ossf
diff --git a/‎docs/Secure-Coding-Guide-for-Python/readme.md‎
Lines changed: 31 additions & 29 deletions b/‎docs/Secure-Coding-Guide-for-Python/readme.md‎
Lines changed: 31 additions & 29 deletions
diff --git a/‎docs/labs/argument-injection.js‎
Lines changed: 20 additions & 17 deletions b/‎docs/labs/argument-injection.js‎
Lines changed: 20 additions & 17 deletions
diff --git a/‎docs/labs/assert.js‎
Lines changed: 10 additions & 7 deletions b/‎docs/labs/assert.js‎
Lines changed: 10 additions & 7 deletions
@@ -1,36 +1,37 @@
 # Secure Coding One Stop Shop for Python
 
-Promote secure products by knowing the difference between secure compliant
-and non-compliant code with `CPython >= 3.9` using modules listed on
+An initiative by the OpenSSF to provide new Python programmers a resource to study secure coding in `CPython >= 3.9` with working code examples.
 
-[Python Module Index](https://docs.python.org/3.9/py-modindex.html) [Python 2023].
+Documentation is written in academic style to support security researchers while using plain English to cater for an international audience.
 
-This page is an initiative by the OpenSSF to improve secure coding in Python by providing a location for study. Its structure is based on
-Common Weakness Enamurator (CWE) [Pillar Weakness](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness) [mitre.org 2023].
-
-Some rules only contain code examples, documentation will follow.
+Python modules outside of the _Python Module Index_ [[Python 2023](https://docs.python.org/3.9/py-modindex.html)] are specifically not covered by this document.
+The structure is based on Common Weakness Enumeration (CWE) _Pillar Weakness_ [[MITRE Pillar 2024](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness)].
 
 ## Disclaimer
 
-Content comes WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, as stated in the license text [CC-BY-4.0](LICENSE/CC-BY-4.0.txt) for documentation and [MIT](LICENSE/MIT.txt).
+Content comes __WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED__, as stated in the license text [CC-BY-4.0](LICENSE/CC-BY-4.0.txt) for documentation and [MIT](LICENSE/MIT.txt).
 Following or using the documentation and or code is at your own risk. Code examples are intended purely for educational use and not for products in parts or in full.
 Code examples are NOT to be used to cause harm of any kind to anyone or anything.
 
 ## Introduction
 
 Every person writing code shall study the following:
 
-* OWASP Secure Coding [Practices-Quick Reference Guide](https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/) [OWASP 2022]
-* OWASP Top 10 Report [OWASP 2022](https://owasp.org/www-project-top-ten/) [OWASP 2022]
-* CWE Top 25 2022 [CWE 2022](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html) [MITRE 2023]
+* _OWASP Developer Guide_ [[OWASP dev 2024](https://owasp.org/www-project-developer-guide/release/)]
+* _OWASP Top 10 Report_ [[OWASP 2021](https://owasp.org/www-project-top-ten/)]
+* _CWE Top 25_ [[MITRE 2024](https://cwe.mitre.org/top25/index.html)]
 
 ## Secure Coding Standard for Python
 
-Code examples are written to explain security design with as little code as possible demonstrating the issue in the `noncompliantXX.py` titled Python file.
-The `compliantXX.py` file demonstrates only the mitigation or removal of the described risk.
-None of the code examples are intendet to be used 'as is' for production. Using the code is at your own risk.
+Code examples are written to explain security design with as little code as possible. __None__ of the code examples are intendet to be used 'as is' for production. Using the code is at your own risk!
+
+__Code file naminng conventions:__
+
+* `noncompliantXX.py`  anti-pattern.
+* `compliantXX.py` mitigation for mitigating or removal of __ONLY__ the described risk.
+* `exampleXX.py` to allow understanding the documented behaviour.
 
