[REVIEW] sast-config: refresh ASVS 5.0 and CWE Top 25 2025 mapping

[mlodygbelmondo]

Skill Being Reviewed

Skill name: sast-config
Skill path: skills/devsecops/sast-config/

False Positive Analysis

Benign SAST configuration that can be misclassified with stale framework mappings:

rules:
  - p/owasp-top-ten
  - p/cwe-top-25
  - ./semgrep-rules/

Why this can be misleading:

The skill currently maps SAST coverage to OWASP ASVS 4.0.3 and CWE Top 25 2024. OWASP has released ASVS 5.0.0 as the latest stable release, and MITRE/CWE has published the 2025 CWE Top 25. A SAST configuration can look adequately mapped under the older framework set while missing changed ASVS requirement IDs, updated topic organization, or newly ranked CWE priorities.

This is especially risky for SAST tuning because the skill uses framework mapping to decide whether missing coverage is High/Medium and how CI gates should behave. Stale ASVS/CWE mappings can produce both false confidence and noisy findings.

Coverage Gaps

Missed variant 1: ASVS 4.0.3 controls are treated as the current baseline

Frameworks applied: OWASP ASVS 4.0.3, CWE Top 25
Control Reference: ASVS V.X.X / CWE-XXX

Why it should be caught:

Reports generated after ASVS 5.0.0 should identify whether they are using the current ASVS baseline or an intentional legacy 4.0.3 mapping. Otherwise teams may tune rules against obsolete control IDs and miss the need to remap findings.

Missed variant 2: CWE Top 25 2024 ranking is hardcoded

Map the active SAST rule set against CWE Top 25 (2024)

Why it should be caught:

CWE Top 25 is data-driven and changes year to year. The 2025 list is now the current published Top 25. SAST coverage matrices and severity defaults should record the CWE Top 25 year/source date, because rank changes affect which rule gaps should be treated as High versus Medium.

Missed variant 3: rule-pack freshness is not tied to framework version

- p/owasp-top-ten
- p/cwe-top-25

Why it should be caught:

Managed Semgrep/CodeQL rule packs can change independently from ASVS and CWE releases. The review should capture rule-pack source, version/date, active languages, enabled/disabled state, and mapping confidence instead of assuming a registry alias currently implements the desired ASVS/CWE baseline.

Edge Cases

• Some audit engagements may still require ASVS 4.0.3. The skill should support legacy mode only when the requested framework version and date are explicitly recorded.
• Existing issue [REVIEW] appsec-engineer role bundle framework freshness and evidence gaps #147 covers the broader appsec-engineer role bundle. This review is specific to the sast-config skill's frontmatter, SAST coverage matrix, output format, and ASVS/CWE mapping.
• SAST cannot fully verify many ASVS controls. The refreshed output should distinguish covered by SAST, partially covered, manual/dynamic evidence required, and not evaluated.
• A rule-pack alias such as p/cwe-top-25 may point to a moving target. That can be useful operationally, but reports need the retrieved rule-pack version or date.

Remediation Quality

• Fix resolves the vulnerability
• Fix doesn't introduce new security issues
• Fix doesn't break functionality
• Issues found: Refresh sast-config to support OWASP ASVS 5.0.0 and CWE Top 25 2025, add explicit framework-version/source-date fields, preserve legacy ASVS 4.0.3 mode only when scoped, and add rule-pack freshness/mapping-confidence output fields.

Comparison to Other Tools

Tool	Catches this?	Notes
OWASP ASVS 5.0.0	Yes	Current stable ASVS baseline for application security verification.
CWE Top 25 2025	Yes	Current MITRE/CWE Top 25 list for dangerous software weaknesses.
Semgrep / CodeQL	Partial	Rule packs can cover many weaknesses, but the skill must record version/date and mapping confidence.
Existing issue #147	Partial	Covers role-bundle framework freshness, not this specific SAST skill and output template.

Overall Assessment

Strengths:

• Useful SAST discovery patterns for Semgrep, CodeQL, SonarQube, Bandit, ESLint, and CI workflows.
• Good practical guidance around rule coverage, false positives, custom Semgrep authoring, suppressions, and CI gate behavior.
• The output format already has space for ASVS/CWE references, making the refresh straightforward.

Needs improvement:

• Update framework metadata and references from ASVS 4.0.3 to ASVS 5.0.0.
• Update CWE Top 25 references and coverage matrix from 2024 to 2025, or make the year explicit and configurable.
• Add rule-pack source/version/date and mapping-confidence fields.
• Add manual evidence required / not evaluable by SAST reason codes for ASVS controls that SAST cannot prove.

Priority recommendations:

1. Add a preflight section that records ASVS version, CWE Top 25 year, rule-pack source/version/date, scanner version, and review date.
2. Refresh the SAST coverage matrix to ASVS 5.0.0 and CWE Top 25 2025, with legacy ASVS 4.0.3 only when explicitly scoped.
3. Extend the output template with Framework version, Source date, Rule-pack version, Mapping confidence, and Manual evidence required fields.

References

• OWASP ASVS project page: https://owasp.org/www-project-application-security-verification-standard/
• OWASP ASVS releases: https://github.com/OWASP/ASVS/releases
• CWE Top 25 current page: https://cwe.mitre.org/top25/
• 2025 CWE Top 25: https://cwe.mitre.org/top25/archive/2025/2025_cwe_top25.html

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms.
• Preferred payment method: To be provided privately after acceptance.

[JamesJi79]

Structured Review: sast-config SKILL.md — ASVS 5.0 + CWE Top 25 2025 Refresh

Skill: sast-config (skills/devsecops/sast-config/SKILL.md)
Issue: #205 — refresh ASVS 5.0 and CWE Top 25 2025 mapping
Reviewer: Hermes Agent subagent
Date: 2026-06-03

---

1. Executive Summary

The skill is well-structured with practical SAST tuning guidance, but it is entirely based on stale framework versions: OWASP ASVS 4.0.3 and CWE Top 25 2024. Both frameworks have been superseded by major releases (ASVS 5.0.0 and CWE Top 25 2025) that introduce structural renumbering, new chapters, new CWE entries, and rank changes — meaning every ASVS reference (V2, V3, V4, V5, V6, V8, V12, V13) and every CWE rank and coverage assertion in the skill is now incorrect or misaligned.

Review verdict: MAJOR REFRESH REQUIRED — the skill cannot produce accurate SAST coverage reports against current frameworks without updating ~40% of its content (frontmatter, coverage matrix, framework reference tables, output template, and every ASVS control reference in examples).

---

2. ASVS 4.0.3 → 5.0.0 Structural Delta

2.1 Chapter Reorganization (Complete Renumbering)

ASVS 4.0.3 (Skill's baseline)	ASVS 5.0.0 (Current)	Notes
V2 — Authentication	V6 — Authentication	Renumbered
V3 — Session Management	V7 — Session Management	Renumbered
V4 — Access Control	V8 — Authorization	Renumbered + renamed
V5 — Validation, Sanitization, Encoding	V1 — Encoding and Sanitization + V2 — Validation and Business Logic	Split into two chapters
V6 — Stored Cryptography	V11 — Cryptography	Renumbered
V8 — Data Protection	V14 — Data Protection	Renumbered
V12 — File and Resources	V5 — File Handling	Renumbered
V13 — API and Web Service	V4 — API and Web Service	Renumbered
— (not in 4.0.3)	V3 — Web Frontend Security	NEW
— (not in 4.0.3)	V9 — Self-contained Tokens	NEW (split from Session Mgmt)
— (not in 4.0.3)	V10 — OAuth and OIDC	NEW
— (not in 4.0.3)	V12 — Secure Communication	NEW
— (not in 4.0.3)	V13 — Configuration	NEW
— (not in 4.0.3)	V15 — Secure Coding and Architecture	NEW
— (not in 4.0.3)	V16 — Security Logging and Error Handling	NEW
— (not in 4.0.3)	V17 — WebRTC	NEW

2.2 Impact on Skill Content

Every ASVS reference in the SKILL.md is broken:

• Severity mapping table (Step 5.1): References "ASVS Level L1/L2/L3" — these are still valid concepts but the SAST-relevant chapter mappings must change.
• Custom rule examples (Step 3.2): asvs: ["V6.2.1"], asvs: ["V2.10.1"], asvs: ["V6.3.1"] — these 4.0.3 requirement IDs no longer exist. V6 in 5.0 is now Authentication, not Cryptography.
• Framework Reference table (end of skill): Uses "V2, V3, V4, V5, V6, V8, V12, V13" — all must be remapped to 5.0 numbering.
• "Frameworks applied" in output template: Shows "OWASP ASVS 4.0.3" — must be changed to 5.0.0.
• "Control Reference: ASVS V.X.X" in output — must use current numbering.

