Skip to main content
Scanners

OWASP Category Mapping

Map security findings into OWASP Top 10 categories for triage.

The OWASP Category Mapping scanner classifies security-related findings into OWASP Top 10 (2021) categories. This enables security-first triage and compliance reporting without requiring separate security tools.


OWASP Top 10 (2021) Categories

IDCategoryVibgrate Findings
A01Broken Access ControlN/A (code analysis required)
A02Cryptographic FailuresOutdated crypto packages
A03InjectionN/A (code analysis required)
A04Insecure DesignN/A (design review required)
A05Security MisconfigurationMissing lockfiles, tracked .env files
A06Vulnerable & Outdated ComponentsDeprecated packages, old dependencies
A07Identification & Authentication FailuresOutdated auth packages
A08Software & Data Integrity FailuresMissing lockfiles, inconsistent dependencies
A09Security Logging & Monitoring FailuresMissing observability packages
A10Server-Side Request ForgeryN/A (code analysis required)

Note: Vibgrate focuses on dependency and configuration analysis. Categories marked N/A require source code analysis tools like Semgrep or SonarQube.


Primary Focus: A06 - Vulnerable & Outdated Components

Vibgrate excels at A06 detection:

Finding TypeOWASP A06 Relevance
Deprecated packagesKnown unmaintained code
Outdated dependenciesMissing security patches
EOL runtimesUnsupported platforms
Breaking change exposureKnown problematic packages

Categorization Modes

ModeSpeedAccuracyUse Case
fast⚡ InstantStandardCI pipelines, quick checks
cache-inputModerateEnhancedDetailed reports, audits

Use Cases

Security Triage

Prioritize findings by OWASP category:

vg scan --format json | jq '.owaspMapping | to_entries | sort_by(.value.severity) | reverse'

Compliance Reporting

Generate OWASP-structured reports for auditors:

vg scan --format json | jq '{
  owasp: .owaspMapping,
  summary: {
    categories_affected: (.owaspMapping | keys | length),
    total_findings: ([.owaspMapping[].count] | add)
  }
}'

CI Integration

Fail builds on specific OWASP categories:

- name: OWASP A06 Check
  run: |
    A06_COUNT=$(npx @vibgrate/cli scan --format json | jq '.owaspMapping.A06.count // 0')
    if [ "$A06_COUNT" -gt 5 ]; then
      echo "⚠️ Too many vulnerable components (A06): $A06_COUNT"
      exit 1
    fi

Example Output

{
  "owaspMapping": {
    "A06": {
      "category": "Vulnerable and Outdated Components",
      "count": 15,
      "severity": "high",
      "findings": [
        {
          "id": "outdated-lodash",
          "package": "lodash",
          "version": "4.17.15",
          "latest": "4.17.21",
          "reason": "Multiple CVEs in older versions"
        },
        {
          "id": "deprecated-request",
          "package": "request",
          "version": "2.88.2",
          "reason": "Package deprecated, no security updates"
        }
      ]
    },
    "A05": {
      "category": "Security Misconfiguration",
      "count": 3,
      "severity": "medium",
      "findings": [
        {
          "id": "missing-strict-mode",
          "file": "tsconfig.json",
          "reason": "TypeScript strict mode disabled"
        },
        {
          "id": "tracked-env-file",
          "file": ".env.local",
          "reason": "Environment file tracked in git"
        }
      ]
    },
    "A08": {
      "category": "Software and Data Integrity Failures",
      "count": 1,
      "severity": "medium",
      "findings": [
        {
          "id": "lockfile-inconsistent",
          "reason": "package-lock.json out of sync with package.json"
        }
      ]
    }
  }
}

Related Documentation