-It is **not production code** and requires code-style or python best practices to be added such as:
+It is __not production code__ and requires code-style or python best practices to be added such as:
 
 * Inline documentation
 * Custom exceptions
@@ -41,20 +42,20 @@ It is **not production code** and requires code-style or python best practices t
 
 |[CWE-664: Improper Control of a Resource Through its Lifetime](https://cwe.mitre.org/data/definitions/664.html)|Prominent CVE|
 |:-----------------------------------------------------------------------------------------------------------------------------------------------|:----|
-|[CWE-134: Use of Externally-Controlled Format String](CWE-664/CWE-134/README.md)|[CVE-2022-27177](https://www.cvedetails.com/cve/CVE-2022-27177/),<br/>CVSSv3.1: **9.8**,<br/>EPSS: **00.37** (01.12.2023)|
+|[CWE-134: Use of Externally-Controlled Format String](CWE-664/CWE-134/README.md)|[CVE-2022-27177](https://www.cvedetails.com/cve/CVE-2022-27177/),<br/>CVSSv3.1: __9.8__,<br/>EPSS: __00.37__ (01.12.2023)|
 |[CWE-197: Numeric Truncation Error](CWE-664/CWE-197/README.md)||
 |[CWE-197: Control rounding when converting to less precise numbers](CWE-664/CWE-197/01/README.md)||
 |[CWE-400: Uncontrolled Resource Consumption](CWE-664/CWE-400/README.md)||
 |[CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)](CWE-664/CWE-409/.)||
 |[CWE-410: Insufficient Resource Pool](CWE-664/CWE-410/README.md)||
-|[CWE-426: Untrusted Search Path](CWE-664/CWE-426/README.md)|[CVE-2015-1326](https://www.cvedetails.com/cve/CVE-2015-1326),<br/>CVSSv3.0: **8.8**,<br/>EPSS: **00.20** (23.11.2023)|
-|[CWE-501: Trust Boundary Violation)](CWE-664/CWE-501/README.md)|[CVE-2023-28597](https://www.cvedetails.com/cve/CVE-2023-28597),<br/>CVSSv3.0: **7.5**,<br/>EPSS: **00.11** (05.11.2024)|
-|[CWE-502: Deserialization of Untrusted Data)](CWE-664/CWE-502/.)|[CVE-2018-8021](https://www.cvedetails.com/cve/CVE-2018-8021),<br/>CVSSv3.0: **9.8**,<br/>EPSS: **93.54** (05.11.2024)|
-|[CWE-532: Insertion of Sensitive Information into Log File](CWE-664/CWE-532/README.md)|[CVE-2023-45585](https://www.cvedetails.com/cve/CVE-2023-45585),<br/>CVSSv3.1: **9.8**,<br/>EPSS: **0.04** (01.11.2024)|
+|[CWE-426: Untrusted Search Path](CWE-664/CWE-426/README.md)|[CVE-2015-1326](https://www.cvedetails.com/cve/CVE-2015-1326),<br/>CVSSv3.0: __8.8__,<br/>EPSS: __00.20__ (23.11.2023)|
+|[CWE-501: Trust Boundary Violation)](CWE-664/CWE-501/README.md)|[CVE-2023-28597](https://www.cvedetails.com/cve/CVE-2023-28597),<br/>CVSSv3.0: __7.5__,<br/>EPSS: __00.11__ (05.11.2024)|
+|[CWE-502: Deserialization of Untrusted Data)](CWE-664/CWE-502/.)|[CVE-2018-8021](https://www.cvedetails.com/cve/CVE-2018-8021),<br/>CVSSv3.0: __9.8__,<br/>EPSS: __93.54__ (05.11.2024)|
+|[CWE-532: Insertion of Sensitive Information into Log File](CWE-664/CWE-532/README.md)|[CVE-2023-45585](https://www.cvedetails.com/cve/CVE-2023-45585),<br/>CVSSv3.1: __9.8__,<br/>EPSS: __0.04__ (01.11.2024)|
 |[CWE-665: Improper Initialization](CWE-664/CWE-665/README.md)||
 |[CWE-681: Incorrect Conversion between Numeric Types](CWE-664/CWE-681/README.md)||
 |[CWE-833: Deadlock](CWE-664/CWE-833/README.md)||
-|[CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')](CWE-664/CWE-843/.)|[CVE-2021-29513](https://www.cvedetails.com/cve/CVE-2021-29513),<br/>CVSSv3.1: **7.8**,<br/>EPSS: **00.05** (05.11.2024)|
+|[CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')](CWE-664/CWE-843/.)|[CVE-2021-29513](https://www.cvedetails.com/cve/CVE-2021-29513),<br/>CVSSv3.1: __7.8__,<br/>EPSS: __00.05__ (05.11.2024)|
 |[XXX-005: Consider hash-based integrity verification of byte code files against their source code files](CWE-664/XXX-005/.)||
 
