fix(security): correct OWASP Top 10 mapping to published 2021 edition#254

Open
guillemfigols-maker wants to merge 3 commits into awslabs:main from guillemfigols-maker:guillem/fix

Conversation

@guillemfigols-maker

Summary

The security baseline extension referenced OWASP Top 10 (2025), which does not exist. The latest published edition is OWASP Top 10 (2021). This updates the appendix mapping table to use the correct edition with accurate category IDs and names.

Changes

  • Removed a hidden TODO: CRITICAL comment flagging this as unverified
  • Updated the appendix title from OWASP Top 10 (2025) to OWASP Top 10 (2021)
  • Corrected all 8 category mappings to match the published 2021 standard:
    • SECURITY-09: A02 → A05 (Security Misconfiguration)
    • SECURITY-10: A03 → A06 (Vulnerable and Outdated Components)
    • SECURITY-11: A06 → A04 (Insecure Design)
    • SECURITY-12: A07 – Identification and Authentication Failures (name corrected)
    • SECURITY-13: A08 – Software and Data Integrity Failures (name corrected)
    • SECURITY-14: A09 – Security Logging and Monitoring Failures (name corrected)
    • SECURITY-15: A10 → A04 (Insecure Design; A10:2021 is SSRF, unrelated)

User experience

Before: The OWASP appendix referenced non-existent "2025" category IDs. Users following the mapping to the OWASP standard would not find them.

After: The appendix references the published OWASP Top 10 (2021) with correct category IDs and names.

Checklist

If your change doesn't seem to apply, please leave them unchecked.

  • I have reviewed the contributing guidelines
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Test Plan

  • Verify category IDs and names against the published OWASP Top 10 2021
  • Run npx markdownlint-cli2 "**/*.md" — 0 errors on the modified file

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

guillemfigols and others added 3 commits May 9, 2026 09:05
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ai-ram-ramani
Contributor

it does exist 👍

https://owasp.org/Top10/2025/0x00_2025-Introduction/
