
Releases: OWASP/cornucopia

Latest pre-release

14 Jul 00:17
bde8cb7

Commits

  • c2778b8: Bump svelte from 5.35.4 to 5.35.6 in /cornucopia.owasp.org (dependabot[bot]) #1470

v2.4.0

26 Jun 10:39
915c5fc


The clouds can be a scary place. All these machines that simply aren't yours. So how can you make sure you continuously keep your cloud infrastructure secure? OWASP Cumulus is the easy way to bring security into the cloud and your DevOps teams. Play it at copi.owasp.org!


As a variant of the card game Elevation of Privilege, it follows the idea of threat modeling a system via gamification. This lightweight and low-barrier approach helps you find threats in your DevOps or cloud project and teaches the developers a security-oriented mindset.

Threat Modeling

The idea of threat modeling via serious games goes back to the card game Elevation of Privilege by Adam Shostack. The basic idea is to bring the developers to the table and get them to start discussing the security of their system. For this, a card game serves as a guide through a catalogue of threats. It is designed to be a low-barrier and naturally embeddable approach within agile software development processes.

While we at OWASP Cornucopia have been focusing on creating games focused on web- and mobile application security, we have felt that the specific needs of the DevOps team working in cloud environments have been missing. OWASP Cumulus seeks to fill this gap and provides a custom card deck with threats for cloud systems.

How to Play Cumulus


  • Go to: https://copi.owasp.org/games/new
  • Select OWASP Cumulus from the drop-down list
  • Make sure you have done all the preparations
  • Then click: Create the Game
  • Send the link to 3 players

Once 3 players have joined, click Start the game.


Commits

  • 2990e72: Bump urllib3 from 2.4.0 to 2.5.0 in the pip group (dependabot[bot]) #1397
  • 7c9c41f: Bump step-security/harden-runner from 2.12.0 to 2.12.1 (dependabot[bot]) #1398
  • 51d68a6: Bump svelte from 5.34.5 to 5.34.6 in /cornucopia.owasp.org (dependabot[bot]) #1400
  • a723f44: Bump hexpm/elixir in /copi.owasp.org (dependabot[bot]) #1401
  • a9e4a55: Bump plug_cowboy from 2.7.3 to 2.7.4 in /copi.owasp.org (dependabot[bot]) #1402
  • 37ca5ab: Bump ecto_sql from 3.12.1 to 3.13.0 in /copi.owasp.org (dependabot[bot]) #1403
  • 924c749: Bump svelte-check from 4.2.1 to 4.2.2 in /cornucopia.owasp.org (dependabot[bot]) #1406
  • d57556a: Bump @sveltejs/kit from 2.21.5 to 2.22.0 in /cornucopia.owasp.org (dependabot[bot]) #1407
  • bbc4316: Bump swoosh from 1.19.2 to 1.19.3 in /copi.owasp.org (dependabot[bot]) #1408
  • 54746fa: Bump svelte from 5.34.6 to 5.34.7 in /cornucopia.owasp.org (dependabot[bot]) #1405
  • 728483b: Do not install the pyinstaller as part of the package manifest as it crashes the build (Johan Sydseter) #1410
  • 8384f3d: Bump ecto_sql from 3.13.0 to 3.13.1 in /copi.owasp.org (dependabot[bot]) #1412
  • a17e122: Add OWASP Cumulus as a game to Copi (sydseter) #1413
  • cb41197: Add the creator of OWASP Cumulus (sydseter) #1413
  • 73a1b8f: Fix test (sydseter) #1413
  • 4f1669c: Adding article about OWASP Cumulus (sydseter) #1413
  • 9a9d8da: Fix writing error (sydseter) #1413
  • 2597633: Bump urllib3 from 2.4.0 to 2.5.0 (dependabot[bot]) #1404
  • 44b80bd: Bump pathvalidate from 3.2.3 to 3.3.1 (dependabot[bot]) #1392
  • a319439: Bump mypy from 1.15.0 to 1.16.1 (dependabot[bot]) #1391
  • a8efcbf: Bump flake8 from 7.2.0 to 7.3.0 (dependabot[bot]) #1417
  • 56fd1b7: Update post about Cumulus (Uncle Joe) #1419
  • 3ad5fe3: Bump @types/node from 24.0.3 to 24.0.4 in /cornucopia.owasp.org (dependabot[bot]) #1421
  • 4d856c4: Bump phoenix_ecto from 4.6.4 to 4.6.5 in /copi.owasp.org (dependabot[bot]) #1422
  • 7ce45a9: Bump erlef/setup-beam from 1.19.0 to 1.20.1 (dependabot[bot]) #1424
  • 6c14563: Fix css styling for the Cumulus cards (sydseter) #1425
  • 413e9d6: Bump ecto_sql from 3.13.1 to 3.13.2 in /copi.owasp.org (dependabot[bot]) #1423
  • 160bd14: Revert "Merge pull request #1401 from OWASP/dependabot/docker/copi.owasp.org/hexpm/elixir-1.18.4-erlang-28.0-debian-bullseye-20250610" (sydseter) #1415
  • 3525720: Build the docker file always to check that it can be deployed. (sydseter) #1415
  • 6bfe644: Specify working dir for building the dockerfile (sydseter) #1415
  • 33d4ff3: Bump vite-plugin-static-copy in /cornucopia.owasp.org (dependabot[bot]) #1427
  • 778e497: Bump svelte from 5.34.7 to 5.34.8 in /cornucopia.owasp.org (dependabot[bot]) #1429

v2.3.1

18 Jun 13:11
10ede78

Bug fixes and security updates.