 |[CWE-682: Incorrect Calculation](https://cwe.mitre.org/data/definitions/682.html)|Prominent CVE|
@@ -83,12 +84,12 @@ It is **not production code** and requires code-style or python best practices t
 |[CWE-390: Detection of Error Condition without Action](CWE-703/CWE-390/)||
 |[CWE-392: Missing Report of Error Condition](CWE-703/CWE-392/README.md)||
 |[CWE-754: Improper Check for Unusual or Exceptional Conditions](CWE-703/CWE-754/.)||
-|[CWE-755: Improper Handling of Exceptional Conditions](CWE-703/CWE-755/README.md)|[CVE-2024-39560](https://www.cvedetails.com/cve/CVE-2024-39560),<br/>CVSSv3.1: **6.5**,<br/>EPSS: **0.04** (01.11.2024)|
+|[CWE-755: Improper Handling of Exceptional Conditions](CWE-703/CWE-755/README.md)|[CVE-2024-39560](https://www.cvedetails.com/cve/CVE-2024-39560),<br/>CVSSv3.1: __6.5__,<br/>EPSS: __0.04__ (01.11.2024)|
 
 |[CWE-707: Improper Neutralization](https://cwe.mitre.org/data/definitions/707.html)|Prominent CVE|
 |:----------------------------------------------------------------|:----|
-|[CWE-78: Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")](CWE-707/CWE-78/README.md)|[CVE-2024-43804](https://www.cvedetails.com/cve/CVE-2024-43804/),<br/>CVSSv3.1: **8.8**,<br/>EPSS: **00.06** (08.11.2024)|
-|[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](CWE-707/CWE-89/README.md)|[CVE-2019-8600](https://www.cvedetails.com/cve/CVE-2019-8600/),<br/>CVSSv3.1: **9.8**,<br/>EPSS: **01.43** (18.02.2024)|
+|[CWE-78: Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")](CWE-707/CWE-78/README.md)|[CVE-2024-43804](https://www.cvedetails.com/cve/CVE-2024-43804/),<br/>CVSSv3.1: __8.8__,<br/>EPSS: __00.06__ (08.11.2024)|
+|[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](CWE-707/CWE-89/README.md)|[CVE-2019-8600](https://www.cvedetails.com/cve/CVE-2019-8600/),<br/>CVSSv3.1: __9.8__,<br/>EPSS: __01.43__ (18.02.2024)|
 |[CWE-117: Improper Output Neutralization for Logs](CWE-707/CWE-117/.)||
 |[CWE-175: Improper Handling of Mixed Encoding](CWE-707/CWE-175/README.md)||
 |[CWE-180: Incorrect behavior order: Validate before Canonicalize](CWE-707/CWE-180/.)||
@@ -103,11 +104,12 @@ It is **not production code** and requires code-style or python best practices t
 
 |Ref|Detail|
 |-----|-----|
-|[Python 2023]|[3.9 Module Index](https://docs.python.org/3.9/py-modindex.html)|
-|[mitre.org 2023]|[CWE - CWE-1000: Research Concepts](https://cwe.mitre.org/data/definitions/1000.html)|
-|[OWASP 2022]|[Secure Coding Practices-Quick Reference Guide](https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/)|
-|[OWASP 2022]|[OWASP Top 10 Report 2022](https://owasp.org/www-project-top-ten/)|
-|[MITRE 2023]|[CWE Top 25 2022](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html)|
+|[Python 2023]|3.9 Module Index [online], available from [https://docs.python.org/3.9/py-modindex.html](https://docs.python.org/3.9/py-modindex.html) [accessed Dec 2024]|
+|[mitre.org 2023]|CWE - CWE-1000: Research Concepts [online], available from [https://cwe.mitre.org/data/definitions/1000.html](https://cwe.mitre.org/data/definitions/1000.html) [accessed Dec 2024]|
+|[OWASP dev 2024]|OWASP Developer Guide [online], available from [https://owasp.org/www-project-developer-guide/release/](https://owasp.org/www-project-developer-guide/release/) [accessed Dec 2024]|
+|[OWASP 2021]|OWASP Top 10 Report 2021 [online], available from [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/)|
+|[MITRE Pillar 2024]|_Pillar Weakness_ [online], available form [https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness) [accessed Dec 2024]|
+|[MITRE 2024]|CWE Top 25 [online], available form [https://cwe.mitre.org/top25/index.html](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html) [accessed Dec 2024]|
 
 ## License
 
 
@@ -1,75 +1,78 @@
+// Copyright (C) Open Source Security Foundation (OpenSSF) and its contributors.
+// SPDX-License-Identifier: MIT
+
 info =
 {
   hints: [
     {
       present: String.raw`exec \(`,
-      text: "The `exec` function is vulnerable to command injection. Replace it with `execFile` to improve security."
+      text: "The `exec` function is vulnerable to command injection. Replace it with `execFile` to improve security.",
     },
     {
       absent: String.raw`^[\n\r]*\s*execFile\s*\(`,
-      text: "Use the `execFile` function instead of `exec` to avoid shell interpretation. Your line should start with `execFile(`."
+      text: "Use the `execFile` function instead of `exec` to avoid shell interpretation. Your line should start with `execFile(`.",
     },
     {
       absent: String.raw`execFile\s*\(\s*['"${BACKQUOTE}]git['"${BACKQUOTE}]\s*,`,
-      text: "Separate the command and its arguments. The first argument to `execFile` should be the command 'git' without any of the command arguments."
+      text: "Separate the command and its arguments. The first argument to `execFile` should be the command 'git' without any of the command arguments.",
     },
     {
       present: String.raw`['"${BACKQUOTE}]git\x20blame['"${BACKQUOTE}]`,
-      text: "Separate the command and its arguments. The first argument to `execFile` should be the command 'git', followed by an array with parameters, like this: `execFile('git', ['blame', ...])`."
+      text: "Separate the command and its arguments. The first argument to `execFile` should be the command 'git', followed by an array with parameters, like this: `execFile('git', ['blame', ...])`.",
     },
     {
       absent: String.raw`\[ ['"${BACKQUOTE}]blame`,
-      text: "Pass the arguments as an array, like this: `execFile('git', ['blame', ...])`."
+      text: "Pass the arguments as an array, like this: `execFile('git', ['blame', ...])`.",
     },
     {
       present: "--",
       absent: String.raw`['"${BACKQUOTE}]--['"${BACKQUOTE}]`,
-      text: "To pass `--` you need to pass it as a literal string. Typically this is notated as `'--'` or `\"--\"`."
+      text: "To pass `--` you need to pass it as a literal string. Typically this is notated as `'--'` or `\"--\"`.",
     },
     {
       absent: String.raw`\[ ['"${BACKQUOTE}]blame['"${BACKQUOTE}] , ['"${BACKQUOTE}]--['"${BACKQUOTE}] ,`,
-      text: "Pass the arguments as an array. Include '--' before the file path to prevent argument injection. Your array should look like `['blame', '--', ...`."
+      text: "Pass the arguments as an array. Include '--' before the file path to prevent argument injection. Your array should look like `['blame', '--', ...`.",
     },
     {
       present: String.raw`['"${BACKQUOTE}]filePath['"${BACKQUOTE}]`,
-      text: "`filePath` is a variable, use it directly without using quote marks."
+      text: "`filePath` is a variable, use it directly without using quote marks.",
     },
     {
       present: String.raw`['"]\$\{filePath\}['"]`,
-      text: "`filePath` is a variable, use it directly without using quote marks."
+      text: "`filePath` is a variable, use it directly without using quote marks.",
     },
     {
       present: String.raw`${BACKQUOTE}\$\{filePath\}${BACKQUOTE}`,
-      text: "Strictly speaking, using a backquoted template with a single reference to a variable name works. In this case, it's being done to `filePath`. However, this is unnecessarily complicated. When you want to simply refer to a variable's value, use the variable name."
+      text: "Strictly speaking, using a backquoted template with a single reference to a variable name works. In this case, it's being done to `filePath`. However, this is unnecessarily complicated. When you want to simply refer to a variable's value, use the variable name.",
     },
     {
       absent: String.raw`\[ ['"${BACKQUOTE}]blame['"${BACKQUOTE}] , ['"${BACKQUOTE}]--['"${BACKQUOTE}] , filePath \]`,
-      text: "Pass the arguments as an array. Include '--' before the file path to prevent argument injection. Your array should look like `['blame', '--', filePath]`."
+      text: "Pass the arguments as an array. Include '--' before the file path to prevent argument injection. Your array should look like `['blame', '--', filePath]`.",
     },
     {
       present: "shell = [fF]alse",
-      text: "When passing options to execFile, you need an option with the options, and those use `:` not `=`. So you should say something like: `{shell: false}`."
+      text: "When passing options to execFile, you need an option with the options, and those use `:` not `=`. So you should say something like: `{shell: false}`.",
     },
     {
       present: "[F]alse",
-      text: "JavaScript is case-sensitive. The false value is spelled as `false` and not `False`."
+      text: "JavaScript is case-sensitive. The false value is spelled as `false` and not `False`.",
     },
     {
       absent: String.raw`\{ shell : false \}`,
       present: "shell : false",
-      text: "When passing options to execFile, you must provide those options as a JavaScript object. That means you must surround them with `{...}` like this: `{shell: false}`."
+      text: "When passing options to execFile, you must provide those options as a JavaScript object. That means you must surround them with `{...}` like this: `{shell: false}`.",
     },
     {
       absent: String.raw`\{ shell : false \}`,
-      text: "We encourage you to explicitly set `shell: false` in the options object to prevent shell interpretation. That is something like this: `execFile('git', ['blame', '--', filePath], { shell: false }, ...`"
+      text: "We encourage you to explicitly set `shell: false` in the options object to prevent shell interpretation. That is something like this: `execFile('git', ['blame', '--', filePath], { shell: false }, ...`",
     },
     {
       absent: String.raw`\(\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*,\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*,\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*\)\s*=>`,
-      text: "Maintain the callback function structure with three parameters (typically named error, stdout, and stderr, but any valid variable names are acceptable)."
+      text: "Maintain the callback function structure with three parameters (typically named error, stdout, and stderr, but any valid variable names are acceptable).",
     },
     {
       present: String.raw`\) \) =>`,
-      text: "The `exec` function should be closed in later lines, not here."
+      text: "The `exec` function should be closed in later lines, not here.",
     },
   ],
   expected: [
 
