{
  "meta": {
    "slug": "cwe-owasp-asvs-5.0",
    "frameworks": [
      "CWE",
      "OWASP_ASVS_5.0"
    ],
    "labels": [
      "CWE",
      "OWASP ASVS 5.0"
    ],
    "authoritative": null,
    "generated": "10 June 2026"
  },
  "metrics": {
    "pair": {
      "a": "CWE",
      "b": "OWASP_ASVS_5.0"
    },
    "counts": {
      "pairs": 672,
      "rows": 1344,
      "present_a_to_b": 337,
      "present_b_to_a": 480
    },
    "reliability": {
      "reverse_presence_pct": 99.7,
      "extent_rank_correlation": 0.826,
      "completeness_a_to_b_pct": 21.4,
      "completeness_b_to_a_pct": 55.6,
      "none_rate_a_to_b_pct": 49.9,
      "none_rate_b_to_a_pct": 28.6,
      "counterpart_coverage_a": {
        "mapped": 275,
        "universe": null,
        "pct": null
      },
      "counterpart_coverage_b": {
        "mapped": 273,
        "universe": 345,
        "pct": 79.1
      }
    },
    "abstraction": {
      "breadth_a_to_b": 1.71,
      "breadth_b_to_a": 2.19,
      "depth_a_to_b": 1.27,
      "depth_b_to_a": 1.75,
      "verdict": "OWASP_ASVS_5.0 sits at a higher level of abstraction (fans out more)",
      "intrinsic_a": {
        "signal": "cwe_abstraction",
        "distribution": {
          "Variant": 65,
          "Class": 38,
          "Base": 164,
          "Pillar": 5,
          "Compound": 3
        }
      },
      "intrinsic_b": null
    },
    "diff": null,
    "ppt": null
  },
  "diff": null,
  "edges": [
    {
      "source_framework": "CWE",
      "source_id": "CWE-1022",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.4.8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "COOP header directly blocks window.opener sharing for cross-origin loads, eliminating most of the described abuse, yet the weakness also spans link markup, popup handling, and other opener protections outside this single header."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1023",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly requires adding the missing 'iss' factor to OAuth server comparisons, eliminating most instances of this weakness in that context; B remains only partially addressed because the broad class of multi-factor comparison defects spans many other domains and factors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1023",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.7.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Consent management enforces explicit user approval for authorization requests but does not address or constrain any multi-factor comparison logic, so neither direction has any preventive effect."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1023",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A ensures consistent factor documentation across auth paths only, partially blocking one narrow slice of CWE-1023 while leaving the broad weakness untouched elsewhere."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1023",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses undocumented auth pathways and consistent strength enforcement; B is a general comparison-logic flaw unrelated to pathway documentation or consistency checks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1023",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Notification of suspicious attempts is unrelated to whether comparison logic itself includes all required factors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1023",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.7",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces multi-factor use (preventing single-factor biometric comparisons) but only addresses one narrow slice of the broad CWE-1023 comparison defect."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1023",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Backend session-token verification neither mandates nor addresses completeness of multi-factor entity comparisons, so the two are unrelated."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1023",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.5.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Session termination UI has no bearing on whether comparison logic includes all required factors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1023",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.4.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V8.4.2 directly mandates multiple identity/device/context factors for admin authorization comparisons, largely eliminating missing-factor defects in that scope, yet CWE-1023 spans arbitrary comparisons system-wide so one control leaves most of the weakness unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1024",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.5",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V15.3.5 directly mandates strict typing and equality checks that eliminate CWE-1024 comparisons, yet the weakness can still arise from language-level or design issues outside this single defensive-coding outcome."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1048",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Safe-concurrency locking rules have no bearing on the number or scope of outward references from a callable, and high fan-out is a coupling issue outside the scope of any single concurrency control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1049",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.3.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Cost/depth controls in A directly block exploitable expensive joins/subqueries (mostly), yet B can still be written in any data layer outside GraphQL controls (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-105",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact validation practice whose absence defines B, eliminating the Struts-specific defect; yet B represents only one narrow framework manifestation of missing validation, so A removes most but not necessarily every related risk vector."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-105",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Server-side input validation design directly removes the root cause of an unvalidated Struts form field, yet the narrow Struts configuration gap can still exist if the general control is not mapped to the exact validator wiring."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1050",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses endless retry/deadlock cases involving locks and thereby mitigates one facet of resource-consuming loops, yet B spans many other resources and loop patterns that A does not touch."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1050",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mitigates starvation effects of resource-hogging loops via fair allocation/thread pools but does not stop the loops themselves; B's broad consumption risk is only narrowly addressed by A's concurrency focus."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1050",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.4.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Anti-automation limits invocation frequency and thereby reduces exploitability of a resource-consuming loop, but does not address or remove the underlying coding defect itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1050",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.6.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Session-consent rules address authentication flow and have no effect on unbounded resource consumption inside loops."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1052",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates static secrets/keys for sessions (mostly preventing that facet of B), yet B spans all initialization literals, so one control removes only part of the overall risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1053",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Secret rotation/expiry requirements neither create design documentation nor are blocked by its absence."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1053",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A forces narrow documentation of dangerous functionality (partial prevention of total design-doc absence) while B's broad missing-design weakness is untouched by that single narrow requirement."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1053",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Business-logic limit verification neither produces design documentation nor is itself prevented by its absence."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1057",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Session-token verification has no bearing on whether data-access code bypasses a central data-manager component."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1058",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates thread-safe access and synchronization for shared objects, eliminating most of the exploitability of the exact unsafe static/member pattern in B, while B's narrow scope means A alone removes most but not necessarily all design-related risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1059",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.6",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires and verifies documentation only for narrow backend-connection settings, so it partially prevents the broad documentation weakness while the weakness itself is only fractionally addressed by this single narrow control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1059",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V13.3.4 only consumes existing secret-rotation documentation and does nothing to create or enforce any of the broader technical documentation whose absence defines CWE-1059, so neither direction removes risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1059",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mandates one narrow slice of documentation, thereby partially ensuring some docs exist, while B's broad absence of technical/engineering documentation is virtually untouched by this single requirement."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1059",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A supplies only a narrow SBOM-style inventory for third-party components, addressing one limited facet of the broad documentation weakness while leaving product architecture, design, and usage undescribed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1059",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses only one narrow documentation facet (risky libs), so it prevents the broad CWE only partially; that single facet removes essentially none of CWE-1059's total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1059",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mandates documentation only for dangerous functionality (one narrow facet of B's broad scope), so it addresses part but not most of the weakness in either direction."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1059",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V15.2.1 only checks component freshness against remediation timelines and does not address or require comprehensive technical documentation of architecture, interfaces or design, so neither direction removes any measurable portion of CWE-1059 risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1059",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Logging security events has no bearing on the presence or completeness of technical documentation, and vice versa."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1059",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires documentation of one narrow topic (input validation rules), which only partially mitigates general insufficient technical documentation while the single narrow rule removes essentially none of B's overall risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1059",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.1.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires one narrow slice of technical documentation, so it addresses only a single facet of the broad insufficiency described by B."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1059",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V2.3.2 verifies runtime business-logic limits while CWE-1059 concerns missing engineering documentation; neither activity produces or requires the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1059",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.1.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires one narrow slice of security documentation, so it only partially eliminates the general insufficiency described by B while B's broad scope means A removes only a fraction of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1059",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.1.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A supplies documentation for one narrow domain (auth controls), thereby partially eliminating the general insufficiency described by B, while B's broad scope across all product elements means this single control removes only a fraction of the total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1059",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Authentication brute-force controls have no bearing on existence or completeness of technical documentation, and vice versa."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1059",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A supplies one narrow slice of required documentation and therefore only partially eliminates the broad absence of technical docs (B), while B's wide scope means this single control removes only a fraction of the overall weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1060",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation on availability defenses may indirectly flag resource-heavy data patterns (partial forward) but supplies no implementation controls that actually eliminate inefficient query volume (none reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1061",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.10",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Sanitizing format strings is an input-handling control unrelated to hiding internal data or method representations, so neither direction removes any of the other's risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1061",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V11.2.5 addresses only crypto-module error handling while CWE-1061 is a broad design-level encapsulation flaw; the two share no overlap in either direction."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1061",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Disabling debug modes mitigates a symptom of leakage but neither eliminates nor meaningfully addresses the underlying design flaw of insufficient encapsulation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1061",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.6",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses only one narrow symptom (version strings) of the broad design flaw in B, so it mitigates one facet without eliminating the weakness or removing most of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1061",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V15.2.5 partially prevents CWE-1061 by listing encapsulation among several isolation techniques for risky components only, while the broad weakness spans all internal representation exposure that this single narrow control leaves mostly unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1061",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Disabling JSONP eliminates one specific cross-origin exposure vector but neither stops nor meaningfully mitigates the broad design flaw of insufficient encapsulation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1061",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.1.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Method allow-listing blocks one narrow vector for invoking unexpected functionality but does nothing to hide internal representations or close the broader design-level encapsulation gap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1067",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mitigates the availability impact of resource-heavy queries (one facet) but does not address query indexing or prevent CWE-1067's introduction; B's root cause remains untouched by the architecture-level control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1067",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.3.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "GraphQL cost controls can partially limit exploitability of expensive queries but do not address or prevent missing SQL indexes at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1068",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documenting session timeouts reduces mismatch likelihood only for that narrow topic (partial prevention); the broad CWE is untouched by one specific documentation requirement (none)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1077",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V15.3.5 targets type safety and strict equality to block juggling, while CWE-1077 is a numeric-precision issue unrelated to operand types."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1083",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Least-privilege controls on secret assets neither address nor constrain code that bypasses an application's designated data-manager component."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1083",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "HSM/vault key isolation addresses only cryptographic secret handling and has no effect on whether code bypasses a designated data-manager component."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1083",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Log-protection controls address integrity of audit records and have no bearing on whether application code bypasses an intended data-manager component."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1083",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Session-token verification on a backend service has no bearing on whether data-access code bypasses an intended data-manager component."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-109",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates validation so the Struts validator cannot remain disabled (full); B is a narrow Struts-specific misconfiguration whose risk A removes except for framework-specific configuration details (mostly)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1096",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires consistent protected locking for resources and thereby eliminates most unsynchronized singleton creation, yet B remains only partially covered because A is a broad concurrency outcome that does not by itself address every singleton design nuance."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.2",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V13.4.2 directly mandates disabling debug modes in production, which fully eliminates the exact ASP.NET debug-binary misconfiguration defined by CWE-11."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-110",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Business-logic limit verification has no bearing on Struts form-field/validator synchronization."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1102",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Time-source synchronization for logs has no bearing on low-level data-representation choices that vary by machine or OS."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1103",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation of risky (security) libraries neither targets nor mitigates platform-dependency of third-party components."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1103",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V15.2.5 adds runtime containment around already-chosen risky libraries but never addresses or avoids selection of platform-dependent third-party components, so neither direction removes any part of CWE-1103."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1104",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.2",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's SBOM + trusted-repo verification directly blocks introduction of unmaintained components (mostly), yet the weakness can still arise from post-inventory decay or incomplete coverage that one control does not fully close (mostly)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1106",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly discourages static literal secrets for one narrow purpose, giving partial prevention of that CWE manifestation, while the CWE spans all magic values so A removes none of its overall risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1108",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V15.3.6's narrow Map/Set recommendation mitigates one prototype/global-object vector but leaves the broader structural reliance on globals untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1108",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A recommends avoiding globals on the document object (plus namespaces) as one DOM-clobbering mitigation, so it partially curbs global-variable reliance, yet remains a narrow control that leaves most of the broad structural weakness untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1109",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.3.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly forbids reuse of specific crypto values (nonces/IVs), blocking that narrow facet of variable reuse, while B's general risk across arbitrary code remains almost entirely unaddressed by this single encryption rule."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-111",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.7.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A restricts deprecated browser plug-ins while B concerns unsafe native calls from Java; the two domains share no overlap so neither direction yields any prevention."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1112",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.1.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Cryptographic key/algorithm inventory has no bearing on documentation of program execution mechanisms."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1112",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V11.1.3 only mandates discovery of crypto operations and has no bearing on documenting general program execution mechanisms, so neither direction shows any preventive relationship."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1112",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires complete documentation of one execution-control mechanism (connection limits), preventing incompleteness for that facet only; B's broad scope over all program-execution mechanisms means a single narrow control removes only part of the risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1112",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V14.2.4 verifies data-protection controls against their own documentation; it neither addresses nor constrains documentation of program-execution mechanisms, so the two items have no preventive relationship in either direction."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1112",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A ensures documentation of dangerous functionality (a subset of execution mechanisms), preventing only part of B while B's broader scope means A alone leaves most risk unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1112",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A verifies implementation against existing docs but never creates or completes documentation, while B is solely a documentation-gap weakness unrelated to business-logic verification."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1112",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mandates documentation only for a narrow set of browser security mechanisms, thereby partially addressing incompleteness for those items while leaving the broad class of program-execution mechanisms untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1112",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires narrow documentation of auth-rate-limiting controls while B concerns missing documentation of general program-execution mechanisms, so the two have no overlap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1112",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A covers only the authorization facet of execution-control documentation, so it prevents one slice of CWE-1112 while leaving other mechanisms unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1112",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires documentation of a narrow slice of security-decision attributes that can influence execution, so it only partially closes the broader gap described by B."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1112",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mandates documentation of contextual authz decisions (one narrow facet of execution control) and so prevents B only partially, while B's broad program-execution scope is not addressed by A at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1118",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mandates documentation of one narrow fallback scenario (connection-limit exhaustion) that touches error-handling docs, but leaves the broad weakness of insufficient error-handling technique documentation almost untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1118",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires documentation only of dangerous functionality while B concerns missing error-handling documentation, so the two have no overlap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1118",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires documentation only for authentication defenses while B concerns error-handling documentation, so the two topics share no overlap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-113",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's allowlist-based SSRF sanitization for service calls has no bearing on CRLF neutralization in HTTP headers, and vice versa."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-113",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A only verifies safe ACAO values/allow-listing and never touches CRLF neutralization, so it prevents none of CWE-113, and CWE-113 is not prevented by A to any degree."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-113",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mitigates user override of specific proxy headers (one facet of header injection) but does not address CRLF neutralization at all, so it leaves the general weakness fully intact."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-113",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly targets response splitting via HTTP/2-3 header rules, eliminating most such defects, yet B's broad CRLF-neutralization gap spans additional vectors and protocols that this single control leaves open."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-113",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.2.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly rejects CRLF sequences in incoming headers, eliminating the described injection vector; B's broader neutralization flaw across outgoing header construction is only partly addressed by this single input check."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-116",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.1.2",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.1.2 directly mandates the exact practice whose absence defines CWE-116, so the control fully eliminates the weakness and the weakness is fully prevented by this control alone."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-116",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.2.1 directly mandates context-appropriate output encoding, eliminating CWE-116 by design, yet the weakness spans additional message types and edge cases beyond the listed HTTP/HTML/XML contexts."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-116",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly requires the output encoding that eliminates B for JS/JSON contexts, yet B spans many other structured formats that A does not address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1164",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.3",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly verifies and removes irrelevant code from production, fully eliminating the weakness in the deployed product, while a single verification step leaves some upstream development vectors partially open."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1173",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Sanitization via a dedicated HTML library neither enforces nor depends on correct use of any validation framework, so the two are unrelated."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1173",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires manual sign/range checks for overflows but never mandates or references any validation framework, so it neither blocks misuse of such a framework nor is itself prevented by framework adoption."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1173",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.7",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's narrow pollution defenses may incidentally rely on validation but do not require or enforce correct use of any validation framework, while B's broad weakness spans many validation scenarios that this single control leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1173",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Trusted-layer validation enforcement largely eliminates incorrect framework usage by requiring correct behavior, yet addresses only one facet of framework misuse risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1177",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "SBOM inventory from trusted repos enables detection of some third-party components but does not enforce explicit prohibition lists or cover internal functions, so A only partially blocks introduction while B's full scope remains unaddressed by this control alone."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1177",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation that flags risky libraries can raise awareness and thereby partially deter introduction of prohibited components, but the single control of documentation removes essentially none of the weakness without accompanying policy enforcement or tooling."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1188",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.3.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Encryption-mode verification has no bearing on resource-default initialization, so neither direction removes any of the other's risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1188",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks default credentials for one narrow backend-auth case, preventing that facet of CWE-1188 but leaving all other insecure-default initializations untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1188",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Anti-caching headers address browser storage of responses and have no bearing on whether a resource is initialized with an insecure default value."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1188",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates the specific insecure-default case of default accounts, but CWE-1188 covers many other resource types that this single control leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-119",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.3.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly calls for preventing buffer overflows via input validation on malformed messages, blocking most CWE-119 instances in the signaling path, yet the weakness is far broader than one server control can fully close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1193",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Secret-management least-privilege rules address credential access and have no bearing on hardware power-on sequencing or fabric-control initialization timing."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-120",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V5.2.1 limits uploaded file sizes to avoid resource-exhaustion DoS and has no bearing on whether buffer-copy code performs size checks, so neither direction prevents the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1204",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.6.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V11.6.1 addresses only public-key algorithm selection and key generation, while CWE-1204 concerns IV unpredictability for symmetric primitives that use IVs; the two domains share no overlap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1209",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Disabling debug modes mostly blocks the covert debug use of reserved bits, yet the hardware-specific design flaw in CWE-1209 is only one facet addressed by the broader software-oriented control, so the overall extent is partial."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-122",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.4.1 directly mandates the exact safe-memory practices that eliminate heap overflows, fully preventing CWE-122 when implemented, yet one verification outcome still leaves residual risk from design or allocation errors outside its scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1220",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.7.