Merge branch 'master' into corgea

Author: asadeddin

_data/api-tools.yml

@@ -476,6 +476,15 @@
   runtime: "https://img.shields.io/badge/API_Runtime-No-red.svg"
   testing: "https://img.shields.io/badge/API_Testing-Yes-brightgreen.svg"
   notes: "<br/><em>Note: General http/web fuzzer which can also fuzz http-based APIs</em>"
+- name: "WuppieFuzz"
+  link: "https://github.com/TNO-S3/WuppieFuzz"
+  from: "TNO"
+  license: "https://img.shields.io/badge/license-Apache%202-4EB1BA.svg"
+  platforms: "https://img.shields.io/badge/Platform-Cross_Platform-inactive.svg"
+  posture: "https://img.shields.io/badge/API_Posture-No-red.svg"
+  runtime: "https://img.shields.io/badge/API_Runtime-No-red.svg"
+  testing: "https://img.shields.io/badge/API_Testing-Yes-brightgreen.svg"
+  notes: "<br/><em>Note: REST API fuzzing tool, Swagger/OpenAPI specification required</em>"
 - name: "Zed Attack Proxy (ZAP)"
   link: "https://www.zaproxy.org/"
   from: "Open Source supported by Checkmarx"
@@ -521,11 +530,11 @@
   testing: "https://img.shields.io/badge/API_Testing-Yes-brightgreen.svg"
   notes: "<br/><em>Note: Use Curl-like command or OpenAPI contract to perform API scan. An existing Github Action can perform a scan automatically before deployment.</em>"
 - name: "ZeroThreat"
-  link: "https://zerothreat.ai/solutions/api-security-testing"
+  link: "https://zerothreat.ai/api-security-testing"
   from: "ZeroThreat"
   license: "https://img.shields.io/badge/license-Commercial-9cf.svg"
   platforms: "https://img.shields.io/badge/Platform-SaaS%2C On--Prem-inactive.svg"
   posture: "https://img.shields.io/badge/API_Posture-Yes-brightgreen.svg"
-  runtime: "https://img.shields.io/badge/API_Runtime-Yes-brightgreen.svg"
+  runtime: "https://img.shields.io/badge/API_Runtime-No-red.svg"
   testing: "https://img.shields.io/badge/API_Testing-Yes-brightgreen.svg"
   notes: ""

_data/community_events.json

@@ -8,3 +8,10 @@
       email: [email protected]
     - name: Harold Blankenship
       email: [email protected]
+- year: 2025
+  admins:
+    - name: Fabio Cerullo
+      email: [email protected]
+    - name: Starr Brown
+      email: [email protected]      
+

