2.3.1 and 2.5.1 tags are misleading
tghosth opened this issue
v4.0.3-2.5.1 is this:
# | Description | L1 | L2 | L3 | CWE | NIST § |
---|---|---|---|---|---|---|
2.5.1 | Verify that a system generated initial activation or recovery secret is not sent in clear text to the user. (C6) | ✓ | ✓ | ✓ | 640 | 5.1.1.2 |
This requirement has gone through some stuff over the last few years, but my understanding is that the tagging should reflect a change from v4.0.3 to v5.
The bleeding edge current tagging is:
# | Description | L1 | L2 | L3 | CWE | NIST § |
---|---|---|---|---|---|---|
2.3.1 | [MODIFIED, MERGED FROM 2.5.1] Verify system generated initial passwords or activation codes are securely randomly generated, at least 6 characters long, may contain letters and numbers, expire after a short period of time, and are single-use. These initial secrets must not be permitted to become the long term password. | ✓ | ✓ | ✓ | 330 | 5.1.1.2 / A.3 |
2.5.1 | [DELETED, MERGED TO 2.3.1] |
However, I think that this has gotten confused as the requirement has evolved and the actual tagging should be as follows based on this issue.
# | Description | L1 | L2 | L3 | CWE | NIST § |
---|---|---|---|---|---|---|
2.3.1 | [MODIFIED] Verify system generated initial passwords or activation codes are securely randomly generated, at least 6 characters long, may contain letters and numbers, expire after a short period of time, and are single-use. These initial secrets must not be permitted to become the long term password. | ✓ | ✓ | ✓ | 330 | 5.1.1.2 / A.3 |
2.5.1 | [DELETED, INCORRECT] |
Opinions, @elarlang?
Ok, I opened a PR because I think this is clear-cut; whatever happened afterwards is not relevant to the tagging :)
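The 2.3.1 text quoted in the tables above lists five properties for a system-generated initial secret: securely random, at least 6 characters of letters and digits, short-lived, single-use, and never accepted as the long-term password. The following is an added Python sketch of an issuer that enforces all five; it is not code from this issue, from the ASVS, or from any OWASP project. The class and function names (`ActivationStore`, `IssuedSecret`, `issue`, `redeem`, `set_password`), the 8-character length, and the 600-second lifetime are assumptions chosen for illustration.

```python
import secrets
import string
import time
from dataclasses import dataclass

# Constructed example (not ASVS or OWASP code) of an initial-secret issuer
# meeting the five properties in ASVS v5 2.3.1. All names and constants below
# are illustrative assumptions.

ALPHABET = string.ascii_letters + string.digits  # letters and numbers only
CODE_LENGTH = 8          # assumption: above the 6-character minimum in 2.3.1
CODE_TTL_SECONDS = 600   # assumption: ten minutes as "a short period of time"


@dataclass
class IssuedSecret:
    code: str
    expires_at: float
    used: bool = False


class ActivationStore:
    """Issues and redeems one-time activation codes keyed by user id."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry behaviour can be exercised
        self._codes: dict[str, IssuedSecret] = {}
        self._passwords: dict[str, str] = {}  # a real system stores a password hash

    def issue(self, user_id: str) -> str:
        # secrets.choice draws from the OS CSPRNG, not random.choice (CWE-330).
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        self._codes[user_id] = IssuedSecret(code, self._now() + CODE_TTL_SECONDS)
        return code

    def redeem(self, user_id: str, presented: str) -> bool:
        rec = self._codes.get(user_id)
        if rec is None or rec.used:
            return False                       # single-use: a consumed code is dead
        if self._now() >= rec.expires_at:
            return False                       # expired codes are never honoured
        # Constant-time comparison on bytes so non-ASCII input cannot raise.
        if not secrets.compare_digest(rec.code.encode(), presented.encode()):
            return False
        rec.used = True
        return True

    def set_password(self, user_id: str, new_password: str) -> bool:
        # 2.3.1: the initial secret must not become the long-term password,
        # so the issued code is rejected even after it has been redeemed.
        rec = self._codes.get(user_id)
        if rec is not None and secrets.compare_digest(
            rec.code.encode(), new_password.encode()
        ):
            return False
        self._passwords[user_id] = new_password  # hash with argon2/bcrypt in practice
        return True


if __name__ == "__main__":
    store = ActivationStore()
    code = store.issue("alice")
    print("issued:", code)
    print("first redeem:", store.redeem("alice", code))
    print("second redeem:", store.redeem("alice", code))
    print("code as password accepted:", store.set_password("alice", code))
```

The injectable clock is what lets the expiry rule be checked without sleeping; the stored record is kept after redemption solely so that `set_password` can still recognise and reject the code.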