
Comments (5)

rfricz avatar rfricz commented on June 27, 2024 1

I understand the potential maintenance issues, we can keep it separate. However, the CycloneDX format is very specific and it is included.

Thanks for your consideration and for pointing to the ASVS Users page, I’ll add a PR to it.

from asvs.

elarlang avatar elarlang commented on June 27, 2024

Hi.
However useful the tool is, personally I don't think that the ASVS as a free and open-source project should add an output format for a commercial tool. This can be used on the tool side as an adapter.

My opinion applies to any tool, I think the standard should only handle the content for the standard and provide general (static) output formats.

I leave the issue open to get feedback from other leads, ping @tghosth @vanderaj @jmanico @danielcuthbert

from asvs.

rfricz avatar rfricz commented on June 27, 2024

We tried to just adapt first, but markdown source is not very adaptable into an app and the generated JSON is too stripped-down. Modifying the JSON generator was the only way to keep all the important information and structure. The output is also static, general and easily processable by any tool or script. I think it makes ASVS more accessible and useful.

Could you please explain the reasons why it shouldn’t be added? What are the downsides?

from asvs.

elarlang avatar elarlang commented on June 27, 2024

Could you please explain the reasons why it shouldn’t be added? What are the downsides?

I feel I already said everything I had to say. So I'll leave it for others to have some opinions on it.

I agree that the markdown is not a friend for apps, as it is not strongly structured data. This is also a problem for the development or export of the chapter texts - it expects a certain format, but there is no guarantee that the markdown is or will be written that way. This is also one of the reasons why #821 is stuck.

Personally, I think that we should not develop it in markdown as it causes so many problems and bottlenecks, but as long as there are no resources to build or adapt any technical solution for that, we keep using what we have.

from asvs.
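The fragility described above (an export script that expects a certain markdown table layout with no guarantee that the chapter files follow it) is illustrated by the following added example. It is not code from the ASVS repository or from the ReqView PR; it assumes a requirement-table layout of `| # | Description | L1 | L2 | L3 | CWE | NIST § |`, which is an assumption about the markdown, not something the thread states, and uses a constructed sample chapter. Instead of silently emitting stripped-down or wrong JSON, it reports each malformed row with its line number and can either fail fast or continue while recording the errors.

```python
"""Validating parser for ASVS-style markdown requirement tables.

Added example, not code from the ASVS repository. The column layout
| # | Description | L1 | L2 | L3 | CWE | NIST § | is an assumption about
the markdown; the real chapter files may differ. The point is that an export
script should detect rows that do not match its expected layout rather than
quietly producing incomplete or wrong JSON.
"""
import json
import re

# Expected column order (assumed layout of the requirement tables)
COLUMNS = ["id", "description", "l1", "l2", "l3", "cwe", "nist"]
ID_RE = re.compile(r"^\*{0,2}(\d+\.\d+\.\d+)\*{0,2}$")  # e.g. **1.2.3**

# Constructed sample chapter text; the row for 1.1.2 is deliberately malformed
SAMPLE_MD = """\
# V1 Example

## V1.1 Example Section

| # | Description | L1 | L2 | L3 | CWE | NIST § |
| :---: | :--- | :---: | :---: | :---: | :---: | :---: |
| **1.1.1** | Verify that something is verified. | ✓ | ✓ | ✓ | 1053 | |
| **1.1.2** | Verify that rows with the wrong column count are rejected. | ✓ | ✓ |
| **1.1.3** | Verify that a third requirement is also parsed. | | ✓ | ✓ | 352 | |
"""


class MarkdownFormatError(ValueError):
    """Raised when a table row does not match the expected layout."""


def split_row(line):
    """Split a pipe-delimited markdown row into stripped cells.

    Cells are expected to be separated by ' | '; an empty last cell must be
    written as '| |' (with a space), otherwise the trailing pipes collapse.
    """
    return [cell.strip() for cell in line.strip().strip("|").split("|")]


def parse_requirements(markdown, strict=True):
    """Return (requirements, errors).

    Each requirement is a dict keyed by COLUMNS. In strict mode the first
    malformed row raises MarkdownFormatError; otherwise the error is recorded
    with its line number and parsing continues with the next row.
    """
    requirements, errors = [], []
    for lineno, line in enumerate(markdown.splitlines(), start=1):
        if not line.lstrip().startswith("|"):
            continue  # headings and prose are not table rows
        cells = split_row(line)
        # Skip the header row and the alignment row (| :---: | ... |)
        if cells and (cells[0] == "#" or (cells[0] and set(cells[0]) <= set(":-"))):
            continue
        if len(cells) != len(COLUMNS):
            msg = f"line {lineno}: expected {len(COLUMNS)} columns, got {len(cells)}"
            if strict:
                raise MarkdownFormatError(msg)
            errors.append(msg)
            continue
        m = ID_RE.match(cells[0])
        if not m:
            msg = f"line {lineno}: bad requirement id {cells[0]!r}"
            if strict:
                raise MarkdownFormatError(msg)
            errors.append(msg)
            continue
        req = dict(zip(COLUMNS, cells))
        req["id"] = m.group(1)
        for level in ("l1", "l2", "l3"):
            req[level] = req[level] != ""  # any mark means required at that level
        req["cwe"] = int(req["cwe"]) if req["cwe"].isdigit() else None
        requirements.append(req)
    return requirements, errors


def export_json(markdown):
    """Tolerant export: JSON of the well-formed rows plus the recorded format errors."""
    reqs, errors = parse_requirements(markdown, strict=False)
    return json.dumps({"requirements": reqs, "format_errors": errors},
                      indent=2, ensure_ascii=False)


if __name__ == "__main__":
    print(export_json(SAMPLE_MD))
```

Run on the sample, the strict mode stops at the malformed 1.1.2 row, while the tolerant export emits 1.1.1 and 1.1.3 together with a `format_errors` entry naming line 8; either way the problem surfaces in the build rather than in a consumer that later finds a requirement missing.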

tghosth avatar tghosth commented on June 27, 2024

Hi @rfricz, I appreciate the interest in ASVS but I don't think we will be able to accept this PR and I am going to close it for now. I appreciate this may be disappointing but there are a couple of issues here and at the end of this comment I have another idea that might be helpful for you.


However useful the tool is, personally I don't think that the ASVS as a free and open-source project should add an output format for the commercial tool.

I am inclined to agree with this perspective. Whilst the ReqView data format may be open, it does seem to be designed specifically to fit with the way that ReqView works and seems less likely to be useful for other purposes.


Could you please explain the reasons why it shouldn’t be added? What are the downsides?

Anything that is committed into this repo becomes our responsibility to own and maintain, and the current mechanisms are already not ideal. This would be quite a complex addition to an already not ideal situation, and if we make a change to the MD files tomorrow and suddenly the output export script stops working because of this format, that is now our immediate problem to debug and fix.

I think the best option would be to keep this for yourselves in a fork or a separate repo and just reference back to the parent repository.


If you are interested, we maintain a list of ASVS users here: https://owasp.org/www-project-application-security-verification-standard/#div-asvsusers

You could add an entry for ReqView saying something like:

  • ReqView - "We use the ASVS as part of the Example project included in the ReqView webapp"

If you are interested, you can PR that in here: https://github.com/OWASP/www-project-application-security-verification-standard/blob/master/tab_asvsusers.md

from asvs.