_data/gsoc_admins.yml

@@ -9,12 +9,39 @@
       "type": "SAST"
        },
        {
+       "title": "CVE Scanner",
+       "url": "https://www.cvescanner.co.uk",
+       "owner": "CVE Scanner",
+       "license": "Commercial",
+       "platforms": "SaaS",
+       "note": "Real-time scanning of your domain for known CVEs is free. If any are found, a detailed breakdown of the identified CVEs is available for just £10, which includes two free rescans. We use a live black-box HTTP probing approach.",
+       "type": "DAST"
+       },
+       {
+       "title": "Astrée",
+       "url": "https://www.absint.com/astree/index.htm",
+       "owner": "AbsInt Angewandte Informatik GmbH",
+       "license": "Commercial",
+       "platforms": "Windows and Linux",
+       "note": "Astrée is a static analyzer designed to prove the absence of runtime errors and further critical program defects, including code-level cybersecurity vulnerabilities like buffer overflows, data races, etc. It is based on abstract interpretation, a provably correct formal method. Astrée supports C and C++.",
+       "type": "SAST"
+       },
+       {
+       "title": "Panoptic Scans",
+       "url": "https://panopticscans.com",
+       "owner": "Panoptic Scans",
+       "license": "Commercial",
+       "platforms": "SaaS",
+       "note": "Panoptic Scans enables automated network and application scans using tools like OpenVAS, ZAP, and Nmap. Users can schedule scans to meet compliance requirements for SOC 2, HIPAA, ISO 27001, NIST 800-53, and CMMC while detecting issues such as unpatched software, vulnerabilities, misconfigurations, and open ports.",
+       "type": "DAST"
+       },
+       {
       "title": "ZeroPath",
       "url": "https://zeropath.com/",
       "owner": "ZeroPath",
       "license": "Commercial or Free",
       "platforms": "SaaS, On-Premises",
-      "note": "Scans over 10 languages to identify and fix conventional technical vulnerabilities (e.g., XSS, SQL injection, SSRF) as well as business logic flaws and auth bugs.",
+      "note": "ZeroPath is an AI Native SAST that scans over 15 languages to identify and fix conventional technical vulnerabilities (e.g., XSS, SQL injection, SSRF) as well as business logic flaws and auth bugs.",
       "type": "SAST"
        },
        {
@@ -23,7 +50,7 @@
       "owner": "joernio",
       "license": "Open Source or Free",
       "platforms": null,
-      "note": "Scans C/C++/Java/Binary/Javascript/Python/Kotlin.",
+      "note": "Scans C/C++/Java/Binary/Javascript/Python/Kotlin/JVM Bytecode/PHP/Go/Ruby/Swift/C#.",
       "type": "SAST"
        },
        {
@@ -110,10 +137,10 @@
       {
       "title": "ZeroThreat",
       "url": "https://zerothreat.ai",
-      "owner": "ZeroThreat",
-      "license": "Free",
-      "platforms": "SaaS",
-      "note": "ZeroThreat is a fast web app and API security scanner providing DAST capabilities with modern solutions for modern web applications, and it is free to use.",
+      "owner": "ZeroThreat INC",
+      "license": "Commercial or Free",
+      "platforms": "SaaS or On-Premise",
+      "note": "ZeroThreat is an AI-powered modern DAST tool built for today’s web applications and APIs.",
       "type": "DAST"
    },
       {
@@ -167,7 +194,7 @@
       "owner": "Escape",
       "license": "Commercial",
       "platforms": "SaaS",
-      "note": "Run thousands of GraphQL security scans",
+      "note": "Escape is a modern DAST with a native business logic security testing algorithm. It supports modern web frameworks, integrates easily into CI/CD pipelines, and provides framework-specific, developer-friendly code snippets.",
       "type": "DAST"
    },
  {
@@ -953,6 +980,15 @@
       "note": "20% off with OWASP20",
       "type": "DAST"
    },
+   {
+      "title": "WuppieFuzz",
+      "url": "https://github.com/TNO-S3/WuppieFuzz",
+      "owner": "TNO",
+      "license": "Open Source",
+      "platforms": "Windows, Linux, Macintosh",
+      "note": "WuppieFuzz is a coverage-guided REST API fuzzer developed on top of LibAFL, targeting a wide audience of end-users, with a strong focus on ease-of-use, explainability of the discovered flaws and modularity. WuppieFuzz supports all three settings of testing (black box, grey box and white box).",
+      "type": "DAST"
+   },
    {
       "title": "Barrion",
       "url": "https://barrion.io/",
@@ -1388,10 +1424,10 @@
    {
       "title": "DerScanner",
       "url": "https://derscanner.com/",
-      "owner": "DerScanner Ltd.",
+      "owner": "DerSecur Ltd.",
       "license": "Commercial",
-      "platforms": null,
-      "note": "Capable of identifying vulnerabilities and backdoors (undocumented features) in over 30 programming languages by analyzing source code or executables, without requiring debug info.",
+      "platforms": "SaaS or On-Premises",
+      "note": "DerScanner is an AI-powered application security testing platform suitable for air-gapped environments. It combines SAST, DAST, IAST, MAST, SCA, and binary analysis into a unified solution, securing modern and legacy applications with support for 43 programming languages.",
       "type": "SAST"
    },
    {
@@ -1857,9 +1893,9 @@
       "title": "AppSweep",
       "url": "https://www.guardsquare.com/appsweep-mobile-application-security-testing",
       "owner": "Guardsquare",
-      "license": "Open Source or Free",
+      "license": "Commercial",
       "platforms": "SaaS",
-      "note": "Mobile application security testing tool for compiled Android apps with support of CI/CD integration",
+      "note": "Mobile application security testing tool for compiled Android and iOS apps with support of CI/CD integration",
       "type": "SAST"
    },
    {
@@ -2132,5 +2168,23 @@
       "platforms": "SaaS",
       "note": "ResilientX UEM provides an All-in-One Continuous Testing and Monitoring solution, by integrating ASM, DAST, CSPM",
       "type": "DAST"
+   },
+   {
+      "title": "Agentic Radar",
+      "url": "https://github.com/splx-ai/agentic-radar",
+      "owner": "SplxAI",
+      "license": "Free",
+      "platforms": "Windows, Linux, MacOS",
+      "note": "Open-source CLI security scanner for agentic AI workflows. Scans your workflow’s source code, detects vulnerabilities, and generates an interactive visualization along with a detailed security report. Supports popular agentic frameworks like LangGraph, CrewAI, n8n, OpenAI Agents, and more.",
+      "type": "SAST"
+   },
+   {
+      "title": "Kusari Inspector",
+      "url": "https://kusari.dev",
+      "owner": "Kusari",
+      "license": "Commercial or Free",
+      "platforms": "SaaS",
+      "note": "Kusari Inspector seamlessly integrates software supply chain security analysis into your pull requests.",
+      "type": "SAST"
    }
 ]

