Skip to content

Capec scripts#2054

Closed
sydseter wants to merge 36 commits intomasterfrom
capec-scripts
Closed

Capec scripts#2054
sydseter wants to merge 36 commits intomasterfrom
capec-scripts

Conversation

@sydseter
Copy link
Collaborator

@sydseter sydseter commented Jan 21, 2026

In this pull-request:

Additional Utility Scripts

Converting CAPEC Data

The scripts/convertCAPEC.py script converts CAPEC (Common Attack Pattern Enumeration and Classification) JSON data into Markdown format for the Cornucopia website taxonomy.

python ./scripts/convertCAPEC.py --help
usage: convertCAPEC.py [-h] [-o OUTPUT_PATH] [-i INPUT_PATH] [-d]

Convert CAPEC JSON to Cornucopia format

options:
  -h, --help            show this help message and exit
  -o OUTPUT_PATH, --output-path OUTPUT_PATH
                        Path to store converted CAPEC files
  -i INPUT_PATH, --input-path INPUT_PATH
                        Path to read CAPEC JSON files from
  -d, --debug           Output additional information to debug script

Example usage:

# Convert CAPEC data using default paths
python scripts/convertCAPEC.py

# Convert with custom input and output paths
python scripts/convertCAPEC.py -i data/capec-3.9/3000.json -o cornucopia.owasp.org/data/taxonomy/en/CAPEC-3.9

# Enable debug logging
python scripts/convertCAPEC.py -d

Default paths:

  • Input: cornucopia.owasp.org/data/capec-3.9/3000.json
  • Output: cornucopia.owasp.org/data/taxonomy/en/CAPEC-3.9/
    The script creates individual Markdown files for each CAPEC attack pattern with descriptions and links to the official CAPEC database.

Converting CAPEC Mappings to ASVS Format

The scripts/convertCAPECMapToASVSMap.py script processes webapp-mappings YAML files and generates a consolidated CAPEC-to-ASVS (Application Security Verification Standard) mapping file.

python ./scripts/convertCAPECMapToASVSMap.py --help
usage: convertCAPECMapToASVSMap.py [-h] [-i INPUT_PATH] [-o OUTPUT_PATH] [-d]

Convert webapp-mappings YAML to CAPEC-to-ASVS mapping format

options:
  -h, --help            show this help message and exit
  -i INPUT_PATH, --input-path INPUT_PATH
                        Path to input webapp-mappings YAML file
  -o OUTPUT_PATH, --output-path OUTPUT_PATH
                        Path to save converted CAPEC-to-ASVS mapping YAML file
  -d, --debug           Output additional information to debug script

Example usage:

# Convert mappings using default paths
python scripts/convertCAPECMapToASVSMap.py

# Convert with custom input and output paths
python scripts/convertCAPECMapToASVSMap.py -i source/webapp-mappings-3.0.yaml -o source/webapp-capec-3.0.yaml

# Enable debug logging
python scripts/convertCAPECMapToASVSMap.py -d

Default paths:

  • Input: source/webapp-mappings-3.0.yaml
  • Output: source/webapp-capec-3.0.yaml
    The script:
  1. Reads CAPEC mappings from the suits -> cards -> capec_map structure
  2. Merges all OWASP ASVS requirements for each unique CAPEC code
  3. Outputs a unified YAML file mapping CAPEC codes to their associated ASVS requirements
    Output format:
54:
  owasp_asvs: [4.3.2, 13.2.2, 13.4.1, ...]
116:
  owasp_asvs: [13.2.2, 15.2.3, ...]

@qltysh
Copy link
Contributor

qltysh bot commented Jan 21, 2026
edited
Loading

❌ 8 blocking issues (8 total)

Tool Category Rule Count
hadolint Lint Avoid use of cache directory with pip. Use pip install \-\-no\-cache\-dir <package> 2
hadolint Lint Pin versions in pip. Instead of pip install <package> use pip install <package>==<version> or pip install \-\-requirement <requirements file> 2
actionlint Lint could not read reusable workflow file for "./.github/workflows/build-website.yaml": open /home/runner/work/cornucopia/.github/workflows/build-website.yaml: no such file or directory 2
hadolint Lint Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check 1
hadolint Lint Multiple consecutive RUN instructions. Consider consolidation. 1

qltysh[bot]
qltysh bot reviewed Jan 21, 2026
View reviewed changes
qltysh[bot]
qltysh bot reviewed Jan 21, 2026
View reviewed changes
qltysh[bot]
qltysh bot reviewed Jan 21, 2026
View reviewed changes
qltysh[bot]
qltysh bot reviewed Jan 21, 2026
View reviewed changes
qltysh[bot]
qltysh bot reviewed Jan 22, 2026
View reviewed changes
qltysh[bot]
qltysh bot reviewed Jan 22, 2026
View reviewed changes
qltysh[bot]
qltysh bot reviewed Jan 22, 2026
View reviewed changes
qltysh[bot]
qltysh bot reviewed Jan 22, 2026
View reviewed changes
qltysh[bot]
qltysh bot reviewed Jan 22, 2026
View reviewed changes
qltysh[bot]
qltysh bot reviewed Jan 22, 2026
View reviewed changes
@github-actions
Copy link
Contributor

github-actions bot commented Jan 22, 2026

Build artifacts:

Name Link
Output files cornucopia-build-files.07056bd8363e8f489be10c18a72ae27fff09c17a.zip

@github-actions
Copy link
Contributor

github-actions bot commented Jan 22, 2026

Build artifacts:

Name Link
Output files cornucopia-build-files.a68932794d3a95ac0e98185bcadb044331e905cc.zip

qltysh[bot]
qltysh bot reviewed Jan 22, 2026
View reviewed changes
@github-actions
Copy link
Contributor

github-actions bot commented Jan 22, 2026

Build artifacts:

Name Link
Output files cornucopia-build-files.ae8a3b9b57c0f91302523230b97935be4f2ef1f9.zip

@github-actions
Copy link
Contributor

github-actions bot commented Jan 22, 2026

Build artifacts:

Name Link
Output files cornucopia-build-files.51a0c2d008109c4b2fa261577ad5c1bdc23dfcd9.zip

@sydseter
Copy link
Collaborator Author

sydseter commented Jan 22, 2026

It doesn't look like I am able to fix the clusterfucker. I need to fix this separately. The fuzzing has been failing due to dependency issues for some time.