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Memory encryption neither implements nor refines access-control granularity, so it neither prevents the CWE nor removes any of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1220",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "An allowlist for backend communications directly enforces granular outbound access control, preventing CWE-1220 in that scope, yet the weakness spans all access-control domains, so one control leaves residual risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1220",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A supplies one narrow allow-listing control for backend outbound access, which can mitigate insufficient granularity only in that specific scenario (partial prevention); the broad CWE weakness spans all access-control policies and cannot be removed by this single backend configuration alone (none)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1220",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces least privilege only for secrets so it blocks insufficient granularity solely for that asset class (partial forward); the same narrow scope removes only a fraction of the broad CWE risk surface (partial reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1220",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A touches access controls only narrowly for sensitive data in logs, so it can partially block one facet of insufficient granularity but leaves the broad weakness untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1220",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Log protection is a narrow integrity control on one asset type and neither eliminates nor is hindered by overly-broad access-control policies elsewhere in the system."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1220",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V8.4.2 adds contextual/multi-layer checks for admin interfaces that can partially mitigate overly broad policies, but does not address or prevent the general design flaw of insufficient access-control granularity across assets."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1229",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V10.4.4 restricts OAuth grant types for a client while CWE-1229 concerns any indirect creation of attacker-usable resources; the two are unrelated."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1229",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V13.2.3 addresses only default credential usage in service auth and has no bearing on unintended resource creation or policy-violating emergent resources."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1229",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.3.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Locking directly stops logic-driven double-booking (mostly preventing this manifestation of the CWE), yet it covers only one narrow resource scenario out of the weakness's many possible emergent-resource vectors (partial coverage overall)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1229",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.4.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Anti-automation limits excessive calls that could create or abuse emergent resources, mitigating one exploitation path but not preventing the underlying design flaw that produces such resources."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1230",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V12.1.5 directly eliminates SNI metadata exposure in TLS handshakes (one narrow facet of CWE-1230) but leaves all other metadata vectors untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1230",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Least-privilege controls on secret assets address direct access but have no bearing on metadata-derived exposure."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1230",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's privacy/access controls for sensitive data can touch metadata exposure in logs or defined protection levels (partial forward) but do not specifically mandate metadata-limiting measures, leaving the core CWE-1230 risk untouched (none reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1230",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly removes sensitive metadata from the exact file-upload scenario CWE-1230 describes, yet only covers one source of metadata exposure and therefore leaves the broader weakness only partially addressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1230",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "CORS header rules can block one vector of direct sensitive-data leakage in cross-origin responses but do not address metadata exposure at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1236",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.10",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.2.10 directly mandates the exact escaping rules that eliminate CWE-1236, so the control fully prevents this narrowly-scoped weakness and the weakness is fully prevented by this control alone."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-124",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly targets safe string/memory operations to eliminate buffer under/over-flow defects and so mostly prevents CWE-124; the single control still leaves other root causes (index math, third-party libraries, design) and so only partially mitigates the full weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1241",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.5.1",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V11.5.1 directly mandates CSPRNG usage (eliminating predictable algorithms) while CWE-1241 describes exactly that single defect, so the control both fully prevents and fully covers the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1241",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.5.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires the RNG to remain secure under load (touching predictability only indirectly) while B is a fundamental algorithm-design flaw that load testing alone does not eliminate."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1241",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG use for MFA secrets and thus eliminates predictable RNG in that scope, while B is a broad RNG weakness whose total risk is only partly addressed by one narrow control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1241",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG+entropy for session tokens, eliminating predictable RNG in that scope, but B is a device-wide weakness that A only partially constrains."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1242",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly targets undocumented auth pathways (preventing that slice of B) but leaves all non-auth undocumented features untouched, so each direction rates only partial."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1250",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Time-sync logging addresses only timestamp consistency for event records and does not prevent general shared-state or cache divergence across distributed components."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1250",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.3.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Transactional atomicity at business-logic level directly eliminates most opportunities for divergent shared-state copies, yet the weakness also encompasses replication timing, cache invalidation and non-transactional sync paths that one control cannot fully close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1250",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.3.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces consistency for one narrow class of shared resource counts via locking, preventing that specific manifestation of B, while B's broad distributed-state consistency risk is untouched by this single business-logic control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1250",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "HTTP message-boundary validation targets request smuggling via header parsing and has no mechanism that touches distributed state/cache consistency."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1250",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Session-management documentation in federated SSO systems has no bearing on consistency of independent shared-state replicas across distributed components."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1250",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.6.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A touches only auth-session lifetime consistency between IdP/RP while B is a broad distributed-state consistency flaw across any data."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1254",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mandates exact string comparison for one narrow case, eliminating stepwise timing flaws there but leaving the general CWE-1254 weakness untouched elsewhere."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1256",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V11.2.5 addresses only crypto-module error handling while CWE-1256 concerns hardware interface exposure for power/clock/memory/side-channels; the two domains do not intersect."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1258",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Validated crypto libraries/accelerators reduce exposure risk for crypto material but do not address hardware debug-clearing behavior; the CWE is a low-level hardware design flaw outside the scope of a single app-level crypto requirement."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1258",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires HSM isolation to keep keys from leaving the module, indirectly reducing exploitability of uncleared debug values, while B is an unaddressed hardware debug-clearing flaw outside the scope of the secret-management control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1258",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "DTLS key-management policy has no bearing on hardware debug-register clearing, so neither direction prevents the other at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1272",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V14.2.4 specifies logging/access/privacy controls for sensitive data but never addresses clearing during debug/power transitions, leaving CWE-1272 untouched in both directions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1275",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.3.2",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A is the exact verification step that enforces the SameSite attribute setting whose absence defines B, so the control directly eliminates the weakness with no remaining facets."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1279",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mandates use of validated crypto libraries/hardware but says nothing about readiness/sequencing checks, so it neither prevents CWE-1279 nor removes any of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1284",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly implements range/sign validation on quantity inputs to block overflows, eliminating most of that defect, yet B spans additional quantity properties (e.g., semantic correctness, units) that A does not address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1284",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.1.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation of quantity-validation rules guides correct implementation (partial forward) but does not itself perform validation or guarantee the code follows the rules (partial reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1284",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.1",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Fully implementing the broad input-validation control directly eliminates the narrow quantity-validation defect for all inputs (L2+), and conversely that single control removes the entire risk of CWE-1284."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1284",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.2",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "General trusted-layer input validation directly eliminates quantity-validation defects (full prevention) yet still leaves open the possibility of incomplete property checks or edge-case gaps for this narrow weakness (mostly)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1284",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.3.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Locking mitigates exploitation of quantity manipulation in limited-resource flows but does not address or eliminate the input-validation defect itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1284",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation of size limits addresses one facet of quantity validation for uploads (partial prevention of the weakness being introduced) but removes essentially none of the broad coding flaw's risk by itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1284",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Enforcing password length requires validating one specific quantity, so A only partially addresses B's general validation flaw while leaving all other quantity inputs untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1284",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.7.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mandates one narrow length check for nonces while B is a general failure to validate any quantity field; the two are unrelated."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1285",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's overflow-focused sign/range checks catch one narrow failure mode that can produce bad indices, while B's broader requirement for validating index/offset properties is not addressed by that single control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1285",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Caching rules for content-type and non-existent files have no bearing on index/offset validation in buffers or files."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1285",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation of validation rules can guide correct index handling and thus reduce likelihood (partial), but supplies none of the actual runtime checks required to close CWE-1285."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1285",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Broad input-validation rules directly cover index/offset checks and therefore eliminate most instances of CWE-1285, yet a single general control still leaves some risk if the specific index properties are not explicitly enumerated."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1285",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.2",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Server-side input validation directly eliminates the specific index/offset validation defect; the weakness's total risk is only mostly removed because correct validation rules for indices must still be explicitly authored."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1285",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.3.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces path validation for one narrow file-decompression scenario that falls under CWE-1285, eliminating that facet but leaving the broad class of index/offset validation defects untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1286",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Canonical decode-before-validation architecture eliminates one encoding bypass vector for syntactic checks but does not itself perform or guarantee syntactic validation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1286",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A implements range/sign checks solely to block integer overflows while B is a distinct syntactic-format validation failure, so the control neither prevents nor meaningfully mitigates the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1286",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A performs one narrow, protocol-specific validation and neither stops the general class of syntactic-input flaws from appearing elsewhere nor removes more than a negligible slice of that broad weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1286",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documented syntax rules guide developers but do not implement runtime checks, so the control only partially reduces the chance of the weakness while removing none of its actual implementation risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1286",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Control directly requires server-side input validation, blocking the core omission in CWE-1286, yet leaves open the possibility of incorrect syntactic rules and addresses only one facet of the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1286",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly requires syntax validation for postMessage (eliminating B in that interface) while B is a broad input-syntax weakness that one narrow browser control only partially covers."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1286",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.4.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces syntactic validation only for filenames in downloads (one narrow facet of B), while B spans all input syntaxes so a single control removes only limited risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Canonical decoding before validation can make subsequent type checks effective but does not implement or require any type validation itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's overflow-focused range/sign checks incorporate limited input validation that can incidentally address numeric type issues, but A does not target or broadly mitigate the general type-validation weakness described by B."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.1.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation of validation rules reduces likelihood of type-validation defects by defining expected checks but does not implement or enforce them in code, addressing only one narrow facet of the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Enforcing input validation at the trusted layer directly targets and removes most type-validation defects, yet the single general control only partially closes the weakness because it does not guarantee every type-specific check or edge case."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact type/content validation that B describes for file inputs, fully eliminating the weakness in that scope, while B spans all input types so one file-specific control removes only part of its overall risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1288",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "TLS certificate validation is transport-layer crypto hygiene and has zero overlap with consistency checks on multi-field application inputs."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1288",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Enforcing trusted-layer input validation directly eliminates most consistency-validation defects, yet the single broad control still leaves risk from incomplete or narrowly scoped checks that do not cover every consistency requirement."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1288",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces HTTP header consistency to block splitting/injection, eliminating most instances of that CWE facet, yet B spans arbitrary multi-field inputs far beyond HTTP/2-3 headers so one narrow control leaves the general weakness only partially addressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1289",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V10.4.6 mandates a narrow OAuth/PKCE check for code_challenge/verifier that neither implements nor broadly addresses general unsafe-equivalence validation of arbitrary resource identifiers."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1289",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mandates one correct equality check for the OIDC aud claim, blocking that narrow instance of improper equivalence validation, while B spans arbitrary inputs and identifier contexts that A never touches."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1289",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.2",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Server-side input validation directly requires proper equivalence/canonicalization checks, eliminating most of this narrow validation defect while the control itself is not CWE-specific."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1289",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.4.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires allow-list validation of Origin values and therefore removes the CWE in the CORS path, yet only addresses one narrow instance of unsafe-equivalence checking."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1289",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.6.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "SRI-based external-resource integrity has no bearing on input-equivalence validation for resource identifiers."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1289",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's content/magic-byte checks mitigate some file-type equivalence bypasses during uploads, but B is a broad input-canonicalization weakness that one narrow upload control leaves almost entirely unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1289",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A implements allow-list validation for one narrow class of token metadata inputs, blocking that specific attack vector but leaving the broad equivalence-validation weakness untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1289",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V9.2.2 implements one narrow token-type check that can block a subset of token-related equivalence failures, but CWE-1289 is a broad input-equivalence weakness across all identifiers and this single control removes none of its overall risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1295",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Disabling debug modes in production directly eliminates exposure from this exact weakness (full), yet the underlying coding defect can still exist in source or non-prod environments and may require message sanitization as well (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1299",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Least-privilege access rules for secrets have no bearing on hardware-level alternate interface protections or bypass paths."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1299",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "HSM-based key isolation addresses only cryptographic secret exposure and shares no overlap with alternate hardware-interface bypasses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-130",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "postMessage origin/syntax checks address cross-origin trust, while CWE-130 concerns length-field parsing mismatches; the two share no technical overlap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-130",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.2.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces correct Content-Length vs. actual length handling for HTTP, eliminating most instances of the weakness in that domain, yet B spans arbitrary message formats beyond HTTP so one protocol-specific control removes only part of its total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-130",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A eliminates inconsistent lengths only in generated messages (addressing one facet of smuggling risk) while B describes a parser-side flaw that A does not modify or correct at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1321",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.6",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V15.3.6 directly mandates code-level verification that eliminates prototype-pollution vectors, while CWE-1321 encompasses broader input-handling and attribute-control issues beyond any single coding pattern."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1322",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's connection-timeout/retry rules can mitigate blocking on service calls but do not stop developers from inserting blocking calls elsewhere in a single-threaded event loop."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1325",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A only documents connection-pool limits for DoS avoidance and has no bearing on per-object memory-allocation code that lacks aggregate caps."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1325",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Connection-configuration controls address external service limits and retries but have no bearing on arbitrary per-object memory allocations or their aggregate bounds."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1325",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.4.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Anti-automation rate-limits calls and can therefore blunt memory-exhaustion exploits, yet leaves the underlying allocation flaw untouched; the coding defect itself is unaffected by call-rate controls."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1336",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.10",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.3.10 targets only format-string sanitization while CWE-1336 concerns template-engine syntax, so the control neither prevents nor meaningfully mitigates the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1336",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.2",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly requires avoidance or sanitization of template expressions like SpEL, eliminating the weakness when fully applied, yet B's broader template-engine surface leaves a small residual risk unaddressed by this control alone."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1336",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.7",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly targets template injection via avoidance or sanitization and so mostly prevents the weakness; the weakness spans all neutralization edge cases and engine-specific syntax that this single control only partially closes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Publicly trusted TLS certs directly eliminate one narrow trust failure (impersonation of external endpoints) but do nothing to prevent the broad range of supply-chain, updateability, or maintainability defects covered by CWE-1357."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation of update timeframes addresses one narrow facet (updateability planning) and therefore only partially prevents the weakness from remaining exploitable, while removing essentially none of the weakness's broader risk around component selection and trustworthiness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks untrusted sources via SBOM/repo verification, preventing most introductions of the weakness, yet B spans additional trustworthiness facets (vetting, maintenance, reliability) that one control does not fully close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses one narrow trust issue (IP provenance from proxies) so only partially prevents introduction of the broad reliance weakness; the weakness spans many component types and properties that this single control does not touch."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.4.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Log-encoding control addresses only injection in logs and neither prevents nor mitigates reliance on untrusted components."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.4.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Log protection transmits logs off-system but has no bearing on component selection or trustworthiness, so neither direction prevents the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.7.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "HSTS preload list membership addresses only transport-layer enforcement and has no relation to component trustworthiness or supply-chain risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V8.4.2 directly discourages sole reliance on network/endpoint trust for admin access and therefore partially prevents that narrow facet of CWE-1357, yet the single control removes essentially none of the weakness's broad architectural risk around any untrustworthy component."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-138",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.12",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses only regex backtracking performance while B is a broad neutralization flaw for control/syntactic elements; the two share no overlap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1385",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.4.2",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Control A directly implements the exact Origin-header check whose absence defines CWE-1385, eliminating the weakness when fully applied, yet the weakness description still admits other validation gaps (e.g., post-handshake or non-Origin checks) that one control does not close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1386",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.3.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mitigates generic path traversal during decompression and can incidentally block some junction-based escapes, yet leaves the core Windows junction/mount-point resolution flaw untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1390",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V10.3.4 mostly prevents weak auth from remaining exploitable by enforcing verification of acr/amr/auth_time claims on tokens, yet only partially addresses the broad CWE-1390 because many other weak-auth vectors exist outside OAuth resource-server token checks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1390",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates untrusted mTLS cert use (preventing that facet of weak auth), yet B spans many other auth mechanisms this single control leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1390",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates strong per-service auth for backend channels and thereby eliminates weak-auth defects in that scope, yet CWE-1390 spans all authentication surfaces so one backend-only control removes only a fraction of the weakness's total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1390",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A eliminates one narrow weak factor (email) so only partially blocks the general weakness; B's broad risk surface is untouched by this single rule."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1390",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A eliminates only the narrow KBA/secret-question facet of weak authentication, so it addresses one contributor to CWE-1390 without covering the weakness's broader scope of insufficient identity proofing."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1390",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly strengthens identity proofing only for MFA recovery flows, eliminating that narrow slice of CWE-1390 but leaving enrollment, factor strength, and other auth paths untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1390",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.8.4 directly enforces verification of IdP-provided strength claims (or safe fallback), eliminating most weak-auth defects in that usage pattern, yet leaves the broad CWE-1390 surface (non-IdP mechanisms, broken protocols, missing multi-factor, etc.) only partially addressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1390",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.6.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V7.6.1 only governs session lifetime/re-auth timing in federated flows and does not strengthen or validate the underlying identity-proofing mechanism that CWE-1390 concerns."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1390",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces correct token-type usage for authentication decisions and therefore blocks one narrow class of token-related authentication failures, but leaves the broader weakness (any insufficient proof of identity) largely untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1391",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Password-change capability lets users replace defaults (partial prevention of one facet) but does nothing to stop hard-coded or initially weak credentials from existing."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1391",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mitigates exploitation of guessable creds via rate limiting but does not stop their introduction, while B is a design/implementation flaw unaffected by runtime brute-force controls."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1391",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Control A directly removes default accounts (a core CWE-1391 example) and so prevents most instances, yet the weakness also covers hard-coded/derived/guessed creds beyond defaults, so one control addresses it only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1391",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A eliminates one narrow class of guessable KBA secrets but leaves defaults, hard-coded values and other weak-credential vectors untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1392",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly bans unchanging/default credentials for backend components and therefore removes most instances of CWE-1392 in that scope, yet the weakness also covers defaults in user accounts, admin interfaces and other surfaces that this single control leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1395",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation of remediation timelines addresses one management facet (forward partial) but alone removes none of the actual dependency risk (reverse none)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1395",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A only tests one narrow DTLS race condition and therefore catches at most one instance of a vulnerable component, while B spans any third-party dependency and is not addressed by this single verification."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-142",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.10",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly implements delimiter/special-char neutralization for CSV exports, thereby preventing CWE-142 in that context, yet B spans arbitrary downstream components beyond spreadsheets so one control covers only part of the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1429",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Cryptographic library validation has no bearing on hardware-interface feedback omissions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1429",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Application-level error logging has no bearing on hardware-interface silent-discard behavior, so neither direction prevents the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1431",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Validated crypto implementations largely avoid flawed hardware modules that leak intermediate state, yet the single control does not encompass hardware design verification or all leakage vectors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1431",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V13.3.3 mandates use of an HSM/vault solely to protect key material, while CWE-1431 describes a hardware-level output-leak flaw inside the module itself; the control neither eliminates nor meaningfully mitigates that specific leakage vector."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-150",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.10",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.2.10 directly requires neutralization of the exact escape/meta sequences for CSV/spreadsheet output and therefore mostly prevents CWE-150 in that narrow case, yet the weakness is broader and this one control removes only a fraction of its total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-150",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.12",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.3.12 narrowly targets ReDoS-safe regex patterns and input length limits, while CWE-150 concerns failure to neutralize escape/meta sequences for downstream interpreters; the two address unrelated attack surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-153",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.10",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates neutralization of the exact substitution characters that trigger CWE-153 in CSV exports, but B spans many other substitution contexts outside spreadsheet output."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-153",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.9",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A supplies regex-specific escaping that neutralizes one narrow class of substitution metacharacters, so it only partially blocks introduction of CWE-153 while the broad weakness spans many other substitution contexts that A leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-158",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.10",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates null-byte escaping for CSV/spreadsheet output and thereby blocks CWE-158 in that narrow channel, yet the weakness spans arbitrary downstream components that A never addresses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-164",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation of input-validation rules can indirectly reduce incidence by guiding format checks that may incidentally reject dangerous internal elements, yet supplies no implementation of neutralization and therefore removes essentially none of the weakness's risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.1.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Output encoding as a final step can reduce exploitability of some alternate-encoding bypasses but does not address or prevent the input-handling defect itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces context-specific output encoding for URLs (one narrow facet of encoding hygiene) so it only partially blocks exploitation of CWE-173; the weakness itself is an input canonicalization problem whose broad risk is untouched by this single output control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.10",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Sanitizing format strings addresses a narrow class of interpretation risks unrelated to alternate-encoding handling, so the control neither prevents CWE-173 nor removes any meaningful portion of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Whitelisting safe characters after input can block many encoded payloads but does not guarantee prior normalization/decoding, leaving both the control's preventive power and the weakness's residual risk only partially addressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V14.2.5 configures cache behavior and error responses for content-type safety; CWE-173 is an input-encoding validation defect unrelated to caching."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-177",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces correct output encoding when emitting URLs while B concerns failure to interpret URL-encoded input, so the control neither prevents nor meaningfully mitigates the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-179",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.1.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces decode-before-validate order and therefore mostly blocks CWE-179, yet the weakness also covers other pre-validation transforms that this single control does not address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-179",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.11",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Sanitization (A) supplies one needed protection step and therefore only partially blocks the early-validation ordering defect, while the broad order weakness (B) is not addressed at all by this narrow mail-specific control alone."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-179",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Sanitization supplies the missing protection step but does not enforce correct ordering relative to validation, so it only partially blocks the weakness while the weakness itself is an ordering defect that sanitization alone does not prevent."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-179",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A specifies allow-list validation plus sanitization for SSRF and therefore touches the validation-before-modification problem only in one narrow case, while B describes a broad class of ordering defects that this single control leaves almost entirely unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-179",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.8",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces correct-order sanitization for one narrow injection class (JNDI), thereby partially blocking the early-validation pattern in that setting, yet A is too specific to address the general validation-before-modification weakness at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-179",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces trusted-certificate checks before mTLS identity use, while B concerns premature validation before canonicalization/modification; the two address unrelated ordering problems."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-179",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V14.2.5 addresses cache-configuration rules for content-type and non-existent paths; CWE-179 concerns validation-before-sanitization ordering, so the two share no causal link in either direction."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-179",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Full input validation (A) requires effective checks after any modifications, eliminating most early-validation bypasses, yet the narrow ordering flaw (B) is only one facet of validation risk so a single control removes it only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-179",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.3.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Business-logic step-order enforcement has no bearing on whether validation occurs before or after input-modification routines."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-179",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.7.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A is a narrow redirect-allowlist requirement unrelated to validation ordering, so it neither prevents CWE-179 nor removes any measurable portion of that weakness's risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-180",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.1.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates canonicalization before any validation/processing, eliminating CWE-180's exact ordering flaw; yet one narrow control cannot remove every possible facet of incorrect canonicalization/validation sequencing risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-180",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.8",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.3.8 addresses JNDI-specific sanitization and configuration; CWE-180 is a generic validation-order flaw unrelated to JNDI handling or injection defenses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-180",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V12.1.3 addresses mTLS certificate trust validation before authz use; CWE-180 is a generic validate-before-canonicalize ordering flaw in input handling\u2014neither control nor weakness touches the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-181",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V12.1.3 enforces trusted-certificate validation before mTLS identity use, while CWE-181 concerns validation occurring before (rather than after) a filtering step; the two address unrelated ordering problems."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-181",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "TLS client certificate validation and validate-before-filter are unrelated concerns in separate domains with no overlap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-182",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V15.3.4 addresses trusted IP propagation for logging/rate-limiting and has no bearing on data-collapse filtering defects described by CWE-182."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-183",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.5.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Full safe-deserialization enforcement requires a correctly scoped object-type allowlist, thereby eliminating most instances of CWE-183 within deserialization, yet the same weakness can still exist in any other allow-list feature outside that single control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-183",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "The control mandates an allow-list for origins but neither eliminates the possibility of that list being too permissive nor addresses the general CWE of permissive allow-lists."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-184",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Logging rules for sensitive data have no bearing on the completeness of input-disallow lists or the input-validation weakness they leave open."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-184",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces proper CORS preflight triggering via header checks and is unrelated to maintaining complete denylists of disallowed inputs."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-184",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.4.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A implements an allowed-origin whitelist for WebSocket, directly avoiding any reliance on an incomplete disallowed-input blacklist, yet addresses only this narrow case and leaves the general CWE-184 risk elsewhere untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-187",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Exact-match allowlist validation directly eliminates partial-string redirect-URI flaws (full), yet CWE-187 spans many other comparison contexts that this single control leaves untouched (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-190",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.2.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A bounds image dimensions before size calculations, eliminating one narrow overflow path in uploads, while CWE-190 spans arbitrary arithmetic throughout an application."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-193",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Password-length rules address authentication policy and have no relation to off-by-one calculation defects in code."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.9",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Token revocation mitigates one narrow post-compromise exposure path but neither stops CWE-200 from being introduced nor addresses the weakness's many other causes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.7.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Memory encryption addresses only the in-use memory facet of the broad CWE-200 exposure weakness, so the control prevents one slice of the weakness (partial) while the weakness itself is only fractionally mitigated by this single narrow control (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.1.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation of requirements can indirectly reduce exposure likelihood via better planning but removes none of CWE-200's actual risk, which stems from implementation flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V14.2.4 mostly prevents CWE-200 via its explicit access-control and protection requirements for sensitive data, yet only partially addresses the weakness because many exposure vectors (error messages, side channels, etc.) lie outside this single documented-data control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-201",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.3",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly verifies and blocks the exact transmission behavior described by CWE-201, but a single verification control cannot cover every possible data-flow path or actor classification that contributes to the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-204",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks one narrow source of leakage (docs/monitoring endpoints) that could produce observable discrepancies, but leaves the general CWE-204 weakness untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-205",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses only context-specific content rendering controls while B concerns any observable behavioral differences that leak state, so the two share no overlap in either direction."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-207",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "TLS cipher standardization can reduce one observable handshake discrepancy vector but leaves the broad behavioral-fingerprinting weakness untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-207",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Disabling introspection removes one observable GraphQL-specific behavior (partial prevention of that discrepancy vector) but addresses only a narrow slice of the broad CWE-207 class of product-identifying differences."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-208",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates timing leaks by mandating constant-time crypto operations, but B covers observable timing discrepancies in any code path beyond cryptography."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-209",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.5.1",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V16.5.1 directly mandates the exact behavior (generic error messages with no sensitive data) that eliminates CWE-209, so the control both fully prevents the weakness and removes essentially all of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-210",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.5.1",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V16.5.1 directly mandates the exact behavior (generic messages with no sensitive data) that eliminates CWE-210, so the control both fully prevents the weakness and removes essentially all of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-211",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.5.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly suppresses exposure of external error content via generic responses, preventing exploitability of CWE-211 in most cases, yet the weakness spans interpreter-level messages outside product control so one error-handling outcome removes only part of the total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-212",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates removal of sensitive metadata from user files, eliminating the weakness for that vector, while CWE-212 spans many other storage/transfer scenarios that one control cannot fully close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-212",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.3.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V14.3.3 directly verifies removal of sensitive data from browser storage and therefore mostly prevents CWE-212 in that setting, yet only partially covers the weakness's full scope across arbitrary storage/transfer surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-213",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.1.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Classification forces explicit consideration of stakeholder/regulatory sensitivity views (mostly preventing policy mismatch), yet leaves enforcement, design decisions, and runtime exposure vectors unaddressed (only partial prevention of the full weakness)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-213",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mitigates one exposure vector (improper logging of sensitive data) but does not address policy mismatches in other functionality, so it prevents only part of CWE-213 while CWE-213's breadth means a single logging control removes only part of the risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-213",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.5.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A stops one narrow exposure vector (error messages) but does not address policy incompatibility, so B's root cause remains untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-213",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.1.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses one narrow transport-leakage scenario that can result from policy mismatch, but does not define or reconcile stakeholder policies so cannot prevent CWE-213 itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-214",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Parameterized OS calls directly avoid visible command-line args (mostly preventing B) but leave env vars and other visibility vectors unaddressed (only partial prevention of the full weakness)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-215",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Disabling debug modes in production fully eliminates exploitability of any sensitive data left in debug code, yet the control does nothing to stop the insertion itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-219",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Allow-listing external comms/file targets neither stops developers from placing sensitive files under the web root nor removes the exposure that placement creates."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-22",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.3.2",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V5.3.2 directly mandates the exact pathname neutralization that eliminates CWE-22, so the control fully prevents the weakness and the weakness is fully prevented by this control alone."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-226",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces metadata sanitization for one narrow file-upload scenario and therefore only partially blocks the general 'resource not cleared before reuse' weakness, which spans memory, files, and many other reuse paths."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-226",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.3.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly requires clearing of client storage resources on termination, eliminating most instances of CWE-226 in that scope, yet the weakness spans many other resource types (memory, files, etc.) that this single client-side control leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-23",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.3.2",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact avoidance or sanitization of untrusted path components that CWE-23 describes, fully eliminating the weakness when implemented, yet the single control still leaves a residual facet of risk around edge-case pathname canonicalization outside its file-storage scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-237",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's combination-reasonableness checks can catch some structural-input problems but do not address parsing, nesting, or element-order handling that defines CWE-237."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-250",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates unnecessary OAuth scopes so prevents that facet of CWE-250 mostly; the weakness spans many other execution contexts that one narrow OAuth rule cannot address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-250",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces least-privilege accounts for backend communications and therefore removes most instances of CWE-250 in that scope, yet the weakness can still arise in any other code path or component outside backend comms."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-257",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.4.2",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V11.4.2 mandates irreversible KDF hashing, which directly eliminates any recoverable password storage and thereby removes the entire risk described by CWE-257."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-257",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.4.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V11.4.4 governs KDF usage only when deriving crypto keys from passwords, while CWE-257 addresses recoverable (encrypted) password storage for authentication; the two share no technical overlap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A only mandates short-lived initial secrets and never touches the product's general password-aging interval, so it neither prevents CWE-263 nor removes any measurable portion of that weakness's risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-267",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Least-privilege assignment for backend accounts directly reduces unsafe privilege scope in that narrow domain but leaves the general CWE-267 risk (unsafe actions granted by any privilege) only partially addressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-267",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.7.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A is a browser redirect-warning control unrelated to privilege design, so it neither prevents CWE-267 nor removes any of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-267",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Token-type/purpose validation neither defines nor constrains the actions permitted by a privilege, so the two are unrelated."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-267",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Audience validation in tokens enforces intended service scope but has no bearing on how privileges are defined or whether they permit unsafe actions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-270",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Least-privilege accounts for backend links can reduce blast radius of a switching flaw but do not address the switching logic itself, so the control only partially mitigates introduction while removing essentially none of the weakness's core risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-280",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Password-change verification is unrelated to privilege-insufficiency handling and neither prevents nor mitigates CWE-280."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-280",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.3.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V8.3.3 enforces correct subject permissions for authorization decisions but does not address error handling or state transitions when those permissions are insufficient, leaving CWE-280 fully possible."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V10.3.5 directly eliminates token-theft/replay vectors via sender-constrained tokens, preventing that facet of improper access control, yet CWE-284 spans many unrelated access-control failures this single OAuth control leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V10.5.1 directly eliminates replay via nonce for OIDC (one narrow facet of improper auth) so prevents CWE-287 only partially; the broad CWE spans many auth failures this single protocol-specific check cannot close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces correct identity proofing via unique non-reassignable OIDC claims, blocking most improper-authentication defects in that context, yet leaves the remainder of CWE-287's many other authentication vectors untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V10.5.5 directly enforces correct validation of OIDC logout tokens, blocking one narrow slice of authentication failures, yet leaves the broad CWE-287 surface (login, session, API, etc.) untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.4.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V11.4.3 specifies only collision-resistant hash lengths for signatures/integrity and does not address identity verification or proof mechanisms at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces trusted mTLS certificate validation and therefore blocks one common vector of improper authentication, yet addresses only a narrow facet of the broad CWE-287 weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.4.4 directly enforces proper identity proofing only during MFA-factor recovery (one narrow facet of authentication), so it partially blocks CWE-287 in that scenario while removing only a small slice of the weakness's overall risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "The control directly strengthens only one narrow facet of MFA (entropy of lookup/OOB secrets) and therefore only partially blocks introduction of that specific flaw, while CWE-287's broad scope across all authentication mechanisms means this single requirement removes essentially none of the weakness's overall risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Lifetime limits address one narrow facet of token misuse but leave the broad space of identity-proof failures untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.7",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.5.7 directly blocks one narrow biometric-primary failure mode of improper authentication (partial prevention) but leaves the vast majority of CWE-287 surfaces untouched (none of total risk removed)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates unsigned/invalid assertion attacks (one facet of CWE-287) but leaves all other improper-auth vectors untouched, so each direction rates only partial."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces verification of IdP auth claims (or safe fallback), eliminating most improper-auth defects in IdP flows, yet CWE-287 spans many other auth surfaces this single control leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.6.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces re-auth timing in federated sessions, mitigating only one narrow facet of improper auth; the broad CWE-287 weakness spans initial identity proof, credential handling, and many other vectors untouched by this control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-288",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V12.1.3 only enforces trusted mTLS certificate validation on its own channel and has no bearing on the existence or closure of any alternate unauthenticated path."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-288",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Control eliminates bypass only via the password-reset channel while CWE-288 covers any alternate unauthenticated path, so each direction addresses merely one facet."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-288",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.6.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly hardens one common class of alternate channel (SMS/PSTN OTP) via validation and deprecation rules, thereby preventing that slice of CWE-288, yet leaves other bypass paths untouched so neither direction reaches mostly."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-289",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V10.3.2 enforces OAuth claim-based authorization decisions while CWE-289 is a name/alias handling flaw in authentication; the two mechanisms do not intersect."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-289",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Password-reset MFA enforcement has no bearing on name canonicalization or alternate-identifier checks during authentication."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-289",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.3.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V8.3.3 enforces propagation of the original subject's identity for authorization decisions, while CWE-289 is a name-canonicalization flaw that allows authentication bypass regardless of whose permissions are later consulted."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.16",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates replay-resistant public-key client auth that eliminates OAuth client spoofing, but CWE-290 spans many other auth schemes and vectors outside this control's scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Nonce validation directly blocks ID-token replay (a spoofing vector) in OIDC flows, yet leaves other spoofing techniques and broader auth-bypass surfaces untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.4.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Strong hashes block signature forgery or integrity tampering that could enable some spoofing, yet CWE-290 covers many unrelated vectors (protocol flaws, missing identity checks) that this single crypto rule leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Password-reset recovery that preserves MFA neither targets spoofing vectors in auth schemes nor removes any of the root causes of CWE-290."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.16",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mandates replay-resistant client auth (mTLS/PK-JWT), directly eliminating capture-replay for OAuth; CWE-294 spans many other auth surfaces this single control leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates replay of OIDC ID tokens via nonce validation, fully preventing CWE-294 for that mechanism, yet only partially addresses the broader weakness across other auth protocols and tokens."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-297",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly implements the missing certificate-to-identity binding check for DTLS/SDP media, thereby blocking that specific manifestation of CWE-297, yet only covers one narrow protocol scenario out of the weakness's broad scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-299",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates proper revocation checking via OCSP Stapling and therefore eliminates CWE-299 when fully implemented; the single control still leaves room for incorrect-check variants outside stapling configuration."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-300",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates endpoint verification via strong mutual auth for internal channels, eliminating most of this weakness in that scope, yet B spans any channel plus integrity failures that one service-mesh control does not fully close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-302",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V7.2.4 addresses only session-token regeneration on auth events and has no bearing on weaknesses that arise from assuming arbitrary data elements are immutable."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-304",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces one specific authentication step (session regeneration) so prevents that facet of CWE-304, yet leaves all other possible missing steps unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-305",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks one recovery-specific bypass vector but leaves all other primary weaknesses untouched, so it only partially prevents the broad CWE-305 class while CWE-305's total risk is reduced only partially by this single narrow control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-305",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A eliminates session fixation (one primary weakness enabling auth bypass) but leaves all other bypass vectors untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-306",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.16",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates strong authentication for the OAuth authorization server (a critical function), eliminating most instances of CWE-306 there, yet only addresses one narrow slice of the broad weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-306",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A only ensures correct trust validation when mTLS certificates are already used for auth, so it neither introduces nor covers the absence of authentication required by B."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-306",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Removing extraneous/dev functionality eliminates the most common source of unauthenticated critical endpoints, but leaves the broader weakness unaddressed on required production functions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-306",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A adds authentication to one specific critical function (password change) and therefore only partially blocks introduction of CWE-306, while the broad weakness spans many other functions that A does not touch at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-306",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.4.4 only governs identity-proofing during MFA-factor recovery and does not address whether authentication exists for critical functions at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks undocumented single-factor paths by mandating consistent strength across pathways, but leaves single-path or policy-decision cases of CWE-308 unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.6",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A bans only email as a factor and therefore blocks the single-factor case that uses email but leaves all other single-factor schemes untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.4.2 only disallows hints/KBA in recovery flows and has no bearing on whether the primary login uses single-factor authentication."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A protects an already-enabled MFA path during reset but never requires or enforces multi-factor authentication, so it neither prevents nor meaningfully mitigates CWE-308."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.6.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.6.4 only hardens an already-deployed MFA channel and never addresses whether single-factor authentication is used at all, so neither direction removes any of CWE-308."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces IdP claim checks (or safe fallback) so largely eliminates single-factor use when stronger auth is required; B remains only partially addressed because the weakness also arises in non-IdP flows and broader auth design."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-312",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A eliminates cleartext metadata exposure for one narrow resource type while B spans all storage locations, so each direction addresses only a single facet."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-322",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V12.1.3 directly enforces trusted-certificate validation for mTLS client identity, eliminating the unauthenticated key-exchange flaw in TLS contexts; CWE-322 remains broader and spans non-TLS protocols and other authentication gaps."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-323",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.3.4",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly verifies nonce/IV non-reuse and appropriate generation, eliminating CWE-323; the weakness's full risk also includes surrounding key-lifecycle and protocol choices outside this single control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-323",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses SAML assertion replay via unique IDs while B is a cryptographic encryption-nonce reuse flaw; the control neither implements nor constrains nonce/key handling in ciphers."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-326",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V11.4.2 mandates strong password hashing (a KDF for stored credentials) while CWE-326 concerns an otherwise sound encryption scheme used with inadequate strength (e.g., key size) for the protection required; the two address separate cryptographic mechanisms with no overlap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-326",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.1.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documenting required encryption strength guides choices but does not enforce correct implementation or address algorithm selection, key management, or other root causes of CWE-326."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-326",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.4",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly requires verification of encryption controls matched to data protection level, eliminating most instances of inadequate strength, while also encompassing many unrelated data-protection facets."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-328",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.3",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Mandating 128-bit security primitives directly eliminates weak-hash algorithms, but the control is broader than hash selection alone."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-328",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A forces strong hashing only for low-entropy lookup secrets in MFA storage, eliminating CWE-328 in that narrow case but leaving the broad weakness untouched elsewhere."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-329",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.6.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V11.6.1 addresses only public-key algorithms, key generation and digital signatures; it has no bearing on IV generation or CBC-mode symmetric encryption, so neither direction shows any preventive effect."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-331",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.3.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires appropriate generation (hence some entropy) only for nonces/IVs; that narrow, incidental effect does not amount to preventing CWE-331, whose general insufficient-entropy weakness in every other random value is left untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-331",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.5.2 only mandates salted hashing for already-low-entropy lookup secrets and never constrains entropy sources or generation, so it neither prevents CWE-331 nor removes any of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-332",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.5.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG usage plus 128-bit entropy, eliminating CWE-332 when fully implemented, yet the weakness can still arise from entropy-source availability or integration flaws outside this single control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-332",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG + 128-bit entropy for session tokens, eliminating that specific instance of CWE-332, yet only covers one narrow usage of PRNGs so leaves the broader weakness largely unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-333",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.5.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Mandating a CSPRNG with 128-bit entropy means covered values are no longer drawn directly from a TRNG, so a TRNG stall or short read cannot surface in them as the CWE-333 defect; the control says nothing about how the CSPRNG's own seed source behaves when entropy is scarce, nor about TRNG output still consumed elsewhere."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-333",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces output entropy for specific auth secrets and therefore only indirectly touches RNG quality, while CWE-333 concerns general TRNG failure-handling behavior that A never addresses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-335",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.5.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Requiring CSPRNG + 128-bit entropy directly blocks predictable seeding, yet leaves other seed-management facets (source choice, reseeding, state protection) unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-335",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A forces CSPRNG + 128-bit entropy for session tokens (directly eliminating bad seeding in that scope), yet B is a general PRNG-seeding flaw that can appear in many other contexts one session control does not cover."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-336",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.5.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V11.5.1's CSPRNG + 128-bit entropy mandate directly blocks reuse of a fixed seed for security-sensitive values, but leaves other seeding or PRNG misuse paths unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-336",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG + 128-bit entropy for session tokens, eliminating same-seed predictability in that scope, yet B can still exist in any other PRNG usage outside sessions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-337",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.5.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Requiring CSPRNG + 128-bit entropy directly mandates non-predictable seeding and therefore eliminates CWE-337, yet the control still leaves open other seeding or PRNG-implementation mistakes outside its stated scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-337",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG use for TOTP/lookup seeds and thereby eliminates CWE-337 in that scope, yet the weakness exists in many other PRNG contexts outside MFA."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-337",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG + 128-bit entropy for session tokens, eliminating predictable-seed flaws in that scope (mostly), yet leaves the broader CWE-337 risk untouched in all other PRNG uses (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-338",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.5.1",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V11.5.1 directly mandates CSPRNG + 128-bit entropy for non-guessable values, which eliminates CWE-338 by definition in both directions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-338",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG + 128-bit entropy for session tokens, eliminating weak-PRNG use in that narrow scope; the CWE remains broader and can appear in any security context outside sessions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-339",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.5.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG + 128-bit entropy, eliminating small-seed PRNG defects for its scope, yet B's risk can still arise from non-covered PRNG usages or flawed seeding outside this control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-339",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG + 128-bit entropy for tokens, eliminating small seed space in that usage; B spans all PRNG applications so one control removes only part of its total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-340",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.3.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates appropriate (i.e., unpredictable) generation for nonces/IVs and thereby eliminates that facet of CWE-340, yet leaves the broader weakness untouched in all other identifier contexts."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-341",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Single-use enforcement for MFA tokens addresses replay/reuse but has no bearing on whether values are generated predictably from observable state."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-341",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG for auth secrets/codes/seeds, eliminating observable-state predictability for those items; CWE-341 remains broader and can still arise elsewhere."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-341",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Short lifetimes reduce the exploitation window for time-based tokens but do not address or eliminate the underlying predictability from observable state."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-341",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks client-time manipulation for TOTP predictability (mostly), yet CWE-341 spans many other observable-state vectors this single control leaves untouched (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-341",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.6.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.6.1 governs when/which OOB channels may be offered and does not constrain OTP generation or observable state, so it neither prevents CWE-341 nor removes any measurable portion of that weakness's risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-343",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.1.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates non-guessable transaction-specific secrets, eliminating predictable RNG for those OAuth values (mostly), yet CWE-343 is a general RNG flaw only narrowly addressed by one control (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-343",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.4.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A bars weak hashes (e.g., MD5), which at most removes one ingredient a hash-based home-grown generator might rely on; it does not govern random-number generation itself, so CWE-343 can still arise from non-hash PRNG algorithms, poor seeding, or state leakage that A never addresses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-343",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.5.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Mandating a CSPRNG with 128-bit entropy directly eliminates the observable-sequence predictability CWE-343 describes, yet a single generation control cannot address every possible observation or integration vector that contributes to the weakness's overall risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-343",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.5.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's narrow focus on RNG behavior under load is about the generator continuing to work (or failing safely) when demand is high; at most it limits predictability that might surface under stress, while B's fundamental algorithmic weakness is untouched by this single demand-oriented requirement."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-343",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mandates cryptographically secure random generation for initial secrets, directly blocking predictable-value flaws in that narrow scope, yet leaves the underlying RNG weakness untouched for all other uses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-343",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.5.2 addresses only secure hashing of stored low-entropy lookup secrets and has no bearing on RNG state or value predictability."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-343",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG for the listed auth values and thereby eliminates predictability for those generators, while B remains only partially covered because the weakness applies to any RNG in the product."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-343",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mandates CSPRNG + 128-bit entropy for session tokens, directly eliminating predictability (CWE-343) in that scope; the same control only partially prevents the weakness overall because the product's RNG could still be weak elsewhere."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-344",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates invariant static secrets for sessions by requiring dynamic tokens, but CWE-344 spans many other contexts that this single control leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly implements origin/syntax checks for postMessage and therefore eliminates most instances of the weakness in that interface, yet B is a broad, cross-cutting authenticity problem that one narrow browser control cannot fully close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-349",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.2.2 addresses URL encoding and safe-protocol restrictions to block injection, while CWE-349 concerns mis-trusting extraneous data mixed with trusted data; the two address unrelated failure modes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-349",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.7",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V10.4.7 directly forces validation of client metadata and untrusted-client warnings, eliminating most CWE-349 instances inside dynamic registration, yet leaves the broad weakness untouched in every other data-mixing context."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-349",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V17.2.4 tests robustness to malformed SRTP (availability), while CWE-349 concerns logical mixing of trusted/untrusted data sources; the two share no causal link."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-349",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.7.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A is a narrow UI notification for external redirects while B is a broad data-handling flaw about mixing trusted/untrusted inputs; the two share no causal relationship."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-349",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.3.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V5.3.1 addresses execution of uploaded files while CWE-349 concerns mixing trusted/untrusted data during processing; the two share no overlap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-349",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.3.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly stops client-side manipulation of authorization decisions (one facet of treating untrusted data as trusted) but is too narrow to address the broader data-mixing weakness described by B."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-351",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.5.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Consistent parser behavior (A) can reduce exploitability of some type-handling flaws during deserialization, yet A never enforces type distinction itself so leaves the core weakness (B) untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-352",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.2.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V10.2.1 directly eliminates CSRF for OAuth code flows via PKCE/state, but only addresses one narrow facet of the general CWE-352 weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-352",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.3.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "SameSite cookie attributes directly block most cookie-based CSRF vectors, but SameSite=Lax still permits top-level cross-site GET navigations and does not separate same-site subdomains, and the weakness also encompasses token, referer, and non-cookie authentication (e.g., HTTP Basic) gaps that one cookie control leaves open."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-352",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates anti-forgery validation that eliminates CSRF on the endpoints it covers; B is also mitigated by complementary mechanisms A does not cover, such as SameSite cookies or custom-header/CORS-preflight checks (the latter apply only to non-simple requests, so they are not a standalone defense)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-353",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Mandating TLS 1.2/1.3 directly supplies integrity protection for that channel (an AEAD suite in TLS 1.3; a MAC or AEAD in the suites TLS 1.2 still allows) and thus blocks the 'no integrity' condition there, but the CWE covers any transmission protocol so one TLS-version rule cannot close the entire weakness class."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-353",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces DTLS-SRTP (which supplies integrity) for media, blocking the weakness in that scope, yet only addresses one narrow protocol instance of the broad CWE-353 risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-353",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V17.2.5 addresses DoS resilience for SRTP traffic volume while CWE-353 concerns absence of any integrity mechanism in the protocol itself; the two have no overlap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-353",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mandates the protocol's certificate check for DTLS media streams (in DTLS-SRTP, matching the presented certificate to its signaled fingerprint), supplying the peer authenticity on which the stream's integrity protection rests and eliminating CWE-353 in that scope, yet this is only one narrow protocol use-case of the broad weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-354",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.12",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V10.4.12 restricts OAuth response_mode values via allow-listing or PAR/JAR; CWE-354 concerns failure to validate message checksums or integrity tags\u2014completely unrelated mechanisms."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-358",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly supplies the exact protocol-mandated certificate check, eliminating this instance of the weakness; B remains only partially addressed because the CWE spans every standardized check across all protocols."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-359",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A blocks one OAuth-specific vector (token theft/replay) that could expose PII, but leaves all other exposure paths unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-359",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.7.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Clear consent prompts directly eliminate the consent-failure facet of exposure, yet the weakness also covers storage, transmission and access-control failures outside any consent flow."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-362",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V10.4.2 is a narrow OAuth single-use requirement unrelated to preventing or being prevented by the broad class of race conditions in CWE-362."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-362",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses OAuth-specific replay via token binding/rotation while B is a generic concurrency flaw; neither prevents the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-362",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation of resource limits/parallelism may indirectly surface concurrency concerns (partial forward) but addresses neither synchronization mechanics nor the broad causes of race conditions (none reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-362",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact synchronization primitives that eliminate CWE-362; the weakness can still arise from design-level atomicity or ordering decisions outside this single verification outcome."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-362",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates TOCTOU instances of the race via required atomicity, but B covers many other synchronization flaws outside that single control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-362",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Consistent, protected locking directly eliminates most improper-synchronization race windows, yet CWE-362 also covers non-lock timing flaws and design-level ordering issues that one concurrency control cannot fully close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-362",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.6",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V17.2.6 directly verifies and can eliminate one specific DTLS ClientHello race condition (mostly preventing that CWE-362 instance), yet a single narrow check removes only a fraction of the broad class of synchronization flaws covered by CWE-362."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-363",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.2",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates atomic TOCTOU checks (e.g., acting on an already-opened descriptor rather than re-resolving the path) that eliminate the exact file-status race CWE-363 describes, yet the weakness can still arise from symlink or directory-edge cases outside a single concurrency control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-366",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates TOCTOU check-act races via atomicity but only one facet of broader thread-level races; B's full risk spans unsynchronized access patterns beyond that single control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-366",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Consistent lock usage directly eliminates most simultaneous-access races, yet the control's emphasis on deadlock avoidance and encapsulation leaves other race vectors (e.g., atomicity, design-level ordering) unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-366",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A verifies one narrow DTLS protocol race condition (preventing that specific instance only), while B describes a broad class of intra-thread races that A neither targets nor covers."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-367",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.2",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the atomic check-then-act pattern that eliminates the exact TOCTOU window described by B, so the control both fully prevents the weakness and removes essentially all of its risk, provided the resource offers a genuinely atomic operation (for files, acting on an opened handle rather than re-resolving a path)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-367",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V17.2.6 directly eliminates only one narrow DTLS-specific race condition (one facet of TOCTOU), while CWE-367 spans many check-use patterns across the entire system that this single media-server verification leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-368",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A verifies one narrow DTLS ClientHello case and therefore only partially blocks that facet of CWE-368, while the single control removes essentially none of the weakness's broad risk across arbitrary context switches."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-370",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A only mandates initial revocation configuration (e.g. stapling) and does not address or constrain any subsequent checks, so it neither prevents CWE-370 nor removes any of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-379",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V15.4.2 enforces atomic TOCTOU checks but does not address directory permission choices, while CWE-379 is solely a permissions weakness unaffected by atomicity alone."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-384",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.4.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates session-fixation risk during HTTPS-to-WebSocket transitions by mandating authenticated-token validation, but only addresses that narrow facet of the broad CWE-384 weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-384",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.6.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A partially blocks silent/pre-created sessions that enable fixation but never addresses invalidation of existing IDs, so it removes none of CWE-384's core risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-396",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.5.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mitigates info-leakage risk that can result from broad catches but does not stop the declaration of generic exception handlers themselves."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-402",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks cross-origin leakage of authenticated resources via headers/validation, preventing most instances of B in web contexts, yet B spans many non-browser spheres so one control covers it only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-407",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.9",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Escaping metacharacters stops regex injection that can trigger ReDoS-style inputs, but leaves inherent poor regex design and all non-regex complexity cases untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-410",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation of resource-heavy paths and suggested mitigations can reduce the chance of an undersized pool being shipped, but supplies zero actual pool capacity or runtime controls."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-410",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.1.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V17.1.2 directly verifies elimination of resource-exhaustion exposure in TURN, fully preventing CWE-410 for that component, yet only partially addresses the general weakness across an entire product."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-416",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.3",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact nulling/release discipline that eliminates CWE-416, yet a single verification outcome cannot guarantee every possible code path or allocator interaction."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-433",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.3.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks execution of untrusted uploads (mostly preventing CWE-433 exploitation), yet B also covers storage location and extension-handling choices that one verification does not fully eliminate."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-434",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation defines expected file-type rules and reduces the likelihood of the weakness during design, but supplies no runtime enforcement, so the weakness remains fully possible."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-435",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V10.5.5 directly eliminates the specific OIDC logout interaction defects that CWE-435 describes, yet the CWE spans countless other entity-interaction cases that one narrow control cannot cover."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-435",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's narrow connection-configuration rules can avoid a few integration misbehaviors, but CWE-435 spans arbitrary component interactions far beyond backend comms."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-435",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates one narrow class of proxy-IP interaction errors but leaves the broad CWE-435 space of other multi-entity misbehaviors untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-435",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.2.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks the browser/server interaction flaw it targets, but B spans many unrelated entity-interaction problems beyond content context."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-435",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.3.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "The cookie __Host- prefix rule directly eliminates one narrow cookie-host interaction flaw but leaves the broad class of multi-entity behavioral mismatches untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-441",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.6.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V10.6.2 validates logout-request provenance solely to block forced-logout DoS; CWE-441 concerns failure to preserve upstream identity when proxying arbitrary requests, two disjoint problems."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-441",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V15.2.4 targets supply-chain package provenance to block dependency confusion, while CWE-441 describes runtime request-source loss in proxies; the two problems and their mitigations are unrelated."