ACOMMONS-34 Expose Standards OWASP LLM Top 10 2025, OWASP Top 10 2025, ASVS 5.0, STIG ASD_V6, MASVS 2 metadata #370
nils-werner-sonarsource
left a comment
LGTM! Some nitpick comments
pom.xml
Outdated
| <properties> | ||
| <!-- versions --> | ||
| <version.sonar>11.4.0.2922</version.sonar> | ||
| <version.sonar>13.3.0.3209</version.sonar> |
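Review bot: the bump from 11.4.0.2922 to 13.3.0.3209 crosses two major versions of the API, but nothing in the hunk or the PR text records which SonarQube Server/Cloud versions the analyzers built on this commons library still support afterwards; state the new compatibility floor in the PR description or changelog so downstream plugin maintainers are not surprised by a runtime `NoSuchMethodError` on older servers.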
It may be worth renaming the property to sonar-plugin-api. In the past, the API was released with SQS, but it now has its own development cycle.
| .containsExactlyInAnyOrder("cwe:311", "cwe:315", "cwe:614", | ||
| "owaspTop10:a2", "owaspTop10:a3", | ||
| "owaspTop10-2021:a4", "owaspTop10-2021:a5"); |
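Review bot: `owaspTop10:a2` and `owaspTop10:a3` carry no year while the `owaspTop10-2021:` entries do; add a one-line comment in the test that the unsuffixed key denotes the 2017 edition, since a reader of the assertion alone cannot tell which edition `a2`/`a3` refer to.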
Nitpick: Since this is a list, I prefer not to have two values on the same line, as it suggests a key-value mapping.
| "cwe:311", "cwe:315", "cwe:614", | ||
| "masvs-1:MSTG-STORAGE-14", "masvs-2:MASVS-STORAGE-15", | ||
| "owaspTop10:a2", "owaspTop10:a3", | ||
| "owaspTop10-2021:a4", "owaspTop10-2021:a5", | ||
| "owaspTop10-2025:a6", "owaspTop10-2025:a7", | ||
| "pciDss-3.2:1.1.1", "pciDss-3.2:1.1.2", | ||
| "owaspAsvs-4.0:2.1.1", "owaspAsvs-4.0:2.1.2", | ||
| "owaspAsvs-5:2.1.3", "owaspAsvs-5:2.1.4", | ||
| "stig-ASD_V5R3:V-222612", | ||
| "stig-ASD_V6:V-222613", | ||
| "owaspMobileTop10-2024:m3", "owaspMobileTop10-2024:m4", | ||
| "owaspLlmTop10-2025:llm01", "owaspLlmTop10-2025:llm10" |
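Review bot: the version suffixes of the keys are not uniform (`owaspAsvs-4.0` with a minor version next to `owaspAsvs-5` without one, `masvs-1` next to `masvs-2`, `stig-ASD_V5R3` next to `stig-ASD_V6`); if these strings must match identifiers the sonar-plugin-api side expects, say so in a comment, and make sure the literals here are typed independently rather than derived from the same constants the production code uses, otherwise a typo in the constant (say `owaspAsvs-5.0` vs `owaspAsvs-5`) would pass this assertion while the exported metadata silently stops matching the platform.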
Having three, two, or just one value on a line makes it harder to read.
Each line refers to one version of a standard.
"owaspTop10:a2", "owaspTop10:a3", -> OWASP Top 10 2017
"owaspTop10-2021:a4", "owaspTop10-2021:a5", -> OWASP Top 10 2021
"owaspTop10-2025:a6", "owaspTop10-2025:a7", -> OWASP Top 10 2025
"pciDss-3.2:1.1.1", "pciDss-3.2:1.1.2", -> PCI DSS 3.2
IMO, it helps to follow what is related to each of them.
What would you prefer as an alternative?
I can put everything on one line (with a max size) (not my favorite):
assertThat(securityStandards).containsExactlyInAnyOrder(
"cwe:311", "cwe:315", "cwe:614", "masvs-1:MSTG-STORAGE-14", "masvs-2:MASVS-STORAGE-15", "owaspTop10:a2", "owaspTop10:a3", "owaspTop10-2021:a4", "owaspTop10-2021:a5",
"owaspTop10-2025:a6", "owaspTop10-2025:a7", "pciDss-3.2:1.1.1", "pciDss-3.2:1.1.2", "owaspAsvs-4.0:2.1.1", "owaspAsvs-4.0:2.1.2", "owaspAsvs-5:2.1.3", "owaspAsvs-5:2.1.4",
"stig-ASD_V5R3:V-222612", "stig-ASD_V6:V-222613", "owaspMobileTop10-2024:m3", "owaspMobileTop10-2024:m4", "owaspLlmTop10-2025:llm01", "owaspLlmTop10-2025:llm10"
);
Or just have one element per line (IMO it's long but readable):
assertThat(securityStandards).containsExactlyInAnyOrder(
"cwe:311",
"cwe:315",
"cwe:614",
"masvs-1:MSTG-STORAGE-14",
"masvs-2:MASVS-STORAGE-15",
"owaspTop10:a2",
"owaspTop10:a3",
"owaspTop10-2021:a4",
"owaspTop10-2021:a5",
"owaspTop10-2025:a6",
"owaspTop10-2025:a7",
"pciDss-3.2:1.1.1",
"pciDss-3.2:1.1.2",
"owaspAsvs-4.0:2.1.1",
"owaspAsvs-4.0:2.1.2",
"owaspAsvs-5:2.1.3",
"owaspAsvs-5:2.1.4",
"stig-ASD_V5R3:V-222612",
"stig-ASD_V6:V-222613",
"owaspMobileTop10-2024:m3",
"owaspMobileTop10-2024:m4",
"owaspLlmTop10-2025:llm01",
"owaspLlmTop10-2025:llm10"
);
I prefer the second option. While grouping standards by line can be helpful, it is not clear what would happen if we have six OWASP mobile standards, as we could exceed the character limit for that line.
| "owaspAsvs-4.0:2.1.1", "owaspAsvs-4.0:2.1.2", | ||
| "stig-ASD_V5R3:V-222612", | ||
| "owaspMobileTop10-2024:m3", "owaspMobileTop10-2024:m4" | ||
| "cwe:311", "cwe:315", "cwe:614", |
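Review bot: the visible rows of this second assertion list only `owaspAsvs-4.0`, `stig-ASD_V5R3` and `owaspMobileTop10-2024` before the next list begins at `"cwe:311", ...`; confirm that the keys added for this ticket (`owaspAsvs-5`, `stig-ASD_V6`, `masvs-2`, `owaspTop10-2025`, `owaspLlmTop10-2025`) are asserted in this test as well, so the two fixtures do not drift apart.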
Same as above.
Part of ACOMMONS-34