@sydseter sydseter mentioned this pull request Jan 22, 2026
Closed
@github-actions
Copy link
Contributor

github-actions bot commented Jan 22, 2026

Build artifacts:

Name Link
Output files cornucopia-build-files.6dd6588a84163771088153c07ab3ed8641bea3ce.zip

@github-actions
Copy link
Contributor

github-actions bot commented Jan 22, 2026

Build artifacts:

Name Link
Output files cornucopia-build-files.4773f159af86cae227871f75c7f8e6ed0399a7ef.zip

@github-actions
Copy link
Contributor

github-actions bot commented Jan 22, 2026

Build artifacts:

Name Link
Output files cornucopia-build-files.0b1fe3a7ddcc75bd031b1cc0df6c6b2a3f5fbbad.zip

@github-actions
Copy link
Contributor

github-actions bot commented Jan 22, 2026

Build artifacts:

Name Link
Output files cornucopia-build-files.5318f4cfb3d79ab555dc9e6af54051d6413ccc1f.zip

@github-actions
Copy link
Contributor

github-actions bot commented Jan 22, 2026

Build artifacts:

Name Link
Output files cornucopia-build-files.ad807c5b3ccee0deb8a3aaea7727e50bf477616a.zip

qltysh[bot]
qltysh bot reviewed Jan 22, 2026
View reviewed changes
.clusterfuzzlite/Dockerfile
make \
libxml2-dev \
libxslt-dev \
python3-dev \
Copy link
Contributor

@qltysh qltysh bot Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sort these package names alphanumerically. [radarlint-iac:docker:S7018]

.clusterfuzzlite/Dockerfile
RUN apt-get install -y python3-pip
RUN curl -sS https://bootstrap.pypa.io/get-pip.py | python3.10
RUN python3.10 -m pip install --upgrade wheel setuptools setuptools_scm PyInstaller==6.13.0
RUN curl -sS https://bootstrap.pypa.io/get-pip.py | python3
Copy link
Contributor

@qltysh qltysh bot Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check [hadolint:DL4006]

.clusterfuzzlite/Dockerfile
RUN curl -sS https://bootstrap.pypa.io/get-pip.py | python3.10
RUN python3.10 -m pip install --upgrade wheel setuptools setuptools_scm PyInstaller==6.13.0
RUN curl -sS https://bootstrap.pypa.io/get-pip.py | python3
RUN python3 -m pip install --upgrade wheel setuptools setuptools_scm PyInstaller==6.18.0
Copy link
Contributor

@qltysh qltysh bot Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found 3 issues:

1. Avoid use of cache directory with pip. Use pip install --no-cache-dir [hadolint:DL3042]


2. Pin versions in pip. Instead of pip install use pip install == or pip install --requirement [hadolint:DL3013]


3. Sort these package names alphanumerically. [radarlint-iac:docker:S7018]

.github/workflows/run-tests-for-patches.yaml
call-run-website-tests:
name: Build and run Website Tests
needs: hardening
uses: ./.github/workflows/build-website.yaml
Copy link
Contributor

@qltysh qltysh bot Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could not read reusable workflow file for "./.github/workflows/build-website.yaml": open /home/runner/work/cornucopia/.github/workflows/build-website.yaml: no such file or directory [actionlint:workflow-call]

.github/workflows/run-tests-for-patches.yaml
call-run-build-copi-tests:
name: Build and run COPI Tests
needs: hardening
uses: ./.github/workflows/copi-build.yaml No newline at end of file
Copy link
Contributor

@qltysh qltysh bot Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could not read reusable workflow file for "./.github/workflows/copi-build.yaml": open /home/runner/work/cornucopia/.github/workflows/copi-build.yaml: no such file or directory [actionlint:workflow-call]

Dockerfile
make
COPY --chown=builder:union requirements.txt ./
RUN pip install -r requirements.txt --require-hashes
RUN pip install pipenv
Copy link
Contributor

@qltysh qltysh bot Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found 3 issues:

1. Avoid use of cache directory with pip. Use pip install --no-cache-dir [hadolint:DL3042]


2. Pin versions in pip. Instead of pip install use pip install == or pip install --requirement [hadolint:DL3013]


3. Multiple consecutive RUN instructions. Consider consolidation. [hadolint:DL3059]

@sydseter
Copy link
Collaborator Author

sydseter commented Jan 22, 2026

superseeded by #2054

@sydseter sydseter closed this Jan 22, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Jan 22, 2026

Build artifacts:

Name Link
Output files cornucopia-build-files.a620955835bbdf261e84c2ca3f0e87549e64e68c.zip

@sydseter sydseter deleted the capec-scripts branch February 13, 2026 17:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@qltysh qltysh[bot] qltysh[bot] left review comments

@cw-owasp cw-owasp Awaiting requested review from cw-owasp cw-owasp is a code owner

@rewtd rewtd Awaiting requested review from rewtd rewtd is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sydseter