "Better define MFA support",
"body": "Take NPM as an example - there is an option to configure MFA, and you can enforce it per package (see the [docs](https://docs.npmjs.com/about-two-factor-authentication)). But once MFA is enabled, you cannot use a CI to publish your packages - publish is done automatically. I think this should be reflected somehow, WDYT?",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/packman/issues/2",
@@ -18250,6 +18872,7 @@
"node_id": "MDU6SXNzdWU0MzY0MTE1NTg=",
"title": "Add WAPM",
"body": "Web Assembly Package Manager was announced today, seems like a valid modern package manager to add to the list.\r\n\r\nhttps://medium.com/wasmer/announcing-wapm-the-webassembly-package-manager-18d52fae0eea",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/packman/issues/12",
@@ -18276,6 +18899,7 @@
"node_id": "MDU6SXNzdWU0MzkwMzkwNjg=",
"title": "Review proposed Golang ecosystem changes",
"body": "https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/packman/issues/13",
@@ -18304,6 +18928,7 @@
"node_id": "MDU6SXNzdWU1NjQ2NzY3OTk=",
"title": "Clarification of support levels for items in Tiers",
"body": "Can we add a description of values and their definitions for security criteria items so that it is better understood what each mean. For example, I found the following for [npm.md](./npm.md) unclear:\r\n* Strong authentication: Partial - what does it mean?\r\n* Update notifications - Partials - means what exactly? Is it just the single maintainer who published but not all others who are listed as maintainers or the team that manages it?\r\n* Package Manager Does Not Run Code - Optional - If it is optional, how does this score? is it a +1 for flagging as passing the criteria or not?\r\n\r\n",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/packman/issues/18",
@@ -18330,6 +18955,7 @@
"node_id": "MDU6SXNzdWU1NjQ3MjExNjc=",
"title": "Suggestion: add new criteria for Package Manager FS operations",
"body": "I would like to add a new criteria for package managers which revolves around other operations that they do. We've nailed down running code with `Package Manager Does Not Run Code` and doing call-home stuff with `Package Manager Does Not Collect Info` but package managers also do filesystem operations, such as linking and so I want to add a new item `Package Managers Does FS Linking` (or can think of a better name if you have suggestions).\r\n\r\nThis is based on the recent security vulnerabilities that impacted all three popular JS package managers (npm, yarn and pnpm) due to their filesystem operations when packages with executables defined are installed. Full story for reference: https://snyk.io/blog/understanding-filesystem-takeover-vulnerabilities-in-npm-javascript-package-manager/",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/packman/issues/19",
@@ -18356,6 +18982,7 @@
"node_id": "MDU6SXNzdWU1NjQ3MjM0ODA=",
"title": "Suggestion: adding lockfile and security related to it",
"body": "Due to recent research I published with regards to [lockfile security](https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/) - I'd be happy if we also cover lockfiles as a general use-case, but also the traits of lockfiles, such as whether they are tracked for direct or all dependencies, do they include signatures or checksums and so on.",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/packman/issues/20",
@@ -18382,6 +19009,7 @@
"node_id": "MDU6SXNzdWU1NzAyNTE5OTk=",
"title": "Operating System package Managers",
"body": "I think OS packager managers are a major blind spot and I have done extensive research on many of them and their various ranking in this system.\r\n\r\nWould there be interest in me contributing my research on the security of brew, pacman, apt, yum, etc?",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/packman/issues/21",
@@ -18408,6 +19036,7 @@
"node_id": "MDU6SXNzdWU2MDE5ODg0MTY=",
"title": "Update Python for recent and upcoming PyPI changes",
"body": "Is this effort still active? I can't see much mention of it or activity around it apart from this repository and the original blog post announcement.\r\n\r\n[PyPI Now Supports Two-Factor Login via WebAuthn](http://pyfound.blogspot.com/2019/06/pypi-now-supports-two-factor-login-via.html) and [API tokens for uploads](http://pyfound.blogspot.com/2020/01/start-using-2fa-and-api-tokens-on-pypi.html), I'd be happy to write up a Packman page for Python/PyPI.\r\n",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/packman/issues/22",
@@ -18434,6 +19063,7 @@
"node_id": "MDU6SXNzdWU4MTkxMzcxODE=",
"title": "Corrections / Clarifications about Swift Package Manager",