---

3. CWE Top 25 2024 → 2025 Structural Delta

3.1 Ranking Changes (Top 10)

Rank	2024 (Skill)	2025	Δ
1	CWE-787 OOB Write	CWE-79 XSS	↑1 (CWE-79 was #2)
2	CWE-79 XSS	CWE-89 SQL Injection	↑1 (CWE-89 was #3)
3	CWE-89 SQL Injection	CWE-352 CSRF	↑6 (CWE-352 was #9)
4	CWE-416 Use After Free	CWE-862 Missing Authorization	NEW ENTRY
5	CWE-78 OS Cmd Injection	CWE-787 OOB Write	↓4 (was #1)
6	CWE-20 Input Validation	CWE-22 Path Traversal	↑2 (was #8)
7	CWE-125 OOB Read	CWE-416 Use After Free	↓3 (was #4)
8	CWE-22 Path Traversal	CWE-125 OOB Read	↓1 (was #7)
9	CWE-352 CSRF	CWE-78 OS Cmd Injection	↓4 (was #5)
10	CWE-434 Unrestricted Upload	CWE-94 Code Injection	NEW ENTRY

3.2 New CWEs in 2025 (not in skill's 2024 list)

CWE	Weakness	2025 Rank	SAST Detectability
CWE-862	Missing Authorization	#4	Partial (logic-dependent)
CWE-94	Code Injection	#10	Yes
CWE-120	Classic Buffer Overflow	#11	Yes (C/C++)
CWE-476	NULL Pointer Dereference	#13	Yes (C/C++, Java)
CWE-121	Stack-based Buffer Overflow	#14	Yes (C/C++)
CWE-502	Deserialization of Untrusted Data	#15	Partial
CWE-122	Heap-based Buffer Overflow	#16	Yes (C/C++)
CWE-863	Incorrect Authorization	#17	Partial
CWE-284	Improper Access Control	#19	Partial
CWE-200	Sensitive Information Exposure	#20	Partial
CWE-306	Missing Authentication	#21	Partial
CWE-918	Server-Side Request Forgery	#22	Yes
CWE-77	Command Injection (variant)	#23	Yes
CWE-639	Authorization Bypass (IDOR)	#24	Partial
CWE-770	Resource Allocation / DoS	#25	Partial

3.3 CWEs Dropped from 2024 → 2025

No CWEs were strictly "dropped" — the 2025 list is a full 25 (not a diff on 2024). However, comparing sets:

• CWE-20 (Improper Input Validation) fell from intel: devsecops/compliance social updates 2026-03-25 #6 → Improve pipeline security GitHub Actions risk boundaries #18
• The bulk of the change is that 2025 adds many authorization and access control CWEs (862, 863, 284, 306, 639) that were not in the 2024 Top 25 at all.

3.4 Impact on Skill Content

• Step 2.1 CWE Top 25 Coverage Matrix (top 10 table only) — must be expanded to full 25 rows and re-ranked to 2025 order.
• Finding classification rules in Step 2 reference "CWE Top 10" vs "CWE 11-25" for severity — ranks have shifted so severity assignments change.
• "CWE Top 25 (2024)" reference table at end of skill — must be replaced with 2025.
• All Semgrep/CodeQL rule path examples should note 2025 CWE tags.
• Reference URLs point to 2024 archive — must point to 2025.

