📦 Link to download the CWE XML file:

- cwe.mitre.org/data/xml/cwe...
- cwe.mitre.org/data/downloa...

#appsec #appsecurity #cwe

The search is performed in the XML reference file, which can be downloaded free of charge from the CWE website.

Nothing very technical here, but I'm sharing it in case anyone else is interested in the same context as me.

#appsec #appsecurity #cwe

💻 Script:

gist.github.com/righettod/77...

💻 Javadoc of the utility class:

righettod.github.io/code-snippet...

📖 Main references used:

- cnpd.public.lu/fr/decisions...
- cnpd.public.lu/content/dam/...
- en.wikipedia.org/wiki/Interna...
- www.iban.com/structure
- en.wikipedia.org/wiki/Payment...

#appsec #appsecurity

- We added a reference to the page about headers for the framework "Next.js".
- We integrated into the ecosystem of the project OWASP Nest.

📖 owasp.org/www-project-...

💡 Source used:

- nest.owasp.org
- nextjs.org/docs/pages/a...
- github.com/santoru/shch...
- developer.mozilla.org/en-US/docs/W...

Very cool design 😉

POC results:

📖 References & tools used:

- ollama.com
- ollama.com/library/qwen...
- github.com/gitleaks/git...
- github.com/righettod/to...

#appsec #appsecurity #sast #ai

🧑‍💻 So, using a model running locally via ollama, I created a small script to "confront" each secret identified by GitLeaks against the model using an tuned system and user prompts to try to determine whether the secret is a real one or not.

💻 POC:

github.com/righettod/to...

📖 References & tools used:

- nvd.nist.gov/vuln/detail/...
- github.com/mgthuramoemy...
- en.wikipedia.org/wiki/XFA