Commits

  • c1eedbc: Various fixes: (sydseter) #1359
  • 37b7ec6: Add missing translation object (sydseter) #1359
  • 36bc7ca: Adding missing translation object (sydseter) #1359
  • 0c74505: Declare the type (sydseter) #1359
  • e40e23c: Fix build (sydseter) #1364
  • 1103df0: Bump pytest-cov from 6.1.1 to 6.2.0 (dependabot[bot]) #1366
  • 9070aa0: Bump types-requests from 2.32.0.20250602 to 2.32.4.20250611 (dependabot[bot]) #1368
  • ff67923: Bump github/codeql-action from 3.28.19 to 3.29.0 (dependabot[bot]) #1371
  • 5971381: Bump step-security/harden-runner from 2.12.0 to 2.12.1 (dependabot[bot]) #1372
  • 5b117ae: Bump coverage from 7.8.2 to 7.9.0 (dependabot[bot]) #1367
  • c9fa45d: Adding the environment variables to the task to see if it improves the issues with the missing api token (Uncle Joe) #1372
  • 361722e: Bump hexpm/elixir in /copi.owasp.org (dependabot[bot]) #1354
  • d5ebde9: Update the production deploy as well to ensure it doesn't fail (Uncle Joe) #1372
  • cf47c6d: Bump coverage from 7.8.2 to 7.9.0 (dependabot[bot]) #1374
  • e68bdcb: Bump pytest-cov from 6.1.1 to 6.2.1 (dependabot[bot]) #1375
  • 5d984cf: Bump certifi from 2025.4.26 to 2025.6.15 (dependabot[bot]) #1376
  • 4e85897: Bump pytest-cov from 6.1.1 to 6.2.1 (dependabot[bot]) #1377
  • fa275c5: Bump coverage from 7.9.0 to 7.9.1 (dependabot[bot]) #1379
  • 19caa51: Bump mvdan/shfmt from 4943278 to 2b526f1 (dependabot[bot]) #1380
  • 138a457: Bump pathvalidate from 3.2.3 to 3.3.1 (dependabot[bot]) #1378
  • c0bf489: Bump pathvalidate from 3.2.3 to 3.3.1 (dependabot[bot]) #1386
  • 2340697: Bump mypy from 1.15.0 to 1.16.1 (dependabot[bot]) #1387
  • a5869a7: Bump coverage from 7.9.0 to 7.9.1 (dependabot[bot]) #1385
  • bdc81f1: Update install_cornucopia_deps.txt (Uncle Joe) #1385
  • 2e71fca: Update install_cornucopia_deps.txt (Uncle Joe) #1385
  • 65d65ae: Update install_cornucopia_deps.txt (Uncle Joe) #1385
  • 44b9920: Update install_cornucopia_deps.txt (Uncle Joe) #1385
  • cc82c75: Bump floki from 0.37.1 to 0.38.0 in /copi.owasp.org (dependabot[bot]) #1383
  • 0510f11: Bump vite-plugin-static-copy in /cornucopia.owasp.org (dependabot[bot]) #1382
  • d2826b8: Bump svelte from 5.33.14 to 5.34.3 in /cornucopia.owasp.org (dependabot[bot]) #1381
  • a59f633: Bump brace-expansion in /cornucopia.owasp.org in the npm_and_yarn group (dependabot[bot]) #1365
  • 9e116fa: Bump @sveltejs/kit from 2.21.2 to 2.21.5 in /cornucopia.owasp.org (dependabot[bot]) #1373
  • 9852663: Bump @types/node from 22.15.29 to 24.0.3 in /cornucopia.owasp.org (dependabot[bot]) #1388
  • ef33d4a: Improve pipelines (sydseter) #1389
  • fe18375: Upload and display artifacts for 5 days. (sydseter) #1389
  • b462cac: Correct line feed char. (sydseter) #1389
  • 9eea8c6: Force build this (sydseter) #1389
  • 60a11bc: Ensure run tests are run against the pull-request code (sydseter) #1389
  • f896037: Give write access to the pull-request (sydseter) #1389
  • 224c549: Adding permissions to comment on the pr (sydseter) #1389
  • 6438adb: Fix permission issue for job (sydseter) #1389
  • a628c0a: Add content read permission (sydseter) #1389
  • 421addb: Build and test the website and copi for each pull-request (sydseter) #1389
  • becf0d5: Ease permissions (sydseter) #1389
  • 1d1a447: Fix permissions (sydseter) #1389
  • 59de4ff: Set missing permissions (sydseter) #1389
  • a1377ec: Limit permissions for the hardening (sydseter) #1389
  • bd052d5: Set permissions for the hardening (sydseter) #1389
  • 87d97c2: Try scripting to comment (sydseter) #1389
  • a5c7ef1: remove commenting workflow (sydseter) #1389
  • c7d4906: move commenting to separate job (sydseter) #1389
  • 846e503: Update run-tests-generate-output.yaml (Uncle Joe) #1389
  • e841c1d: Update Dockerfile (Uncle Joe) #1389
  • 99699d0: Update workflows to be run on master (sydseter) #1389
  • d6788d1: Bump pytest from 8.3.5 to 8.4.1 (dependabot[bot]) #1390
  • be381e6: Bump svelte from 5.34.3 to 5.34.5 in /cornucopia.owasp.org (dependabot[bot]) #1393
  • 921e0a5: Bump svelte-sitemap from 2.7.0 to 2.7.1 in /cornucopia.owasp.org (dependabot[bot]) #1394
  • 6263528: Make the secret available to the reusable workflow from the caller (sydseter) #1395
  • 4fccd06: Ensure workflow is triggered on configuration change. (sydseter) #1395

