v2.1.0

Description

This release includes the new versions of the OWASP Cornucopia Website and Mobile App Editions with QR codes on each card that takes the player to http://cornucopia.owasp.org/ where they can read more about each card in the decks. This will help scale secure design and requirement gathering activities for your development teams and empower them to do application security in a more agile way.

We would like to thank dotNET lab for donating their website code for this development. Volunteer @jefmeijvis were instrumental in making the website with the help from the rest of the project team. All the source code is located in our repository, providing a way to maintain consistency by using some of the same data sources. The website's repo is at:

https://github.com/OWASP/cornucopia/tree/master/cornucopia.owasp.org

This has allowed us to add a news section, and reinstate an extended version of the Wiki Deck, originally created by former co-leader Darío De Filippis, combining information from that and new content and code kindly donated by dotNET lab. There are now fully browsable cards for both editions (Website app and Mobile app) and which can also be examined by mapping taxonomy (e.g. OWASP ASVS, OWASP MASTG, OWASP Top Ten):

https://cornucopia.owasp.org/cards

https://cornucopia.owasp.org/taxonomy

The card URLs will be the unique end points linked from QR codes on printed cards, and which include guidance, tips and all the taxonomy lookups, making it easier to alter and extend these whenever we want. Recent new additional volunteer names have now been added in the acknowledgements.

In due course, the current site at owasp.org/www-project-cornucopia will be simplified and linked to the new custom website.

New translations

In addition to the new versions of the editions and the OWASP Cornucopia website, the new release also comes with two new translations "PT-PT" (Portuguese-Portugal) and "IT" (Italian) thanks to André Ferreira ( @AndreFerreiraMsc ) and Ruggero DallAglio ( @rdallaglio ), respectively. As with previous translations, these are also delivered in 2 sizes, bridge and tarot, both with and without QR codes in addition to also being delivered as legacy guide documents. The new translations will be available in digital formats for download and print-on-demand.

Printing of the new decks

Additionally, dotNET lab is going to sell the OWASP Cornucopia decks on their web shop (see: https://cornucopia.owap.org/webshop). Both the Website App & Mobile App editions will come with QR codes printed on them.
The new versions of the decks are currently in the process of being printed, but we will keep you informed when these are ready, in the mean time, it's possible to buy the 1.0 Mobile App Edition and 2.0 Website App edition from AgileStationary.

OWASP Cornucopia Ecosystem

Commits

• ec08623: simplify layout and remove unused styles. Fixup mobile layout. (Johan Sydseter) #992
• 93fe96e: minor fixes. (Johan Sydseter) #992
• 5dac3c4: Remove the suit from the url. (Johan Sydseter) #992
• 6e8fe9b: Ensure the mobile menu works without javascript. (Johan Sydseter) #992
• CSS adjustments, manual hero card selection, changed list indentation, external link styling, #992 (Jef Meijvis)
• Fixed external link CSS typo #992 (Jef Meijvis)
• Updated link after pseudo element method so it can match text color #992 (Jef Meijvis)
• Added message and direct youtube link for when javascript is disabled #992 (Jef Meijvis)
• c79f66a: Ensure the site works without javascript (Johan Sydseter) #992
• 3b9c646: Apply revision (Johan Sydseter) #992
• c80b849: Ensure first word is capitalized. (Johan Sydseter) #992
• Removed unused old components #992 (Jef Meijvis)
• e8b5c55: Fix conflict (Johan Sydseter) #992
• a459c28: Fix mapping (Johan Sydseter) #992
• b964c8f: fix case (Johan Sydseter) #992
• 544c532: fix case (Johan Sydseter) #992
• 5f94cfe: fix case (Johan Sydseter) #992
• 445e83c: Fix case issues (Johan Sydseter) #992
• e3f8005: Fix case (Johan Sydseter) #992
• 241ad17: Fix logo (Johan Sydseter) #992
• 16b52a9: remove disc from un ordered markup list. (Johan Sydseter) #992
• 5c87a72: fix spelling (Johan Sydseter) #992
• e344994: remove br (Johan Sydseter) #992
• e352143: use p instead of list (Johan Sydseter) #992
• Updated external link indicator #992 (Jef Meijvis)
• d960fce: correct headers. (Johan Sydseter) #992
• fc83bf3: correct test. (Johan Sydseter) #992
• 4cb686f: Fix styles in markup. (Johan Sydseter) #992
• f02ff34: Remove logging. (Johan Sydseter) #992
• 07a9c8b: Remove commenting from everywhere but the news (Johan Sydseter) #992
• 1015a78: remove sanitization (Johan Sydseter) #992
• 3933bb1: add p instead of list (Johan Sydseter) #992
• Updated opengraph from logo to dedicated image so it fits on services such as Teams, Discord, Facebook, LinkedIn, etc.. #992 (Jef Meijvis)
• adbf6aa: remove duplicate line (Johan Sydseter) #992
• 669f6d4: add csp policy (Johan Sydseter) #992
• 812d132: Ensure a strict csp policy is enforced. (Johan Sydseter) #992
• 5c83aca: fixup (Johan Sydseter) #992
• 6bea73d: fixup (Johan Sydseter) #992
• a910991: fixup (Johan Sydseter) #992
• 35e87a0: Fix revisions. (Johan Sydseter) #992
• cd54339: Add vercel to the policy (Johan Sydseter) #992
• 4652462: Add vercel to the policy (Johan Sydseter) #992
• 5f0d400: Add cso for vite preview (Johan Sydseter) #992
• 95698c6: adding vercel preview config (Johan Sydseter) #992
• 3b50013: Fix url issues. (Johan Sydseter) #992
• cf96a41: ignore missing id when card (Johan Sydseter) #992
• dac3abe: Ensure the id's for the nonscript version of the card browser card isn't navigated to (Johan Sydseter) #992
• 1e05101: Use hooks to add headers. (Johan Sydseter) #992
• b3c9eeb: Add various options for writing the headers file (Johan Sydseter) #992
• a8427ad: Add various options for writing the headers file (Johan Sydseter) #992
• 7a1d032: Fix conflict (Johan Sydseter) #992
• f966bba: Fix conflict (Johan Sydseter) #992
• 10c263f: move code into subfolder (Johan Sydseter) #992
• 079c5da: Adding the website add build job (Johan Sydseter) #992
• 9f90986: build (Johan Sydseter) #992
• bde9f7f: change wd for build (Johan Sydseter) #992
• 3c5facc: Ensure node installs in sub dir (Johan Sydseter) #992
• fb5d8d1: Ensure github is merged (Johan Sydseter) #992
• b216d98: Remove cache (Johan Sydseter) #992
• cb68d17: add cache dir and correct the sync (Johan Sydseter) #992
• 58b7dd9: deploy to cloudflare (Johan Sydseter) #992
• e95ae95: test deploy (Johan Sydseter) #992
• 5b1eb42: Differeniate headers between how-to-play and the rest (Johan Sydseter) #992
• c259e05: Add noindex for now. (Johan Sydseter) #992
• 4b0f12c: allow only one domain (Johan Sydseter) #992
• 725ea38: Add img-src policy (Johan Sydseter) #992
• d32d94e: Fix conflict (Johan Sydseter) #992
• 324ac09: Adding static nonce (Johan Sydseter) #992
• b839d62: call replace all globally (Johan Sydseter) #992
• d325630: add base-uri (Johan Sydseter) #992
• d02c93f: fix baseuri (Johan Sydseter) #992
• 45f544f: fix baseuri (Johan Sydseter) #992
• a048f56: remove header first (Johan Sydseter) #992
• efa050e: remove try adding nonce (Johan Sydseter) #992
• 2588739: Add nonce to the stylesheet (Johan Sydseter) #992
• ff6ed09: Turn of csp (Johan Sydseter) #992
• 3a3a016: Turn of csp (Johan Sydseter) #992
• 0c4a7ce: remove script-src-elem (Johan Sydseter) #992
• e2c783a: remove self from script-src (Johan Sydseter) #992
• a095773: add unsafe-line (Johan Sydseter) #992
• dd05400: Add self to script-src (Johan Sydseter) #992
• a2c283c: Add self to script-src (Johan Sydseter) #992
• 88d2764: upgrade insecure requests and add anonymous iframe (Johan Sydseter) #992
• 46aeae1: add picture-in-picture support (Johan Sydseter) #992
• 7acb2ab: add picture-in-picture support (Johan Sydseter) #992
• 5a86448: Add wrangler file (Johan Sydseter) #992
• 64820cc: Add wrangler file (Johan Sydseter) #992
• e215447: Fix conflict (Johan Sydseter) #992
• 56e1d68: Ignore GHSA-vg6x-rcgg-rjx6 as there are no exploitable attack vector for static projects. (Johan Sydseter) #992
• aba3b5e: Ignore GHSA-vg6x-rcgg-rjx6 adding comment (Johan Sydseter) #992
• c5a43dd: Fix style for script (Johan Sydseter) #992
• 66d56c4: Fix so that it doesn't do anything to files. (Johan Sydseter) #992
• d967f36: Rename staging token and account id secrets. Correcting the zone name. (Johan Sydseter) #992
• 49b5611: Changing the COM code for mobile cornucopia suit to CM (Johan Sydseter) #992
• a39bfbd: Update deploy-staging.yml (Uncle Joe) #992
• bb31358: Change code for mobile cornucopia suit from COM to CM (Johan Sydseter) #992
• 3eada21: Fix conflict (Johan Sydseter) #992
• 68e980f: resolve conflict (Johan Sydseter) #992
• a232afb: Change the news headline into Cornucopia Community News and add a blog post about Mobile App Threat modeling (Johan Sydseter) #992
• 94899ce: Ensure the content security policy is correctly set for the youtube player. (Johan Sydseter) #1002
• e6d3587: Always run tests for patching (Johan Sydseter) #1002
• d03c0b1: Change to pull-request-target (Johan Sydseter) #1002
• 1b4ac89: Ensure to grab the head (Johan Sydseter) #1002
• 8f1e0f5: Bump vite (dependabot[bot]) #1001
• 7cd999b: Deploy website (Johan Sydseter) #1003
• 358a8ac: Remove robot: noindex for production (Johan Sydseter) #1003
• 0f4e98d: Ensure the sitemap points to staging as long as the production site doesn't exist. (Johan Sydseter) #1003
• 78b3e07: Fix footer (Johan Sydseter) #1003
• 8c507e3: Bump vitest (dependabot[bot]) #1004
• 71b91d0: Bump mypy from 1.14.1 to 1.15.0 (dependabot[bot]) #1005
• a8dc78f: Bump actions/checkout from 4.1.7 to 4.2.2 (dependabot[bot]) #1006
• c2e2a8b: Bump step-security/harden-runner from 2.9.1 to 2.10.4 (dependabot[bot]) #1007
• 7676fea: Bump actions/setup-node from 4.1.0 to 4.2.0 (dependabot[bot]) #1008
• 118f0d4: Change templates to accomodate for qr codes and to use the card codes instead of the face value on the card as template parameters. (Johan Sydseter) #1020
• af83618: Only use one csp as the clien cache causes the video to fail. (Johan Sydseter) #1009
• 139f11c: Make Youtube video playable in mozilla and safari (Johan Sydseter) #1010
• e64a6cd: Update index.md (Uncle Joe) #1010
• 590914d: Update index.md (Uncle Joe) #1010
• 54fa3fe: Bump mypy from 1.14.1 to 1.15.0 (dependabot[bot]) #1011
• a5d9076: Bump hypothesis from 6.125.1 to 6.125.2 (dependabot[bot]) #1012
• 5fd997f: Update install_cornucopia_deps.txt (Uncle Joe) #1011
• a6c1c0e: Update install_cornucopia_deps.txt (Uncle Joe) #1011
• 8fad61d: Update install_cornucopia_deps.txt (Uncle Joe) #1011
• 922ec23: Update EN layout.json (cw-owasp) #1013
• 0c98697: Update ES layout.json (cw-owasp) #1014
• a332142: Update footer (cw-owasp) #1015
• 5225289: Update About index.md (cw-owasp) #1016
• e6a9317: Bump pnpm/action-setup from 4.0.0 to 4.1.0 (dependabot[bot]) #1017
• 54cab84: Bump python from 7788ec8 to 816feb2 (dependabot[bot]) #1018
• 9b98cc4: Typos on index. (Grant Ongers) #1019
• 4af4feb: Corrected URL structure. (Grant Ongers) #1019
• f0f0ebc: Add urls to the qr code cards. Prepare for the introduction of non-western languages. Ensure that the tests can run both on windows, linux and unix (Johan Sydseter) #1020
• d78afd7: Update against-security-1.00-en.yaml (Uncle Joe) #1020
• f510930: parameterize the value of the cards in order to support internazionalization. (Johan Sydseter) #1020
• 1df0449: Support for russian (Johan Sydseter) #1020
• 6edd742: Correct grammer (Johan Sydseter) #1020
• c338733: Adding the scoresheets (Johan Sydseter) #1020
