Merge branch 'master' into master

.github/workflows/docgenerator.yml

@@ -34,6 +34,9 @@ jobs:
     - name: Generate CycloneDX JSON
       run: python3 ./tools/generate_masvs_cyclonedx.py
 
+    - name: Generate SARIF
+      run: python3 ./tools/generate_masvs_sarif.py
+
     - name: Upload Artifacts
       uses: actions/upload-artifact@v3
       with:
@@ -61,5 +64,6 @@ jobs:
             OWASP_MASVS.epub
             OWASP_MASVS.yaml
             OWASP_MASVS.cdx.json
+            OWASP_MASVS.sarif
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Document/11-MASVS-RESILIENCE.md

@@ -9,4 +9,4 @@ Defense-in-depth measures such as code obfuscation, anti-debugging, anti-tamperi
 
 The controls in this category aim to ensure that the app is running on a trusted platform, prevent tampering at runtime and ensure the integrity of the app's intended functionality. Additionally, the controls impede comprehension by making it difficult to figure out how the app works using static analysis and prevent dynamic analysis and instrumentation that could allow an attacker to modify the code at runtime.
 
-However, note that the lack of any of these measures does not necessarily cause vulnerabilities - instead, they add threat-specific additional protection to apps which must also fulfil the rest of the OWASP MASVS security controls according to their specific threat models.
+Note, however, that **the absence of any of these measures does not necessarily cause vulnerabilities** - instead, they provide additional threat-specific protection. **All apps must also fulfill the rest of the OWASP MASVS** security controls according to their specific threat models.

README.md

@@ -9,12 +9,6 @@
 [![Markdown Linter](https://github.com/OWASP/owasp-masvs/workflows/Markdown%20Linter/badge.svg)](https://github.com/OWASP/owasp-masvs/actions/workflows/markdown-linter.yml)
 [![URL Checker](https://github.com/OWASP/owasp-masvs/workflows/URL%20Checker/badge.svg)](https://github.com/OWASP/owasp-masvs/actions/workflows/url-checker.yml)
 
-**NEW❗ The MASVS 2.0.0 is already available as a spreadsheet. We're currently working on updating this page and the related documents. Learn more about the refactoring process [here](https://github.com/OWASP/owasp-masvs/discussions/categories/big-masvs-refactoring).**
-
-**[Access the MASVS v2.0.0](https://docs.google.com/spreadsheets/d/1MZIvJ5Aze-zpyzLvQZVwyzF0bKWRPfnEd7nqFeH2PfA/edit?usp=sharing)**
-
-<br>
-
 This is the official Github Repository of the OWASP Mobile Application Security Verification Standard (MASVS). The MASVS establishes baseline security requirements for mobile apps that are useful in many scenarios. You can use it:
 
 - As a metric - To provide a security standard against which existing mobile apps can be compared by developers and application owners.

tools/docker/pandoc_makedocs.sh

@@ -9,7 +9,7 @@ MASTG_VERSION=${3:-SNAPSHOT}
 
 # You can also use the environment variables below to adapt the build process
 IMG=${IMG:-dalibo/pandocker}
-TAG=${TAG:-stable} # /!\ use stable-full for non-european languages
+TAG=${TAG:-23.03} # /!\ use stable-full for non-european languages
 LATEX_TEMPLATE=${LATEX_TEMPLATE:-eisvogel}
 TITLE=${TITLE:-OWASP Mobile Application Security Verification Standard ${MASVS_VERSION}}
 

tools/generate_masvs_sarif.py

@@ -0,0 +1,64 @@
+import yaml
+import json
+from datetime import datetime
+
+MASVS_SARIF_GUID = "77cf1749-d61e-4cfe-98f7-a217e3b5448c"
+
+# Re-examining the YAML content for structure
+masvs_parsed = yaml.safe_load(open("OWASP_MASVS.yaml"))
+version = masvs_parsed["metadata"]["version"]
+if version.startswith("v"):
+    version = version[1:]
+current_date_str = datetime.now().strftime("%Y-%m-%d")
+
+# Creating a new SARIF template for the corrected conversion
+sarif_corrected_template = {
+    "$schema": "http://json.schemastore.org/sarif-2.1.0",
+    "version": "2.1.0",
+    "runs": [{
+        "tool": {
+            "driver": {
+                "name": "OWASP MASVS",
+                "fullName": "OWASP Mobile Application Security Verification Standard (MASVS)",
+                "version": version,
+                "releaseDateUtc": current_date_str,
+                "organization": "OWASP",
+                "informationUri": "https://mas.owasp.org/MASVS/",
+                "downloadUri": "https://github.com/OWASP/owasp-masvs/releases"
+            }
+        },
+        "taxonomies": [{
+            "name": "OWASP MASVS",
+            "guid": MASVS_SARIF_GUID,
+            "isComprehensive": True,
+            "taxa": []
+        }]
+    }]
+}
+
+# Counter to ensure we capture the total number of controls
+total_controls_count = 0
+
+# Iterating through groups and their controls
+for group in masvs_parsed.get("groups", []):
+    for control in group.get("controls", []):
+        total_controls_count += 1
+        taxa_element = {
+            "id": control["id"],
+            "name": control.get("id", ""),
+            "shortDescription": {
+                "text": control.get("statement", "")
+            },
+            "fullDescription": {
+                "text": control.get("description", "")
+            }
+        }
+        sarif_corrected_template["runs"][0]["taxonomies"][0]["taxa"].append(taxa_element)
+
+# Verify the total number of taxa elements matches the total number of controls
+total_taxa_count = len(sarif_corrected_template["runs"][0]["taxonomies"][0]["taxa"])
+
+# Save the correctly populated SARIF output
+sarif_corrected_output_path = 'OWASP_MASVS.sarif'
+with open(sarif_corrected_output_path, 'w') as file:
+    json.dump(sarif_corrected_template, file, indent=2)

tools/populate_masvs_categories_md.py

@@ -30,15 +30,14 @@ def yaml_to_md(input_dir, input_file, for_website):
 
                 if group_id_in_file == group_id:
                     with open(os.path.join(input_dir, file), "a") as f:
-                        if for_website == False:
-                            f.write('\n## Controls\n\n')
-                        else:
+                        f.write('\n## Controls\n\n')
+                        if for_website == True:
                             f.write('\n<style> table { width: 100%; } </style>\n\n')
                         f.write('| ID | Control |\n')
                         f.write('|----|-----------|\n')
                         for control in controls:
                             if for_website == True:
-                                control_id = f'[{control["id"]}](/MASVS/Controls/{control["id"]})'
+                                control_id = f'[{control["id"]}](/MASVS/controls/{control["id"]})'
                             else:
                                 control_id = control["id"]