v2.3.0

11 Jun 18:45
97417ad

OWASP Cornucopia v2.3.0 Release

Image: Marvin the Paranoid Android (see https://en.wikipedia.org/wiki/File:Marvin_(HHGG).jpg)

Threat modeling your AI models using AI?

Are you letting the AI do the threat modeling for you? There is no need to let the machines take over the world! Threat model using Elevation of MLSec on copi.owasp.org instead. Our survival depends on it! At copi.owasp.org you can now play Elevation of MLSec to threat model your AI models.

Elevation of MLsec is an unofficial Machine Learning Security (MLsec) extension of Microsoft's Elevation of Privilege threat modeling card game. These playing cards portray risks associated with machine learning (ML) that have been identified by research groups. The game can be played with or without the original Elevation of Privilege deck, depending on the nature of what you're threat modeling. The intention of these cards is primarily to improve the security of ML systems themselves, as opposed to using ML for security.

The work is based mainly on the Berryville Institute of Machine Learning's (BIML) architectural risk analysis for machine learning systems (BIML-78) and their LLM analysis (BIML-LLM24), found on berryvilleiml.com. The game also adds a few supplementary LLM-specific threats from OWASP's Top 10 for Large Language Model Applications, found on owasp.org.

The game was created by Elias Brattli Sørensen and designed by Jorun Kristin Bremseth while working at Kantega. You can download the design files from their repository if you would like to print a physical version of the game.

Version 2.3 of OWASP Cornucopia brings with it "Elevation of MLSec" as an option when you select a new game at copi.owasp.org. If you like, it's also possible to install Copi yourself. Read more about this here: https://cornucopia.owasp.org/copi

Personally, I am very happy about their game and have used it myself to threat model our new AI features that we are delivering at Admincontrol, and you should do it too. Don't leave the threat modeling up to the AI or it may take over the world!

How to play Elevation of MLSec

  • Go to: https://copi.owasp.org/games/new
  • Select Elevation of MLSec from the drop-down list
  • Make sure you have done all the preparations
  • Then click: Create the Game
  • Send the link to 3 players
  • Once 3 players have joined, click Start the game.



OWASP Foundation is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.