• 134cb0b: Resolve merge (Johan Sydseter) #1020
• 8bc9291: Prepare for release (Johan Sydseter) #1021
• 54c370a: Update source files to point to the next edition. Update tests (Johan Sydseter) #1021
• 5fb3a01: Fix artifact upload (Johan Sydseter) #1022
• cee9c95: change to production status (Johan Sydseter) #1022
• 5da7e1e: Bump pyinstaller from 6.11.1 to 6.12.0 (dependabot[bot]) #1023
• 152a1e6: Bump coverage from 7.6.10 to 7.6.11 (dependabot[bot]) #1024
• ac1025e: Bump github/codeql-action from 3.28.8 to 3.28.9 (dependabot[bot]) #1025
• e45cb28: Bump mvdan/shfmt from f3d0d6f to 0eb8266 (dependabot[bot]) #1026
• eafdfce: fix validation (Johan Sydseter) #1022
• ef7137f: Update install_cornucopia_deps.txt (Uncle Joe) #1023
• 3a0b655: Update install_cornucopia_deps.txt (Uncle Joe) #1023
• d047546: Ensure the latest version of the cards are fetched. (Johan Sydseter) #1022
• 2e7d956: Update version (Johan Sydseter) #1022
• d9bc0bb: Fix the mobile deck colors (Johan Sydseter) #1022
• 803080f: Update install_cornucopia_deps.txt (Grant Ongers) #1023
• bba466b: Fix broken qr codes (Johan Sydseter) #1027
• 65d2e13: Add error page to ensure non-valid cards return 404 (Johan Sydseter) #1028
• 4278b6a: cleanup css and code (Johan Sydseter) #1029
• e5a4ea3: Fixing 404 (Johan Sydseter) #1030
• bc06ad4: Go back to static (Johan Sydseter) #1030
• 2d1d6c0: prerender from the layout (Johan Sydseter) #1030
• 9cbc32e: use the cloudflare adapter to ensure the 404 falback is applied (Johan Sydseter) #1030
• 25ffbb0: cloudflare adapter not generating build as intended (Johan Sydseter) #1030
• 41de2dc: Correcting the mobile mapping for the card preview (Johan Sydseter) #1031
• 6eb3cd0: Fix the colors for J,Q,K for all suits and correct the mobile mapping description (Johan Sydseter) #1031
• cff623b: Bump cloudflare/wrangler-action from 3.13.1 to 3.14.0 (dependabot[bot]) #1032
• 3d25b3b: Bump virtualenv from 20.29.1 to 20.29.2 (dependabot[bot]) #1033
• 3012845: Bump lxml from 5.2.1 to 5.3.1 (dependabot[bot]) #1034
• ea1f30b: Bump coverage from 7.6.10 to 7.6.11 (dependabot[bot]) #1035
• f0e19c4: Add an error route to handle 404 (Johan Sydseter) #1036
• 93d6830: static error message (Johan Sydseter) #1036
• 2dcec25: rename to 404 not to conflict with error route. (Johan Sydseter) #1037
• dcd2cf9: Ensure the nonce is appropriatly created (Johan Sydseter) #1037
• 80f6447: correct version number (Johan Sydseter) #1038
• 1a9ea3a: Do not show the breadcrumbs for error pages. (Johan Sydseter) #1039
• 3fcc064: Merge branch 'master' into hide-breadcrumbs (Johan Sydseter) #1039
• 8993640: Bump lxml from 5.2.1 to 5.3.1 (dependabot[bot]) #1041
• c692423: Bump coverage from 7.6.11 to 7.6.12 (dependabot[bot]) #1042
• 08804fb: Bump hypothesis from 6.125.2 to 6.125.3 (dependabot[bot]) #1043
• 3726f2a: Fix issues as reviewed by Colin. (Johan Sydseter) #1044
• 2be5b3d: Adding corrections according to Colin's comments (Johan Sydseter) #1044
• 8d294d9: fix artifact upload (Johan Sydseter) #1044
• 21eaf96: Update install_cornucopia_deps.txt (Uncle Joe) #1041
• 87c61d2: hide breadcrumbs when receiving a 404 (Johan Sydseter) #1044
• 8a46e37: correct artifact upload (Johan Sydseter) #1044
• 372de61: Merge branch 'breadcrumbs' into review (Johan Sydseter) #1044
• a5d2026: Pin docker dependencies (Johan Sydseter) #1045
• 325abde: Update install_cornucopia_deps.txt (Uncle Joe) #1041
• 9f500d4: Pin docker dependencies (Johan Sydseter) #1045
• 3805175: make Ass have white background. (Johan Sydseter) #1046
• 70d68f6: Bump coverage from 7.6.11 to 7.6.12 (dependabot[bot]) #1047
• 7897e2f: Ensure everything except jokers and royal cards are white (Johan Sydseter) #1046
• c5f51ea: Update install_cornucopia_deps.txt (Uncle Joe) #1047
• a7b7652: Update install_cornucopia_deps.txt (Grant Ongers) #1047
• 4db201f: Update install_cornucopia_deps.txt (Grant Ongers) #1047
• 602de6f: Correct copy right year on leaflets. (Johan Sydseter) #1048
• 67ceaf3: Display the SAFECode mapping. (Johan Sydseter) #1049
• 2afe6d6: Correct the styling and ensure the capec is added (Johan Sydseter) #1049
• 0277e65: Ensure the card value is in white for jokers and royal cards. (Johan Sydseter) #1049
• 668ce63: Fix the card ordering. (Johan Sydseter) #1050
• 13d792c: Ensure that when the card is requested with a lower case code, the card still is returned (Johan Sydseter) #1051