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-441",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.7",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V15.3.7 addresses only HTTP parameter pollution from ambiguous input sources, while CWE-441 concerns failure to preserve request origin when forwarding to external actors; the two share no causal overlap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-441",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses browser rendering context via headers while B concerns request-source preservation in proxies; the two share no mechanism or scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-441",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A validates request origins to block CSRF on the receiving app; B is a distinct proxy-forwarding flaw about source preservation to external actors, so neither direction overlaps."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-441",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Origin/Sec-Fetch validation directly blocks cross-origin confused-deputy flows (mostly) yet leaves non-browser, server-to-server, and same-origin proxy cases unaddressed (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-441",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks cross-origin confused-deputy flows via Sec-Fetch/CORP validation, but CWE-441 also covers non-browser proxy scenarios outside A's scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-441",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.1.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks the header-override vector that commonly enables CWE-441 in web proxies, but the weakness also covers non-header source-preservation failures outside HTTP."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-441",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.6.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.6.2 binds OOB tokens to their originating request to block replay, while CWE-441 concerns failure to preserve request source identity when acting as a proxy; the two address unrelated problems."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-444",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.5.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses application-level data-parser consistency for JSON/XML/URL to block RFI/SSRF, while B is an HTTP-protocol smuggling weakness between intermediaries; the two share no direct prevention relationship."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-444",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.7",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V15.3.7 addresses only parameter-name collisions from mixed sources while CWE-444 concerns inconsistent framing/parsing of entire requests by intermediaries, so neither direction overlaps."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-444",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Content-Type enforcement addresses only response metadata/charset correctness and has no bearing on the framing or proxy-vs-destination parsing inconsistencies that define CWE-444 smuggling."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-444",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A guards against user override of intermediary headers but does not constrain how an intermediary parses ambiguous requests, so neither direction mitigates CWE-444's inconsistent-interpretation root cause."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-444",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.2.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact boundary and header-consistency rules that eliminate inconsistent interpretation, while B can still involve response paths and downstream entity quirks outside a single validation control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-444",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly targets Content-Length/framing consistency to block smuggling vectors, preventing most instances of the weakness, while B's broader inconsistent-interpretation risk spans additional vectors (Transfer-Encoding, chunking, etc.) that one narrow check leaves open."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-444",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks the Transfer-Encoding vector that commonly enables smuggling in HTTP/2/3, but B covers any inconsistent parsing by intermediaries so one narrow validation removes only part of the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-444",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.2.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A blocks newline-based header injection on HTTP/2/3 endpoints and thereby stops one smuggling vector, yet leaves the core inconsistency between intermediary and destination parsers untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-444",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Filename sanitization in download responses has no bearing on HTTP message parsing consistency between intermediaries and endpoints."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-454",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A secures one specific channel (TLS service comms) against tampering and therefore can block one narrow source of untrusted initialization data, but CWE-454 spans many other vectors (files, env vars, CLI, etc.) that A does not address at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-454",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.2.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks only the DOM-clobbering vector of untrusted variable initialization in client-side JS, leaving the broad CWE-454 unaddressed for other external sources."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-454",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly stops client-side tampering only for session tokens via backend verification, mitigating one narrow facet of external initialization, while B spans arbitrary trusted variables and data stores that A never touches."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-454",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.3.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks external/client-driven initialization of trusted authorization variables by mandating a server-side trusted layer, but only covers the authorization facet of the broader CWE-454 weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-455",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A specifies connection-parameter configuration but never requires exit or degraded-mode handling on init failure, so it neither prevents CWE-455 nor removes any of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-455",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Logging of errors (A) does not stop improper non-exit behavior on init failure (B), and logging alone cannot prevent that behavior."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-459",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces expiration/cleanup only for initial auth secrets, directly addressing one narrow slice of incomplete cleanup while leaving the broad weakness otherwise untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-466",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Safe pointer arithmetic and overflow detection directly block most out-of-range returns, yet the weakness can still arise from unrelated logic or range-calculation errors that the control does not cover."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-473",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Parameterized-query controls mitigate injection that external-variable tampering could trigger, but do not stop the variable-modification flaw itself from existing or being introduced."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-473",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses only type-checking/strict comparison (one possible symptom of external var tampering) while leaving the root exposure described by B untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-473",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.7",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mitigates one facet (parameter-source collisions) of external-variable tampering but leaves other PHP-specific vectors untouched, while B's broad weakness is only narrowed\u2014not removed\u2014by that single defensive-coding outcome."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-495",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly stops returning whole objects and thus blocks most instances of CWE-495, yet the weakness also covers mutable reference semantics and encapsulation design that this single field-subset rule does not fully close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-497",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.1.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation of requirements (incl. access controls) can indirectly guide prevention of exposure but removes none of the actual implementation risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-515",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.8",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses only consent-based removal of sensitive file metadata and has no bearing on the existence or exploitability of covert storage channels, which can use any shared storage bits."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.12",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Breached-password checking directly blocks one class of weak passwords (partial forward) but leaves length/complexity rules and overall policy unenforced, so it removes only one facet of the broad CWE weakness (partial reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.2.4 directly blocks the top 3000 weak passwords at registration/change time, eliminating most instances of CWE-521, yet the weakness also covers absent length/complexity rules that this single control does not address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.9",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Permitting 64-character passwords removes one common length-limit facet of weak requirements but neither enforces any strength rules nor covers the weakness's full scope of missing complexity/length policies."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A only mandates secure random generation, policy adherence and short expiry for initial secrets and does not define or enforce password strength rules, so it neither prevents nor is sufficient to block CWE-521."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.3.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Proper authenticated encryption directly eliminates the most common transmission/storage flaws for credentials, yet the weakness also includes cleartext, weak hashing, and key-management failures outside this control's scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-524",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.3.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates browser-cache exposure by mandating no-store headers, fully preventing that CWE-524 manifestation, yet the weakness also covers server-side, disk, and memory caches outside A\u2019s scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-525",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses non-caching of sensitive content but targets cache-deception rather than browser-cache policy, while B's broad caching weakness is only partly covered by A's narrow deception-focused control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-525",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.3.2",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact anti-caching headers whose absence defines CWE-525, fully eliminating the weakness when implemented, yet the weakness description also encompasses broader policy decisions beyond a single header directive."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-529",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Disabling directory listings directly blocks the primary exposure vector for ACL files placed in web-visible paths (mostly), yet the weakness also covers other access paths and the root storage decision that one listing control cannot fully close (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-535",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.5.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Graceful/secure error handling directly stops exception info from reaching shell messages, yet the weakness also spans unhandled paths and shell-specific exposure that one control does not fully close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-537",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.5.3",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Secure error-handling verification directly stops exception-driven leaks of sensitive data, yet the CWE can still arise from logging configuration or framework defaults outside this single control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-538",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.1.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation of protection requirements can partially address logging/access facets of exposure but alone removes none of the implementation risk of placing sensitive data in accessible files."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-538",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly removes sensitive metadata from user files and thereby fully prevents that specific insertion case, yet CWE-538 covers many other externally-accessible files and directories outside metadata."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-549",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.6",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.2.6 directly mandates the exact masking behavior whose absence defines CWE-549, so the control fully eliminates the weakness in both directions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-550",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A restricts sensitive data placement to bodies/headers while B concerns leakage via server error messages, so the control neither prevents nor addresses the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-552",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V8.4.2 addresses layered auth only for admin interfaces and has no bearing on file/directory exposure, so neither direction shows any preventive relationship."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-57",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Allowlist for backend/file resources can restrict some unauthorized file access but does not address or normalize path-equivalence bypasses such as '../' traversal."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-57",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.3.2",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates trusted paths or strict sanitization that eliminates this exact path-equivalence bypass; the single control removes nearly all risk of CWE-57 but leaves minor residual exposure if normalization edge cases remain."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-59",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Atomic check-and-act directly closes the TOCTOU race that enables most link-following exploits, yet CWE-59 also covers non-race cases such as unconditional symlink traversal that the control does not address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-597",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates exact string comparison for redirect URIs, eliminating CWE-597 in that implementation; the weakness remains possible anywhere else in the codebase."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-598",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.1",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A is a direct, complete verification of the exact practice whose absence defines CWE-598, so the control both eliminates the weakness and accounts for essentially all of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-598",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.4.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Referrer-Policy mitigates only the Referer-header leakage facet of sensitive query strings while leaving logging, history, and other exposure paths untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-599",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires proper PKI-based TLS client auth for service communications and therefore largely eliminates missing certificate validation, while the narrow OpenSSL coding error can still be introduced if the control's implementation is incomplete."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-599",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.8",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's DTLS/SDP fingerprint binding is a protocol-level media check unrelated to the specific OpenSSL API omission described by B."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-600",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.5.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A last-resort handler directly catches unhandled servlet exceptions and stops default exposure, yet the weakness also encompasses servlet-specific mapping and output sanitization that this single control does not fully address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-601",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.7.2",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates an allowlist check that eliminates exploitable open redirects, while B's broader risk surface (input handling, validation gaps) means one control removes most but not every facet."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces server-side redirect validation, eliminating client reliance for that OAuth facet (mostly), yet CWE-602 spans many client-enforced mechanisms beyond redirects so one control removes only part of the weakness (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.10",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates server-side client authentication for OAuth backchannel flows, eliminating reliance on the client for those checks, yet CWE-602 spans many other client-trust scenarios beyond OAuth."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.15",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates server-side integrity checks (PAR/JAR) and so eliminates client tampering for authorization_details; B is a broad category and this control covers only one narrow OAuth vector."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V10.5.1 requires correct client-side nonce validation while CWE-602 is the architectural flaw of placing any such enforcement on the client; the control neither removes nor is diminished by that flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.7.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Consent management on the authorization server has no bearing on whether a server incorrectly delegates security enforcement to an untrusted client."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates server-side enforcement for input validation and thereby eliminates client reliance for that control, yet B spans any server-side security decision and is therefore only partly addressed by this single validation outcome."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.3.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates client-side reliance for authorization (full prevention of that CWE facet), yet CWE-602 spans any server-protection logic so one authz control leaves residual risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-603",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.10",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates server-side client authentication for OAuth backchannel flows, eliminating client-only auth in that scope, yet only addresses one narrow slice of the broader CWE-603 risk surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-603",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.15",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly forces server-side validation of OAuth request integrity (preventing client tampering of auth details), but only addresses one narrow slice of the broader client-side auth weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-603",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.16",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates server-enforced strong client auth for OAuth, blocking client-only auth in that scope; CWE-603 is broader and includes non-OAuth cases this control does not address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-603",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.7.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Consent prompting on the authorization server neither addresses nor mitigates authentication logic that lives only in client code."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-603",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly requires server-side verification of every endpoint via strong mutual auth, eliminating client-only auth for internal services, yet only addresses that narrow intra-service slice of the broader CWE-603 risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-606",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.3.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's input-validation and error-handling requirements directly block the unchecked loop-condition vector in signaling, yet the CWE spans many other code paths outside that single server."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-606",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.3.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mitigates GraphQL query-complexity DoS via allow-lists/depth/cost analysis while B is a general coding flaw of unchecked loop bounds; the two mechanisms and scopes are unrelated."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-61",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.2.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A blocks only the compressed-upload symlink vector (one narrow facet of introduction), while CWE-61 spans every file-open operation so this single control removes only a fraction of total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-611",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.5.1",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly disables the exact external-entity resolution mechanism that defines CWE-611, so the control both fully eliminates the weakness and removes essentially all of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-611",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A restricts redirect following on backend URL calls while B is an XML-parser configuration flaw allowing external entity expansion; the two mechanisms do not intersect."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-614",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.3.1",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the Secure attribute (plus related prefix rules) that B describes, so the control both eliminates the weakness and fully accounts for its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-621",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Sanitization restricts characters/length in the input used for variable names and therefore reduces exploitability of CWE-621, yet leaves the core risk of unintended but syntactically valid names unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.1.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces transaction-specific validation that blocks one class of insecure acceptance on OAuth errors, but B is a broad design principle across all failure paths that this single narrow control leaves almost entirely unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces token-constraint checks that can block one failure-open path in OAuth flows, yet addresses only a narrow slice of the broad CWE-636 design flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V11.2.3 directly blocks weak-crypto fallbacks (one CWE-636 example) yet leaves other failure modes untouched, while the weakness's breadth means the single control removes only one facet of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.3.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces strong AE/MAC usage and thereby blocks the encryption-algorithm example of failing-open, but does nothing to prevent the broader design flaw of insecure fallback states."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A explicitly mandates TLS with no fallback to insecure protocols, directly eliminating the failing-open behavior for service connections; the weakness is broader and also covers access-control and algorithm-selection failures outside communication security."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks fallback to unencrypted transport (mostly preventing that CWE manifestation) but only covers one narrow facet of the broad failing-open weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.5.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V16.5.2 directly enforces secure failure for external-resource errors (mostly preventing CWE-636), yet the weakness spans many other error paths the control does not address (only partial prevention)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.5.3",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates secure failure on errors (eliminating fail-open), while B spans multiple failure-mode facets beyond error-handling verification alone."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V17.2.4 tests robustness/availability on malformed SRTP input while CWE-636 concerns insecure fallback choices on any error; the two address unrelated failure dimensions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.3.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Atomic rollback enforces a prior correct state for transaction failures (partial prevention of insecure fallback) but addresses only one narrow slice of the broad failing-open weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.1.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A requires documenting secure fallback behavior for missing browser features, which can address one narrow class of fail-open cases, while CWE-636 spans arbitrary error paths that documentation alone leaves almost entirely open."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses context-isolation for rendered content while B is a broad error-handling design flaw; the two share no causal relationship in either direction."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.6.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.6.1 constrains only OTP delivery and method selection; it never touches error paths or fallback states, so neither direction has any preventive effect."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.4.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Session termination directly enforces fail-closed behavior for one narrow case but leaves the broad failing-open weakness untouched in error handling, crypto, and access decisions elsewhere."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Session termination on account disable is an account-lifecycle control unrelated to error-handling paths or secure-fallback design, so neither direction has any preventive effect."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Authorization documentation can indirectly guide secure failure behavior for access rules (partial prevention of introduction), but addresses only a narrow slice of the broad failing-open weakness and does not constrain error-handling implementations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.3.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V8.3.3 enforces subject-based authorization on every hop but never addresses error paths or fallback behavior, while CWE-636 is exclusively about insecure failure modes unrelated to delegation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-638",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V10.3.4 mandates per-request token verification for auth constraints (including recentness), directly enforcing mediation for those claims and thereby mostly blocking the CWE; the control is narrow to OAuth claims so it only partially addresses the CWE's broader scope of privilege changes across all resources."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-638",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces atomic check+action for permissions and thereby stops one narrow TOCTOU facet of incomplete mediation, but does nothing to ensure repeated mediation on every subsequent access when privileges may have changed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-64",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.2.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks one upload vector for symlink abuse but does not address .LNK parsing or resolution at all, so it removes only a narrow slice of the broader shortcut-following weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-640",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.4.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Session termination after a recovery-driven password change addresses one post-exploitation facet (reducing session hijack impact) but leaves the recovery mechanism's inherent weaknesses untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-642",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.4.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V8.4.2 addresses multi-factor admin authorization decisions while CWE-642 concerns externally writable storage of critical state; the two share no direct causal link in either direction."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-643",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.2.4 addresses only parameterized/ORM usage for listed DB query languages and therefore neither prevents nor covers XPath expression construction at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-643",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.7",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact parameterization defense that eliminates XPath injection, but a single verification control cannot address every ancillary design or runtime factor that contributes to the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-643",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Strict allow-list validation removes most XPath injection vectors by rejecting control characters and unexpected structures, yet leaves residual risk from incomplete rule coverage and the weakness's focus on query neutralization itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-643",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.3.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses GraphQL DoS via query-cost controls while B is an XPath injection flaw in XML query construction; the two share neither technology nor vulnerability class."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-644",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.2.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A restricts only connection-specific headers in HTTP/2/3 to block splitting, while B concerns failure to neutralize scripting syntax inside arbitrary header values; the two controls address disjoint facets of header handling."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-647",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Exact-match allowlist validation directly eliminates non-canonical bypasses for OAuth redirect decisions, but leaves the broader class of URL-based authorization decisions unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-647",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Input validation on URL inputs used for security decisions can normalize/reject non-canonical paths and thereby block exploitation, yet the weakness ultimately stems from authorization logic assumptions that validation alone does not fully redesign."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-648",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "CORS preflight enforcement addresses cross-origin request restrictions while CWE-648 concerns conformance to privileged-API contracts; the two domains share no overlap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-648",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.4.6 constrains admin password-reset behavior while CWE-648 concerns nonconformant calls to privileged APIs, so the control neither prevents nor meaningfully mitigates the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-649",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates signature-based integrity validation for auth assertions, eliminating the described weakness in that narrow scope, yet B spans any obfuscated/encrypted input so one control cannot address the full risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-650",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks cross-origin exploitation of unsafe GET state changes via tokens/headers, but leaves the underlying server-side method assumption itself only partially addressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-650",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces non-GET methods (or Sec-Fetch validation) for sensitive actions and therefore mostly eliminates CWE-650, yet the weakness's core server-side trust assumption can still be triggered through other vectors the single control does not close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-650",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.1.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Method allow-listing blocks unintended verbs but does not eliminate server-side logic that performs state changes on GET."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-652",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.4",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly requires protection against database injection attacks including XQuery, eliminating most of the weakness, yet leaves room for non-query neutralization gaps."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-652",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.7",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.3.7 is narrowly scoped to template engines and does not address XQuery construction or neutralization at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-652",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Strict allow-list validation removes most XQuery payloads before they reach query construction, yet the weakness also encompasses missing escaping inside the expression builder itself so validation alone leaves residual risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.3.3 directly mandates MFA (or equivalent) for application access and thus fully eliminates single-factor reliance for that decision; CWE-654 remains only partially prevented because the weakness applies to any security decision, not just authentication entry points."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A bans one specific mechanism (email) without constraining the number or independence of factors, so it neither prevents CWE-654 nor removes any measurable portion of that weakness's risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-656",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A eliminates undocumented auth pathways (one obscurity vector) but does nothing to stop reliance on hidden algorithms or keys elsewhere, so B's overall risk remains untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-662",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's documentation of resource-intensive paths and availability defenses (queues, limits) neither targets nor mitigates the concurrency synchronization defects described by B."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-662",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the synchronization mechanisms whose absence defines CWE-662, eliminating the weakness in the multi-threaded shared-object case, yet the CWE also covers processes/components/systems outside V15.4.1's scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-662",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates only the TOCTOU facet of synchronization via atomic checks, so it prevents one slice of CWE-662 (partial) while the broad weakness spans many other synchronization failures that this single control leaves untouched (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-662",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses only the narrow starvation/fairness facet of concurrency via thread pools, partially reducing likelihood of some related defects but leaving the core synchronization failures of CWE-662 untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-662",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Single-use enforcement for auth secrets addresses replay but shares no mechanism or scope with improper multi-threaded synchronization of arbitrary shared resources."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-670",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Implementing the token validity time-span check directly enforces correct control-flow logic for that validation path, largely preventing CWE-670 there, yet one narrow token rule leaves the broad class of incorrect-control-flow defects elsewhere untouched, so prevention is only partial."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-671",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V13.2.3 enforces one narrow rule on credentials while CWE-671 describes absence of any administrator-configurable security surface, so the control neither prevents the weakness nor removes any meaningful portion of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-671",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Disabling GraphQL introspection is a narrow, feature-specific rule that neither addresses nor is addressed by the broad lack of administrator-configurable security settings."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-671",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.11",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.2.11 addresses only password guessing via wordlists and has no bearing on administrator configurability of security features."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-671",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Requiring documentation of contextual authorization factors partially surfaces environmental tailoring options but supplies no actual administrator controls or configurability, leaving the core weakness untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-682",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V15.2.2 mitigates availability loss from expensive operations but never constrains calculation correctness, so neither direction removes any part of CWE-682."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly implements one correct protection mechanism (iss validation), thereby preventing that instance of CWE-693, yet the weakness spans many unrelated mechanisms so one OAuth control removes only part of the total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.3.3 directly mandates correct use of a strong auth protection mechanism, eliminating most auth-related instances of CWE-693, yet the weakness spans every protection mechanism so one control covers only a facet."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.6.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "The control directly hardens one class of OOB protection mechanism against brute-force failure, but CWE-693 spans every possible protection mechanism so a single narrow control removes only part of the weakness's total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-694",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Origin separation via hostnames addresses cross-origin browser interactions but has no relation to duplicate resource identifiers."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-694",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates composite (IdP+user) identifiers, eliminating the duplicate-ID flaw for multi-IdP auth, yet only addresses one narrow facet of the broad CWE-694 weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-694",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.4.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V8.4.1 enforces cross-tenant permission boundaries but never addresses identifier uniqueness, while CWE-694 is a naming/namespace collision flaw outside the scope of authorization checks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-694",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces unique audience identifiers for tokens (eliminating duplicate-ID reuse in that setting), yet B spans any resources so one token-specific rule removes only a fraction of its overall risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.9",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Sanitization control directly neutralizes the memcache vector (mostly), yet CWE-707 spans every upstream/downstream boundary so one narrow control removes only part of the total risk (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-73",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.3.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V5.3.2 directly mandates trusted names or strict validation for file paths, eliminating most instances of CWE-73 in file operations, yet the weakness spans broader path/file influences beyond this single control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates context-appropriate output encoding that eliminates CWE-74 in its stated web/HTML/XML scopes, yet the weakness spans many other downstream interpreters that this single control leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly neutralizes JS/JSON injection via encoding but addresses only one narrow facet of the broad CWE-74 weakness, so each direction rates partial."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates only the OS-command facet of the broad injection weakness B, leaving other downstream interpreters unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Secure LaTeX configuration with an allowlist directly eliminates LaTeX injection (a CWE-74 instance), but CWE-74 spans many other injection vectors this single control leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.9",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A implements one narrow neutralization technique (regex escaping) so prevents only that facet of CWE-74; the broad weakness spans many injection contexts that this single rule leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Sanitization with a secure HTML library directly neutralizes special elements for that input class (mostly), yet CWE-74 spans many injection types beyond HTML so one control covers only a slice of the weakness (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.9",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Sanitization for memcache directly neutralizes one narrow injection vector (partial prevention of broad CWE-74); the single control leaves all other downstream components and contexts unaddressed (partial coverage of total weakness risk)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.4.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V5.4.2 directly neutralizes special elements in file-name output and therefore blocks that injection vector, yet CWE-74 spans many other downstream interpreters that this single control leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-749",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.2.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V8.2.1 directly enforces function-level permission checks that block exposure of dangerous methods, yet the weakness also encompasses design choices about which functions are inherently dangerous and how they are surfaced via any API."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-757",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.6.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A mandates approved/strong algorithms and parameters for key exchange but does not address negotiation logic or selection behavior; restricting the algorithm set may narrow what a downgrade can reach, yet without controlling the negotiation itself it does not prevent the weakness, and CWE-757's full scope (any protocol negotiation) is untouched by this single narrow control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-757",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks TLS-version downgrade by disabling older protocols, but B also covers cipher/auth negotiation paths outside TLS version selection."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-757",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.2.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Mandating TLS with no fallback to unencrypted/insecure comms directly blocks most downgrade paths for external HTTP traffic, yet the CWE spans any protocol negotiation so one TLS-specific control removes only part of the total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-757",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks downgrade to unencrypted/insecure transport, removing most of this weakness in its scoped context, yet B spans any protocol negotiation and is only partly addressed by one service-comms control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-757",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V17.2.2 directly mandates approved/strong DTLS suites and profiles, eliminating downgrade risk for DTLS-SRTP media, yet CWE-757 spans any negotiation protocol so one media-specific control removes only part of the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-757",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V17.2.3 enforces SRTP authentication checks against RTP injection; CWE-757 concerns algorithm-negotiation downgrade, two unrelated protocol-layer issues."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-757",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Documentation of required auth strengths across pathways can help surface downgrade risks during review, but it supplies no runtime negotiation logic or enforcement, so it does not prevent the core CWE-757 flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-757",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces consistent auth strength across pathways, which can blunt weaker-path exploits, but it does not address algorithm negotiation or selection logic at all, so it does not prevent CWE-757."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-757",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.1.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V9.1.2 mostly prevents CWE-757 for tokens by mandating an allowlist of verification algorithms that excludes weak algorithms and the 'none' algorithm (which disables signature verification), yet it only partially mitigates the weakness overall since the CWE spans arbitrary protocol negotiation beyond token verification."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-760",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates a 32-bit random salt for the relevant secrets, eliminating predictable-salt usage; CWE-760 however spans all password/lookup hashing contexts so one MFA-specific rule only partially covers the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-761",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Safer pointer arithmetic in A can reduce some classes of offset errors that produce CWE-761, but A targets overflow prevention and does not address allocation tracking or free() correctness at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-77",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses only JS/JSON output encoding while B concerns command-string neutralization, so the two have no overlap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-77",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.5",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly implements the required mitigation (parameterized or contextually encoded OS command calls) that eliminates CWE-77 for OS commands, yet CWE-77 also covers non-OS command interpreters, and a single control still leaves ancillary risk facets such as upstream input handling and error paths unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-77",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks one narrow vector (LaTeX shell-escape) of command injection, so it prevents that facet of CWE-77 but leaves all other command-construction cases untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-77",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.9",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.2.9 only escapes regex metacharacters while CWE-77 concerns command-element neutralization, so the control neither prevents the weakness nor removes any of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-77",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.9",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Sanitization for memcache directly blocks one narrow injection vector (partial prevention of CWE-77) while the broad weakness spans all command contexts so one targeted control removes only partial risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-77",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Sandboxing/encapsulation can partially limit post-exploitation pivot damage from command injection, but it does nothing to address the missing neutralization of special elements that defines the weakness, so it does not prevent CWE-77."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's thread-pool/fair-access policies impose limited throttling that only partially blocks unbounded allocation (forward), while B's broad lack-of-limits weakness spans many resources beyond concurrency fairness (reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-771",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.4.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Session termination addresses user session lifecycle while CWE-771 concerns low-level resource reference tracking; the two domains share no overlap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-78",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.5",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly encodes the exact mitigation (parameterized calls or contextual encoding) that eliminates CWE-78, but the weakness can still arise where OS commands are reached indirectly (for example through components that shell out) or where verification coverage is incomplete."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-78",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.8",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses only LaTeX-processor configuration, so at most it closes the LaTeX shell-escape path, while B is the general OS-command construction flaw; the control does not address how the application itself builds OS commands and so does not prevent the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-78",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Sandboxing/risky-component isolation can partially limit post-exploitation impact of command injection but does nothing to prevent the underlying input-neutralization flaw itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-782",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.2.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly requires function-level access control that would block an unprotected IOCTL, but B's narrow kernel/driver exposure surface is only partly covered by the general application-oriented control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-784",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.3.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces transport and origin integrity via cookie flags/prefixes but never validates cookie values or binds them to the user, so although it narrows some tampering vectors it does not prevent reliance on unvalidated cookies in security decisions and removes almost none of the weakness's total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-786",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.4.1 directly mandates memory-safe pointer/string handling that eliminates underflow accesses such as CWE-786, yet remains one verification outcome among possible language/runtime mitigations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-788",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly targets buffer overflows via safe memory/string operations, eliminating most instances of CWE-788, while the weakness's risk is largely but not completely removed by this single control alone."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-79",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.1.2",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.1.2 directly mandates the exact output-encoding step that eliminates CWE-79, yet a single architectural control still leaves some residual risk from context-specific or secondary neutralization failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-79",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A narrowly blocks eval/SpEL injection vectors that can produce XSS, preventing only that facet of CWE-79 while leaving HTML output, attribute, and DOM sinks unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-8",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A reduces exploitability of data exposure from the misconfiguration but does not prevent the J2EE remote-interface flaw itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-80",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates context-aware output encoding that eliminates CWE-80 by construction, yet the weakness can still arise from non-HTML contexts, server-side sinks, or incorrect encoding choices not fully covered by this single verification."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-80",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Sanitization with a secure library directly eliminates CWE-80 for HTML inputs, but the weakness can also arise from non-HTML contexts or incomplete escaping strategies outside this control's scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-80",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.3",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Sanitization directly implements the neutralization step that eliminates basic XSS, but the weakness can also arise from context-specific encoding choices or output paths not fully covered by a single generic control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-80",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly sanitizes one narrow vector (SVG) that can trigger CWE-80, preventing that facet of the weakness but leaving all other HTML/script contexts untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-805",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Memory-safe APIs and bounds-checked operations directly eliminate most exploitable instances of incorrect-length buffer access, yet the weakness also includes upstream length-calculation errors that this single verification outcome does not fully close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-806",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly requires safer memory-copy primitives that eliminate the exact source-size mistake in B, yet B remains only one narrow coding error among many buffer issues that A must still address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-81",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.2.1 directly requires context-appropriate output encoding on all HTML/HTTP responses (including error pages), eliminating CWE-81 when applied; the weakness is narrow enough that this single control removes most but not necessarily every edge-case risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-82",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Full output encoding for HTML attributes directly eliminates script injection in IMG tag attributes, but the control is a broad practice while the weakness is a narrow manifestation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-823",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates safer pointer arithmetic that eliminates out-of-range offsets, while B is a narrow instance of the exact class of flaw A targets."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A addresses outbound sensitive-data leakage to trackers while B concerns inbound executable inclusion from untrusted sources, so neither direction has any preventive effect."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V15.3.2 restricts redirect following on outbound URL calls while CWE-829 concerns deliberate import of executable code from an untrusted sphere; the two have no overlap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "No-JSONP rule blocks one narrow browser-side inclusion vector but does not address the general practice of pulling executable code from outside the trust boundary."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.1.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A blocks one narrow vector, untrusted key material used to verify tokens, which is at most a marginal facet of B; B's broad scope (libraries, executable code) remains untouched by this token-only control, so it does not prevent the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-83",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "SVG-specific sanitization directly blocks script/attribute injection vectors covered by CWE-83, yet leaves the broader class of non-SVG attribute neutralization flaws unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-833",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V15.4.3 directly targets consistent lock usage to avoid mutual waiting, eliminating most deadlock introduction, yet leaves other deadlock vectors (ordering, reentrancy, timing) unaddressed by this single control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-837",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.3.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Rate limiting mitigates signaling floods but neither implements nor meaningfully constrains the one-time/unique-action enforcement required by CWE-837."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-837",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V6.3.3 addresses only initial authentication strength and intent, while CWE-837 concerns post-auth business-logic enforcement of action uniqueness; the two are unrelated."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-837",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly implements single-use enforcement for specific auth tokens, eliminating that facet of CWE-837, yet B spans arbitrary actions outside authentication so one control cannot address its full scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-837",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.6.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces explicit single-action consent for session creation so largely eliminates that CWE instance, yet B spans many non-session actions that A never touches."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-838",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.1",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates context-correct output encoding, eliminating CWE-838 when fully implemented, yet the weakness can still arise from non-HTTP contexts or encoding mismatches outside A's listed scopes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-838",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces context-correct encoding for URL output and therefore mostly blocks CWE-838 in that setting, yet only partially prevents the weakness overall because CWE-838 spans every output context."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-838",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.2.3 directly implements context-correct output encoding for JS/JSON and thereby eliminates most CWE-838 defects in that scope, yet the weakness spans every output context so one narrowly-scoped control can only partially prevent it."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-838",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly requires contextual command-line encoding that eliminates inappropriate encoding for OS output, yet B spans every output sink so one control cannot cover the full weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-841",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Backend token verification can indirectly reduce client-side tampering that enables workflow bypasses (partial) but does not itself implement or enforce any behavioral sequence checks (none)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-843",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.5.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Safe deserialization restricts object types on untrusted input and therefore blocks the type-confusion facet that can arise during deserialization, but leaves all other causes of CWE-843 untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-843",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates type-correctness checks that eliminate the exact assumption errors CWE-843 describes, yet the weakness also covers pointer/object casting and memory-layout cases outside variable/equality handling."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-843",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.2.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's strict type checking provides a narrow facet that can catch some JS type mismatches, but A targets DOM clobbering while B is a broad language-level weakness unaffected by namespace or declaration rules."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-88",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.5",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the parameterization/encoding that eliminates argument delimiter flaws; B's risk is almost entirely removed by this control but could still arise in non-OS contexts outside A's scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-89",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.5",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Password composition policy has no connection to SQL command construction or neutralization of input."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-90",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.6",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.2.6 directly verifies LDAP-injection controls that eliminate CWE-90 by construction, so the control both fully prevents the weakness and removes its entire risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-916",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.4.2",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V11.4.2 directly mandates the exact countermeasure (approved KDF + tuned parameters) that eliminates CWE-916, and the weakness is narrowly defined as the absence of that same practice."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-917",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.1.2",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact escaping step required for any interpreter (including EL), eliminating CWE-917 when applied to that context, yet a single general encoding control still leaves ancillary design choices such as whether user data reaches an EL expression at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-917",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.2",
