
Primary language: C#. License: MIT.

SARIF Taxonomies

This repo stores SARIF taxonomies: external classification schemes such as CWE, OWASP Top 10, NIST SP 800-53, PCI DSS and WASC, encoded as SARIF 2.1.0 taxonomy components (a `toolComponent` whose `taxa` array lists the scheme's entries) so that analysis tools can reference them from their rules and results.

Data Source

| Taxonomy | Version | Source File | SARIF File |
|---|---|---|---|
| CWE | v4.3 | link | CWE_v4.3.sarif |
| CWE | v4.4 | link | CWE_v4.4.sarif |
| CWE | v4.5 | link | CWE_v4.5.sarif |
| CWE | v4.6 | link | CWE_v4.6.sarif |
| CWE | v4.7 | link | CWE_v4.7.sarif |
| CWE | v4.8 | link | CWE_v4.8.sarif |
| CWE Seven Pernicious Kingdoms (7PK) | v4.5 | link | CWE_7PK_v4.5.sarif |
| CWE Top 25 | 2019 | link | CWE_Top25_v2019.sarif |
| CWE Top 25 | 2020 | link | CWE_Top25_v2020.sarif |
| DISA CCI | v2 | link | DISA_CCI_v2.sarif |
| NIST SP800-53 | v4 | link | NIST_SP800-53_v4.sarif |
| NIST SP800-53 | v5 | link | NIST_SP800-53_v5.sarif |
| NIST SP800-63B | v1 | link | NIST_SP800-63B_v1.sarif |
| OWASP ASVS | v4.0.2 | link | OWASP_ASVS_v4.0.2.sarif |
| OWASP Mobile Top 10 | v2014 | link | OWASP_MobileTop10_v2014.sarif |
| OWASP Mobile Top 10 | v2016 | link | OWASP_MobileTop10_v2016.sarif |
| OWASP Top 10 | v2004 | link | OWASP_Top10_v2004.sarif |
| OWASP Top 10 | v2007 | link | OWASP_Top10_v2007.sarif |
| OWASP Top 10 | v2010 | link | OWASP_Top10_v2010.sarif |
| OWASP Top 10 | v2013 | link | OWASP_Top10_v2013.sarif |
| OWASP Top 10 | v2017 | link | OWASP_Top10_v2017.sarif |
| PCI SSF | V1.1 | link | PCI_SSF_V1.1.sarif |
| PCI DSS | V3.2.1 | link | PCI_DSS_V3.2.1.sarif |
| PCI DSS | V3.2 | link | PCI_DSS_V3.2.sarif |
| PCI DSS | V3.1 | link | PCI_DSS_V3.1.sarif |
| PCI DSS | V3.0 | link | PCI_DSS_V3.0.sarif |
| PCI DSS | V1.2 | link | PCI_DSS_V1.2.sarif |
| PCI DSS | V1.1 | link | PCI_DSS_V1.1.sarif |
| WASC | v1.0.0 | link | WASC_1.00.sarif |
| WASC | v2.0.0 | link | WASC_2.00.sarif |

Tool Usage

Download each source file from its official website using the links in the Data Source section above, and unzip it if it arrives as an archive. Then run the generator for that taxonomy with the matching parameters; samples for every supported taxonomy follow. Note that `--source-file-path` accepts a local file, a local folder or a URL depending on the taxonomy, as the samples show.

Generate CWE Sarif file

generate-cwe --type comprehensive --source-file-path "cwec_v4.4.xml" --target-file-path "CWE_v4.4.sarif" --version "4.4"

Generate CWE Seven Pernicious Kingdoms (7PK) Sarif file

generate-cwe --type 7pk --source-file-path "700.xml" --target-file-path "CWE_7PK_v4.5.sarif" --version "4.5"

Generate CWE Top 25 Sarif file

generate-cwe --type top25 --source-file-path "1350.xml" --target-file-path "CWE_Top25_v2020.sarif" --version "2020"

Generate DISA CCI Sarif file

generate-disa --type cci --source-file-path "U_CCI_List.xml" --target-file-path "DISA_CCI_v2.sarif" --version "2"

Generate OWASP ASVS Sarif file

generate-owasp --type asvs --source-file-path "OWASP Application Security Verification Standard 4.0.2-en.csv" --target-file-path "OWASP_ASVS_v4.0.2.sarif" --version "4.0.2"

Generate OWASP Mobile Top 10 Sarif file

generate-owasp --type mobiletop10 --source-file-path "\www-project-mobile-top-10-master\2014-risks" --target-file-path "OWASP_MobileTop10_v2014.sarif" --version "2014"

Generate OWASP Top 10 Sarif file

generate-owasp --type top10 --source-file-path "https://raw.githubusercontent.com/owasp-top/owasp-top-2004/master/README.md" --target-file-path "OWASP_Top10_v2004.sarif" --version "2004"

Generate NIST SP800-53 Sarif file

generate-nist --type sp80053 --source-file-path "sp800-53r5-control-catalog.csv" --target-file-path "NIST_SP800-53_v5.sarif" --version "5"

Generate NIST SP800-63B Sarif file

generate-nist --type sp80063b --source-folder-path "800-63-3-nist-pages\sp800-63b" --target-file-path "NIST_SP800-63B_v1.sarif" --version "1"

Generate PCI SSF 1.1 Sarif file

generate-pci --type ssf --source-file-path "pci_ssf_v1.1.csv" --target-file-path "..\..\..\..\..\PCI_SSF_V1.1.sarif" --version "1.1"

Generate PCI DSS 3.2.1 Sarif file

generate-pci --type ssf --source-file-path "pci_dss_v3.2.1.csv" --target-file-path "..\..\..\..\..\PCI_DSS_V3.2.1.sarif" --version "3.2.1"

This sample, as given on the original page, passes `--type ssf` for a DSS source file; check the tool's help output for the correct `--type` value before reusing it.

Generate WASC 1.00 (WASC 24 + 2) Sarif file

generate-wasc --source-file-path "wasc_1.00.csv" --target-file-path "..\..\..\..\..\WASC_1.00.sarif" --version "1.00"

Generate WASC 2.00 Sarif file

generate-wasc --source-file-path "http://projects.webappsec.org/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View" --target-file-path "..\..\..\..\..\WASC_2.00.sarif" --version "2.00"
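The generated files are consumed by pointing a scanner's SARIF log at them: the log names the taxonomy in `tool.driver.supportedTaxonomies`, and its rules and results cite individual taxa through `reportingDescriptorReference` objects that resolve by the taxonomy's `guid`. The following is an added example, not code from this repo, showing that resolution in Python. Both SARIF documents in it are constructed to the SARIF 2.1.0 layout (`run.taxonomies` holding a `toolComponent` with `taxa`); the scanner name, rule id, taxon descriptions and GUID are hypothetical, and field names follow the SARIF specification rather than being copied from the repo's files.

```python
"""Added example (not code from the sarif-taxonomies repo): resolve a scanner log's
CWE references against a taxonomy file of the kind this repo generates.
Both SARIF documents are constructed; scanner name, rule id and GUID are hypothetical."""
import json

CWE_GUID = "11111111-2222-3333-4444-555555555555"  # hypothetical taxonomy guid

# Constructed: shape of a generated taxonomy file. A SARIF 2.1.0 taxonomy is a
# toolComponent in run.taxonomies whose `taxa` entries are reportingDescriptors.
CWE_TAXONOMY_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CWE", "version": "4.8"}},
    "taxonomies": [{"name": "CWE", "version": "4.8", "guid": CWE_GUID, "taxa": [
        {"id": "79", "name": "Improper Neutralization of Input During Web Page "
                             "Generation ('Cross-site Scripting')"},
        {"id": "89", "name": "Improper Neutralization of Special Elements used in "
                             "an SQL Command ('SQL Injection')"},
    ]}],
}]})

# Constructed: a scanner log that declares the taxonomy it uses and links one rule
# and one result to CWE-79 through reportingDescriptorReference objects.
SCAN_LOG_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {
        "name": "ExampleScanner",
        "supportedTaxonomies": [{"name": "CWE", "guid": CWE_GUID}],
        "rules": [{"id": "XSS001", "relationships": [{
            "target": {"id": "79", "toolComponent": {"name": "CWE", "guid": CWE_GUID}},
            "kinds": ["superset"],
        }]}],
    }},
    "results": [{
        "ruleId": "XSS001",
        "message": {"text": "Unescaped request parameter written to the response"},
        "taxa": [{"id": "79", "toolComponent": {"name": "CWE", "guid": CWE_GUID}}],
    }],
}]})


def load_taxonomies(*sarif_texts):
    """Index every taxonomy toolComponent in the given SARIF documents by guid."""
    index = {}
    for text in sarif_texts:
        for run in json.loads(text).get("runs", []):
            for component in run.get("taxonomies", []):
                index[component["guid"].lower()] = component
    return index


def missing_taxonomies(scan_text, taxonomies):
    """supportedTaxonomies entries whose guid no loaded file provides.
    References resolve by guid, so a mismatch here (e.g. a regenerated file with a
    new guid) means nothing below resolves even when the names line up."""
    missing = []
    for run in json.loads(scan_text).get("runs", []):
        for ref in run["tool"]["driver"].get("supportedTaxonomies", []):
            guid = ref.get("guid", "").lower()
            if guid not in taxonomies:
                missing.append((ref.get("name"), guid))
    return missing


def resolve_taxon(ref, taxonomies):
    """Resolve one reportingDescriptorReference to (taxonomy, version, taxon id, name).
    Returns None for an unknown taxonomy or taxon rather than raising, so a log that
    cites a newer CWE than the loaded file degrades to 'unresolved'."""
    component = taxonomies.get(ref.get("toolComponent", {}).get("guid", "").lower())
    if component is None:
        return None
    taxa = component.get("taxa", [])
    if "index" in ref and 0 <= ref["index"] < len(taxa):      # index wins over id
        taxon = taxa[ref["index"]]
    else:
        taxon = next((t for t in taxa if t["id"] == ref.get("id")), None)
    if taxon is None:
        return None
    return (component["name"], component.get("version"), taxon["id"], taxon["name"])


def taxa_for_results(scan_text, taxonomies):
    """[(ruleId, [resolved taxa])]: uses result.taxa, falling back to the rule's relationships."""
    rows = []
    for run in json.loads(scan_text).get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            refs = result.get("taxa") or [
                rel["target"] for rel in rules.get(result.get("ruleId"), {}).get("relationships", [])]
            resolved = [resolve_taxon(ref, taxonomies) for ref in refs]
            rows.append((result.get("ruleId"), [r for r in resolved if r is not None]))
    return rows


if __name__ == "__main__":
    taxonomies = load_taxonomies(CWE_TAXONOMY_SARIF)
    print("unresolvable taxonomies:", missing_taxonomies(SCAN_LOG_SARIF, taxonomies))
    for rule_id, taxa in taxa_for_results(SCAN_LOG_SARIF, taxonomies):
        for name, version, taxon_id, taxon_name in taxa:
            print(f"{rule_id} -> {name}-{taxon_id} ({name} {version}): {taxon_name}")
```

To use this against real output, read the generated `CWE_v4.8.sarif` (or any other file from the table) from disk and pass its text to `load_taxonomies` in place of the constructed document. The `missing_taxonomies` check is worth running first: a scanner that embeds a different `guid` than the taxonomy file you generated will resolve nothing, even though every `name` matches.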

License

Microsoft SARIF Taxonomies are licensed under the MIT license.