feat(validation): integrate OWASP API Security Top 10 2023 rules#145

Merged
hdamker merged 2 commits into camaraproject:validation-framework from hdamker:phase1b-owasp-rules
Apr 3, 2026
Conversation

@hdamker hdamker commented Apr 3, 2026

What type of PR is this?

enhancement/feature

What this PR does / why we need it:

Integrates the agreed OWASP API Security Top 10 2023 Spectral rules into the v1 validation framework, scoped to the r4.x ruleset (.spectral-r4.yaml) only.

  • Adds @stoplight/spectral-owasp-ruleset npm dependency
  • Enables 20 OWASP rules with CAMARA-agreed severity levels
  • Disables 12 rules not applicable to CAMARA (OpenID-only auth, gateway-level, OAS 3.1-only)
  • Creates rule metadata entries S-300..S-319 with hints for high-volume rules
  • Adds NODE_PATH bridge for npm module resolution (documented inline)

Rule configuration follows Commonalities Linting-rules.md section 5 exactly:

  • 8 rules at error (authentication, HTTPS, 401 response, numeric IDs)
  • 11 rules at warn (resource consumption, mass assignment)
  • 1 rule at info (SSRF parameter review)
  • Resource consumption rules (string-limit, array-limit, integer-format, integer-limit-legacy) at warn for 2026, with planned escalation to error in 2027 per Commonalities #551

Which issue(s) this PR fixes:

Supersedes #95 (OWASP rules — parked, v0 approach)
Related: ReleaseManagement#448 (validation framework umbrella)

Special notes for reviewers:

  • OWASP rules go into .spectral-r4.yaml only — .spectral-r3.4.yaml is unchanged (frozen Fall25 ruleset)
  • 5 enabled rules are no-ops for CAMARA OAS 3.0.3 but included for completeness and forward-compatibility (OAS 3.1 rules, oauth2-only rules, admin-path rules)
  • Smoke tested on QualityOnDemand and ReleaseTest specs — only warn-level resource consumption findings, no false positives from security rules

Changelog input

feat: integrate OWASP API Security Top 10 2023 rules into v1 validation (20 rules enabled, 12 disabled)

Additional documentation

Commonalities discussions: #539, #548, #551, #552, #596
Design Guide alignment: sections 2.2 (data definitions), 3.2 (error responses), 6.1-6.3 (security)

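The description above says which severity classes the OWASP rules get but does not show the ruleset file. The following is an added example, not the camaraproject `.spectral-r4.yaml` and not code from this PR, of how a Spectral ruleset pulls in `@stoplight/spectral-owasp-ruleset` and overrides severities. The rule identifiers are those the upstream package publishes; the mapping of the PR's categories ("numeric IDs", "HTTPS", "401 response") to specific rule names, and the rule chosen to illustrate disabling, are assumptions made here, not the PR's actual configuration.

```yaml
# Added example of a Spectral ruleset in the style of .spectral-r4.yaml.
# Not the camaraproject file; rule-to-category mapping is assumed.
extends:
  # Resolved through Node module resolution, so the package must be installed
  # next to the ruleset or reachable via NODE_PATH (the PR's "NODE_PATH bridge").
  - "@stoplight/spectral-owasp-ruleset"

rules:
  # error-level: security properties the API must state in the spec
  owasp:api1:2023-no-numeric-ids: error               # assumed: "numeric IDs"
  owasp:api7:2023-security-hosts-https-oas3: error     # assumed: "HTTPS"
  owasp:api8:2023-define-error-responses-401: error    # assumed: "401 response"

  # warn-level for 2026, planned escalation to error in 2027 (Commonalities #551)
  owasp:api4:2023-string-limit: warn           # every string needs maxLength (or enum/const)
  owasp:api4:2023-array-limit: warn            # every array needs maxItems
  owasp:api4:2023-integer-format: warn         # integers need format int32/int64
  owasp:api4:2023-integer-limit-legacy: warn   # OAS 3.0 integers need minimum/maximum

  # Disabling a rule that is enforced elsewhere (e.g. at the gateway) rather than
  # in the OAS document. Which rules CAMARA actually disables is not listed by
  # name in the PR; this one is a hypothetical illustration of the syntax.
  owasp:api4:2023-rate-limit: off
```

Severity overrides in `rules:` apply on top of whatever the extended ruleset declares, so escalating the resource-consumption rules later is a one-word change per rule (`warn` to `error`) with no edit to the upstream package. A rule set to `off` still exists but produces no findings, which is the right choice for controls that are verified outside the spec; silently deleting the line would instead fall back to the upstream default severity.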
hdamker added 2 commits April 1, 2026 21:51
Add 20 OWASP Spectral rules to .spectral-r4.yaml (r4.x scope only),
disable 12 rules not applicable to CAMARA, and create rule metadata
for all enabled rules (S-300..S-319).

Implements the agreed configuration from Commonalities Linting-rules.md
section 5 (issues #539, #548, #551, #552):
- 8 rules at error (auth, HTTPS, 401 response, numeric IDs)
- 11 rules at warn (resource consumption, mass assignment)
- 1 rule at info (SSRF parameter review)
- 12 rules disabled (OpenID-only, gateway-level, OAS 3.1-only)

Resource consumption rules (string-limit, array-limit, integer-format,
integer-limit-legacy) set to warn for 2026 with planned escalation to
error in 2027 per Commonalities #551.
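To make the warn-level resource-consumption findings concrete, here is an added example, constructed for this page and not taken from the PR or from any CAMARA API definition, of an OpenAPI 3.0.3 schema fragment in the shape that trips each of the four rules named in the commit message, followed by the bounded version that passes them. The schema and property names are invented.

```yaml
# Added example: constructed OAS 3.0.3 fragment, not a CAMARA spec.
openapi: 3.0.3
info:
  title: Example API (constructed)
  version: 0.1.0
paths: {}
components:
  schemas:
    # "Before": unbounded inputs. Each property would be reported at warn by
    # the corresponding owasp:api4:2023-* rule.
    SessionRequestUnbounded:
      type: object
      properties:
        deviceId:
          type: string                 # string-limit: no maxLength
        qosProfiles:
          type: array                  # array-limit: no maxItems
          items:
            type: string               # string-limit again, on the item schema
        durationSeconds:
          type: integer                # integer-format: no format
                                       # integer-limit-legacy: no minimum/maximum

    # "After": every input carries an explicit upper bound, so a client cannot
    # force unbounded memory or processing with a single request body.
    SessionRequest:
      type: object
      additionalProperties: false      # also satisfies the mass-assignment rule
      required: [deviceId, durationSeconds]
      properties:
        deviceId:
          type: string
          maxLength: 64
        qosProfiles:
          type: array
          maxItems: 10
          items:
            type: string
            maxLength: 32
        durationSeconds:
          type: integer
          format: int32
          minimum: 1
          maximum: 86400
```

The bounds themselves are a design decision for each API, not something the linter can supply; what the rules enforce is only that a bound is stated, which is why they are tolerable at warn across existing specs while authors add limits, and why the PR plans to raise them to error once the ruleset has been in force for a release cycle.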
@hdamker hdamker requested review from Kevsy and rartych as code owners April 3, 2026 06:50
@hdamker hdamker merged commit c937aac into camaraproject:validation-framework Apr 3, 2026
1 check passed
@hdamker hdamker deleted the phase1b-owasp-rules branch April 3, 2026 09:32