OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.
- OWASP SCP OWASP_Secure_Coding_Practices_Checklist v2
- OWASP ASVS OWASP_Application_Security_Verification_Standard v4 (2019)
- OWASP AppSensor AppSensor_DetectionPoints
- CAPEC Mitre Common Attack Pattern Enumeration and Classification v1.7.1
- SAFECode SAFECode Practical Security Stories and Security Tasks for Agile Development Environments July 2012
Cornucopia was originally conceived and created by Darío De Filippis and has since had contributions from a worldwide team of volunteers. Please see Project Page for more details.
Merges to the main branch will generate new DOCX and IDML files to use to print off new version of the deck but if you wish to produce these locally yourself then use the ./scripts/convert.py scipt to do this:
(cornucopia) ➜ cornucopia git:(master) ✗ python ./scripts/convert.py --help
usage: convert.py [-h] [-i INPUTFILE] [-t {all,docx,pdf,idml}] [-o OUTPUTFILE] [-l {template,all,en,es,fr,nl,no-nb,pt-br}] [-d] [-s {all,static,dynamic}] [-u URL]
Tool to output OWASP Cornucopia playing cards into different file types and languages.
Example usage: $ ./cornucopia/convert.py -t docx -l es -v 1.30
Example usage: c:\cornucopia\scripts\convert.py -t idml -l fr -s static -v 1.30 -o 'my_output_folder/owasp_cornucopia_edition_language_version.idml'
options:
-h, --help show this help message and exit
-i INPUTFILE, --inputfile INPUTFILE
Input (template) file to use.
Default=resources/templates/owasp_cornucopia_edition_lang_ver_template.(docx|idml)
Template type is dependent on output type (-t) or file (-o) specified.
-v {1.20,1.21,1.30}, --version {1.20,1.21,1.30}
Output version to produce. [`1.20`, `1.21`, `1.30`]
Version 1.20 and 1.2x will deliver cards mapped to ASVS 3.0.1
Version 1.30 and 1.3x will deliver cards mapped to ASVS 4.0
-t {all,docx,pdf,idml}, --outputfiletype {all,docx,pdf,idml}
Type of file to output. Default = docx. If specified, this overwrites the output file extension
-o OUTPUTFILE, --outputfile OUTPUTFILE
Specify a path and name of output file to generate. (caution: existing file will be overwritten).
default = output/owasp_cornucopia_edition_component_lang_ver.(docx|pdf|idml)
-l {template,all,en,es,fr,nl,no-nb,pt-br}, --language {template,all,en,es,fr,nl,no-nb,pt-br}
Output language to produce. [`en`, `es`, `fr`, `nl`, `no-nb`, `pt-br`, `template`]
Template will attempt to create a template from the english input file and
replacing strings with the template lookup codes
-d, --debug Output additional information to debug script
-s {all,static,dynamic}, --style {all,static,dynamic}
Output style to produce. [`static` or `dynamic`]
Static cards have the mappings printed on them, dynamic ones a QRCode that points to an maintained list.
-u URL, --url URL Specify a URL to use in generating dynamic cards. (caution: URL will be suffixed with / and the card ID). The latest printable files are added to the output folder in this repository.
The docx/pdf files can be easily printed by any desktop printer, but for the best quality use the idml InDesign files. When sending the files to a printing facility you may have to supply the fonts that has been used in order to create the work.
In case the printing facility doesn't have the fonts at hand you'll find the installable fonts under resources/fonts in this repository. They are both open source and free for commercial use.
The fonts can also be downloaded from the web.
Fivo Sans: https://www.fontsc.com/font/fivo-sans
Atkinson Hyperlegible: https://brailleinstitute.org/freefont
Please install git-lfs to ensure you can download the output files.
Install from https://git-lfs.com/
Then pull the binaries from git lfs.
git lfs pull
Before you push your changes please format files with
make fmtrun static analysis checks
make static-checkrun all available smoke, unit and integration tests
make testcheck that your code have sufficient test coverage
make coverage-checkAll python unit tests with fixtures in testdata folder support updating golden files from real output of tests
make python-test-update-golden-filesthis is useful if you have made changes in code and you do not want to update all fixtures manually or when you have updated inputs and therefore fixtures needs to be updated.
Instead of manually running those commands, you may wish to add them to the Git pre-commit hook. This will mean that the commands will run automatically whenever you commit your changes. If the command fails, then the commit will not be completed.
-
In the project root, open your
.gitdirectory -
Create a file called
pre-commit(no suffix) -
Add the following code:
#!/bin/sh make fmt make static-check make test make coverage-check
-
Save the file.
-
All done. Now whenever you commit changes, Git will run the commands in that file.
This repository follows semver approach. Release a new
version means to tag commit in master branch. Please do not use same tag
twice.
To avoid common mistakes there is a script which will guide you through process and push correct tag from your machine.
make releaseDocker images are build in [Jenkins][4] and published to [Artifactory][5] keeping 3 tags:
latestmirrors state ofmasterbranch.currentmirrors state of the most recent Git tag.previousmirrors state of the previous Git tag.
Images are also pushed with git describe version.