"body": "Thank you for putting together this resource. For the past year, I've been working on a proposal to add a [registry to Swift Package Manager](https://github.com/apple/swift-evolution/blob/main/proposals/0292-package-registry-service.md), and I found the information in this project helpful as I considered how that should work.\r\n\r\nI'm happy to report that the new registry interface promises to substantially improve the security and reliability story for Swift Package Manager (both immediately, and in follow-up proposals building on top of the original). \r\n\r\nIn the meantime, I wanted to contribute to this project by offering corrections or clarifications to some details in the current report:\r\n\r\n* * *\r\n\r\n> ### Security Contacts and Process\r\n>\r\n> To satisfy this requirement, the package manager must have a way to receive security information from the community and a process for handling such feedback. A published email such as security@, together with a mechanism to ensure that the feedback is captured and responded to would satisfy this requirement.\r\n\r\nThe majority of Swift packages (>99.9%) are hosted on GitHub. Some packages define a security policy on GitHub (for example, see [@Flight-School/Money](https://github.com/Flight-School/Money/security/policy)). \r\n\r\nThis is currently listed as **No**. If we follow the same criteria as we do for MFA, should this be updated to **Optional** with a comment? \r\n\r\n* * *\r\n\r\n> ### Code Signing\r\n>\r\n> It should be possible for developers to sign their code. When they do, the package manager should verify the signatures and provide a way for those to be distributed to consumers of the package.\r\n\r\n\r\nSwift Package Manager has built-in support for [code-signed binary artifacts](https://github.com/apple/swift-evolution/blob/master/proposals/0272-swiftpm-binary-dependencies.md#binary-signatures). \r\n\r\nThis is currently listed as **No**. Should this be updated to **Partial** with a comment?\r\n\r\n* * *\r\n\r\n> ### Package Manager Does Not Run Code\r\n>\r\n> The package manager should not run code on package install.\r\n\r\nIn fact, Swift Package Manager _does_ evaluate package manifests. On macOS, it's run through a sandboxed process (`sandbox-exec`) to mitigate the effects of arbitrary code execution (see https://github.com/apple/swift-package-manager/blob/4bef41f12f082d55a4cb979a489379bfcf69f0c7/Sources/PackageLoading/ManifestLoader.swift#L776). \r\n\r\nThis is currently listed as **Yes** (that is, it doesn't run code). Should this entry be updated to **No** or something else?\r\n\r\n* * *\r\n\r\n> ### Integrity verification\r\n> \r\n> Package manager provides a method for verifying the integrity of the downloaded package.\r\n>\r\n> None - no integrity verification is done Partial - integrity verification is done using a weak method* Yes - Verification is done using a sufficiently secure method\r\n\r\nIntegrity verification is offered for [binary artifacts](https://github.com/apple/swift-evolution/blob/master/proposals/0272-swiftpm-binary-dependencies.md#checksum-computation), using SHA256. Conventional, source-based dependencies don't currently offer any integrity verification functionality. \r\n\r\nThis isn't currently listed for Swift Package Manager. Should this entry be set to **No**, **Partial**, or something else?",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/packman/issues/23",
@@ -18456,10 +19086,11 @@
"pk": 647,
"fields": {
"nest_created_at": "2024-09-11T21:08:37.437Z",
- "nest_updated_at": "2024-09-11T21:08:37.437Z",
+ "nest_updated_at": "2024-09-13T16:10:29.385Z",
"node_id": "I_kwDOCsQxbc5VqGws",
"title": "Track if a published version can be deleted",
"body": "Very useful project. Thank you.\r\n\r\nThere was a twitter thread a few months ago, around the time of [this incident](https://twitter.com/balloob/status/1545510244381446144).\r\n\r\n\"which package ecosystems protect downstream libs/apps from a published version of an upstream lib being deleted\"\r\nhttps://twitter.com/mrinal/status/1546250871784108033\r\n\r\nThe thread captured, state of this for:\r\n\r\n- Rust https://twitter.com/mrinal/status/1546250872711024641\r\n- JS https://twitter.com/mrinal/status/1546250873851875329\r\n- Go https://twitter.com/mrinal/status/1546250874908921858\r\n- Erlang/Elixir https://twitter.com/mrinal/status/1546250875961675776\r\n- Java / Scala/ other JVM https://twitter.com/mrinal/status/1546250876997685249\r\n- Ruby https://twitter.com/mrinal/status/1546250878008537089\r\n- Swift https://twitter.com/mrinal/status/1546250878977380353\r\n- Python https://twitter.com/mrinal/status/1546250879853928448\r\n- Github Packages https://twitter.com/mrinal/status/1546265142580547584\r\n- Docker Hub https://twitter.com/mrinal/status/1546266861989351424\r\n\r\nI [wished at the time](https://twitter.com/mrinal/status/1546270715334180866) for something like packman and today someone pointed me packman :)\r\n\r\nIf there is interest in tracking this aspect, I'd be happy to send pull request.\r\n",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/packman/issues/24",