@@ -1,3 +1,6 @@
+// Copyright (C) Open Source Security Foundation (OpenSSF) and its contributors.
+// SPDX-License-Identifier: MIT
+
 info =
 {
   hints: [
@@ -17,11 +20,11 @@ info =
     },
     {
       present: "(bindingresult|BindingResult)",
-      text: "Java is case-sensitive. Use `bindingResult`, not `bindingresult` nor `BindingResult`."
+      text: "Java is case-sensitive. Use `bindingResult`, not `bindingresult` nor `BindingResult`.",
     },
     {
       present: "(haserrors|HasErrors)",
-      text: "Java is case-sensitive. Use `hasErrors`, not `haserrors` nor `HasErrors`."
+      text: "Java is case-sensitive. Use `hasErrors`, not `haserrors` nor `HasErrors`.",
     },
     {
       present: String.raw`^\s*if\s*[^\(\s]`,
@@ -39,25 +42,25 @@ info =
     },
     {
       absent: String.raw`^ if \( bindingResult \. hasErrors \( \) \) `,
-      text: "Begin the answer with the text `if (bindingResult.hasErrors())` so that a statement will be executed if that condition is true."
+      text: "Begin the answer with the text `if (bindingResult.hasErrors())` so that a statement will be executed if that condition is true.",
     },
     {
       present: String.raw`if \( bindingResult \. hasErrors \( \) \) [^\{\s] `,
-      text: "Follow the conditional with an open brace, e.g., `if (bindingResult.hasErrors()) {...`."
+      text: "Follow the conditional with an open brace, e.g., `if (bindingResult.hasErrors()) {...`.",
     },
     {
       absent: String.raw`return "form"
 `,
-      text: "You need to use `return \"form\";` somewhere."
+      text: "You need to use `return \"form\";` somewhere.",
     },
     {
       present: String.raw`return "form"`,
       absent: String.raw`return "form" ;`,
-      text: "You need to use `;` (semicolon) after `return \"form\"` because in Java statements must be followed by a semicolon."
+      text: "You need to use `;` (semicolon) after `return \"form\"` because in Java statements must be followed by a semicolon.",
     },
     {
       absent: String.raw`\} $`,
-      text: "The answer needs to end with `}` (closing brace)."
+      text: "The answer needs to end with `}` (closing brace).",
     },
   ],
   expected: [