
@PRAteek-singHWY (Contributor)

Overview

This PR implements Phase 2 of the OWASP Attacks integration plan (Issue 471).
It introduces automated linking logic that parses CWE references from Attack descriptions and creates Related links to the corresponding CREs.

This allows OpenCRE to leverage existing CWE mappings to automatically organize OWASP Attack content without manual curation.

Depends on Phase 1 (PR 718)


Files Changed

  • application/utils/attack_mapper.py (New Feature)
  • application/database/db.py (Bug Fix)
  • application/manual_seed_attacks.py (Verification Script)

Changes

1. Automated Linking Utility (application/utils/attack_mapper.py)

  • New feature: link_attack_to_cre_by_cwe
  • Logic:
    • Extracts CWE identifiers (e.g. CWE-89) from Attack descriptions
    • Locates the corresponding CWE node in the database
    • Finds all CREs already linked to that CWE
    • Creates Related links between the Attack and those CREs
  • Data integrity: Explicitly resolves database UUIDs before linking to handle the distinction between OpenCRE logical IDs and DB primary keys.

2. Database Safety (application/database/db.py)

  • Fix: Updated add_link logging to safely handle nodes without a section attribute (e.g. Attack nodes).
  • Impact: Prevents runtime AttributeError during ingestion and improves robustness for non-standard node types.

3. Verification Script (application/manual_seed_attacks.py)

  • Extended to verify end-to-end linking logic:
    • Mocks a CWE -> CRE relationship (CWE-22 -> Input Validation)
    • Seeds an Attack containing a CWE reference
    • Programmatically verifies that the expected CRE link is created

Verification

Executed locally:

  • Path Traversal -> Input Validation (via CWE-22)

    • Confirmed Path Traversal node created.
    • Confirmed link created via CWE-22 reference.
    • Verified database persistence of the Related link.
  • Graceful handling of missing CWEs (e.g. CWE-89)

    • Seeded SQL Injection with CWE-89.
    • Confirmed no crash when CWE-89 is missing.
    • Logged appropriate warning.
  • No runtime errors when processing Attack nodes

    • Verified db.py logging fix prevented crashes.

Partially fixes #471
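The linking logic described in the PR, as an added illustration that is not OpenCRE's own `attack_mapper.py` code: it extracts CWE identifiers from an Attack description, looks up the CREs already linked to each CWE in an assumed in-memory stand-in for the database layer (`InMemoryStore`, `cres_for_cwe`, `add_link` are hypothetical names), creates Related links, and logs and skips a CWE that is not in the store instead of failing.

```python
import logging
import re
from typing import Dict, List, Optional, Set, Tuple

# Matches "CWE-89", "cwe-0089" etc.; the numeric part is normalised below.
CWE_ID_RE = re.compile(r"\bCWE-(\d+)\b", re.IGNORECASE)


def extract_cwe_ids(description: str) -> List[str]:
    """Return canonical CWE ids ("CWE-22") found in free text, de-duplicated,
    in order of first appearance."""
    seen: Set[str] = set()
    found: List[str] = []
    for match in CWE_ID_RE.finditer(description):
        cwe = f"CWE-{int(match.group(1))}"  # strips leading zeros, upper-cases
        if cwe not in seen:
            seen.add(cwe)
            found.append(cwe)
    return found


class InMemoryStore:
    """Constructed stand-in for the database layer: CWE id -> CRE ids already
    linked to that CWE, plus the Related links created by the mapper."""

    def __init__(self, cwe_to_cres: Dict[str, Set[str]]) -> None:
        self.cwe_to_cres = cwe_to_cres
        self.links: Set[Tuple[str, str, str]] = set()

    def cres_for_cwe(self, cwe: str) -> Optional[Set[str]]:
        return self.cwe_to_cres.get(cwe)  # None when the CWE node is absent

    def add_link(self, attack: str, cre: str) -> None:
        self.links.add((attack, cre, "Related"))  # set: idempotent on re-runs


def link_attack_to_cres_by_cwe(store: InMemoryStore, attack: str,
                               description: str) -> List[Tuple[str, str]]:
    """Link one Attack to every CRE reachable through the CWEs its description
    cites. A CWE missing from the store is logged and skipped, never fatal."""
    created: List[Tuple[str, str]] = []
    for cwe in extract_cwe_ids(description):
        cres = store.cres_for_cwe(cwe)
        if cres is None:
            logging.warning("%s: referenced %s not found, skipping", attack, cwe)
            continue
        for cre in sorted(cres):
            store.add_link(attack, cre)
            created.append((cwe, cre))
    return created
```

Seeding the store with only CWE-22 -> Input Validation reproduces the two verification cases above: Path Traversal gets its Related link, SQL Injection (CWE-89 absent) produces a warning and no link.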

@PRAteek-singHWY (Contributor, Author)

Hi @northdpole ,

I’ve been proceeding cautiously with a small, incremental PR (Phase 2) based on the phased approach I outlined on issue #471, keeping everything reviewable and reversible.

This PR focuses only on automated CWE-based linking for OWASP Attacks and intentionally avoids parsers, syncing, or any long-running jobs at this stage. I’m very happy to adjust the direction, scope, or implementation based on your feedback.

Please feel free to suggest any changes (or if you’d prefer a different approach entirely). I’m continuing the work in phases mainly to respect reviewer time and keep each step easy to reason about.

Thanks for taking a look whenever you get a chance — no rush at all. I’ll continue contributing incrementally and iterating based on maintainer guidance.

Successfully merging this pull request may close these issues.

Mapping: to more owasp resources