@@ -18482,10 +19113,11 @@
"pk": 648,
"fields": {
"nest_created_at": "2024-09-11T21:08:53.173Z",
- "nest_updated_at": "2024-09-11T21:08:53.173Z",
+ "nest_updated_at": "2024-09-13T04:19:24.722Z",
"node_id": "MDU6SXNzdWU1NzQyMjQ5MTI=",
"title": "Make hook feature for report",
"body": "Dot env for send data:\r\n`hook=\"URL$text\"`",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/D4N155/issues/11",
@@ -18514,6 +19146,7 @@
"node_id": "MDU6SXNzdWU2OTE2MTQ1MzM=",
"title": "Não está salvando a lista de textos estaticos apartir da forma interativa",
"body": "Bct q ódio, resolver esse B.O né",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/D4N155/issues/17",
@@ -18536,10 +19169,11 @@
"pk": 650,
"fields": {
"nest_created_at": "2024-09-11T21:09:12.077Z",
- "nest_updated_at": "2024-09-11T21:09:12.077Z",
+ "nest_updated_at": "2024-09-13T16:10:49.058Z",
"node_id": "MDU6SXNzdWU2Njg2ODQ3OTY=",
"title": "Link to OWASP project page gives 404",
"body": "It's shown in github's main page: https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Application\r\nThanks",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/Vulnerable-Web-Application/issues/4",
@@ -18566,6 +19200,7 @@
"node_id": "MDU6SXNzdWU4NTUzNDEzMTE=",
"title": "mysqli_error()",
"body": "https://github.com/OWASP/Vulnerable-Web-Application/blob/c0f2689f4adc3dab4e310a4c709bbee9386c6b02/SQL/sql3.php#L43\r\nshould be mysqli_error()",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/Vulnerable-Web-Application/issues/8",
@@ -18592,6 +19227,7 @@
"node_id": "MDU6SXNzdWU2MDYxODk1MTY=",
"title": "Maintain and develop new test cases for Cloud Testing guide",
"body": "Hi everyone,\r\n\r\nI have seen this repo not update anymore from Nov 29, 2019. I have some question below:\r\n\r\n- How can I contribute for this repo?\r\n- Where I will find a template for test cases?\r\n- I think *Cloud Security Testing Guide* is better than this name now\r\n\r\nThank for your response.",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/owasp-cstg/issues/3",
@@ -18614,10 +19250,11 @@
"pk": 653,
"fields": {
"nest_created_at": "2024-09-11T21:09:26.043Z",
- "nest_updated_at": "2024-09-11T21:09:26.043Z",
+ "nest_updated_at": "2024-09-13T16:10:58.503Z",
"node_id": "I_kwDOClJnec5DVrCk",
"title": "Project Development",
"body": "**What would you like added?**\r\nThis is 2 years from the last Project update. Seem like this project is not developed anymore. So please assign me to join as a leader and contribute for this one. \r\n\r\nWould you like to be assigned to this issue?\r\n- [x] Assign me, please!\r\n",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/owasp-cstg/issues/6",
@@ -18642,10 +19279,11 @@
"pk": 654,
"fields": {
"nest_created_at": "2024-09-11T21:09:35.034Z",
- "nest_updated_at": "2024-09-11T21:09:35.034Z",
+ "nest_updated_at": "2024-09-13T16:11:05.605Z",
"node_id": "MDU6SXNzdWU2MTkzMTkwMDM=",
"title": "Update Contribution Guidelines",
"body": "Enhance the 'CONTRIBUTING.md' doc with more details",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/Intelligent-Intrusion-Detection-System/issues/7",
@@ -18677,6 +19315,7 @@
"node_id": "MDU6SXNzdWU2MTkzMjA2NjQ=",
"title": "Add coding guidelines doc",
"body": "Add a document describing the coding guidelines and standards that the developers of this project should follow",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/Intelligent-Intrusion-Detection-System/issues/8",
@@ -18708,6 +19347,7 @@
"node_id": "MDU6SXNzdWU2NTgzNzE3OTE=",
"title": "Add a Feature Extractor for input Pcap files",
"body": "A Feature Extractor, which would extract all the necessary features from the Input Pcap file and save it in a csv format.\r\nThe list of features could be found [here ](https://kdd.ics.uci.edu/databases/kddcup99/task.html)\r\n\r\nFor reference, Check this [Repo](https://github.com/nrajasin/Network-intrusion-dataset-creator)",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/Intelligent-Intrusion-Detection-System/issues/14",
@@ -18734,6 +19374,7 @@
"node_id": "MDU6SXNzdWU4MjA5NDc3MDY=",
"title": "Wiki page have some bugs",
"body": "**Describe the bug**\r\nThe view of the wiki page is broken. The HTML tags are visible rather than the sentence also the image is also giving a 404 error. Also, the resources which are provided are repeating also all the links are broken and pointing to just the home of the Github repo.\r\n\r\n**To Reproduce**\r\nSteps to reproduce the behavior:\r\n1. We just have to simply modify the wiki page on GitHub.\r\n\r\n**Expected behavior**\r\nThe page should not contain HTML tags and the image should be visible.\r\n\r\n**Screenshots**\r\n\r\n\r\n\r\n\r\n**Desktop (please complete the following information):**\r\n - OS: Ubuntu 18.04\r\n - Browser: Chrome\r\n\r\n**Additional context**\r\n@hardlyhuman I would like to fix it, also will you please give some details on the image that has to be there.\r\nThanks\r\n",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/Intelligent-Intrusion-Detection-System/issues/24",