---

4. Detailed Finding Classification

Finding F-01 (CRITICAL): All ASVS 4.0.3 references are stale

• Location: Entire SKILL.md — frontmatter (frameworks:), Step 5.1 severity table, Step 3.2 custom rule examples, Framework Reference section, Output Format template
• Description: The skill references ASVS 4.0.3 in 10+ locations, including ASVS requirement IDs (V6.2.1, V2.10.1, V6.3.1) that do not exist in ASVS 5.0.0. ASVS 5.0.0 renumbers all chapters from 16 chapters (V1-V17) with completely different mapping.
• Remediation: Replace every ASVS 4.0.3 reference with ASVS 5.0.0 equivalents. Remap chapter references:
  • V2→V6 (Authentication), V3→V7 (Session Management), V4→V8 (Authorization)
  • V5→V1+V2 (Encoding/Sanitization + Validation/Business Logic)
  • V6→V11 (Cryptography), V8→V14 (Data Protection)
  • V12→V5 (File Handling), V13→V4 (API/Web Service)
  • Add new chapters V3, V9, V10, V12, V13, V15, V16, V17 as relevant for SAST.

Finding F-02 (CRITICAL): CWE Top 25 2024 is stale — 2025 has major rank changes and new entries

• Location: Step 2.1 coverage matrix (top 10 table), CWE reference table, severity classification rules
• Description: The skill hardcodes CWE Top 25 2024. The 2025 list reorders all ranks and adds CWEs (862, 94, 120, 476, 502, 121, 122, 863, 284, 200, 306, 918, 77, 639, 770) not in the 2024 list. Severity classification ("Top 10 coverage gap = High", "11-25 gap = Medium") is now anchored to wrong ranks.
• Remediation: Replace the top-10 matrix with a full CWE Top 25 2025 matrix. Add coverage rows for missing authorization (CWE-862), code injection (CWE-94), SSRF (CWE-918), deserialization (CWE-502), and the new buffer overflow variants. Update Semgrep/CodeQL rule examples.

Finding F-03 (HIGH): No framework version/source-date preflight section

• Location: Missing — no section records ASVS version, CWE year, rule-pack version, scanner version
• Description: The skill assumes ASVS 4.0.3 and CWE 2024 without recording version metadata. This makes it impossible for a report consumer to know whether the assessment was done against current or legacy frameworks.
• Remediation: Add a preflight section that records:
  • ASVS version (5.0.0 by default, 4.0.3 in legacy mode)
  • CWE Top 25 year/source-date (2025 by default)
  • Semgrep/CodeQL rule-pack source, version, and date
  • Scanner version
  • Review date

Finding F-04 (HIGH): Output template lacks framework version fields

• Location: ## Output Format section
• Description: The sample report template lists "Frameworks applied: OWASP ASVS 4.0.3, CWE Top 25" but has no fields for framework version, source date, rule-pack version, or mapping confidence.
• Remediation: Extend the output template with:
  • Framework version: (e.g., OWASP ASVS 5.0.0)
  • CWE Top 25 year: (e.g., 2025)
  • Rule-pack version:
  • Mapping confidence:
  • Manual evidence required: (for ASVS controls SAST cannot verify)

Finding F-05 (MEDIUM): Coverage matrix only covers top 10, not full 25

• Location: Step 2.1 — only 10 rows shown, rest is implied
• Description: The CWE Top 25 contains 25 entries, but the skill only shows a detailed matrix for top 10. Given that the 2025 list has 15 new/reshuffled entries below rank 10 (including SSRF at Improve container security PSA and image provenance guidance #22 and deserialization at [REVIEW] model-supply-chain: make torch.load guidance version-aware and add trust_remote_code coverage #15 which are important for SAST), the matrix should show all 25.
• Remediation: Expand the coverage matrix to all 25 CWE entries. Or provide a complete reference table in the Framework Reference section.

Finding F-06 (MEDIUM): "Manual evidence required" / "Not evaluable by SAST" codes missing

• Location: Missing from the skill framework reference
• Description: Many ASVS 5.0 requirements cannot be verified by SAST alone (e.g., architecture reviews, business logic validation, configuration standards). The skill currently implies "partial" coverage without distinguishing between SAST-verifiable and SAST-unverifiable controls.
• Remediation: Add column/reason codes: covered by SAST, partially covered, manual/dynamic evidence required, not evaluable. Update the Framework Reference table accordingly.

Finding F-07 (MEDIUM): Rule-pack freshness not captured

• Location: Step 2 — no guidance on recording rule-pack source/version
• Description: Managed rule packs like p/cwe-top-25 or p/owasp-top-ten are moving targets. The skill assumes a registry alias maps to a specific CWE/ASVS baseline, but that can drift.
• Remediation: Add a sub-step in Step 2 to capture rule-pack source URL, version (commit SHA or release tag), date pulled, and active language coverage. Add warning about latest tags.

Finding F-08 (LOW): Reference URLs point to 2024 archive

• Location: ## References
• Description: CWE Top 25 link points to /2024/2024_cwe_top25.html not /2025/2025_cwe_top25.html. ASVS link points to generic OWASP page (no version specificity).
• Remediation: Update URLs to:
  • https://cwe.mitre.org/top25/archive/2025/2025_cwe_top25.html
  • https://github.com/OWASP/ASVS/releases/tag/v5.0.0_release

---

5. CWE Top 25 2025 Coverage Matrix (Recommended Replacement)

Rank	CWE ID	Weakness	SAST Detectable	Semgrep Registry	CodeQL Coverage
1	CWE-79	XSS	Yes	javascript.browser.security.*.xss	js/xss, js/reflected-xss
2	CWE-89	SQL Injection	Yes	python.django.security.injection.sql.*	java/sql-injection, python/sql-injection
3	CWE-352	CSRF	Partial	Framework-specific	java/csrf, python/csrf
4	CWE-862	Missing Authorization	Partial	Custom rules needed	Custom query needed
5	CWE-787	Out-of-bounds Write	Partial (C/C++)	Limited	cpp/overflow-buffer
6	CWE-22	Path Traversal	Yes	python.lang.security.audit.path-traversal.*	python/path-injection, java/path-injection
7	CWE-416	Use After Free	Partial (C/C++)	Limited	cpp/use-after-free
8	CWE-125	Out-of-bounds Read	Partial (C/C++)	Limited	cpp/out-of-bounds-read
9	CWE-78	OS Command Injection	Yes	python.lang.security.audit.dangerous-subprocess-use.*	python/command-injection, java/command-injection
10	CWE-94	Code Injection	Yes	python.lang.security.audit.code-injection.*	python/code-injection, java/unsafe-deserialization
11	CWE-120	Classic Buffer Overflow	Yes (C/C++)	Limited	cpp/buffer-overflow
12	CWE-434	Unrestricted Upload	Partial	Framework-specific	Pattern-dependent
13	CWE-476	NULL Pointer Dereference	Yes (C/C++/Java)	Limited	cpp/null-dereference
14	CWE-121	Stack-based Buffer Overflow	Yes (C/C++)	Limited	cpp/stack-buffer-overflow
15	CWE-502	Deserialization of Untrusted Data	Partial	java.lang.security.audit.unsafe-deserialization.*	java/unsafe-deserialization
16	CWE-122	Heap-based Buffer Overflow	Yes (C/C++)	Limited	cpp/heap-buffer-overflow
17	CWE-863	Incorrect Authorization	Partial	Custom rules needed	Custom query needed
18	CWE-20	Improper Input Validation	Partial	Pattern-dependent	Pattern-dependent
19	CWE-284	Improper Access Control	Partial	Custom rules needed	Custom query needed
20	CWE-200	Sensitive Information Exposure	Partial	python.lang.security.audit.logging.*	java/sensitive-log
21	CWE-306	Missing Authentication	Partial	Custom rules needed	Custom query needed
22	CWE-918	Server-Side Request Forgery	Yes	python.lang.security.audit.request-ssrf.*	java/ssrf, python/ssrf
23	CWE-77	Command Injection (variant)	Yes	Same as CWE-78 rules	Same as CWE-78
24	CWE-639	Authorization Bypass (IDOR)	Partial	Custom rules needed	Custom query needed
25	CWE-770	Resource Allocation without Limits	Partial	Pattern-dependent	Pattern-dependent

