ASVS
Machine parseable format does not include informative text
The informative (not normative) descriptions are missing from the electronic formats (CSV, JSON, etc.). This omits the context for the next set of controls.
E.g. Section 1.2 has a description of the set of controls, but this is not included in the CSV, JSON output.
We want the CSV to stay strictly machine-readable requirements and do not want to add section metadata.
But we will add it to the JSON!
This would be a big change and require a significant re-work of the output scripts. As long as it is in the document style outputs, I am not sure I want the time investment required to get this into the XML, JSON and CSV formats.
@jmanico @vanderaj any major objections?
(Separately, I also think these descriptions should be cut down anyway.)
I'm learning Go. I'd like to use Go to have a shot at this for 5.0. I know Go can output the formats above, but consuming markdown tables is gonna be interesting. Give me like a month, and I'll let you know how I go. Go would not need anything other than standard libraries here, so it will likely be extremely portable to multiple platforms.
And yes, less text is good text.
If @ike can have a shot at the scripts though, that would be good.
I mean, the existing scripts are written in Python, so Go would be a bit of a departure. The nice thing about Python is that it is also pretty portable and, to be honest, given that this all happens in a Docker container, I am not sure portability even matters that much...
If you want to test out your Go, what would be really cool would be verification scripts to check various formatting but also warn when numbers of requirements change or something else changes. It would help a lot when validating translations :)
Nice. I will have a shot at that. Might need a new ticket.
#1300 and #1301 have been created.
In the meantime, if there are any Python ninjas interested in getting the asvs.py export script to also parse the text between requirements, that would be cool :)
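A sketch of what the thread asks for, added here as an illustration and not taken from the project's asvs.py: a parser that keeps the informative text found between a section heading and its requirement table, so it can be emitted in the JSON output. The Markdown layout, the sample text, and the names `parse_sections`, `HEADING` and `REQ_ROW` are assumptions made for this example.

```python
import json
import re

# Constructed sample in an assumed ASVS-like Markdown layout (not project text).
SAMPLE_MD = """\
## V1.2 Example Section

Informative text that explains the controls below.
It may span several lines.

| # | Description | L1 | L2 | L3 |
| :---: | :--- | :---: | :---: | :---: |
| **1.2.1** | Verify the first example control. | | ✓ | ✓ |
| **1.2.2** | Verify the second example control. | ✓ | ✓ | ✓ |

## V1.3 Section Without Text

| **1.3.1** | Verify the third example control. | ✓ | ✓ | ✓ |
"""

HEADING = re.compile(r"^##\s+V(\d+(?:\.\d+)*)\s+(.*)$")
REQ_ROW = re.compile(r"^\|\s*\*\*(\d+\.\d+\.\d+)\*\*\s*\|(.*)\|\s*$")


def parse_sections(markdown):
    """Return each section with its informative text and requirement rows."""
    sections = []
    for line in markdown.splitlines():
        heading, row = HEADING.match(line), REQ_ROW.match(line)
        if heading:
            sections.append({"id": heading.group(1), "name": heading.group(2).strip(),
                             "description": "", "requirements": []})
        elif not sections:
            continue  # text before the first section heading
        elif row:
            cells = [c.strip() for c in row.group(2).split("|")]
            levels = [f"L{i}" for i, c in enumerate(cells[1:4], 1) if c]
            sections[-1]["requirements"].append(
                {"id": row.group(1), "text": cells[0], "levels": levels})
        elif line.strip() and not line.lstrip().startswith("|"):
            # Non-table prose in a section is kept as its informative text.
            text = sections[-1]["description"]
            sections[-1]["description"] = (text + " " + line.strip()).strip()
    return sections


if __name__ == "__main__":
    print(json.dumps(parse_sections(SAMPLE_MD), indent=2, ensure_ascii=False))
```

The per-section `requirements` lists also give the requirement counts that a verification script could compare between a translation and the original.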