
fix: use exact equality for ASVS shortcode matching in convert_capec.py#2551

Open
immortal71 wants to merge 3 commits into OWASP:master from immortal71:fix/2547-capec-shortcode-match

Conversation

@immortal71 (Contributor)

Fixes #2547.

Problem

createlink() in scripts/convert_capec.py used Python's in operator to compare ASVS shortcodes:

if shortcode in subitem["Shortcode"]:

in checks substring containment, not equality. So "V1.1.1" in "V1.1.10" is True. When ASVS data contains V1.1.10 before V1.1.1 in iteration order, looking up V1.1.1 returns a link anchored to V1.1.10 — silently wrong output with no error.

Fix

Change to exact equality:

if shortcode == subitem["Shortcode"]:

Tests added

  • test_createlink_no_prefix_collision — V1.1.1 must not match V1.1.10/V1.1.11 when they appear first
  • test_createlink_exact_match_multi_digit — V1.1.10 must match exactly, not V1.1.1
  • test_createlink_empty_shortcode — empty shortcode returns empty string

All 53 tests in convert_capec_utest.py pass.
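The following is an added example, not code from OWASP's convert_capec.py or from this PR: a minimal reconstruction of the shortcode lookup described above, with the substring-based check placed beside the exact-equality fix, plus a small audit helper that lists every prefix collision in a data set. The function names (make_link_buggy, make_link_fixed, find_prefix_collisions), the ASVS-like item layout and the anchor format are assumptions chosen for illustration; the constructed data deliberately lists V1.1.10 before V1.1.1, the ordering that triggers the wrong link.

```python
# Added example (not OWASP's convert_capec.py): a reconstruction of the
# shortcode lookup the PR describes. Names, data layout and link format are
# assumptions for illustration, not the project's own code.

# Constructed ASVS-like data. Iteration order matters: V1.1.10 precedes
# V1.1.1, which is exactly the ordering that exposes the substring bug.
ASVS_ITEMS = [
    {"Shortcode": "V1.1.10", "Description": "Tenth requirement"},
    {"Shortcode": "V1.1.1", "Description": "First requirement"},
    {"Shortcode": "V1.1.11", "Description": "Eleventh requirement"},
]


def make_link_buggy(shortcode, items=ASVS_ITEMS):
    """Lookup with `in` (substring containment): wrong whenever the requested
    shortcode is a prefix of an item that appears earlier in the iteration."""
    if not shortcode:
        return ""
    for subitem in items:
        if shortcode in subitem["Shortcode"]:  # "V1.1.1" in "V1.1.10" is True
            return f'<a href="#{subitem["Shortcode"]}">{subitem["Shortcode"]}</a>'
    return ""


def make_link_fixed(shortcode, items=ASVS_ITEMS):
    """Lookup with exact equality: only the item whose shortcode is identical
    to the requested one produces a link; unknown codes yield ''."""
    if not shortcode:
        return ""
    for subitem in items:
        if shortcode == subitem["Shortcode"]:
            return f'<a href="#{subitem["Shortcode"]}">{subitem["Shortcode"]}</a>'
    return ""


def find_prefix_collisions(items):
    """Defensive audit: every ordered pair (a, b) where shortcode a is a proper
    prefix of shortcode b. Each such pair is a lookup the substring-based
    version can resolve to the wrong anchor, depending on iteration order."""
    codes = [item["Shortcode"] for item in items]
    return sorted(
        (a, b) for a in codes for b in codes if a != b and b.startswith(a)
    )


if __name__ == "__main__":
    print("buggy :", make_link_buggy("V1.1.1"))  # anchored to V1.1.10, wrong
    print("fixed :", make_link_fixed("V1.1.1"))  # anchored to V1.1.1
    print("collisions:", find_prefix_collisions(ASVS_ITEMS))
```

Running the block shows the silent failure the PR fixes: the buggy lookup for V1.1.1 returns a link to V1.1.10 with no error, while the fixed lookup returns the correct anchor. The collision audit is the kind of check worth running over real ASVS data before trusting any lookup that is not an exact comparison.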

Copilot AI review requested due to automatic review settings March 7, 2026 07:20

Copilot AI (Contributor) left a comment


Pull request overview

Fixes incorrect ASVS requirement link generation in the CAPEC conversion script by ensuring shortcode matching is done via exact equality (preventing prefix/substring collisions like V1.1.1 matching V1.1.10).

Changes:

  • Update createlink() to compare ASVS shortcodes with == instead of substring containment (in).
  • Add regression tests covering prefix-collision scenarios, multi-digit exact matching, and empty shortcode handling.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

  • scripts/convert_capec.py: Fix shortcode matching logic to avoid generating links to the wrong ASVS anchor.
  • tests/scripts/convert_capec_utest.py: Add targeted unit tests to prevent regressions for prefix collisions and empty shortcode behavior.

@immortal71 (Contributor, Author)

@sydseter is this good to go? Are the commentpr issues solved?

@Suresh-Krishna-P (Contributor)

Hello @immortal71. The issue was that using Python's 'in' operator for shortcode matching caused prefix collisions: for example, looking up V1.1.1 would incorrectly match V1.1.10 if it appeared first in the iteration order. The fix is simple but effective: changing to exact equality comparison with ==. The addition of comprehensive regression tests demonstrates good defensive programming practices and ensures this type of bug won't reoccur. The PR is clean, targeted, and addresses the specific issue without unnecessary changes. Keep going.



Linked issue (may be closed by merging this pull request):

Bug: shortcode in subitem["Shortcode"] substring match in convert_capec.py generates wrong ASVS links