_data/tools.json

@@ -317,6 +317,7 @@ and legal teams an opportunity to create solutions for healthy open source usage
 | [Grafeas] | Grafeas | Open Source | Cross Platform |
 | [Greenkeeper] | Greenkeeper | Open Source | SaaS |
 | [Ion Channel SA] | Ion Channel | Commercial | SaaS |
+| [Kusari] | Kusari | Freemium | SaaS |
 | [Libraries.io] | Tidelift | Open Source | SaaS |
 | [MergeBase] | MergeBase | Commercial | SaaS |
 | [Nexus IQ] | Sonatype | Commercial | Cross Platform |
@@ -373,6 +374,7 @@ and legal teams an opportunity to create solutions for healthy open source usage
 [Greenkeeper]: https://greenkeeper.io/
 [OSS Review Toolkit]: https://github.com/heremaps/oss-review-toolkit
 [Ion Channel SA]: https://ionchannel.io/
+[Kusari]: https://kusari.dev
 [Libraries.io]: https://libraries.io/
 [MergeBase]: http://mergebase.com/
 [Nexus IQ]: https://www.sonatype.com/

pages/Component_Analysis.md

@@ -9,6 +9,7 @@ contributors:
   - kingthorin
   - Niclas Gustafsson
   - Jason Hills
+  - Thomas Rooijakkers
 tags: application security tools, tools
 permalink: /Free_for_Open_Source_Application_Security_Tools
 
@@ -76,10 +77,9 @@ In addition, we are aware of the following commercial SAST tools that are free f
     - [CodeSweep - JetBrains Plugin](https://hclsw.co/codesweep-jetbrains) -  Scans files upon saving them. The results show the location of a finding, type, and remediation advice. Auto-fix available with free trial or subscription.
     - [CodeSweep - GitHub Action](https://hclsw.co/codesweepgithub) - Scan the new code on a push/pull request using a GitHub action. Findings are highlighted in the `Files Changed` view and details about the issue and mitigation steps can be found in the `Actions` page. Unrestricted usage allowed with a free trial account.
   - [Aikido](https://www.aikido.dev/product) - Combines open source software with custom rules & features into a single dashboard with all your security findings. Includes both SAST and Library Analysis tools. [Free for small teams](https://www.aikido.dev/pricing).
-  - [AppSweep](https://www.guardsquare.com/appsweep-mobile-application-security-testing) - a free for everyone mobile application security testing tool for Android and iOS. It analyzes the compiled application and does not require access to the source code. The tool performs security assessment not only of the executable code but also of application resources and configuration file. Integration into CI/CD is supported.
   - [Arnica](https://www.arnica.io/solution/code-security) - Scans all source code repositories for code risks (SAST, SCA, IaC, license violations, and low 3rd party reputation) and hardcoded secrets. The platform comes with a [freemium plan](https://www.arnica.io/pricing) for unlimited time and users count. The [pipelineless security approach](https://www.arnica.io/blog/ci-cd-pipeline-security-vs-ide-plugins-vs-pipelineless-security) is the value the company charges for, so the visibility remains always free.
-  - [Corgea](https://corgea.com/) - An AI-powered SAST scanner that helps developers find and fix insecure code. It detects business logic flaws, broken authentication, API vulnerabilities and more with minimal false positives. Corgea automatically generates security fixes for developers to review and approve. Integrates with GitHub, GitLab, Azure DevOps, IDEs and CLI. [Free to use](https://corgea.com/pricing).
-
+  - [Corgea](https://corgea.com/) - An AI-native SAST scanner that helps developers find and fix insecure code. It detects business logic flaws, broken authentication, API vulnerabilities and more with minimal false positives. Corgea automatically generates security fixes for developers to review and approve. Integrates with GitHub, GitLab, Azure DevOps, IDEs and CLI. [Free to use](https://corgea.com/pricing).
+  - [Kusari](https://kusari.dev/inspector) - Kusari Inspector seamlessly integrates software supply chain security analysis into your pull requests. This checks for bad dependencies, licenses, quality data. [Free for individual use](https://www.kusari.dev/pricing).
 