Commits

  • 34ebf18: Add new article about the 2.2 (sydseter) #1271
  • 892cbb2: Add external link indication (sydseter) #1271
  • 49d9ed1: Fix url (sydseter) #1271
  • 9fc54f7: Add a sentence about the new release (sydseter) #1271
  • bdad256: Update title (Uncle Joe) #1272
  • 3638fa8: Update index.md (Uncle Joe) #1272
  • e9744e6: Make a note. About EoP (Uncle Joe) #1272
  • c349f8b: Update index.md (Uncle Joe) #1272
  • 2791412: Bump heroicons from v2.1.1 to v2.2.0 in /copi.owasp.org (dependabot[bot]) #1274
  • 9e40219: Bump phoenix_live_dashboard from 0.8.6 to 0.8.7 in /copi.owasp.org (dependabot[bot]) #1275
  • 2d16370: Bump ecto_sql from 3.11.3 to 3.12.1 in /copi.owasp.org (dependabot[bot]) #1276
  • 22d0754: Bump svelte from 5.30.2 to 5.31.1 in /cornucopia.owasp.org (dependabot[bot]) #1279
  • ec9b58d: Update index.md (Uncle Joe) #1272
  • 4c8d531: Bump @vitest/coverage-v8 from 2.1.8 to 3.1.4 in /cornucopia.owasp.org (dependabot[bot]) #1280
  • c37fac5: Bump vitest from 3.1.3 to 3.1.4 in /cornucopia.owasp.org (dependabot[bot]) #1277
  • d40bab1: Bump dotenv from 16.4.7 to 16.5.0 in /cornucopia.owasp.org (dependabot[bot]) #1278
  • 3d1f7d9: Bump yaml_elixir from 2.9.0 to 2.11.0 in /copi.owasp.org (dependabot[bot]) #1273
  • 81a8d0c: Bump phoenix_live_view from 1.0.11 to 1.0.12 in /copi.owasp.org (dependabot[bot]) #1281
  • ab686ae: Bump click from 8.2.0 to 8.2.1 (dependabot[bot]) #1282
  • 8f02f84: Bump setuptools from 80.7.1 to 80.8.0 (dependabot[bot]) #1283
  • 3a29e77: Bump svelte from 5.31.1 to 5.32.1 in /cornucopia.owasp.org (dependabot[bot]) #1284
  • 2e712d9: Bump coverage from 7.8.0 to 7.8.1 (dependabot[bot]) #1286
  • 2ff13f0: Update deploy-staging.yml (Uncle Joe) #1287
  • 418fe63: Remove job to resolve https://github.com/OWASP/cornucopia/security/code-scanning/69 (sydseter) #1288
  • bba8a0f: pin the docker image (sydseter) #1288
  • f4d589c: Update README.md (Uncle Joe) #1290
  • b3ae334: Bump mvdan/shfmt from bb41327 to 1d00607 (dependabot[bot]) #1291
  • 253f1c9: Bump hexpm/elixir in /copi.owasp.org (dependabot[bot]) #1292
  • a0cf2df: Bump coverage from 7.8.0 to 7.8.1 (dependabot[bot]) #1294
  • 4c4431a: Bump debian in /copi.owasp.org (dependabot[bot]) #1293
  • deaca3f: Bump coverage from 7.8.1 to 7.8.2 (dependabot[bot]) #1296
  • 320d83c: Bump erlef/setup-beam from 1.18.2 to 1.19.0 (dependabot[bot]) #1299
  • 999b6d7: Bump mvdan/shfmt from 1d00607 to 15494ec (dependabot[bot]) #1301
  • 59d26b1: Bump setuptools from 80.8.0 to 80.9.0 (dependabot[bot]) #1303
  • 88526e1: Bump freezegun from 1.5.1 to 1.5.2 (dependabot[bot]) #1297
  • 56f8258: Bump hackney from 1.23.0 to 1.24.1 in /copi.owasp.org (dependabot[bot]) #1304
  • 0f2e817: Bump freezegun from 1.5.1 to 1.5.2 (dependabot[bot]) #1307
  • 50a0fb1: Bump coverage from 7.8.1 to 7.8.2 (dependabot[bot]) #1308
  • 00b806b: Bump mypy from 1.15.0 to 1.16.0 (dependabot[bot]) #1316
  • 4035a2c: Bump pipenv from 2025.0.2 to 2025.0.3 (dependabot[bot]) #1317
  • 2d61d61: Bump mvdan/shfmt from 15494ec to 4943278 (dependabot[bot]) #1325
  • 97d0fc1: Bump mypy from 1.15.0 to 1.16.0 (dependabot[bot]) #1328
  • 0481c21: Bump types-requests from 2.32.0.20250515 to 2.32.0.20250602 (dependabot[bot]) #1329
  • aa09d27: Bump ossf/scorecard-action from 2.4.1 to 2.4.2 (dependabot[bot]) #1330
  • c63802e: Update install_cornucopia_deps.txt (Uncle Joe) #1328
  • 5451351: Bump svelte from 5.32.1 to 5.33.14 in /cornucopia.owasp.org (dependabot[bot]) #1333
  • 3bd3c31: Bump pytest from 8.3.5 to 8.4.0 (dependabot[bot]) #1332
  • 5dd76ac: Update install_cornucopia_deps.txt (Uncle Joe) #1328
  • 852b974: Update wrangler to 4.18.0 (Uncle Joe) #1334
  • f7f50d2: Bump bandit from 1.6.11 to 1.7.0 in /copi.owasp.org (dependabot[bot]) #1319
  • 9a6ba9d: Bump phoenix_live_view from 1.0.12 to 1.0.14 in /copi.owasp.org (dependabot[bot]) [#1331](https://github.com/OWAS...

v2.2.0

19 May 14:25
4a4cd74

Copi - A Game Engine for OWASP® Cornucopia Threat Modeling

A new release and new server

There is now a new release of OWASP Cornucopia 2.2 to celebrate a new milestone in the project's history.
We have been able to push the application onto OWASP® Foundation’s Fly.io account so that you can enjoy the game. We have also updated the Elevation of Privilege game, which we also host, to include the cards that were missing from the original release of EoP, thanks to Adam Shostack, who made sure his game was open-sourced: https://github.com/adamshostack/eop

Finally, if you have stringent security policies that don't allow you to use public online services, no worries: you can run copi.owasp.org yourself in your own account and make sure nobody else can access the service. We encourage you to install "Copi - The Cornucopia Game engine" and contribute to the project. Doing this is pretty straightforward. You can choose between installing it on Heroku.com or Fly.io. We recommend Fly.io as they support BEAM clustering.

Copi - The OWASP Cornucopia Game Engine - is free!

This is how you do it…

You'll need to install Elixir in order to launch the app. See: https://github.com/OWASP/cornucopia/tree/master/copi.owasp.org#get-elixir. Log in to Fly.io and create a PostgreSQL cluster. See: https://fly.io/dashboard/ (click Managed Postgres in the menu). 1 GB of memory and 10 GB of storage for the database are enough.

git clone https://github.com/OWASP/cornucopia.git
cd cornucopia/copi.owasp.org
fly auth login
fly launch --no-deploy

Make a note of the host, the app's name, and the PostgreSQL cluster's name. Then deploy the app from ./copi.owasp.org

fly mpg attach <cluster name> --app <app name>
fly deploy --app <app name> --env PHX_HOST=<app hostname without 'https://'>
fly scale count 2 --app <app name>

The app will be deployed with a PostgreSQL database and two instances. The monthly cost is no more than $14.

Adding new card games with the same game rules as EoP or OWASP® Cornucopia is also easy. If you have any ideas or suggestions for security-related card games, then submit a request on https://github.com/OWASP/cornucopia and please don't forget to give us a star.

dotNET lab OWASP Cornucopia decks

Thanks to dotNET lab and Jef Meijvis, all prior decks sold on their website now have QR codes that are redirected towards our new website. This means that if you have an old dotNET lab OWASP Cornucopia deck, then you don’t need to be afraid that your deck will become outdated when there is a new release of OWASP Cornucopia Website Edition. The QR code on the card will take you to the latest version on cornucopia.owasp.org with the newest requirement mapping.



Commits

  • 470f966: Bump oss-fuzz-base/base-builder-python in /.clusterfuzzlite (dependabot[bot]) #1185
  • d4dc26a: Bump oss-fuzz-base/base-builder-python in /.clusterfuzzlite (dependabot[bot]) #1186
  • 8de2835: Bump packaging from 24.2 to 25.0 (dependabot[bot]) #1187
  • 5b394da: Bump setuptools from 78.1.0 to 79.0.0 (dependabot[bot]) #1188
  • 38c034b: Bump oss-fuzz-base/base-builder-python in /.clusterfuzzlite (dependabot[bot]) #1189
  • b378066: Bump step-security/harden-runner from 2.11.1 to 2.12.0 (dependabot[bot]) #1190
  • 9815602: Merge remote-tracking branch 'copi/main' (Sydseter) #1191
  • 03324a3: Bump oss-fuzz-base/base-builder-python in /.clusterfuzzlite (dependabot[bot]) #1192
  • ce7a426: Bump mvdan/shfmt (dependabot[bot]) #1193
  • 3ff8a2f: Bump mypy-extensions from 1.0.0 to 1.1.0 (dependabot[bot]) #1194
  • 596db3f: Bump lxml from 5.3.2 to 5.4.0 (dependabot[bot]) #1195
  • e43e76f: Bump the npm_and_yarn group across 1 directory with 2 updates (dependabot[bot]) #1196
  • f2d248d: Bump github/codeql-action from 3.28.15 to 3.28.16 (dependabot[bot]) #1197
  • 4b16f95: Bump actions/setup-python from 5.5.0 to 5.6.0 (dependabot[bot]) #1198
  • 60d6886: Bump oss-fuzz-base/base-builder-python in /.clusterfuzzlite (dependabot[bot]) #1199
  • 2cdfe0b: Bump setuptools from 79.0.0 to 79.0.1 (dependabot[bot]) #1200
  • 3df9781: Bump lxml from 5.3.2 to 5.4.0 (dependabot[bot]) #1201
  • f324df5: Bump pipenv from 2024.4.1 to 2025.0.1 (dependabot[bot]) #1203
  • d9ad223: Bump mvdan/shfmt from 8f8185e to bb41327 (dependabot[bot]) #1204
  • 336bf12: Bump setuptools from 79.0.1 to 80.0.0 (dependabot[bot]) #1206
  • 6eaff0a: Bump certifi from 2025.1.31 to 2025.4.26 (dependabot[bot]) #1205
  • 6563019: Fixing all tests for copi. Adding CI job for running tests. Adding documentation. Adding missing EoP cards. (sydseter) #1207
  • 14f21b2: Force the build to start (sydseter) #1207
  • 6684015: Use latest system (sydseter) #1207
  • a2d8420: correct working dir (sydseter) #1207
  • f957059: Add secrets (sydseter) #1207
  • 8b04901: Run for pull-requests (sydseter) #1207
  • b230609: Run for all branches (sydseter) #1207
  • e209e01: pin git actions (sydseter) #1207
  • 47616d6: Remove local secret (sydseter) #1207
  • f944841: Fix error view (sydseter) #1207
  • 077408e: Run for all pull-requests (sydseter) #1207
  • bd6d197: Update README.md (Uncle Joe) #1208
  • f53d7e7: Bump actions/cache from 3.4.3 to 4.2.3 (dependabot[bot]) #1209
  • 382b663: Bump setuptools from 80.0.0 to 80.0.1 (dependabot[bot]) #1210
  • 2d93560: Bump setuptools from 80.0.1 to 80.1.0 (dependabot[bot]) #1211
  • 645888f: Bump vite (dependabot[bot]) #1212
  • 722a1ec: Bump qrcode from 8.1 to 8.2 (dependabot[bot]) #1213
  • e1893b1: Bump github/codeql-action from 3.28.16 to 3.28.17 (dependabot[bot]) #1214
  • fc1320b: Bump charset-normalizer from 3.4.1 to 3.4.2 (dependabot[bot]) #1215
  • 230c348: Bump setuptools from 80.1.0 to 80.3.1 (dependabot[bot]) #1216
  • 4afa289: Bump pipenv from 2025.0.1 to 2025.0.2 (dependabot[bot]) #1218
  • c2a1b28: Bump qrcode from 8.1 to 8.2 (dependabot[bot]) #1217
  • 5435fa7: update link to Agilestationary to promote their new site (Uncle Joe) #1219
  • 9e7b5b3: promote AgileStationary's "cybersecgames.com" (Uncle Joe) #1219
  • 167edd6: Update README.md (Uncle Joe) #1220
  • 68079fe: Revert "Bump @sveltejs/kit" (sydseter) #1221
  • ca0f5d5: Mute CVE for now (sydseter) #1221
  • 243417b: Merge branch 'master' into revert-sveltekit (sydseter) #1221
  • 12c785f: fix lock file (sydseter) #1221
  • 76590bb: patch cve (sydseter) #1222
  • 6f4f10c: Configure the project for heroku (sydseter) #1228
  • 8369cdd: Bump charset-normalizer f...

v2.1.1

26 Feb 22:35
5903109

This release contains various font fixes to ease printing and allow for more translations. The Website App edition has been translated into Russian (see: owasp_cornucopia_webapp_2.1_ru.zip); thanks to Andrey Danin (@Stuw).

Commits

  • 122b5c2: New post (Johan Sydseter) #1052
  • d59da45: Post about the release (Johan Sydseter) #1053
  • 033e067: Add em (Johan Sydseter) #1053
  • 230817b: Fix em (Johan Sydseter) #1053
  • 07d2aca: Update release post to also mention the new translations (Uncle Joe) #1054
  • d4f86e3: Update CODEOWNERS (Uncle Joe) #1055
  • a6dc7a3: Update README.md (Uncle Joe) #1056
  • 873faf4: Bump mvdan/shfmt from 0eb8266 to 5593a35 (dependabot[bot]) #1057
  • caf48ae: Bump python from 816feb2 to e885b40 (dependabot[bot]) #1058
  • 1365e33: Bump step-security/harden-runner from 2.10.4 to 2.11.0 (dependabot[bot]) #1059
  • 67d12ef: Bump flake8 from 7.1.1 to 7.1.2 (dependabot[bot]) #1060
  • f3accec: Update index.md (Uncle Joe) #1061
  • 1916b88: dev server is not used when publishing static projects. (Uncle Joe) #1061
  • 6005869: Bump flake8 from 7.1.1 to 7.1.2 (dependabot[bot]) #1062
  • 4026cf8: Support the test decks with the old QR code and fix an issue with the lowercase redirect. (Johan Sydseter) #1063
  • 996673d: cleanup. (Johan Sydseter) #1063
  • 1ae8159: Response can be const. (Johan Sydseter) #1063
  • 1e90bb7: Also add the first article here. (Johan Sydseter) #1064
  • 65264fb: Rename article to match name (Johan Sydseter) #1065
  • 77b0da7: Ensure text on front page has correct styling (Johan Sydseter) #1066
  • 4ff1159: Fix title metadata (Johan Sydseter) #1067
  • 78cd9e4: Update README.md (Uncle Joe) #1068
  • f819249: Add the site to bing search (Johan Sydseter) #1069
  • a976087: Bump hypothesis from 6.125.3 to 6.126.0 (dependabot[bot]) #1071
  • 62a7c45: Improve seo by adding descriptions, titles and alt tags. (Johan Sydseter) #1072
  • 49a0852: Add bing xml for crawling and robot.txt (Johan Sydseter) #1072
  • dd491c3: Adding security.txt (Johan Sydseter) #1072
  • af5d496: fix duplicate alt (Johan Sydseter) #1072
  • 31ff8eb: Update +page.svelte (Uncle Joe) #1072
  • b18c2d4: Add canonical links to reduce the number of pages in search results. Correct name of robots.txt and cleanup non-used csp (Johan Sydseter) #1073
  • 3c783d5: Add ru files identical to en (Andrey Danin) #999
  • 263e890: Add ru language to mappings (Andrey Danin) #999
  • 3f7fea7: Add ru translation (Andrey Danin) #999
  • 48e765e: Bump hypothesis from 6.126.0 to 6.127.1 (dependabot[bot]) #1074
  • ba4f967: Bump mvdan/shfmt from 5593a35 to 6ec7674 (dependabot[bot]) #1075
  • e6f622a: Bump actions/upload-artifact from 4.6.0 to 4.6.1 (dependabot[bot]) #1076
  • 8553630: Bump github/codeql-action from 3.28.9 to 3.28.10 (dependabot[bot]) #1077
  • 64f2432: Bump ossf/scorecard-action from 2.4.0 to 2.4.1 (dependabot[bot]) #1078
  • 92d019b: Bump hypothesis from 6.127.1 to 6.127.2 (dependabot[bot]) #1079
  • 5595694: Add cre mapping for website app (Johan Sydseter) #1080
  • 0929c60: Add quotes around id's prefixed with 0 (Johan Sydseter) #1080
  • 0a5bf74: Removing Fivo and Adkinson font to use Noto instead to support Russian. Updating the website with the new release. (Johan Sydseter) #1081
  • 0e4fbb4: Bump setuptools from 75.8.0 to 75.8.1 (dependabot[bot]) #1082
  • de085fd: Adding missing fonts. Correcting README and print instructions. (Johan Sydseter) #1083
  • 3693441: Adding complete whitelist for western and non-western characters. Do not use Russian word for Joker for now. (Johan Sydseter) #1084
  • 205765b: Correct style (Johan Sydseter) #1084

v2.1.0

14 Feb 09:12
ab769c9

Description

This release includes the new versions of the OWASP Cornucopia Website and Mobile App Editions with QR codes on each card that take the player to https://cornucopia.owasp.org/, where they can read more about each card in the decks. This will help scale secure design and requirement gathering activities for your development teams and empower them to do application security in a more agile way.

We would like to thank dotNET lab for donating their website code for this development. Volunteer @jefmeijvis was instrumental in making the website with help from the rest of the project team. All the source code is located in our repository, providing a way to maintain consistency by using some of the same data sources. The website's repo is at:

https://github.com/OWASP/cornucopia/tree/master/cornucopia.owasp.org

This has allowed us to add a news section and reinstate an extended version of the Wiki Deck, originally created by former co-leader Darío De Filippis, combining information from that with new content and code kindly donated by dotNET lab. There are now fully browsable cards for both editions (Website App and Mobile App), which can also be examined by mapping taxonomy (e.g. OWASP ASVS, OWASP MASTG, OWASP Top Ten):

https://cornucopia.owasp.org/cards

https://cornucopia.owasp.org/taxonomy

The card URLs will be the unique endpoints linked from the QR codes on printed cards, and they include guidance, tips and all the taxonomy lookups, making it easier to alter and extend these whenever we want. Recent additional volunteer names have now been added in the acknowledgements.

In due course, the current site at owasp.org/www-project-cornucopia will be simplified and linked to the new custom website.

New translations

In addition to the new versions of the editions and the OWASP Cornucopia website, the new release also comes with two new translations, "PT-PT" (Portuguese-Portugal) and "IT" (Italian), thanks to André Ferreira (@AndreFerreiraMsc) and Ruggero DallAglio (@rdallaglio), respectively. As with previous translations, these are also delivered in 2 sizes, bridge and tarot, both with and without QR codes, in addition to being delivered as legacy guide documents. The new translations will be available in digital formats for download and print-on-demand.

Printing of the new decks

Additionally, dotNET lab is going to sell the OWASP Cornucopia decks on their web shop (see: https://cornucopia.owap.org/webshop). Both the Website App and Mobile App editions will come with QR codes printed on them.
The new versions of the decks are currently in the process of being printed, and we will keep you informed when these are ready. In the meantime, it's possible to buy the 1.0 Mobile App Edition and 2.0 Website App Edition from AgileStationary.


OWASP Cornucopia Ecosystem


Commits

  • ec08623: simplify layout and remove unused styles. Fixup mobile layout. (Johan Sydseter) #992
  • 93fe96e: minor fixes. (Johan Sydseter) #992
  • 5dac3c4: Remove the suit from the url. (Johan Sydseter) #992
  • 6e8fe9b: Ensure the mobile menu works without javascript. (Johan Sydseter) #992
  • CSS adjustments, manual hero card selection, changed list indentation, external link styling, #992 (Jef Meijvis)
  • Fixed external link CSS typo #992 (Jef Meijvis)
  • Updated link after pseudo element method so it can match text color #992 (Jef Meijvis)
  • Added message and direct youtube link for when javascript is disabled #992 (Jef Meijvis)
  • c79f66a: Ensure the site works without javascript (Johan Sydseter) #992
  • 3b9c646: Apply revision (Johan Sydseter) #992
  • c80b849: Ensure first word is capitalized. (Johan Sydseter) #992
  • Removed unused old components #992 (Jef Meijvis)
  • e8b5c55: Fix conflict (Johan Sydseter) #992
  • a459c28: Fix mapping (Johan Sydseter) #992
  • b964c8f: fix case (Johan Sydseter) #992
  • 544c532: fix case (Johan Sydseter) #992
  • 5f94cfe: fix case (Johan Sydseter) #992
  • 445e83c: Fix case issues (Johan Sydseter) #992
  • e3f8005: Fix case (Johan Sydseter) #992
  • 241ad17: Fix logo (Johan Sydseter) #992
  • 16b52a9: remove disc from unordered markup list. (Johan Sydseter) #992
  • 5c87a72: fix spelling (Johan Sydseter) #992
  • e344994: remove br (Johan Sydseter) #992
  • e352143: use p instead of list (Johan Sydseter) #992
  • Updated external link indicator #992 (Jef Meijvis)
  • d960fce: correct headers. (Johan Sydseter) #992
  • fc83bf3: correct test. (Johan Sydseter) #992
  • 4cb686f: Fix styles in markup. (Johan Sydseter) #992
  • f02ff34: Remove logging. (Johan Sydseter) #992
  • 07a9c8b: Remove commenting from everywhere but the news (Johan Sydseter) #992
  • 1015a78: remove sanitization (Johan Sydseter) #992
  • 3933bb1: add p instead of list (Johan Sydseter) #992
  • Updated opengraph from logo to dedicated image so it fits on services such as Teams, Discord, Facebook, LinkedIn, etc.. #992 (Jef Meijvis)
  • adbf6aa: remove duplicate line (Johan Sydseter) #992
  • 669f6d4: add csp policy (Johan Sydseter) #992
  • 812d132: Ensure a strict csp policy is enforced. (Johan Sydseter) #992
  • 5c83aca: fixup (Johan Sydseter) #992
  • 6bea73d: fixup (Johan Sydseter) #992
  • a910991: fixup (Johan Sydseter) #992
  • 35e87a0: Fix revisions. (Johan Sydseter) #992
  • cd54339: Add vercel to the policy (Johan Sydseter) #992
  • 4652462: Add vercel to the policy (Johan Sydseter) #992
  • 5f0d400: Add cso for vite preview (Johan Sydseter) #992
  • 95698c6: adding vercel preview config (Johan Sydseter) #992
  • 3b50013: Fix url issues. (Johan Sydseter) #992
  • cf96a41: ignore missing id when card (Johan Sydseter) #992
  • dac3abe: Ensure the ids for the nonscript version of the card browser card aren't navigated to (Johan Sydseter) #992
  • 1e05101: Use hooks to add headers. (Johan Sydseter) #992
  • b3c9eeb: Add various options for writing the headers file (Johan Sydseter) #992
  • a8427ad: Add various options for writing the headers file (Johan Sydseter) #992
  • 7a1d032: Fix conflict (Johan Sydseter) #992
  • f966bba: Fix conflict ...

v2.0.0

03 Jun 18:21
f3e7b85

Description

This release includes the Cornucopia Mobile App edition 1.0 with mapping to MASVS 2.0 and MASTG 1.7. The Ecommerce edition has been renamed Cornucopia Website App Edition 2.0, and the ASVS mapping for this edition has been updated from ASVS 3.0 to 4.0.
The card decks and leaflets now have two templates: bridge and tarot. For more information regarding the dimensions and printing possibilities see: https://github.com/OWASP/cornucopia?tab=readme-ov-file#printing
Finally, the filetype and style options have been removed from the converter; layout and template have been added as options instead. For more information regarding the converter options please read: https://github.com/OWASP/cornucopia?tab=readme-ov-file#building-the-deck.
The new Tarot versions of the Website App and Mobile App editions have been printed in time for OWASP Global AppSec 2024 in Lisbon, and the final proofs that were used for printing these decks can be found in this release with "global_appsec_lisbon" included in their name.

Finally, we want to thank all contributors, supporters and backers, especially OWASP's hardworking employees.

Changelog

  • Adding fuzzing
  • Adding layouts
  • Adding the tarot template
  • Renaming static to bridge template
  • Adding the mobile app edition.
  • Remove styles as an option, use templates and layouts instead.
  • Remove filetypes and introduce templates instead.
  • Removing old versions prior to 1.22
  • Update the ASVS mapping version to ASVS 4.0.3.

What's Changed

  • Adding logo by @sydseter in #504
  • Add font. by @sydseter in #506
  • Update leaflet with new logo by @sydseter in #505
  • Fixup attribution on the case by @sydseter in #507
  • Pin version. by @sydseter in #494
  • update logos and logos on leaflets. by @sydseter in #508
  • Update logo on case. Fix minor issue with gradient and ensure all gra… by @sydseter in #513
  • Minor fixes on the paths of the logos. Minor fixes for the case. by @sydseter in #519
  • Add font listing for the leaflet by @sydseter in #520
  • Add cross-references note in the readme about mobile references. by @sydseter in #521
  • Update name of Mobile App Edition. by @sydseter in #526
  • Adding IDs to the Mappings files by @rewtd in #531
  • Corrected JokerB to Bob and updated the acknowledgements to exclude A… by @rewtd in #527
  • Prepare for 2.0 release and mobile app release and shorten the build time. by @sydseter in #528
  • update logos. Fix alignment issues. by @sydseter in #541
  • Replace unsafe pyyaml loader with SafeLoader by @pixeebot in #548
  • Use defusedxml for Parsing XML by @pixeebot in #554
  • Add credits to secure delivery for copi by @sydseter in #558
  • Add 3mm bleed and slug to each template and add temp 80mm x 120 mm template by @sydseter in #565
  • Adjusted the bottom flap. by @sydseter in #568
  • Dash out where folded, solid where cut. by @sydseter in #572
  • Adding leaflet for the 80mm x 120mm version by @sydseter in #573
  • Increased the font size for the mobile and 80x120mm versions to make the description readable. by @sydseter in #575
  • Adapt the decks to 2.25 x 3.5 (bridge) (0.300mm paper) and 2.75 x 4.75 (tarot) (0.350mm paper) by @sydseter in #579
  • Add timeout to requests calls by @pixeebot in #580
  • Sandbox URL Creation by @pixeebot in #581
  • Adjustments to the small box, to make sure all sides are equal. New tuck-in box case by @sydseter in #582
  • Cornucopia 2.0 by @sydseter in #560
  • Hardening suggestions for cornucopia / release-fix by @pixeebot in #590
  • Adding tarot as a template for the leaflet. by @sydseter in #589

Full Changelog: v1.22...v2.0.0

v1.22.0

10 May 13:24
ff098c9

This release adds the ability to build multiple editions, leaflets, guides and languages. The docx guides have been updated to reflect the latest status of OWASP and the OWASP Cornucopia project. Together with numerous language corrections and additions, the v1.22 deck is now built in 6 languages (English, Spanish, French, Dutch, Portuguese, Norwegian). In addition, the project now has a robust build and release pipeline.
