Skip to content

Research correct CRE mapping for K09 (Misconfigured Cluster Components) in OWASP Kubernetes Top Ten 2022 #917

Description

@coderabbitai

Context

This issue tracks follow-up research to find the correct, distinct CRE identifiers for K09: Misconfigured Cluster Components in the OWASP Kubernetes Top Ten 2022 dataset.

Background

In PR #877, the owasp_kubernetes_top10_2022.json mapping for K09 was intentionally left unchanged because it currently shares the same cre_ids as K01 (["233-748", "486-813"]). After reviewing the upstream OWASP source, a clearly correct distinct replacement could not be identified, so a speculative change was avoided to prevent introducing incorrect data.

K09 is focused on hardening and misconfiguration of core cluster components (e.g., kubelet, etcd, kube-apiserver), with prevention guidance centred on secure configuration, CIS benchmark scans, and reducing unsafe defaults.

Open question

Is there a more specific CRE mapping for cluster-component hardening/misconfiguration that should replace or augment the current ["233-748", "486-813"] entries for K09?

Guidance for review

  • Compare K09's prevention/mitigation content on the OWASP Kubernetes Top Ten 2022 page against the CRE database.
  • Note that the OWASP Kubernetes Top Ten 2025 appears to consolidate this area under K07: Misconfigured And Vulnerable Cluster Components — the 2025 mapping (PR Add refresh scripts for OWASP resources for issue 471 #877, owasp_kubernetes_top10_2025.json) may provide useful pointers for the correct CRE IDs.
  • If no better mapping exists, the duplication with K01 should be explicitly documented in the data file (e.g., via a comment or a companion note) so future maintainers understand it is intentional.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions