feature: bump Python version to 3.14 in workflow files

.github/workflows/lint_format_checker.yaml

@@ -11,7 +11,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: [ "3.11" ]
+        python-version: [ "3.14" ]
     steps:
       - uses: actions/checkout@v3
       - name: Set up Python ${{ matrix.python-version }}

.github/workflows/pytest.yaml

@@ -11,7 +11,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: [ "3.11" ]
+        python-version: [ "3.14" ]
     steps:
       - uses: actions/checkout@v2
       - name: Set up Python ${{ matrix.python-version }}

.github/workflows/typing_checker.yaml

@@ -11,7 +11,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: [ "3.11" ]
+        python-version: [ "3.14" ]
     steps:
       - uses: actions/checkout@v3
       - name: Set up Python ${{ matrix.python-version }}

MOBILE_CLIENT/ANDROID/_INFO/APK_ANALYZE_JNI_ELF/meta.json

@@ -3,7 +3,7 @@
   "short_description": "List of JNI methods defined in ELF files and used by the application",
   "references": {
     "JNI Tips": "https://developer.android.com/training/articles/perf-jni.html",
-    "Best practices for using the Java Native Interface": "https://www.ibm.com/developerworks/library/j-jni/"
+    "Best practices for using the Java Native Interface": "https://docs.oracle.com/javase/8/docs/technotes/guides/jni/index.html"
   },
   "title": "List of JNI methods",
   "privacy_issue": false,

MOBILE_CLIENT/ANDROID/_INFO/APK_CLASSES/meta.json

@@ -2,7 +2,7 @@
   "risk_rating": "info",
   "short_description": "List of all application Java classes",
   "references": {
-    "Do not use deprecated or obsolete classes or methods": "https://www.securecoding.cert.org/confluence/display/java/MET02-J.+Do+not+use+deprecated+or+obsolete+classes+or+methods"
+    "Do not use deprecated or obsolete classes or methods": "https://en.wikipedia.org/wiki/Deprecation"
   },
   "title": "Classes list",
   "privacy_issue": false,

MOBILE_CLIENT/ANDROID/_INFO/APK_DYNAMIC_CRYPTO/meta.json

@@ -2,8 +2,8 @@
   "risk_rating": "info",
   "short_description": "List of crypto API calls",
   "references": {
-    "SER03-J. Do not serialize unencrypted sensitive data (CERT Secure Coding)": "https://www.securecoding.cert.org/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data",
-    "DRD18. Do not use the default behavior in a cryptographic library if it does not use recommended practices (CERT Secure Coding)": "https://www.securecoding.cert.org/confluence/display/android/DRD18.+Do+not+use+the+default+behavior+in+a+cryptographic+library+if+it+does+not+use+recommended+practices"
+    "SER03-J. Do not serialize unencrypted sensitive data (CERT Secure Coding)": "https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage",
+    "DRD18. Do not use the default behavior in a cryptographic library if it does not use recommended practices (CERT Secure Coding)": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html"
   },
   "title": "Recorded calls to Crypto API",
   "privacy_issue": true,

MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_CRYPTO/meta.json

@@ -2,8 +2,8 @@
   "risk_rating": "info",
   "short_description": "List of crypto API calls",
   "references": {
-    "SER03-J. Do not serialize unencrypted sensitive data (CERT Secure Coding)": "https://www.securecoding.cert.org/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data",
-    "DRD18. Do not use the default behavior in a cryptographic library if it does not use recommended practices (CERT Secure Coding)": "https://www.securecoding.cert.org/confluence/display/android/DRD18.+Do+not+use+the+default+behavior+in+a+cryptographic+library+if+it+does+not+use+recommended+practices"
+    "SER03-J. Do not serialize unencrypted sensitive data (CERT Secure Coding)": "https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage",
+    "DRD18. Do not use the default behavior in a cryptographic library if it does not use recommended practices (CERT Secure Coding)": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html"
   },
   "title": "Call to Crypto API",
   "privacy_issue": false,

MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_REFLECTION/meta.json

@@ -2,7 +2,7 @@
   "risk_rating": "info",
   "short_description": "List of reflection API calls",
   "references": {
-    "SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields": "https://www.securecoding.cert.org/confluence/display/java/SEC05-J.+Do+not+use+reflection+to+increase+accessibility+of+classes,+methods,+or+fields"
+    "SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields": "https://owasp.org/www-community/vulnerabilities/Unsafe_use_of_Reflection"
   },
   "title": "Call to Reflection API",
   "privacy_issue": false,

MOBILE_CLIENT/ANDROID/_LOW/INTENT_SPOOFING/meta.json

@@ -2,7 +2,7 @@
   "risk_rating": "medium",
   "short_description": "The application is vulnerable to intent spoofing which may lead to inappropriate access like data modification, information disclosure and data injection.",
   "references": {
-    "DRD06. Verify the caller of intents before acting on them": "https://wiki.sei.cmu.edu/confluence/display/android/DRD06.+Verify+the+caller+of+intents+before+acting+on+them",
+    "DRD06. Verify the caller of intents before acting on them": "https://developer.android.com/privacy-and-security/risks/implicit-intent-hijacking",
     "Improper Access Control (CWE-284)": "https://cwe.mitre.org/data/definitions/284.html",
     "Intent Spoof (CAPEC-502)": "https://capec.mitre.org/data/definitions/502.html",
     "Analyzing Inter-Application Communication in Android": "https://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf"

MOBILE_CLIENT/ANDROID/_MEDIUM/WEBVIEW_LOADURL_INJECTION/meta.json

@@ -2,7 +2,7 @@
   "risk_rating": "medium",
   "short_description": "Insecure use of Webview.loadurl leading to insecure content loading or potential code injection.",
   "references": {
-    "DRD02-J. Do not allow WebView to access sensitive local resource through file scheme": "https://wiki.sei.cmu.edu/confluence/display/android/DRD02-J.+Do+not+allow+WebView+to+access+sensitive+local+resource+through+file+scheme",
+    "DRD02-J. Do not allow WebView to access sensitive local resource through file scheme": "https://developer.android.com/privacy-and-security/risks/webview-unsafe-file-inclusion",
     "Webview loadurl (Android documentation)": "https://developer.android.com/reference/android/webkit/WebView#loadUrl(java.lang.String,%2520java.util.Map%253Cjava.lang.String,%2520java.lang.String%253E)",
     "Websettings (Android documentation)": "https://developer.android.com/reference/android/webkit/WebSettings"
   },

MOBILE_CLIENT/COMMON/_MEDIUM/BIOMETRIC_AUTHENTICATION_BYPASS/meta.json

@@ -6,7 +6,7 @@
     "Bypass Biometric Authentication": "https://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android",
     "Using BiometricPrompt with CryptoObject: How and Why": "https://medium.com/androiddevelopers/using-biometricprompt-with-cryptoobject-how-and-why-aace500ccdb7",
     "Android Biometric API: Getting Started": "https://www.kodeco.com/18782293-android-biometric-api-getting-started",
-    "MOBILE PENTESTING 101 – BYPASSING BIOMETRIC AUTHENTICATION": "https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/"
+    "Android Biometric Authentication": "https://developer.android.com/identity/sign-in/biometric-auth"
   },
   "title": "Biometric Authentication Bypass",
   "privacy_issue": false,

WEB_SERVICE/DNS/_MEDIUM/DNS_TXT_RECORDS_MALICIOUS_CONTENT/meta.json

@@ -4,7 +4,6 @@
   "risk_rating": "medium",
   "references": {
     "Splunk Deep Learning Blog": "https://www.splunk.com/en_us/blog/security/ml-in-security-detect-suspicious-txt-records-using-deep-learning.html",
-    "AhnLab Security Blog": "https://asec.ahnlab.com/en/54916/",
     "ProSec Networks": "https://www.prosec-networks.com/en/blog/dns-tunneling-erkennen/"
   },
   "privacy_issue": false,

WEB_SERVICE/TLS/_MEDIUM/SSL_LUCKY_THIRTEEN/meta.json

@@ -5,8 +5,7 @@
   "references": {
     "Veracode Lucky Thirteen Prevention": "https://docs.veracode.com/r/prevent-ssl-lucky13",
     "Wikipedia - Lucky Thirteen Attack": "https://en.wikipedia.org/wiki/Lucky_Thirteen_attack",
-    "Beagle Security Lucky Thirteen Overview": "https://beaglesecurity.com/blog/vulnerability/lucky-thirteen-attack-against-implementations-of-the-transport-layer-security.html",
-    "BrandSek Lucky Thirteen Vulnerability": "https://brandsek.com/kb/books/ssl-vulnerability/page/lucky-13-vulnerability/revisions/21"
+    "Beagle Security Lucky Thirteen Overview": "https://beaglesecurity.com/blog/vulnerability/lucky-thirteen-attack-against-implementations-of-the-transport-layer-security.html"
   },
   "privacy_issue": true,
   "security_issue": true,

WEB_SERVICE/WEB/_LOW/GRAPHQL_ALIAS_BRUTEFORCING/meta.json

@@ -3,7 +3,7 @@
   "title": "Brute Force Login Using Alias Batching in GraphQL API",
   "short_description": "An attacker leverages GraphQL query aliases to batch multiple login attempts in a single query, potentially bypassing rate limits and overwhelming the authentication system.",
   "references": {
-    "Wallarm": "https://lab.wallarm.com/graphql-batching-attack/"
+    "Wallarm": "https://medium.com/@instatunnel/graphql-batching-attacks-how-100-queries-become-10-000-database-calls-156fb3b2da1c"
   },
   "privacy_issue": false,
   "security_issue": true,

WEB_SERVICE/WEB/_SECURE/SECURE_GRAPHQL_ALIAS_BRUTEFORCING/meta.json

@@ -3,7 +3,7 @@
   "title": "Protected Against GraphQL Alias Brute Forcing",
   "short_description": "The GraphQL API enforces alias limits, preventing credential brute-forcing via aliases.",
   "references": {
-    "Wallarm": "https://lab.wallarm.com/graphql-batching-attack/",
+    "Wallarm": "https://medium.com/@instatunnel/graphql-batching-attacks-how-100-queries-become-10-000-database-calls-156fb3b2da1c",
     "OWASP Authentication Cheat Sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html"
   },
   "privacy_issue": false,

WEB_SERVICE/WEB/_SECURE/SECURE_GRAPHQL_BATCH_LIMITING/meta.json

@@ -3,7 +3,7 @@
   "title": "Protected Against GraphQL Batch Query Attacks",
   "short_description": "The GraphQL API enforces batch query limits, preventing Denial of Service (DoS) via array-based query batching.",
   "references": {
-    "Wallarm": "https://lab.wallarm.com/graphql-batching-attack/"
+    "Wallarm": "https://medium.com/@instatunnel/graphql-batching-attacks-how-100-queries-become-10-000-database-calls-156fb3b2da1c"
   },
   "privacy_issue": false,
   "security_issue": true,

tests/kb_test.py

@@ -1279,14 +1279,19 @@ def testMetaFiles_always_referencesShouldHaveValidLinks() -> None:
         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
         "Accept-Language": "en-US,en;q=0.5",
     }
+    skipped_reference_domains = (
+        "medium.com",
+        "securecoding.cert.org",
+        "wiki.sei.cmu.edu",
+        "asec.ahnlab.com",
+    )
 
     for meta_file in json_files:
         with open(meta_file, "r", encoding="utf-8") as file:
             data = json.load(file)
         references = data.get("references", {})
         for url in references.values():
-            # Skip Medium articles
-            if "medium.com" in url:
+            if any(domain in url for domain in skipped_reference_domains):
                 continue
             if url in checked_urls:
                 if checked_urls[url] is False: