We need to create some details about how to contribute to the project and to setup the development part.

I would like to use skf with my existing web server (lighttpd). There shouldn't be a need to run an additional Python-based server when one is already available on the system. Instructions for lighttpd and apache httpd would be ideal.

It says, "Is al your software up to date?"
That should read, "Is all your software up to date?"

Currently all items are set to yes, this should not be the case as they have not been checked yet.

When you don't have a active internet connection the SKF cannot start and gives an error.
Need to fix this

http://cwe.mitre.org/top25/

Good one, contains items asvs has not!

When deleting a function the button is labeled "Delete project"
Bit scary.

It does delete the function and not the project.

As the name suggests, the screen where the project processing functions gets assembled could really benefit from a tag cloud where functions could easilly be clicked, and added to the list. With the addition to add new tags (functions) manually (without a popup overlay).

This will greatly enhance the usability of this vital part of the SKF process, as a sign of what the user should be doing and as a clear timesaver for the user.

Windows does not install CFFI module needed for SSL.

Check comments in PHP code examples.
Some comments need more information or less ^^

It's just a nice to have feature, but is there anything like a version control possible as hardcoded in the design on the dashboard. Make a call to the repo to check if there is a possible new release version?

Add a filter option for OWASP level 1, 2 or 3 to display the corresponding items in the knowledge base.

Create a custom dynamic checklist in the post-development phase.
This custom checklist can be used by companies that have their own checklist, but also want to use the ASVS items.

This checklist will default load the level 3 ASVS items
Items can be modified , deleted or added to a category
Items can be hooked to knowledge base item

Hi.

On debian, I faced multiple issue with the installation

a) to installation the wsgi version, it is required to do the default installation then follow the guide. it seems not 100% clear to me on documentation

b) then, I get now two issue

• password does not change and sticks to test-skf even if I specify one in PASSWORD='mypass' on skf.py
• sessions do not work but only for the wsgi as other pure php solutions works.
  any reason for that?

I even added the following code at the end of skf.py but without success

  #  session = web.session.Session(app, web.session.DiskStore(os.path.join(curdir,'sessions')),)
sess = web.session.Session(app, web.session.DiskStore('sessions'), initializer=INIT)
web.config.session_parameters['cookie_path'] = '/'

As the title sais, hide the entire table when no functions have been added yet.

Need to add documentation on how to add your own checklists.

Write code examples for Perl

PHP code example is depricated from PHP 7.0
Make new exemple for new release!

Please have the checklists on a dedicated page instead of in popups as they are now.

Enforce secure passwords needs to be rewritten, we need to tell and impelment about password phrases instead of passwords.

New version only!

Running Ubuntu 14.04

Ran:
sudo apt-get install python-pip sqlite3
sudo pip install https://github.com/mitsuhiko/flask/tarball/master
sudo pip install owasp-skf

installing owasp-skf fails with error:

creating build/temp.linux-x86_64-2.7/src/lxml

x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/tmp/pip_build_root/lxml/src/lxml/includes -I/usr/include/python2.7 -c src/lxml/lxml.etree.c -o build/temp.linux-x86_64-2.7/src/lxml/lxml.etree.o -w

src/lxml/lxml.etree.c:8:22: fatal error: pyconfig.h: No such file or directory

#include "pyconfig.h"

                  ^

compilation terminated.

error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

Cleaning up...
Command /usr/bin/python -c "import setuptools, tokenize;file='/tmp/pip_build_root/lxml/setup.py';exec(compile(getattr(tokenize, 'open', open)(file).read().replace('\r\n', '\n'), file, 'exec'))" install --record /tmp/pip-SZKpc9-record/install-record.txt --single-version-externally-managed --compile failed with error code 1 in /tmp/pip_build_root/lxml
Storing debug log for failure in /home/user/.pip/pip.log

The question reads, "Directory listing is enabled on your server?" but if you mark your answer "Yes" then is shades it green as if that is a good response. Isn't "No" the passing response, since you do not generally want directory listings enabled?

When using the search function in the knowledge base, parse the search term and display this in the "Keyword" part in the header.

Should return back to the login page. Perhaps with a notification "You are now logged out" or something similar. Is this a common error or just on my end?

Write in more detail how to proper use SKF.
We already have the place: http://www.readme.io/

Write unit testing script

Write code examples Python

Good morning.

When trying to check pre-development, everything is fine.
But when trying to check post-developement, I immedialtly reach 500 for any project I created or already existing.

File "/var/www/asvs/skf/skf.py", in project_checklists
  owasp_id = get_num(owasp_path[1])
 File "/var/www/asvs/skf/skf.py" ,  in get_num
   return int(''.join(ele for ele in x if ele.isdigit()))
ValueError: invalid literal for int() with base 10: ''

I tried to review why but I fail to really get the owasp_path concept so hard to then do better than submitting the issue :)

On Debian 8, I've been unable to pull in the BeautifulSoup package when I go to install owasp-skf as per instruction.

`Collecting BeautifulSoup (from -r requirements.txt (line 5))
Using cached BeautifulSoup-3.2.1.tar.gz
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "", line 20, in
File "/tmp/pip-build-d48vmbx1/BeautifulSoup/setup.py", line 22
print "Unit tests have failed!"
^
SyntaxError: Missing parentheses in call to 'print'

----------------------------------------

Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-d48vmbx1/BeautifulSoup`

Set the hardcoded 2015 to "get current year". Nobody wants to manually update this every year.

Add support for multiple users
user management model
LDAP integration as part of this enhancement.

The IP is now hard coded to only run on localhost. If we want to run in docker it need to change to the global IP.

We should be able to pass the listen IP along as a configuration option.

Standard OWASP, XSS section, says:

"Are JSON response referencing resources in other domains?"

Which is unclear to me what is means. It is related to:

https://github.com/blabla1337/skf-flask/blob/master/skf/markdown/knowledge_base/94-knowledge_base--Input_rejection--.md

Which is more clear. So the label needs an update, or perhaps an INFO icon hover.

Create more pre-development items with the current knowledge base items we have.
Also we should cover the ASVS with the pre-development items.

Write code examples for .NET

The code examples are all based on the knowledge-base items. So when we have multiple languages we can add these also to the reporting functionality. You will get: Item with Description, Solution and code example.

Write code examples for PHP