Mapping between CAPEC and ASVS 5.0

[sydseter]

I started to look at creating a mapping between CAPEC and ASVS 5.0, but then I realized that it is OpenCRE.
The challenge is that the current mapping is between CAPEC and ASVS 4.0.
Elar created a mapping between ASVS 4 and 5 https://asvs.dev/mapping_v4.0.3_to_v5.0.0.html

I went through it, requirement for requirement and it seems legit.

He has a yaml as well: https://github.com/OWASP/ASVS/blob/master/5.0/mappings/mapping_v4.0.3_to_v5.0.0.yml

Could this make a migration possible perhaps?

There is an explanation for the expressions in the file as well: https://asvs.dev/Mappings/

There is a CWE mapping as well: https://github.com/OWASP/ASVS/blob/master/5.0/mappings/v5.0.be_cwe_mapping.json but it looks a bit strange at the end there. Not sure whether it is correct.

[robvanderveer]

thank you for bringing this up. Yes we need to work on mapping to ASVS 5. Let me get back to you.

[Rohankaf]

@robvanderveer can u assign me that i surely get back to you with an update

[Rohankaf]

@northdpole Hi! I completed the ASVS v4 → v5 migration parsing and I now have a clean JSON mapping (asvs4_to_asvs5.json). Before I continue with migrating CAPEC → ASVS, could you please clarify:

Where does OpenCRE store the ASVS 4.0 requirement data?
– Is it in a separate CRE-Data repo?
– Or does the server import ASVS from an external OSIB source?

I need to know the correct ASVS 4 data source in order to apply the v5 migration properly.

Thanks!

[northdpole]

This should be part of the ASVS repo which we could/should parse to populate the upstream DB automatically. Wanna map CREs to ASVS v5 and provide the PR to the ASVS team?

…

On Wed, 19 Nov 2025, 18:16 rohankaf, ***@***.***> wrote: *Rohankaf* left a comment (OWASP/OpenCRE#637) <#637 (comment)> @northdpole <https://github.com/northdpole> Hi! I completed the ASVS v4 → v5 migration parsing and I now have a clean JSON mapping (asvs4_to_asvs5.json). Before I continue with migrating CAPEC → ASVS, could you please clarify: *Where does OpenCRE store the ASVS 4.0 requirement data?* – Is it in a separate CRE-Data repo? – Or does the server import ASVS from an external OSIB source? I need to know the correct ASVS 4 data source in order to apply the v5 migration properly. Thanks! — Reply to this email directly, view it on GitHub <#637 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMCRHTGAZPDKZXG25DHXZL35SXY5AVCNFSM6AAAAACJDSKLCSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTKNJUGA2TKOBSGA> . You are receiving this because you were mentioned.Message ID: ***@***.***>