Conversation

@Matth-- Matth-- commented Nov 14, 2019

The links redirect to the trial page for Secure Code Warrior security training.

Checklist:

  • I have added entries to CHANGELOG.md and marked it Added/Changed/Removed
  • I have made corresponding changes to the documentation (if needed)

@Matth-- Matth-- force-pushed the add-secure-code-warrior-mapping branch from 185fb63 to 9df82ff Compare November 14, 2019 09:14

barnett commented Nov 14, 2019

Sorry on the build issue here, got an issue having to do with forks we're working out.


adamrdavid commented Nov 15, 2019

👋 GitHub seems to not want to send anything to Buildkite for forks. Until I can figure that out, we can use this:
https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/scw-mapping

I merged it into our fork. Unfortunately access to our CI tool is not public, but you can run the tests locally by running the Dockerfile.

Currently CI is reporting a schema error in the scw mapping:

ERROR: test_mapping_schemas (test_vrt.TestVrt)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/vrt/tests/test_vrt.py", line 43, in test_mapping_schemas
    self.validate_schema(schema_file, mapping['filename'])
  File "/tmp/vrt/tests/test_vrt.py", line 31, in validate_schema
    raise error
jsonschema.exceptions.ValidationError: 'https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:misconfigured_dns:missing_caa_record&redirect=true' does not match '^https:\\/\\/integration-api\\.securecodewarrior\\.com\\/api\\/v1\\/trial\\?id=bugcrowd&mappingList=vrt&mappingKey=[a-z_:]*$'

Failed validating 'pattern' in schema[0]['properties']['scw']:
    {'pattern': '^https:\\/\\/integration-api\\.securecodewarrior\\.com\\/api\\/v1\\/trial\\?id=bugcrowd&mappingList=vrt&mappingKey=[a-z_:]*$',
     'type': 'string'}

On instance['scw']:
    'https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:misconfigured_dns:missing_caa_record&redirect=true'

- Changed "scw" key to "secure_code_warrior" so unit tests pass
- Added &redirect to url validator
- Re-generated the mapping file to include all the VRT identifiers.

If a mapping does not exist, users will still get redirected to the trial-url but they will have to select a vulnerability before they can play a challenge.

Matth-- commented Nov 18, 2019

Hi @adamrdavid

I did some changes so the schema validation works. Also changed the "scw" property to "secure_code_warrior" because of failing tests (Test checks if the mapping folder name has the same key as the identifier used by SCW).

@adamrdavid adamrdavid added the mappings Relating to external mapping taxonomies label Nov 18, 2019

@Matth-- I setup github actions with this repo so if you push a commit you should be able to see the CI build.

@plr0man plr0man left a comment

Well done :)


#### [Remediation Advice Mapping](https://github.com/bugcrowd/vulnerability-rating-taxonomy/blob/master/mappings/remediation_advice/remediation_advice.json):

#### [Secure Code Warrior](https://github.com/bugcrowd/vulnerability-rating-taxonomy/blob/master/mappings/secure_code_warrior/secure_code_warrior.json)
Contributor

Can we replace Secure Code Warrior with Secure Code Warrior Mapping and add a colon at the end of the line

"content": [
{
"id": "server_security_misconfiguration",
"secure_code_warrior": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration&redirect=true",
Contributor

Are the links working correctly? For instance this one here takes me to https://portal.securecodewarrior.com/?utm_source=partner-integration:bugcrowd#/website-trial

Author

hi @plr0man

We do not have a mapping for every VRT item. That's why some links will redirect to a trial page where the user can select their own category.

If this is unwanted behavior we could provide a list containing only the links where mappings exist.

@barnett barnett Dec 4, 2019


Ah, what would be best here is to not set those values to the default but instead set the metadata default to such value. That will then automatically fallback to such value when one doesn’t exist in the mapping.

Contributor

Ah, I thought this one was available at https://portal.securecodewarrior.com/?utm_source=partner-integration:bugcrowd#/website-trial/web/misconfig, @barnett has a good point though. To add to that, and @barnett correct me here if I'm wrong in this case, any undeclared children nodes would inherit secure_code_warrior values from their parents. So for example if you had a subcategory with 5 variants and they all had the same mapping values then it's ok to not list the children. That of course is not an error, just a suggestion if you guys find it useful.

@barnett barnett Dec 5, 2019


That's what I thought as well, but @adamrdavid would be able to confirm.

Contributor

Yes parent mappings will be used if the children don't have 👍

Author

From our point of view it is easier to leave all the URLs unique. If we plan on supporting a category that has not been mapped yet, the user will get redirected to a more specific challenge without the need to change this mapping file.

In other words: with this setup, modifications to the mapping for existing VRT ids will not require any change to this mapping file. We only need to update this file when a new version of the VRT gets released.
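The two behaviours discussed in this thread, the schema pattern that rejected the `&redirect=true` suffix in the CI failure above, and the parent-to-child inheritance plus metadata default that @adamrdavid confirmed, can be exercised offline with a small stdlib-only script. The following is an added example written for this page, not code from the vulnerability-rating-taxonomy repository or its test suite. It assumes three things not shown on the page: that the relaxed validator is the original pattern with an optional literal `&redirect=true` suffix, that categories nest through a `children` array, and the ids `example_child` and `example_category`, which are constructed for illustration and are not VRT identifiers.

```python
"""Validate and resolve a VRT -> Secure Code Warrior mapping (added example, stdlib only)."""
import re

# Pattern quoted verbatim in the CI failure on this page: "&redirect=true" cannot match.
ORIGINAL_PATTERN = re.compile(
    r"^https:\/\/integration-api\.securecodewarrior\.com\/api\/v1\/trial"
    r"\?id=bugcrowd&mappingList=vrt&mappingKey=[a-z_:]*$"
)
# Assumed shape of the relaxed validator ("Added &redirect to url validator"): the same
# pattern with an optional, literal "&redirect=true" suffix. Keeping the suffix literal
# instead of allowing arbitrary query parameters means the mapping file cannot be used to
# append extra parameters to the redirect target.
RELAXED_PATTERN = re.compile(
    r"^https:\/\/integration-api\.securecodewarrior\.com\/api\/v1\/trial"
    r"\?id=bugcrowd&mappingList=vrt&mappingKey=[a-z_:]*(&redirect=true)?$"
)

TRIAL_URL = ("https://integration-api.securecodewarrior.com/api/v1/trial"
             "?id=bugcrowd&mappingList=vrt&mappingKey=")
DEFAULT_URL = "https://portal.securecodewarrior.com/?utm_source=partner-integration:bugcrowd#/website-trial"

# Constructed sample mapping. The "children" nesting and the ids "example_child" and
# "example_category" are assumptions for illustration, not VRT identifiers.
SAMPLE_MAPPING = {
    "metadata": {"default": DEFAULT_URL},
    "content": [
        {
            "id": "server_security_misconfiguration",
            "secure_code_warrior": TRIAL_URL + "server_security_misconfiguration&redirect=true",
            "children": [
                {
                    "id": "misconfigured_dns",  # no value of its own: inherits from parent
                    "children": [
                        {
                            "id": "missing_caa_record",
                            "secure_code_warrior": TRIAL_URL
                            + "server_security_misconfiguration:misconfigured_dns:missing_caa_record&redirect=true",
                        },
                        {"id": "example_child"},  # hypothetical: inherits from grandparent
                    ],
                }
            ],
        },
        {"id": "example_category"},  # hypothetical: no value anywhere -> metadata default
    ],
}


def is_valid_scw_url(url, pattern=RELAXED_PATTERN):
    """True when the URL matches the whole pattern (anchored, no partial matches)."""
    return pattern.fullmatch(url) is not None


def validate_mapping(mapping, pattern=RELAXED_PATTERN):
    """Return 'path: url' for every secure_code_warrior value that fails the pattern."""
    errors = []

    def walk(nodes, prefix):
        for node in nodes:
            path = prefix + [node["id"]]
            url = node.get("secure_code_warrior")
            if url is not None and not is_valid_scw_url(url, pattern):
                errors.append(":".join(path) + ": " + url)
            walk(node.get("children", []), path)

    walk(mapping["content"], [])
    default = mapping["metadata"].get("default")
    # The default is a portal URL, not a trial-API URL, so only its scheme is checked here.
    if default is not None and not default.startswith("https://"):
        errors.append("metadata.default: " + default)
    return errors


def resolve(mapping, vrt_id):
    """Resolve a colon-separated VRT id: nearest ancestor's value, else metadata default.

    An id that is not present at some level keeps the best value found so far, which
    is the metadata default when nothing above it carried a mapping.
    """
    nodes = mapping["content"]
    result = mapping["metadata"].get("default")
    for part in vrt_id.split(":"):
        node = next((n for n in nodes if n["id"] == part), None)
        if node is None:
            break
        if node.get("secure_code_warrior") is not None:
            result = node["secure_code_warrior"]
        nodes = node.get("children", [])
    return result


if __name__ == "__main__":
    print("schema errors:", validate_mapping(SAMPLE_MAPPING))
    for vid in ("server_security_misconfiguration:misconfigured_dns:example_child", "example_category"):
        print(vid, "->", resolve(SAMPLE_MAPPING, vid))
```

`resolve()` is the reason the "leave all the URLs unique" choice works without this code: with every id carrying its own URL the inheritance path is never taken, and the default only matters for ids that do not exist in the file yet. The anchored `fullmatch` plus a literal suffix is the part worth keeping in any real schema; a `.*` tail would let a mapping entry carry arbitrary query parameters into the redirect.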

@Matth-- Matth-- changed the title [WIP] Add mapping to Secure Code Warrior trial Add mapping to Secure Code Warrior trial Dec 4, 2019

#### [Remediation Advice Mapping](https://github.com/bugcrowd/vulnerability-rating-taxonomy/blob/master/mappings/remediation_advice/remediation_advice.json):

#### [Secure Code Warrior](https://github.com/bugcrowd/vulnerability-rating-taxonomy/blob/master/mappings/secure_code_warrior/secure_code_warrior.json)
Contributor

Suggested change
#### [Secure Code Warrior](https://github.com/bugcrowd/vulnerability-rating-taxonomy/blob/master/mappings/secure_code_warrior/secure_code_warrior.json)
#### [Secure Code Warrior Mapping](https://github.com/bugcrowd/vulnerability-rating-taxonomy/blob/master/mappings/secure_code_warrior/secure_code_warrior.json):

@@ -0,0 +1,1409 @@
{
"metadata": {
"default": null
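Review bot: `"default": null` in the metadata block leaves no fallback, so any VRT id absent from `content` resolves to nothing rather than to the trial portal the thread agrees unmapped ids should land on. Since the file only lists ids known at the time it is generated, a new VRT release will add ids this mapping does not cover; setting the default to the portal trial URL keeps those covered until the file is regenerated.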
Contributor

Suggested change
"default": null
"default": "https://portal.securecodewarrior.com/?utm_source=partner-integration:bugcrowd#/website-trial"


barnett commented Dec 6, 2019

Now seeing that it isn't as much a 1:1 mapping but a formula to construct the URL, would be interesting to see how we can better support this down the road. @Matth--, when we add/change categories what is the change-management process for your side. Thinking if we just auto-create the dynamic URL how'd that work?


barnett commented Jan 8, 2020

Hey @Matth--,

Emailed Alex as well, but we'll be auto-generating this mapping via our build process going forward, removing the need to maintain the mapping in this repository. You can see an example of the output of this auto-generated mapping here with a list of the builds (current and future ones) here. Will be sure to keep your team updated before we cut new versions so that you can keep the mapping on your side up to date 👍

With the above process done, we can close this PR. Appreciate all your help and assistance in creating the mapping 🎉

@barnett barnett closed this Jan 8, 2020
@adamrdavid

Just a side note @Matth-- the file will be updated every time there is a master build or a new release and it checks which urls resolve, so it will update if you add/change categories.


Matth-- commented Jan 10, 2020

Okay, sounds like the best solution here!

@Matth-- Matth-- deleted the add-secure-code-warrior-mapping branch January 10, 2020 09:56
@adamrdavid adamrdavid mentioned this pull request Jan 10, 2020

Labels

mappings Relating to external mapping taxonomies

4 participants