@@ -18760,6 +19401,7 @@
"node_id": "MDU6SXNzdWU4MzA4NzQyNTE=",
"title": "requirements.txt Not Present",
"body": "Django CI/build is failing as there is no **requirements.txt** file. ",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/Intelligent-Intrusion-Detection-System/issues/26",
@@ -18782,10 +19424,11 @@
"pk": 659,
"fields": {
"nest_created_at": "2024-09-11T21:09:45.435Z",
- "nest_updated_at": "2024-09-11T21:09:45.436Z",
+ "nest_updated_at": "2024-09-13T16:11:10.336Z",
"node_id": "MDU6SXNzdWU0MTM5MzE3NjQ=",
"title": "Add Secure-Header-Checker tool written in python",
"body": "Hi, Can I make PR that contain Secure-Header-Checker tool written in python for this project?",
+ "summary": "",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/Secure-Headers/issues/1",
@@ -18812,6 +19455,7 @@
"node_id": "MDU6SXNzdWU0NjQ3Mzk0NTI=",
"title": "Information about tools and payloads",
"body": "Hi, team! Thanks for the great project. I think it would be useful to add more information about different tools that can be used to test an application and detect security issues. For example, Arachni, ZAP, Burp Suite, .etc. One more thing that would be useful for application developers, QA engineers, security experts - links or examples of possible payloads that can be used to test an application API. There is a cool repository, called PayloadAllTheThings that contains a lot of payload examples to use during a security testing process. I can provide more information about tools and useful sources if it needed.\r\n\r\nBest regards,\r\nIhor",
+ "summary": "The issue suggests enhancing the project by including more information on various tools for application testing and security issue detection, such as Arachni, ZAP, and Burp Suite. Additionally, it proposes adding links or examples of potential payloads for API testing, referencing the \"PayloadAllTheThings\" repository as a valuable resource. The author is open to providing further information about tools and sources if required. \n\nTo address this issue, consider compiling a list of recommended tools and payloads along with relevant documentation or examples.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/API-Security/issues/17",
@@ -18842,6 +19486,7 @@
"node_id": "MDU6SXNzdWU0OTY2ODQ0OTc=",
"title": "Translation es ",
"body": "Hi, I found this resources super helpful and I would like non-english speakers to be able to benefit from this as well. \r\n\r\nDo you have translation projects or do you accept translation PRs? \r\nI see the sources are in `2019/en`, so I guess I could create a `2019/es` for a Spanish translation to work in. \r\n\r\nWould that be something you'd want/like? I'm willing to make the Spanish translation, but let me know if there is an established way to contribute on this matter (maybe there is a separated repo for translations or you already have a Spanish version that I couldn't find. ",
+ "summary": "A user has expressed interest in translating resources into Spanish to make them accessible for non-English speakers. They are inquiring whether there are existing translation projects or if translation pull requests (PRs) are accepted. The user proposes creating a `2019/es` folder for the Spanish translation and is willing to contribute. Clarification is sought on how to proceed with this contribution, including any established protocols or existing resources. \n\nTo address this, it would be beneficial to provide information on the translation process, any existing repositories for translations, or confirmation if a Spanish version is already available.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/API-Security/issues/22",
@@ -18874,6 +19519,7 @@
"node_id": "MDU6SXNzdWU2Nzg3MDkzODk=",
"title": "Translation German",
"body": "Hey!\r\n\r\nI really appreciate your efforts and think this projects should be translated into as many languages as possible.\r\nI'd like to provide a translation into german.\r\n\r\nCheers,\r\nch4rl353y",
+ "summary": "A user has expressed appreciation for the project's efforts and is interested in contributing by providing a German translation. It may be beneficial to outline the process for submitting translations and any specific guidelines that should be followed.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/API-Security/issues/36",
@@ -18905,6 +19551,7 @@
"node_id": "MDU6SXNzdWU5MzQ4NjU0NDE=",