 ### DAST Tools
 
@@ -113,6 +113,7 @@ capabilities. Our primary recommendation is to use one of these:
   - [VWT Digital's sec-helpers](https://github.com/vwt-digital/sec-helpers/tree/master) -
     Collection of dynamic security related helpers.
     Sec-helpers is a bundle of useful tests and validators to ensure the security of a given domain.
+  - [WuppieFuzz](https://github.com/TNO-S3/WuppieFuzz) is a coverage-guided REST API fuzzer developed on top of LibAFL, targeting a wide audience of end-users, with a strong focus on ease-of-use, explainability of the discovered flaws and modularity. WuppieFuzz supports all three settings of testing (black box, grey box and white box).
 
 We are not aware of any other commercial grade tools that offer their
 full featured DAST product free for open source projects.

pages/Free_for_Open_Source_Application_Security_Tools.md

@@ -153,6 +153,7 @@ Some fuzzing initiatives:
 - [APIFuzzer - fuzz test without coding](https://pypi.org/project/APIFuzzer/)
 - [Jazzer - fuzzing for the JVM](https://github.com/CodeIntelligenceTesting/jazzer)
 - [ForAllSecure Mayhem for API](https://forallsecure.com/mayhem-for-api)
+- [WuppieFuzz - coverage-guided for REST API](https://github.com/TNO-S3/WuppieFuzz)
 
 #### Fuzzing Frameworks
 

pages/Fuzzing.md

@@ -65,7 +65,7 @@ Usage example:
 ```console
 user@spin ~/inzynieria $ ./bo-simple // program start
 1234 // we enter "1234" string from the keyboard
-1234 // program prints out the conent of the buffer
+1234 // program prints out the content of the buffer
 user@spin ~/inzynieria $ ./bo-simple // start
 123456789012 // we enter "123456789012"
 123456789012 // content of the buffer "buf" ?!?!

pages/attacks/Buffer_overflow_attack.md

@@ -33,6 +33,7 @@ begin with any of the following characters:
 - At (`@`)
 - Tab (`0x09`)
 - Carriage return (`0x0D`)
+- Line feed (`0x0A`)
 
 Keep in mind that it is not sufficient to make sure that the untrusted user input does not start with these characters. You also need to take care of the field separator (e.g., '`,`', or '`;`') and quotes (e.g., `'`, or `"`), as attackers could use this to start a new cell and then have the dangerous character in the middle of the user input, but at the beginning of a cell.
 

pages/attacks/CSV_Injection.md

@@ -21,7 +21,7 @@ applied that makes cryptanalysis successful. An attacker may have other
 goals as well, such as:
 
 - Total Break - Finding the secret key.
-- Gobal Deduction - Finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key.
+- Global Deduction - Finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key.
 - Information Deduction - Gaining some information about plaintexts or ciphertexts that was not previously known.
 - Distinguishing Algorithm - The attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits.