Add CWE Top 25 (2025) mapping and new resource limits rule (CWE-770)

[nik-kale]

Summary

• Maps all 25 entries from the 2025 MITRE CWE Top 25 to existing CodeGuard core and OWASP rules with coverage ratings and rationale.
• Identifies CWE-770 (Allocation of Resources Without Limits or Throttling) as the only Top 25 entry with no existing rule coverage.
• Adds a new core rule codeguard-0-resource-limits-dos-prevention.md to fill that gap, covering rate limiting, payload size bounds, connection pool limits, compute timeouts, queue depth caps, disk quotas, and Kubernetes resource constraints.
• Updates skills/software-security/SKILL.md language mappings via the converter to include the new rule.

Addresses project-codeguard/rules#77.

Coverage Breakdown

Of the 25 CWEs:

• 16 fully covered by existing rules
• 8 partially covered (mostly memory safety CWEs funneling through safe-c-functions, which is C/C++ specific)
• 1 gap (CWE-770) -- now addressed by the new rule

Six CWEs are new to the 2025 list (CWE-120, 121, 122, 284, 639, 770). Five of those were already covered by existing rules. The sixth (CWE-770) is the new rule in this PR.

Validation

• Rule validator: 24/24 passed (python src/validate_unified_rules.py sources/core/)
• IDE converter: 24/24 succeeded across all 5 formats (Cursor, Windsurf, Copilot, Agent Skills, Antigravity)

Sanity check: true positive / true negative validation against sample code

Tested the new CWE-770 rule against 5 code patterns to verify it correctly flags insecure code and passes secure code.

Test 1: Rate Limiting (Python/Flask)

Insecure -- no rate limit on login endpoint:

@app.route("/login", methods=["POST"])
def login():
    user = authenticate(request.form["username"], request.form["password"])
    if user:
        return jsonify({"token": create_token(user)})
    return jsonify({"error": "Invalid credentials"}), 401

Rule flags: "Enforce stricter limits on authentication endpoints." True positive.

Secure -- rate limit applied:

@app.route("/login", methods=["POST"])
@limiter.limit("5/minute")
def login():
    ...

True negative.

Test 2: Request Size (Node.js/Express)

Insecure -- default body parser, no explicit limit:

app.use(express.json());

Rule flags: "Set maximum request body sizes at the web server, reverse proxy, and application layers." True positive.

Secure -- explicit limit:

app.use(express.json({ limit: "1mb", strict: true }));

True negative.

Test 3: Database Query (Python/SQLAlchemy)

Insecure -- unbounded query:

users = db.session.query(User).all()

Rule flags: "Never return unbounded result sets." True positive.

Secure -- paginated:

users = db.session.query(User).limit(per_page).offset((page - 1) * per_page).all()

True negative.

Test 4: Outbound Calls (Python/requests)

Insecure -- no timeout:

response = requests.get("https://api.external-service.com/data")

Rule flags: "Set timeouts on all outbound HTTP calls." True positive.

Secure -- timeout set:

response = requests.get("https://api.external-service.com/data", timeout=(3.05, 27))

True negative.

Test 5: Kubernetes (YAML)

Insecure -- no resource limits:

containers:
  - name: api-server
    image: myapp:latest

Rule flags: "Set CPU and memory requests and limits on all containers." True positive.

Secure -- limits set:

containers:
  - name: api-server
    image: myapp:latest
    resources:
      requests:
        memory: "256Mi"
        cpu: "250m"
      limits:
        memory: "512Mi"
        cpu: "500m"

True negative.

Result: 5/5 true positives, 5/5 true negatives. No false positives identified.

[nik-kale]

hey @santosomar - hope you're doing well. I saw your note on project-codeguard/rules#77 about moving the CWE mapping work to the CoSAI repo, so I put together a first pass.

This PR maps all 25 entries from the 2025 MITRE CWE Top 25 against the existing core and OWASP rules. The main finding is that coverage is already strong -- 16 of 25 are fully covered, 8 are partially covered (mostly the memory safety CWEs that go through the C/C++ safe functions rule), and only one had no coverage at all: CWE-770 (resource allocation without limits). That one is new to the 2025 list and didn't have a rule, so I wrote one to fill the gap. It covers rate limiting, payload bounds, connection pools, compute timeouts, queue depths, and K8s resource constraints.

I also ran the rule through the validator and converter to make sure it works across all five IDE formats, and did a quick sanity check against real code patterns (details in the collapsible section at the bottom of the PR).

Let me know if this is headed in the right direction or if you want me to adjust anything.

[santosomar]

Please always open a GitHub issue before the PR. We are already working on this mapping.

CWE-770 (Allocation of Resources Without Limits or Throttling) is the only uncovered CWE.

A new core rule does not make sense since this is very application dependent. I had bad results with this type of rule, as the models will pick random values for rate limiting.

[nik-kale]

Hi @santosomar - Fair points on both counts. I should have opened an issue first - will do that going forward.

On CWE-770, that makes sense. The difference between "use parameterized queries" (binary) and "set a rate limit" (application-dependent) is real, and I can see how models would just pick arbitrary values. I'll drop the rule from this PR.

On the mapping itself - since you're already working on it, happy to contribute to that effort instead of duplicating. Let me know if there's a specific area where I can help, or I can close this and pick up a different issue.