"title": "Translation Dutch",
"body": "Hi everybody,\r\n\r\nWe want to translate API-Security to the Dutch language, any contributors are welcome!",
+ "summary": "The issue discusses the need for translating the API-Security documentation into Dutch and invites contributors to assist with this task. If interested, potential contributors should offer their help in the translation process.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/API-Security/issues/44",
@@ -18936,6 +19583,7 @@
"node_id": "I_kwDOCdd2e85AjLIG",
"title": "Translation Chinese",
"body": "Hi Team, \r\n\r\nGlad to see this project, I am an engineer in this area, I could contribute to the Chinese version.\r\n\r\n\r\n\r\n",
+ "summary": "A user is expressing interest in contributing to the project by providing a Chinese translation. It would be beneficial to coordinate with this individual to facilitate the translation process and integrate their contributions effectively.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/API-Security/issues/46",
@@ -18967,6 +19615,7 @@
"node_id": "I_kwDOCdd2e85PJnlO",
"title": "Turkish Translation",
"body": "Hey!\r\n\r\nFirst of all thanks for this outstanding repository about API security.\r\nI would be happy to contribute to the translation of this repository into **Turkish**.\r\n\r\n\r\n",
+ "summary": "A user has expressed interest in contributing to the translation of the repository into Turkish. To move forward, it would be beneficial to establish a process for managing translations and possibly provide guidelines for contributors.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/API-Security/issues/58",
@@ -18998,6 +19647,7 @@
"node_id": "I_kwDOCdd2e85aRUqH",
"title": "Hindi Translation",
"body": "Hey there,\r\nMore than happy to do translation in hindi. I'm developer from India",
+ "summary": "A user has expressed their willingness to contribute by providing Hindi translations for the project. It may be beneficial to coordinate with them to outline specific areas or content that require translation.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/API-Security/issues/59",
@@ -19029,6 +19679,7 @@
"node_id": "I_kwDOCdd2e85glIOu",
"title": "Odata with EF and .Net core Security risks with Front End queries through web components",
"body": "A demo would be good to show Odata with EF and .Net core Security risks while we query using expression trees that hold any query.'\r\nWould the security be compromised at some point in operation?",
+ "summary": "The issue discusses potential security risks associated with using OData with Entity Framework in a .NET Core application, particularly when handling front-end queries through web components. The author suggests that a demonstration would be beneficial to illustrate these risks, especially in the context of expression trees that can represent any query. The main concern is whether the security of the application could be compromised during operations involving these queries. It may be necessary to explore and implement security measures to mitigate these risks.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/API-Security/issues/99",
@@ -19055,6 +19706,7 @@
"node_id": "I_kwDOCdd2e85x6X4h",
"title": "Contradictory risk classification for \"Unsafe Consumption of APIs\"",
"body": "The *Exploitability* of [API10:2023][1] is graded with the highest rating of `easy`.\r\nAt the same time, the corresponding textual explanation actually tells the opposite, that exploitation of this should be rather hard:\r\n\r\n```\r\nExploiting this issue requires attackers to identify and potentially compromise other APIs/services the target API integrated with. Usually, this information is not publicly available or the integrated API/service is not easily exploitable.\r\n```\r\n\r\n[1]: https://owasp.org/API-Security/editions/2023/en/0xaa-unsafe-consumption-of-apis/",
+ "summary": "There is a contradiction in the risk classification for \"Unsafe Consumption of APIs\" where the exploitability is rated as `easy`, while the explanation suggests that exploitation is actually difficult due to the need for attackers to identify and compromise other integrated APIs/services, which are typically not publicly accessible or easily exploitable. \n\nTo resolve this issue, a review of the exploitability rating and the accompanying explanation is needed to ensure they align accurately.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/API-Security/issues/123",
@@ -19070,8 +19722,8 @@
"repository": 1067,
"assignees": [],
"labels": [
- 159,
- 160
+ 160,
+ 159
]
}
},
@@ -19084,6 +19736,7 @@
"node_id": "I_kwDOCdd2e85yAnUc",
"title": "Persian Translation for 2023",
