The OWASP Category Mapping scanner classifies security-related findings into OWASP Top 10 (2021) categories. This enables security-first triage and compliance reporting without requiring separate security tools.
OWASP Top 10 (2021) Categories
| ID | Category | Vibgrate Findings |
|---|---|---|
| A01 | Broken Access Control | N/A (code analysis required) |
| A02 | Cryptographic Failures | Outdated crypto packages |
| A03 | Injection | N/A (code analysis required) |
| A04 | Insecure Design | N/A (design review required) |
| A05 | Security Misconfiguration | Missing lockfiles, tracked .env files |
| A06 | Vulnerable & Outdated Components | Deprecated packages, old dependencies |
| A07 | Identification & Authentication Failures | Outdated auth packages |
| A08 | Software & Data Integrity Failures | Missing lockfiles, inconsistent dependencies |
| A09 | Security Logging & Monitoring Failures | Missing observability packages |
| A10 | Server-Side Request Forgery | N/A (code analysis required) |
Note: Vibgrate focuses on dependency and configuration analysis. Categories marked N/A require source code analysis tools like Semgrep or SonarQube.
Primary Focus: A06 - Vulnerable & Outdated Components
Vibgrate excels at A06 detection:
| Finding Type | OWASP A06 Relevance |
|---|---|
| Deprecated packages | Known unmaintained code |
| Outdated dependencies | Missing security patches |
| EOL runtimes | Unsupported platforms |
| Breaking change exposure | Known problematic packages |
Categorization Modes
| Mode | Speed | Accuracy | Use Case |
|---|---|---|---|
fast | ⚡ Instant | Standard | CI pipelines, quick checks |
cache-input | Moderate | Enhanced | Detailed reports, audits |
Use Cases
Security Triage
Prioritize findings by OWASP category:
vg scan --format json | jq '.owaspMapping | to_entries | sort_by(.value.severity) | reverse'
Compliance Reporting
Generate OWASP-structured reports for auditors:
vg scan --format json | jq '{
owasp: .owaspMapping,
summary: {
categories_affected: (.owaspMapping | keys | length),
total_findings: ([.owaspMapping[].count] | add)
}
}'
CI Integration
Fail builds on specific OWASP categories:
- name: OWASP A06 Check
run: |
A06_COUNT=$(npx @vibgrate/cli scan --format json | jq '.owaspMapping.A06.count // 0')
if [ "$A06_COUNT" -gt 5 ]; then
echo "⚠️ Too many vulnerable components (A06): $A06_COUNT"
exit 1
fi
Example Output
{
"owaspMapping": {
"A06": {
"category": "Vulnerable and Outdated Components",
"count": 15,
"severity": "high",
"findings": [
{
"id": "outdated-lodash",
"package": "lodash",
"version": "4.17.15",
"latest": "4.17.21",
"reason": "Multiple CVEs in older versions"
},
{
"id": "deprecated-request",
"package": "request",
"version": "2.88.2",
"reason": "Package deprecated, no security updates"
}
]
},
"A05": {
"category": "Security Misconfiguration",
"count": 3,
"severity": "medium",
"findings": [
{
"id": "missing-strict-mode",
"file": "tsconfig.json",
"reason": "TypeScript strict mode disabled"
},
{
"id": "tracked-env-file",
"file": ".env.local",
"reason": "Environment file tracked in git"
}
]
},
"A08": {
"category": "Software and Data Integrity Failures",
"count": 1,
"severity": "medium",
"findings": [
{
"id": "lockfile-inconsistent",
"reason": "package-lock.json out of sync with package.json"
}
]
}
}
}