---

6. ASVS 5.0 SAST-Relevant Chapters (Recommended Replacement Table)

Chapter	Title	SAST Coverage	4.0.3 Equivalent
V1	Encoding and Sanitization	Strong — injection, XSS, path traversal	V5
V2	Validation and Business Logic	Partial — input validation patterns	V5 (partial)
V3	Web Frontend Security	Strong — CSP, DOM XSS, clickjacking	NEW
V4	API and Web Service	Partial — mass assignment, SSRF	V13
V5	File Handling	Moderate — upload validation, path traversal	V12
V6	Authentication	Partial — hardcoded credentials, weak checks	V2
V7	Session Management	Limited — configuration review only	V3
V8	Authorization	Partial — missing authorization checks	V4
V9	Self-contained Tokens	Moderate — JWT algorithm validation, token handling	NEW (was in V3)
V10	OAuth and OIDC	Partial — flow validation	NEW
V11	Cryptography	Moderate — weak algorithms, hardcoded keys	V6
V12	Secure Communication	Limited — TLS config review	NEW
V13	Configuration	Limited — header/config review	NEW
V14	Data Protection	Partial — sensitive data in logs	V8
V15	Secure Coding and Architecture	Limited — coding standards	NEW
V16	Security Logging and Error Handling	Partial — log injection	NEW
V17	WebRTC	Minimal — config/header review	NEW

---

7. Prioritized Remediation Plan

Priority	Action	Effort
P0	Replace all ASVS 4.0.3 chapter/requirement references with ASVS 5.0.0 equivalents	~2h
P0	Replace CWE Top 25 2024 matrix/reference with 2025 (all 25 entries)	~1.5h
P1	Add preflight section: ASVS version, CWE year, rule-pack version/date, scanner version	~30min
P1	Add "Framework version", "Source date", "Mapping confidence", "Manual evidence" fields to output template	~30min
P2	Add "not evaluable by SAST" reason codes to framework reference	~30min
P2	Add rule-pack freshness capture sub-step (source URL, version, date)	~30min
P3	Update reference URLs (CWE 2025, ASVS 5.0 release)	~5min
P3	Update frontmatter frameworks: from OWASP-ASVS-4.0.3 to OWASP-ASVS-5.0.0 and CWE-Top-25 to CWE-Top-25-2025	~5min

Estimated total effort: ~5.5 hours

---

8. Edge Cases and Recommendations

1. Legacy mode compatibility: The skill should support ASVS 4.0.3 when explicitly requested, with a note in the report header that it's a legacy mapping. This is important for orgs mid-audit.

2. Authorization CWEs are new and hard: CWE-862, CWE-863, CWE-284, CWE-306, CWE-639 are authorization-related and notoriously hard for SAST to verify. The skill should add guidance on when to use IAST/DAST/manual review for these.

3. SSRF at Improve container security PSA and image provenance guidance #22 is notable: CWE-918 (SSRF) is now in the Top 25. SAST tools can detect SSRF patterns (especially in Python/Java) — the skill should add SSRF coverage guidance.

4. Deserialization at [REVIEW] model-supply-chain: make torch.load guidance version-aware and add trust_remote_code coverage #15: CWE-502 enters at a high rank. The skill should add coverage for Java/Python/PHP deserialization patterns.

5. Severity reclassification: Because ranks shifted, a rule gap that was "High" under 2024 (CWE Top 10 gap) may now be "Medium" for CWE-20 which dropped to Improve pipeline security GitHub Actions risk boundaries #18, and vice versa for CWE-862 which entered at Enhance all 45 skills per 7-rule audit evaluation #4.

[kingtechies]

Review: sast-config ASVS 5.0 + CWE Top 25 2025 Refresh

Overall Assessment: ✅ VALID GAP

The SAST configuration skill needs to map against ASVS 5.0 (current) not 4.0.x, and align with CWE Top 25 2025. Without this refresh, SAST tools may miss newly-prioritized vulnerability classes.

Assessment: ✅ Recommend merge

[modelsbridgeaicom-ship-it]

Submitted implementation PR: #955

Bounty requested: Improver moderate / if accepted.

Summary:

• Refreshed sast-config from ASVS 4.0.3 / CWE Top 25 2024 to ASVS 5.0.0 / CWE Top 25 2025.
• Added framework source and rule-pack preflight fields for source URLs, source dates, rule-pack version, scanner version, mapping confidence, and manual-evidence requirements.
• Replaced the old top-10 CWE matrix with a full 25-row CWE Top 25 2025 matrix.
• Added coverage status codes for Covered by SAST, Partially Covered, Manual Evidence Required, Not Evaluable by SAST, and Legacy Mapping.
• Updated output template, references, and changelog.

Validation performed:

• git diff --check
• required-string assertions
• markdown fence balance check
• official OWASP/MITRE source URLs returned HTTP 200