"body": "Hi Guys\r\nI could contribute to translate the API TOP10 2023RC to Farsi/Persian & would want to know your opinion on this matter. We did the Persian translation for 2019 version as well.\r\n@PauloASilva \r\n",
+ "summary": "A request has been made to contribute a Persian translation for the API TOP10 2023RC, building on a previous translation effort for the 2019 version. Feedback and opinions on this contribution are being sought. It would be beneficial to assess the feasibility and scope of this translation project.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/API-Security/issues/124",
@@ -19101,8 +19754,8 @@
298
],
"labels": [
- 156,
- 160
+ 160,
+ 156
]
}
},
@@ -19115,6 +19768,7 @@
"node_id": "I_kwDOCdd2e856DNXN",
"title": "Translation to Portuguese (pt-PT) for 2023 version",
"body": "Hello,\r\nI want to help with the translation to Portuguese (pt-PT) for 2023 version.\r\nI've followed the instructions detailed here: [https://github.com/OWASP/API-Security/issues/124#issuecomment-1737308376](https://github.com/OWASP/API-Security/issues/124#issuecomment-1737308376)\r\nAnd I'm working on the translation here: [https://github.com/RiuSalvi/API-Security/tree/translation/pt-pt](https://github.com/RiuSalvi/API-Security/tree/translation/pt-pt)\r\n\r\nBest regards,\r\nRui Silva",
+ "summary": "The issue discusses the intention to assist with the translation of the 2023 version into Portuguese (pt-PT). The contributor has followed the provided instructions and is currently working on the translation in a designated repository. To progress, further collaboration or review of the translation work may be needed.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/API-Security/issues/127",
@@ -19132,8 +19786,8 @@
299
],
"labels": [
- 156,
- 160
+ 160,
+ 156
]
}
},
@@ -19146,6 +19800,7 @@
"node_id": "I_kwDOCdd2e86Eehb0",
"title": "Translation to brasilian portuguese (pt-BR)",
"body": "Hi Guys\r\nI could contribute to translate the API TOP10 2023 to Brasilian Portuguese (pt-BR). \r\n\r\nRegards,\r\nLuca Regne",
+ "summary": "A user has expressed willingness to contribute by translating the API TOP10 2023 to Brazilian Portuguese (pt-BR). It may be useful to review the translation process and guidelines to facilitate this contribution.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/API-Security/issues/131",
@@ -19161,8 +19816,8 @@
"repository": 1067,
"assignees": [],
"labels": [
- 156,
- 160
+ 160,
+ 156
]
}
},
@@ -19171,10 +19826,11 @@
"pk": 672,
"fields": {
"nest_created_at": "2024-09-11T21:10:16.989Z",
- "nest_updated_at": "2024-09-12T02:32:00.271Z",
+ "nest_updated_at": "2024-09-13T16:26:39.350Z",
"node_id": "I_kwDOCdd2e86UP58v",
"title": "Reference to OWASP Risk Rating Methodology",
"body": "https://github.com/OWASP/API-Security/blob/ef8e6b306de85950cd6df8a30671566e5bd134e3/editions/2023/en/0xd0-about-data.md?plain=1#L68C1-L68C67\r\n\r\nOWASP Risk Rating Methodology (https://owasp.org/www-community/OWASP_Risk_Rating_Methodology) references to OWASP Risk Assessment Framework (https://owasp.org/www-project-risk-assessment-framework/).\r\n\r\nProbably due to the changes on OWASP project pages.",
+ "summary": "The issue highlights the need for updated references to the OWASP Risk Rating Methodology and the OWASP Risk Assessment Framework within the provided documentation link. It suggests that changes to OWASP project pages may have affected the existing links. To resolve this, the documentation should be reviewed and corrected to ensure accurate and current references are provided.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/API-Security/issues/133",
@@ -19201,6 +19857,7 @@
"node_id": "MDU6SXNzdWU4MTI2NTEzNDc=",
"title": "New CS proposal: React Security CheatSheet",
"body": "## What is the proposed Cheat Sheet about?\r\nBuilding secure React applications by avoiding common vulnerabilities.\r\n\r\n## What security issues are commonly encountered related to this area?\r\nCWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\r\nCWE-602: Client-Side Enforcement of Server-Side Security\r\nCWE-603: Use of Client-Side Authentication\r\nCWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\r\nCWE-89: Improper Neutralization of Special Elements used in an SQL Command\r\nCWE-94: Improper Control of Generation of Code ('Code Injection')\r\n\r\n## What is the objective of the Cheat Sheet?\r\nExamples of vulnerable code and how to fix it. \r\n\r\n## What other resources exist in this area?\r\nI've written about this topic, and made videos related to it in the past. I want to make some new content that goes deeper and broader here.\r\n\r\nhttps://www.youtube.com/watch?v=VtNotePFuJY\r\nhttps://snyk.io/blog/10-react-security-best-practices/\r\nhttps://medium.com/javascript-security/avoiding-xss-in-react-is-still-hard-d2b5c7ad9412\r\nhttps://medium.com/javascript-security/avoiding-xss-via-markdown-in-react-91665479900\r\nhttps://www.synopsys.com/software-integrity/training/software-security-courses/react-js-security.html",
+ "summary": "A new proposal has been made for a React Security Cheat Sheet aimed at helping developers build secure React applications by addressing common vulnerabilities. Key issues identified include cross-site scripting (CWE-79), client-side security enforcement (CWE-602), client-side authentication (CWE-603), path traversal (CWE-22), SQL command vulnerabilities (CWE-89), and code injection (CWE-94). The objective is to provide examples of vulnerable code alongside solutions for fixing these issues. The proposal also references existing resources and content that delve into these security topics. To move forward, it would be beneficial to compile and organize these examples and solutions into a comprehensive guide.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/CheatSheetSeries/issues/543",
@@ -19232,6 +19889,7 @@
"node_id": "MDU6SXNzdWU4NjY5Mjk3Nzk=",
"title": "Update: Vulnerable Dependency Management Cheat Sheet with Dependency Confusion",
"body": "## What is missing or needs to be updated?\r\n\r\nI have found this [post](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610) about *Dependency Confusion* attack and I think that it can be interesting to add a section about protection against this attack in the [Vulnerable Dependency Management Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.md).\r\n\r\n## How should this be resolved?\r\n\r\nI propose to add a small section showing some protection that can applied.\r\n\r\nThanks a lot in advance and also thanks a lot for your amazing work on this project ❤️ \r\n",
+ "summary": "The issue suggests adding a section on \"Dependency Confusion\" attacks to the Vulnerable Dependency Management Cheat Sheet. It references a blog post that provides insights on this topic and proposes including protective measures against such attacks. An update should be made to the cheat sheet to incorporate this information.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/CheatSheetSeries/issues/641",
@@ -19263,6 +19921,7 @@
"node_id": "MDU6SXNzdWU5MjY0MTcwMTM=",
"title": "Update: [Multifactor Authentication Cheat Sheet]: Further info about TOTP secret-key storage",
"body": "## What is missing or needs to be updated?\r\nThere is no info about the proper way to store users' secrets for TOTP MFA. Should these secrets be stored in plaintext or be 2-way encrypted? If encrypted should it use a dedicated key on the server or use something like the user's password or email address or username?\r\n\r\n## How should this be resolved?\r\nA brief subsection or bullet point, or perhaps a link to a separate cheat-sheet, describing the industry-standard (if such exists) for how to store the users' secret-keys for TOTP authentication. Or at least a line saying whether these secrets need to be encrypted or not.\r\n\r\nI don't know the answer to the above question, so I won't propose any text.",
+ "summary": "The issue highlights the absence of guidance on the proper storage methods for users' secrets related to TOTP MFA. Specifically, it questions whether these secrets should be stored in plaintext or encrypted, and if encrypted, what key should be used for encryption. \n\nTo resolve this, it is suggested to add a subsection or bullet point to the cheat sheet that outlines the industry standards for storing TOTP secret keys, including recommendations on encryption practices. If no definitive answer exists, at minimum, a statement regarding the necessity of encryption should be included.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/CheatSheetSeries/issues/678",
@@ -19293,6 +19952,7 @@
"node_id": "I_kwDOCbL1IM5C5qWm",
"title": "Update: Secrets_Management_CheatSheet.",
"body": "## What is missing or needs to be updated?\r\n\r\nThe following tasks require to be executed post-mvp of the cheatsheet as agreed with various team-members:\r\n\r\n- [ ] Further extend and re-evaluate the concepts of https://github.com/OWASP/CheatSheetSeries/pull/842\r\n- [ ] show more how you can create an architecture that allows for rotation in examples (so not just tell, but show examples)\r\n- [ ] show how passwordless (openID connect) can help, but tokens need security as well (might be a cheatsheet for to refer to?)\r\n- [ ] The ease of onboarding needs to be further expanded as explained by @dominikdesmit https://owasp.slack.com/archives/C02LSHXKVU5/p1643453874955679?thread_ts=1643442691.915449&cid=C02LSHXKVU5\r\n\r\n\r\n\r\nPlease note that I only file this issue for tracking as requested by multiple team-members for now, but will not have the time to pick this up timely myself.",
+ "summary": "The issue outlines several tasks that need to be addressed for the Secrets Management CheatSheet after the MVP phase. The tasks include:\n\n- Extending and re-evaluating concepts from a specific pull request.\n- Providing examples of architecture that facilitates rotation.\n- Demonstrating how passwordless authentication (like OpenID Connect) can enhance security, while also addressing token security.\n- Expanding on the ease of onboarding, as discussed by a team member.\n\nThis issue serves as a tracking mechanism for these updates, indicating that further contributions are needed from the team to progress on these items.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/CheatSheetSeries/issues/845",
@@ -19323,6 +19983,7 @@
"node_id": "I_kwDOCbL1IM5FfdWK",
"title": "New Security with CORS CS ",
"body": "## What is missing or needs to be updated?\r\nThe [HTML5 security cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html) currently says\r\n\r\n> Keep in mind that CORS does not prevent the requested data from going to an unauthorized location. It's still important for the server to perform usual [CSRF](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) prevention.\r\n\r\nIt is absolutely true that CSRF protection is required for CORS, but it's a little imprecise. Specifically, the [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#cross-site-request-forgery-prevention-cheat-sheet) lists the double-submit cookie as the first line of defense, but that pattern is not possible in a CORS environment. (Unless the Origin and request domains happen to be subdomains of a shared parent on which the cookie could be set.)\r\n\r\n## How should this be resolved?\r\n\r\nI suggest clarifying -- in either or both of the cheat sheets -- which CSRF protection mechanisms are best suited to CORS environments.\r\n\r\nMixMax's [Using CORS policies to implement CSRF protection](https://www.mixmax.com/engineering/modern-csrf) has some additional information on using Origin verification to protect against CSRF attacks on CORS requests.",
+ "summary": "The issue highlights a gap in the current HTML5 security cheat sheet regarding the relationship between CORS and CSRF protection. It points out that while CSRF protection is necessary in CORS scenarios, the existing guidance may not adequately address the limitations of the double-submit cookie technique in such environments. The author suggests that the cheat sheets should clarify which CSRF protection mechanisms are most effective for CORS and references additional resources for further information on this topic. \n\nTo resolve this, it would be beneficial to update the cheat sheets to include guidance on appropriate CSRF protection strategies specifically tailored for CORS contexts.",
"state": "open",
"state_reason": "",
"url": "https://github.com/OWASP/CheatSheetSeries/issues/875",
@@ -19353,6 +20014,7 @@
"node_id": "I_kwDOCbL1IM5Ww4_8",
"title": "Update: Cross-Site Request Forgery Prevention Cheat Sheet",
"body": "## What is missing or needs to be updated?\r\n\r\nCross-Site Request Forgery attacks occur because untrusted browser code can cause requests to be sent to a vulnerable server that are \"special\" in a way that the attacker could not send from their own machines. Typically this \"special\"-ness is that they contain cookies from a targeted user's browser. Less commonly, this could mean they contain basic auth credentials or that the server makes authorization assumptions based on the client's network (eg, explicitly looking at the client's IP address to make decisions, or by putting the server on a private network and assuming that any client talking to this server is authorized).\r\n\r\nThe mitigations discussed in the cheat sheet all assume that these \"special\" request qualities must exist in your system. However, an entirely different approach to solving CSRF is to avoid giving special treatment based on cookies, basic auth, and network properties. This approach may be appropriate for web servers that are primarily serving \"API-style\" traffic and which websites only communicate with via AJAX-style calls.\r\n\r\nFor example, a server that makes authentication decisions only based on a custom HTTP header (perhaps set from a value stored in browser `localStorage`) or a value in the body of a POST and not on cookies or network should be considered successfully defended against CSRF. Developers who have built servers with this property should not feel like they need to also set up token-based mitigation or (if #1010 is accepted) header-based mitigation.\r\n\r\n\r\n## How should this be resolved?\r\n\r\nA new top-level section should be added describing \"don't care about cookies/etc\" as an appropriate mitigation technique, with the drawback that it is not helpful if you need your endpoint to be accessible via HTML `