Implement management command for detecting non-compliant project levels and flagging them in score calculation #2039
Description
👋 Thanks for contributing to OWASP Nest!
Active project leaders: @arkid15r and @kasya
Contributing guidelines: https://github.com/OWASP/Nest/blob/main/CONTRIBUTING.md
Hacktoberfest issues: https://github.com/OWASP/Nest/issues?q=is%3Aissue+is%3Aopen+label%3Ahacktoberfest
Join us on Slack: https://owasp.org/slack/invite -- #project-nest
Our LinkedIn group: https://www.linkedin.com/groups/14656108/
Description:
We need to create a periodic background job that fetches the latest project levels from the official OWASP source of truth:
🔗 project_levels.json
Instead of changing the project level locally, the job should identify non-compliant projects (i.e., projects whose locally stored level does not match the official level) and flag them so their score reflects this non-compliance.
Requirements:
-
Schedule the job to run periodically (e.g., daily right after project sync job)
-
Fetch and parse the
project_levels.jsonfile from the OWASP GitHub repository -
Compare the official level with the local level for each project
-
Mark projects as non-compliant if the levels differ (a new boolean fields needs to be introduced)
-
Update the score calculation formula to apply a penalty or other adjustment for non-compliance (a new weight needs to be introduced)
-
Add tests to ensure that:
- Data is fetched and parsed correctly
- Non-compliance detection works as expected
- Scores are adjusted correctly when non-compliance is detected
Acceptance Criteria:
- The job detects and logs any level mismatches between local data and the official OWASP file
- Non-compliant projects are clearly marked in the system
- Score calculation reflects non-compliance penalties
- Tests cover both detection and scoring adjustment logic
Are you going to work on implementing this?
- Yes
- No
Additional context