      "extent": "full",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates avoidance of SpEL/dynamic EL execution or mandatory sanitization of inputs, eliminating the exact construction flaw described by B."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-917",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.5",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.3.5 directly neutralizes the exact EL/template injection vector described by CWE-917, fully preventing exploitation when applied, yet leaves residual risk from non-user-supplied paths or incomplete template contexts."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-917",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.3.1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "GraphQL DoS controls (query limits/allowlists) have no relation to neutralizing expression-language injection."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-918",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.6",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V1.3.6 directly implements the exact allow-list validation and sanitization that eliminates SSRF (full prevention); the weakness is still only mostly covered because other facets such as network egress controls and URL-parser edge cases (including redirect following and DNS rebinding after the allow-list check has passed) remain."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-918",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.5.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Consistent URL parsing directly eliminates the parser-difference vector that A targets, preventing most SSRF exploits of that form, yet leaves other SSRF causes (destination validation, allow-lists, etc.) unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-918",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.7",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V10.4.7's narrow OAuth client-metadata URI checks and consent prompts have no bearing on general SSRF exposure, while SSRF arises from arbitrary URL-fetch logic outside OAuth registration flows."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-918",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A is a narrow OIDC-client issuer-metadata check that has no bearing on general server-side URL fetching or destination validation, so neither direction removes any SSRF risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-918",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.3.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "V5.3.2 directly eliminates SSRF vectors arising from untrusted file paths/metadata, but leaves the broader weakness open via non-file inputs such as arbitrary URL parameters."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-923",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates cross-JWT confusion and wrong-token logout by enforcing explicit claim/type checks, but B is a broad channel-endpoint weakness spanning many protocols and flows that one OIDC-specific control cannot fully close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-923",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates endpoint identity verification via strong auth for internal service channels, eliminating most instances of CWE-923 in that scope, yet the weakness spans any privileged channel and is not fully closed by this single service-mesh-oriented control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-923",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.4.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces tenant isolation via cross-tenant authorization, eliminating most multi-tenant instances of endpoint confusion, yet CWE-923 spans many non-tenant channel-validation failures that A leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-93",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.2.4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates CRLF sequences in HTTP headers (full prevention for that vector), yet CWE-93 spans many other input contexts so one HTTP-specific control leaves substantial residual risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-94",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "HTML sanitization directly neutralizes the tainted input vector for web code injection but leaves other code-generation contexts (eval/dynamic evaluation, server-side templates, expression languages) unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-940",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.6.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A implements source validation only for a narrow OpenID logout flow, directly eliminating improper verification in that single case (partial) while leaving the broad CWE-940 weakness untouched across all other channels and protocols (none)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-940",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly implements source verification for one narrow channel (dependency fetches) so it blocks that specific CWE-940 instance, yet the weakness spans all runtime communication origins and is not addressed by a dependency-only control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-940",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly supplies Sec-Fetch-* validation that eliminates most browser-origin cases of CWE-940, yet the weakness spans non-browser channels and design flaws that one control cannot fully close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-942",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.4.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces a strict CSP (with allowlist/nonces and the listed directives) that eliminates permissive untrusted-domain CSP configurations, but B also encompasses cross-domain policy files and other permissive variants outside A's scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-942",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.4.6",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces a restrictive frame-ancestors directive that blocks the exact permissive-embedding case in B, yet B also covers other CSP directives and cross-domain files that A leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-942",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A enforces that CORS preflight cannot be bypassed for sensitive calls but does not constrain which domains appear in the policy, while B is exactly the defect of listing untrusted domains."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-95",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.2",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates avoidance or correct sanitization of dynamic evaluation, eliminating CWE-95 when fully implemented; the weakness is narrowly defined yet still includes ancillary design/scope factors a single control cannot wholly close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-96",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A's sanitization requirement for dynamic execution directly neutralizes the input insertion flaw in B for most executable contexts, yet B's broader scope across static templates and configs means one control cannot eliminate the full weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-99",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.11",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Mail-specific sanitization blocks one narrow instance of identifier misuse but leaves the broad resource-injection weakness untouched in all other contexts."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-99",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.8",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates JNDI-specific resource injection via sanitization but leaves all other resource-identifier vectors untouched, so it only partially blocks the general weakness while the weakness itself is not prevented by this single narrow control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-99",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.9",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Sanitization for memcache addresses only one narrow injection vector and therefore prevents general resource-identifier weaknesses only partially while removing almost none of CWE-99's total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-99",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "A directly validates one token audience identifier and thereby blocks that narrow misuse case, but the broad CWE-99 spans arbitrary resource identifiers (paths, URLs, etc.) that this single OIDC check leaves untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-99",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Token-type/purpose validation addresses only JWT misuse and has no relation to restricting untrusted input used as resource identifiers."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1286",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Canonical decode-before-validation architecture eliminates one encoding bypass vector for syntactic checks but does not itself perform or guarantee syntactic validation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1287",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Canonical decoding before validation can make subsequent type checks effective but does not implement or require any type validation itself."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-179",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces decode-before-validate order and therefore mostly blocks CWE-179, yet the weakness also covers other pre-validation transforms that this single control does not address."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-180",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates canonicalization before any validation/processing, eliminating CWE-180's exact ordering flaw; yet one narrow control cannot remove every possible facet of incorrect canonicalization/validation sequencing risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-116",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.1.2 directly mandates the exact practice whose absence defines CWE-116, so the control fully eliminates the weakness and the weakness is fully prevented by this control alone."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Output encoding as a final step can reduce exploitability of some alternate-encoding bypasses but does not address or prevent the input-handling defect itself."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-79",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.1.2 directly mandates the exact output-encoding step that eliminates CWE-79, yet a single architectural control still leaves some residual risk from context-specific or secondary neutralization failures."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-917",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact escaping step required for any interpreter (including EL), eliminating CWE-917 when applied to that context, yet a single general encoding control still leaves ancillary design choices such as whether user data reaches an EL expression at all."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-116",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.2.1 directly mandates context-appropriate output encoding, eliminating CWE-116 by design, yet the weakness spans additional message types and edge cases beyond the listed HTTP/HTML/XML contexts."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates context-appropriate output encoding that eliminates CWE-74 in its stated web/HTML/XML scopes, yet the weakness spans many other downstream interpreters that this single control leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-80",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates context-aware output encoding that eliminates CWE-80 by construction, yet the weakness can still arise from non-HTML contexts, server-side sinks, or incorrect encoding choices not fully covered by this single verification."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-81",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.2.1 directly requires context-appropriate output encoding on all HTML/HTTP responses (including error pages), eliminating CWE-81 when applied; the weakness is narrow enough that this single control removes most but not necessarily every edge-case risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-82",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Full output encoding for HTML attributes directly eliminates script injection in IMG tag attributes, but the control is a broad practice while the weakness is a narrow manifestation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-838",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates context-correct output encoding, eliminating CWE-838 when fully implemented, yet the weakness can still arise from non-HTTP contexts or encoding mismatches outside A's listed scopes."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.10",
      "target_framework": "CWE",
      "target_id": "CWE-1236",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.2.10 directly mandates the exact escaping rules that eliminate CWE-1236, so the control fully prevents this narrowly-scoped weakness and the weakness is fully prevented by this control alone."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.10",
      "target_framework": "CWE",
      "target_id": "CWE-142",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly implements delimiter/special-char neutralization for CSV exports, thereby preventing CWE-142 in that context, yet B spans arbitrary downstream components beyond spreadsheets so one control covers only part of the weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.10",
      "target_framework": "CWE",
      "target_id": "CWE-150",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.2.10 directly requires neutralization of the exact escape/meta sequences for CSV/spreadsheet output and therefore prevents CWE-150 in that narrow case mostly, yet the weakness is broader and this one control removes only a fraction of its total risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.10",
      "target_framework": "CWE",
      "target_id": "CWE-153",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates neutralization of the exact substitution characters that trigger CWE-153 in CSV exports, but B spans many other substitution contexts outside spreadsheet output."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.10",
      "target_framework": "CWE",
      "target_id": "CWE-158",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates null-byte escaping for CSV/spreadsheet output and thereby blocks CWE-158 in that narrow channel, yet the weakness spans arbitrary downstream components that A never addresses."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces context-specific output encoding for URLs (one narrow facet of encoding hygiene) so it only partially blocks exploitation of CWE-173; the weakness itself is an input canonicalization problem whose broad risk is untouched by this single output control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-177",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces correct output encoding when emitting URLs while B concerns failure to interpret URL-encoded input, so the control neither prevents nor meaningfully mitigates the weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-349",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.2.2 addresses URL encoding and safe-protocol restrictions to block injection, while CWE-349 concerns mis-trusting extraneous data mixed with trusted data; the two address unrelated failure modes."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-838",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces context-correct encoding for URL output and therefore mostly blocks CWE-838 in that setting, yet only partially prevents the weakness overall because CWE-838 spans every output context."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-116",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly requires the output encoding that eliminates B for JS/JSON contexts, yet B spans many other structured formats that A does not address."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly neutralizes JS/JSON injection via encoding but addresses only one narrow facet of the broad CWE-74 weakness, so each direction rates partial."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-77",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses only JS/JSON output encoding while B concerns command-string neutralization, so the two have no overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-838",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.2.3 directly implements context-correct output encoding for JS/JSON and thereby eliminates most CWE-838 defects in that scope, yet the weakness spans every output context so one narrowly-scoped control can only partially prevent it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-473",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Parameterized-query controls mitigate injection that external-variable tampering could trigger, but do not stop the variable-modification flaw itself from existing or being introduced."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-643",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.2.4 addresses only parameterized/ORM usage for listed DB query languages and therefore neither prevents nor covers XPath expression construction at all."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-652",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly requires protection against database injection attacks including XQuery, eliminating most of the weakness, yet leaves room for non-query neutralization gaps."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-214",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Parameterized OS calls directly avoid visible command-line args (mostly preventing B) but leave env vars and other visibility vectors unaddressed (only partial prevention of the full weakness)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates only the OS-command facet of the broad injection weakness B, leaving other downstream interpreters unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-77",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly and completely eliminates CWE-77 via its required parameterized/encoded OS calls, yet a single control still leaves ancillary risk facets such as upstream input handling and error paths unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-78",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly specifies the exact mitigation (parameterized OS calls or contextual encoding) that eliminates CWE-78, but the weakness can still arise from non-OS command paths or incomplete verification coverage."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-838",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly requires contextual command-line encoding that eliminates inappropriate encoding for OS output, yet B spans every output sink so one control cannot cover the full weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-88",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the parameterization/encoding that eliminates argument delimiter flaws; B's risk is almost entirely removed by this control but could still arise in non-OS contexts outside A's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.6",
      "target_framework": "CWE",
      "target_id": "CWE-90",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.2.6 directly verifies LDAP-injection controls that eliminate CWE-90 by construction, so the control both fully prevents the weakness and removes its entire risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.7",
      "target_framework": "CWE",
      "target_id": "CWE-643",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact parameterization defense that eliminates XPath injection, but a single verification control cannot address every ancillary design or runtime factor that contributes to the weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.8",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Secure LaTeX configuration with an allowlist directly eliminates LaTeX injection (a CWE-74 instance), but CWE-74 spans many other injection vectors this single control leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.8",
      "target_framework": "CWE",
      "target_id": "CWE-77",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks one narrow vector (LaTeX shell-escape) of command injection, so it prevents that facet of CWE-77 but leaves all other command-construction cases untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.8",
      "target_framework": "CWE",
      "target_id": "CWE-78",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses only LaTeX-specific configuration while B is the general OS-command construction flaw; the two share no overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.9",
      "target_framework": "CWE",
      "target_id": "CWE-153",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A supplies regex-specific escaping that neutralizes one narrow class of substitution metacharacters, so it only partially blocks introduction of CWE-153 while the broad weakness spans many other substitution contexts that A leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.9",
      "target_framework": "CWE",
      "target_id": "CWE-407",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Escaping metacharacters stops regex injection that could supply ReDoS-style inputs, but leaves inherently poor regex design and all non-regex complexity cases untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.9",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A implements one narrow neutralization technique (regex escaping) so prevents only that facet of CWE-74; the broad weakness spans many injection contexts that this single rule leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.9",
      "target_framework": "CWE",
      "target_id": "CWE-77",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.2.9 only escapes regex metacharacters while CWE-77 concerns command-element neutralization, so the control neither prevents the weakness nor removes any of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-1173",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Sanitization via a dedicated HTML library neither enforces nor depends on correct use of any validation framework, so the two are unrelated."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Sanitization with a secure HTML library directly neutralizes special elements for that input class (mostly), yet CWE-74 spans many injection types beyond HTML so one control covers only a slice of the weakness (partial)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-80",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Sanitization with a secure library directly eliminates CWE-80 for HTML inputs, but the weakness can also arise from non-HTML contexts or incomplete escaping strategies outside this control's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-94",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "HTML sanitization directly neutralizes the tainted input vector for web code injection but leaves other code-generation contexts (eval, SQL, templates) unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.10",
      "target_framework": "CWE",
      "target_id": "CWE-1061",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Sanitizing format strings is an input-handling control unrelated to hiding internal data or method representations, so neither direction removes any of the other's risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.10",
      "target_framework": "CWE",
      "target_id": "CWE-1336",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.3.10 targets only format-string sanitization while CWE-1336 concerns template-engine syntax, so the control neither prevents nor meaningfully mitigates the weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.10",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Sanitizing format strings addresses a narrow class of interpretation risks unrelated to alternate-encoding handling, so the control neither prevents CWE-173 nor removes any meaningful portion of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.11",
      "target_framework": "CWE",
      "target_id": "CWE-179",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Sanitization (A) supplies one needed protection step and therefore only partially blocks the early-validation ordering defect, while the broad ordering weakness (B) is not addressed at all by this narrow mail-specific control alone."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.11",
      "target_framework": "CWE",
      "target_id": "CWE-99",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Mail-specific sanitization blocks one narrow instance of identifier misuse but leaves the broad resource-injection weakness untouched in all other contexts."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.12",
      "target_framework": "CWE",
      "target_id": "CWE-138",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses only regex backtracking performance while B is a broad neutralization flaw for control/syntactic elements; the two share no overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.12",
      "target_framework": "CWE",
      "target_id": "CWE-150",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.3.12 narrowly targets ReDoS-safe regex patterns and input length limits, while CWE-150 concerns failure to neutralize escape/meta sequences for downstream interpreters; the two address unrelated attack surfaces."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-1336",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly requires avoidance or sanitization of template expressions like SpEL, eliminating the weakness when fully applied, yet B's broader template-engine surface leaves a small residual risk unaddressed by this control alone."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-79",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A narrowly blocks eval/SpEL injection vectors that can produce XSS, preventing only that facet of CWE-79 while leaving HTML output, attribute, and DOM sinks unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-917",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates avoidance of SpEL/dynamic EL execution or mandatory sanitization of inputs, eliminating the exact construction flaw described by B."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-95",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates avoidance or correct sanitization of dynamic evaluation, eliminating CWE-95 when fully implemented; the weakness is narrowly defined yet still includes ancillary design/scope factors a single control cannot wholly close."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-96",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's sanitization requirement for dynamic execution directly neutralizes the input insertion flaw in B for most executable contexts, yet B's broader scope across static templates and configs means one control cannot eliminate the full weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Allowlisting safe characters in received input can block many encoded payloads but does not guarantee prior normalization/decoding, leaving both the control's preventive power and the weakness's residual risk only partially addressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-179",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Sanitization supplies the missing protection step but does not enforce correct ordering relative to validation, so it only partially blocks the weakness while the weakness itself is an ordering defect that sanitization alone does not prevent."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-621",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Sanitization restricts characters/length in the input used for variable names and therefore reduces exploitability of CWE-621, yet leaves the core risk of unintended but syntactically-valid names unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-80",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Sanitization directly implements the neutralization step that eliminates basic XSS, but the weakness can also arise from context-specific encoding choices or output paths not fully covered by a single generic control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-80",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly sanitizes one narrow vector (SVG) that can trigger CWE-80, preventing that facet of the weakness but leaving all other HTML/script contexts untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-83",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "SVG-specific sanitization directly blocks script/attribute injection vectors covered by CWE-83, yet leaves the broader class of non-SVG attribute neutralization flaws unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.5",
      "target_framework": "CWE",
      "target_id": "CWE-917",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.3.5 directly neutralizes the exact EL/template injection vector described by CWE-917, fully preventing exploitation when applied, yet leaves residual risk from non-user-supplied paths or incomplete template contexts."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.6",
      "target_framework": "CWE",
      "target_id": "CWE-113",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's allowlist-based SSRF sanitization for service calls has no bearing on CRLF neutralization in HTTP headers, and vice versa."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.6",
      "target_framework": "CWE",
      "target_id": "CWE-179",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A specifies allow-list validation plus sanitization for SSRF and therefore touches the validation-before-modification problem only in one narrow case, while B describes a broad class of ordering defects that this single control leaves almost entirely unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.6",
      "target_framework": "CWE",
      "target_id": "CWE-918",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.3.6 directly implements the exact allow-list validation and sanitization that eliminates SSRF (full prevention); the weakness is still only mostly covered because other facets such as network egress controls and URL-parser edge cases remain."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.7",
      "target_framework": "CWE",
      "target_id": "CWE-1336",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly targets template injection via avoidance or sanitization and so mostly prevents the weakness; the weakness spans all neutralization edge cases and engine-specific syntax that this single control only partially closes."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.7",
      "target_framework": "CWE",
      "target_id": "CWE-652",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.3.7 is narrowly scoped to template engines and does not address XQuery construction or neutralization at all."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.8",
      "target_framework": "CWE",
      "target_id": "CWE-179",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces correct-order sanitization for one narrow injection class (JNDI), thereby partially blocking the early-validation pattern in that setting, yet A is too specific to address the general validation-before-modification weakness at all."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.8",
      "target_framework": "CWE",
      "target_id": "CWE-180",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.3.8 addresses JNDI-specific sanitization and configuration; CWE-180 is a generic validation-order flaw unrelated to JNDI handling or injection defenses."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.8",
      "target_framework": "CWE",
      "target_id": "CWE-99",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates JNDI-specific resource injection via sanitization but leaves all other resource-identifier vectors untouched, so it only partially blocks the general weakness while the weakness itself is not prevented by this single narrow control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.9",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "The sanitization control directly neutralizes the memcache vector (mostly), yet CWE-707 spans every upstream/downstream boundary, so one narrow control removes only part of the total risk (partial)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.9",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Sanitization for memcache directly neutralizes one narrow injection vector (partial prevention of broad CWE-74); the single control leaves all other downstream components and contexts unaddressed (partial coverage of total weakness risk)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.9",
      "target_framework": "CWE",
      "target_id": "CWE-77",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Sanitization for memcache directly blocks one narrow injection vector (partial prevention of CWE-77) while the broad weakness spans all command contexts so one targeted control removes only partial risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.9",
      "target_framework": "CWE",
      "target_id": "CWE-99",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Sanitization for memcache addresses only one narrow injection vector and therefore prevents general resource-identifier weaknesses only partially while removing almost none of CWE-99's total risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-122",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.4.1 directly mandates the exact safe-memory practices that eliminate heap overflows, fully preventing CWE-122 when implemented, yet one verification outcome still leaves residual risk from design or allocation errors outside its scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-124",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly targets safe string/memory operations to eliminate buffer under/over-flow defects and so mostly prevents CWE-124; the single control still leaves other root causes (index math, third-party libraries, design) and so only partially mitigates the full weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-466",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Safe pointer arithmetic and overflow detection directly blocks most out-of-range returns, yet the weakness can still arise from unrelated logic or range-calculation errors that the control does not cover."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-761",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Safer pointer arithmetic in A can reduce some classes of offset errors that produce CWE-761, but A targets overflow prevention and does not address allocation tracking or free() correctness at all."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-786",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V1.4.1 directly mandates memory-safe pointer/string handling that eliminates underflow accesses such as CWE-786, yet remains one verification outcome among possible language/runtime mitigations."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-788",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly targets buffer overflows via safe memory/string operations, eliminating most instances of CWE-788, while the weakness's risk is largely but not completely removed by this single control alone."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-805",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Memory-safe APIs and bounds-checked operations directly eliminate most exploitable instances of incorrect-length buffer access, yet the weakness also includes upstream length-calculation errors that this single verification outcome does not fully close."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-806",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly requires safer memory-copy primitives that eliminate the exact source-size mistake in B, yet B remains only one narrow coding error among many buffer issues that A must still address."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-823",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates safer pointer arithmetic that eliminates out-of-range offsets, while B is a narrow instance of the exact class of flaw A targets."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1173",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires manual sign/range checks for overflows but never mandates or references any validation framework, so it neither blocks misuse of such a framework nor is itself prevented by framework adoption."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1284",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly implements range/sign validation on quantity inputs to block overflows, eliminating most of that defect, yet B spans additional quantity properties (e.g., semantic correctness, units) that A does not address."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1285",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's overflow-focused sign/range checks catch one narrow failure mode that can produce bad indices, while B's broader requirement for validating index/offset properties is not addressed by that single control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1286",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A implements range/sign checks solely to block integer overflows while B is a distinct syntactic-format validation failure, so the control neither prevents nor meaningfully mitigates the weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1287",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's overflow-focused range/sign checks incorporate limited input validation that can incidentally address numeric type issues, but A does not target or broadly mitigate the general type-validation weakness described by B."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-416",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact nulling/release discipline that eliminates CWE-416, yet a single verification outcome cannot guarantee every possible code path or allocator interaction."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-611",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly disables the exact external-entity resolution mechanism that defines CWE-611, so the control both fully eliminates the weakness and removes essentially all of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.5.2",
      "target_framework": "CWE",
      "target_id": "CWE-183",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Full safe-deserialization enforcement requires a correctly-scoped object-type allowlist, thereby eliminating most instances of CWE-183 within deserialization, yet the same weakness can still exist in any other allow-list feature outside that single control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.5.2",
      "target_framework": "CWE",
      "target_id": "CWE-843",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Safe deserialization restricts object types on untrusted input and therefore blocks the type-confusion facet that can arise during deserialization, but leaves all other causes of CWE-843 untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.5.3",
      "target_framework": "CWE",
      "target_id": "CWE-351",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Consistent parser behavior (A) can reduce exploitability of some type-handling flaws during deserialization, yet A never enforces type distinction itself and so leaves the core weakness (B) untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.5.3",
      "target_framework": "CWE",
      "target_id": "CWE-444",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses application-level data-parser consistency for JSON/XML/URL to block RFI/SSRF, while B is an HTTP-protocol smuggling weakness between intermediaries; the two share no direct prevention relationship."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.5.3",
      "target_framework": "CWE",
      "target_id": "CWE-918",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Consistent URL parsing directly eliminates the parser-difference vector that A targets, preventing most SSRF exploits of that form, yet leaves other SSRF causes (destination validation, allow-lists, etc.) unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-343",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates non-guessable transaction-specific secrets, eliminating predictable RNG for those OAuth values (mostly), yet CWE-343 is a general RNG flaw only narrowly addressed by one control (partial)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces transaction-specific validation that blocks one class of insecure acceptance on OAuth errors, but B is a broad design principle across all failure paths that this single narrow control leaves almost entirely unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-352",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V10.2.1 directly eliminates CSRF for OAuth code flows via PKCE/state, but only addresses one narrow facet of the general CWE-352 weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1023",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly requires adding the missing 'iss' factor to OAuth server comparisons, eliminating most instances of this weakness in that context; B remains only partially addressed because the broad class of multi-factor comparison defects spans many other domains and factors."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly implements one correct protection mechanism (iss validation), thereby preventing that instance of CWE-693, yet the weakness spans many unrelated mechanisms so one OAuth control removes only part of the total risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-250",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates unnecessary OAuth scopes and so mostly prevents that facet of CWE-250; the weakness spans many other execution contexts that one narrow OAuth rule cannot address."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-289",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V10.3.2 enforces OAuth claim-based authorization decisions while CWE-289 is a name/alias handling flaw in authentication; the two mechanisms do not intersect."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-1390",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V10.3.4 mostly prevents weak auth from remaining exploitable by enforcing verification of acr/amr/auth_time claims on tokens, yet only partially addresses the broad CWE-1390 because many other weak-auth vectors exist outside OAuth resource-server token checks."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces token-constraint checks that can block one failure-open path in OAuth flows, yet addresses only a narrow slice of the broad CWE-636 design flaw."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-638",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V10.3.4 mandates per-request token verification for auth constraints (including recentness), directly enforcing mediation for those claims and thereby mostly blocking the CWE; the control is narrow to OAuth claims so it only partially addresses the CWE's broader scope of privilege changes across all resources."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.5",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V10.3.5 directly eliminates token-theft/replay vectors via sender-constrained tokens, preventing that facet of improper access control, yet CWE-284 spans many unrelated access-control failures this single OAuth control leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.5",
      "target_framework": "CWE",
      "target_id": "CWE-359",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A blocks one OAuth-specific vector (token theft/replay) that could expose PII, but leaves all other exposure paths unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-1254",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mandates exact string comparison for one narrow case, eliminating stepwise timing flaws there but leaving the general CWE-1254 weakness untouched elsewhere."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-187",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Exact-match allowlist validation directly eliminates partial-string redirect-URI flaws (full), yet CWE-187 spans many other comparison contexts that this single control leaves untouched (partial)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-597",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates exact string comparison for redirect URIs, eliminating CWE-597 in that implementation; the weakness remains possible anywhere else in the codebase."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces server-side redirect validation, eliminating client reliance for that OAuth facet (mostly), yet CWE-602 spans many client-enforced mechanisms beyond redirects so one control removes only part of the weakness (partial)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-647",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Exact-match allowlist validation directly eliminates non-canonical bypasses for OAuth redirect decisions, but leaves the broader class of URL-based authorization decisions unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.10",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates server-side client authentication for OAuth backchannel flows, eliminating reliance on the client for those checks, yet CWE-602 spans many other client-trust scenarios beyond OAuth."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.10",
      "target_framework": "CWE",
      "target_id": "CWE-603",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates server-side client authentication for OAuth backchannel flows, eliminating client-only auth in that scope, yet only addresses one narrow slice of the broader CWE-603 risk surface."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.12",
      "target_framework": "CWE",
      "target_id": "CWE-354",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V10.4.12 restricts OAuth response_mode values via allow-listing or PAR/JAR; CWE-354 concerns failure to validate message checksums or integrity tags\u2014completely unrelated mechanisms."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.15",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates server-side integrity checks (PAR/JAR) and so eliminates client tampering with authorization_details; B is a broad category and this control covers only one narrow OAuth vector."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.15",
      "target_framework": "CWE",
      "target_id": "CWE-603",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly forces server-side validation of OAuth request integrity (preventing client tampering of auth details), but only addresses one narrow slice of the broader client-side auth weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.16",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates replay-resistant public-key client auth that eliminates OAuth client spoofing, but CWE-290 spans many other auth schemes and vectors outside this control's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.16",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mandates replay-resistant client auth (mTLS/PK-JWT), directly eliminating capture-replay for OAuth; CWE-294 spans many other auth surfaces this single control leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.16",
      "target_framework": "CWE",
      "target_id": "CWE-306",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates strong client authentication at the OAuth authorization server (a critical function), eliminating most instances of CWE-306 there, yet only addresses one narrow slice of the broad weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.16",
      "target_framework": "CWE",
      "target_id": "CWE-603",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates server-enforced strong client auth for OAuth, blocking client-only auth in that scope; CWE-603 is broader and includes non-OAuth cases this control does not address."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-362",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V10.4.2 is a narrow OAuth single-use requirement unrelated to preventing or being prevented by the broad class of race conditions in CWE-362."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.4",
      "target_framework": "CWE",
      "target_id": "CWE-1229",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V10.4.4 restricts OAuth grant types for a client while CWE-1229 concerns any indirect creation of attacker-usable resources; the two are unrelated."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.5",
      "target_framework": "CWE",
      "target_id": "CWE-362",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses OAuth-specific replay via token binding/rotation while B is a generic concurrency flaw; neither prevents the other."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.6",
      "target_framework": "CWE",
      "target_id": "CWE-1289",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V10.4.6 mandates a narrow OAuth/PKCE check for code_challenge/verifier that neither implements nor broadly addresses general unsafe-equivalence validation of arbitrary resource identifiers."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.7",
      "target_framework": "CWE",
      "target_id": "CWE-349",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V10.4.7 directly forces validation of client metadata and untrusted-client warnings, eliminating most CWE-349 instances inside dynamic registration, yet leaves the broad weakness untouched in every other data-mixing context."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.7",
      "target_framework": "CWE",
      "target_id": "CWE-918",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V10.4.7's narrow OAuth client-metadata URI checks and consent prompts have no bearing on general SSRF exposure, while SSRF arises from arbitrary URL-fetch logic outside OAuth registration flows."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.9",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Token revocation mitigates one narrow post-compromise exposure path but neither stops CWE-200 from being introduced nor addresses the weakness's many other causes."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V10.5.1 directly eliminates replay via nonce for OIDC (one narrow facet of improper authentication) and so prevents CWE-287 only partially; the broad CWE spans many authentication failures this single protocol-specific check cannot close."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Nonce validation directly blocks ID-token replay (a spoofing vector) in OIDC flows, yet leaves other spoofing techniques and broader auth-bypass surfaces untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates replay of OIDC ID tokens via nonce validation, fully preventing CWE-294 for that mechanism, yet only partially addresses the broader weakness across other auth protocols and tokens."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V10.5.1 requires correct client-side nonce validation while CWE-602 is the architectural flaw of placing any such enforcement on the client; the control neither removes nor is diminished by that flaw."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.2",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces correct identity proofing via unique non-reassignable OIDC claims, blocking most improper-authentication defects in that context, yet leaves the remainder of CWE-287's many other authentication vectors untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.3",
      "target_framework": "CWE",
      "target_id": "CWE-918",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A is a narrow OIDC-client issuer-metadata check that has no bearing on general server-side URL fetching or destination validation, so neither direction removes any SSRF risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.4",
      "target_framework": "CWE",
      "target_id": "CWE-1289",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mandates one correct equality check for the OIDC aud claim, blocking that narrow instance of improper equivalence validation, while B spans arbitrary inputs and identifier contexts that A never touches."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.4",
      "target_framework": "CWE",
      "target_id": "CWE-99",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly validates one token audience identifier and thereby blocks that narrow misuse case, but the broad CWE-99 spans arbitrary resource identifiers (paths, URLs, etc.) that this single OIDC check leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.5",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V10.5.5 directly enforces correct validation of OIDC logout tokens, blocking one narrow slice of authentication failures, yet leaves the broad CWE-287 surface (login, session, API, etc.) untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.5",
      "target_framework": "CWE",
      "target_id": "CWE-435",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V10.5.5 directly eliminates the specific OIDC logout interaction defects that CWE-435 describes, yet the CWE spans countless other entity-interaction cases that one narrow control cannot cover."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.5",
      "target_framework": "CWE",
      "target_id": "CWE-923",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates cross-JWT confusion and wrong-token logout by enforcing explicit claim/type checks, but B is a broad channel-endpoint weakness spanning many protocols and flows that one OIDC-specific control cannot fully close."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.6.2",
      "target_framework": "CWE",
      "target_id": "CWE-441",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V10.6.2 validates logout-request provenance solely to block forced-logout DoS, while CWE-441 concerns failure to preserve upstream identity when proxying arbitrary requests; the two are disjoint problems."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.6.2",
      "target_framework": "CWE",
      "target_id": "CWE-940",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A implements source validation only for a narrow OpenID logout flow, directly eliminating improper verification in that single case (partial) while leaving the broad CWE-940 weakness untouched across all other channels and protocols (none)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.7.1",
      "target_framework": "CWE",
      "target_id": "CWE-1023",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Consent management enforces explicit user approval for authorization requests but does not address or constrain any multi-factor comparison logic, so neither direction has any preventive effect."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.7.1",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Consent management on the authorization server has no bearing on whether a server incorrectly delegates security enforcement to an untrusted client."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.7.1",
      "target_framework": "CWE",
      "target_id": "CWE-603",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Consent prompting on the authorization server neither addresses nor mitigates authentication logic that lives only in client code."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.7.2",
      "target_framework": "CWE",
      "target_id": "CWE-359",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Clear consent prompts directly eliminate the consent-failure facet of exposure, yet the weakness also covers storage, transmission and access-control failures outside any consent flow."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-1112",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Cryptographic key/algorithm inventory has no bearing on documentation of program execution mechanisms."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-1112",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V11.1.3 only mandates discovery of crypto operations and has no bearing on documenting general program execution mechanisms, so neither direction shows any preventive relationship."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-1258",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Validated crypto libraries/accelerators reduce exposure risk for crypto material but do not address hardware debug-clearing behavior; the CWE is a low-level hardware design flaw outside the scope of a single app-level crypto requirement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-1279",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mandates use of validated crypto libraries/hardware but says nothing about readiness/sequencing checks, so it neither prevents CWE-1279 nor removes any of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-1429",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Cryptographic library validation has no bearing on hardware-interface feedback omissions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-1431",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Validated crypto implementations largely avoid flawed hardware modules that leak intermediate state, yet the single control does not encompass hardware design verification or all leakage vectors."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-328",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Mandating 128-bit security primitives directly eliminates weak-hash algorithms, but the control is broader than hash selection alone."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V11.2.3 directly blocks weak-crypto fallbacks (one CWE-636 example) yet leaves other failure modes untouched, while the weakness's breadth means the single control removes only one facet of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-208",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates timing leaks by mandating constant-time crypto operations, but B covers observable timing discrepancies in any code path beyond cryptography."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-1061",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V11.2.5 addresses only crypto-module error handling while CWE-1061 is a broad design-level encapsulation flaw; the two share no overlap in either direction."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-1256",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V11.2.5 addresses only crypto-module error handling while CWE-1256 concerns hardware interface exposure for power/clock/memory/side-channels; the two domains do not intersect."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-1188",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Encryption-mode verification has no bearing on resource-default initialization, so neither direction removes any of the other's risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Proper authenticated encryption directly eliminates the most common transmission/storage flaws for credentials, yet the weakness also includes cleartext, weak hashing, and key-management failures outside this control's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces strong AE/MAC usage and thereby blocks the encryption-algorithm example of failing-open, but does nothing to prevent the broader design flaw of insecure fallback states."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-1109",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly forbids reuse of specific crypto values (nonces/IVs), blocking that narrow facet of variable reuse, while B's general risk across arbitrary code remains almost entirely unaddressed by this single encryption rule."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-323",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly verifies nonce/IV non-reuse and appropriate generation, eliminating CWE-323; the weakness's full risk also includes surrounding key-lifecycle and protocol choices outside this single control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-331",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires appropriate generation (hence some entropy) only for nonces/IVs, preventing that narrow misuse of low-entropy values but leaving the general CWE-331 weakness untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-340",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates appropriate (i.e., unpredictable) generation for nonces/IVs and thereby eliminates that facet of CWE-340, yet leaves the broader weakness untouched in all other identifier contexts."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-343",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly bars weak hashes (e.g., MD5) from random-bit generation and thereby blocks one narrow source of predictability, yet CWE-343 can still arise from non-hash PRNG algorithms, poor seeding, or state leakage that A never addresses."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-257",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V11.4.2 mandates irreversible KDF hashing, which directly eliminates any recoverable password storage and thereby removes the entire risk described by CWE-257."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-326",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V11.4.2 mandates strong password hashing (KDF) while CWE-326 concerns weak encryption algorithms; the two address entirely separate cryptographic mechanisms with no overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-916",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V11.4.2 directly mandates the exact countermeasure (approved KDF + tuned parameters) that eliminates CWE-916, and the weakness is narrowly defined as the absence of that same practice."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V11.4.3 specifies only collision-resistant hash lengths for signatures/integrity and does not address identity verification or proof mechanisms at all."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Strong hashes block signature forgery or integrity tampering that could enable some spoofing, yet CWE-290 covers many unrelated vectors (protocol flaws, missing identity checks) that this single crypto rule leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.4.4",
      "target_framework": "CWE",
      "target_id": "CWE-257",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V11.4.4 governs KDF usage only when deriving crypto keys from passwords, while CWE-257 addresses recoverable (encrypted) password storage for authentication; the two share no technical overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-1241",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V11.5.1 directly mandates CSPRNG usage (eliminating predictable algorithms) while CWE-1241 describes exactly that single defect, so the control both fully prevents and fully covers the weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-332",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG usage plus 128-bit entropy, eliminating CWE-332 when fully implemented, yet the weakness can still arise from entropy-source availability or integration flaws outside this single control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-333",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Mandating CSPRNG with 128-bit entropy removes direct reliance on raw TRNG output, and thus the CWE-333 defect, for covered values, yet the control supplies no handling logic for TRNG entropy failure where a TRNG is still employed elsewhere (including as a seed source for the CSPRNG)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-335",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Requiring CSPRNG + 128-bit entropy directly blocks predictable seeding, yet leaves other seed-management facets (source choice, reseeding, state protection) unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-336",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V11.5.1's CSPRNG + 128-bit entropy mandate directly blocks reuse of a fixed seed for security-sensitive values, but leaves other seeding or PRNG misuse paths unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-337",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Requiring CSPRNG + 128-bit entropy directly mandates non-predictable seeding and therefore eliminates CWE-337, yet the control still leaves open other seeding or PRNG-implementation mistakes outside its stated scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-338",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V11.5.1 directly mandates CSPRNG + 128-bit entropy for non-guessable values, which eliminates CWE-338 by definition in both directions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-339",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG + 128-bit entropy, eliminating small-seed PRNG defects for its scope, yet B's risk can still arise from non-covered PRNG usages or flawed seeding outside this control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-343",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Mandating a CSPRNG with 128-bit entropy directly eliminates the observable-sequence predictability CWE-343 describes, yet a single generation control cannot address every possible observation or integration vector that contributes to the weakness's overall risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.5.2",
      "target_framework": "CWE",
      "target_id": "CWE-1241",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires the RNG to remain secure under load (touching predictability only indirectly) while B is a fundamental algorithm-design flaw that load testing alone does not eliminate."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.5.2",
      "target_framework": "CWE",
      "target_id": "CWE-343",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's narrow focus on RNG behavior under load only partially mitigates predictability that could surface under stress, while B's fundamental algorithmic weakness is untouched by this single demand-oriented requirement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.6.1",
      "target_framework": "CWE",
      "target_id": "CWE-1204",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V11.6.1 addresses only public-key algorithm selection and key generation, while CWE-1204 concerns IV unpredictability for symmetric primitives that use IVs; the two domains share no overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.6.1",
      "target_framework": "CWE",
      "target_id": "CWE-329",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V11.6.1 addresses only public-key algorithms, key generation and digital signatures; it has no bearing on IV generation or CBC-mode symmetric encryption, so neither direction shows any preventive effect."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.6.2",
      "target_framework": "CWE",
      "target_id": "CWE-757",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mandates approved/strong algorithms and parameters for key exchange but does not address negotiation logic or selection behavior, so it only partially blocks the weakness, while the weakness's full scope (any protocol negotiation) is left largely untouched by this single narrow control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.7.1",
      "target_framework": "CWE",
      "target_id": "CWE-1220",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Memory encryption neither implements nor refines access-control granularity, so it neither prevents the CWE nor removes any of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.7.1",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Memory encryption addresses only the in-use memory facet of the broad CWE-200 exposure weakness, so the control prevents one slice of the weakness (partial) while the weakness itself is only fractionally mitigated by this single narrow control (partial)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-353",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Mandating TLS 1.2/1.3 directly supplies authenticated encryption and thus blocks the 'no integrity' condition for that channel, but the CWE covers any transmission protocol so one TLS-version rule cannot close the entire weakness class."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-757",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks TLS-version downgrade by disabling older protocols, but B also covers cipher/auth negotiation paths outside TLS version selection."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-207",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "TLS cipher standardization can reduce one observable handshake discrepancy vector but leaves the broad behavioral-fingerprinting weakness untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-1390",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates untrusted mTLS cert use (preventing that facet of weak auth), yet B spans many other auth mechanisms this single control leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-179",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces trusted-certificate checks before mTLS identity use, while B concerns premature validation before canonicalization/modification; the two address unrelated ordering problems."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-180",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V12.1.3 addresses mTLS certificate trust validation before authz use; CWE-180 is a generic validate-before-canonicalize ordering flaw in input handling\u2014neither control nor weakness touches the other."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-181",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V12.1.3 enforces trusted-certificate validation before mTLS identity use, while CWE-181 concerns validation occurring before (rather than after) a filtering step; the two address unrelated ordering problems."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces trusted mTLS certificate validation and therefore blocks one common vector of improper authentication, yet addresses only a narrow facet of the broad CWE-287 weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-288",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V12.1.3 only enforces trusted mTLS certificate validation on its own channel and has no bearing on the existence or closure of any alternate unauthenticated path."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-306",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A only ensures correct trust validation when mTLS certificates are already used for auth, so it neither introduces nor covers the absence of authentication required by B."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-322",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V12.1.3 directly enforces trusted-certificate validation for mTLS client identity, eliminating the unauthenticated key-exchange flaw in TLS contexts; CWE-322 remains broader and spans non-TLS protocols and other authentication gaps."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.4",
      "target_framework": "CWE",
      "target_id": "CWE-299",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates proper revocation checking via OCSP Stapling and therefore eliminates CWE-299 when fully implemented; the single control still leaves room for incorrect-check variants outside stapling configuration."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.4",
      "target_framework": "CWE",
      "target_id": "CWE-370",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A only mandates initial revocation configuration (e.g. stapling) and does not address or constrain any subsequent checks, so it neither prevents CWE-370 nor removes any of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.5",
      "target_framework": "CWE",
      "target_id": "CWE-1230",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V12.1.5 directly eliminates SNI metadata exposure in TLS handshakes (one narrow facet of CWE-1230) but leaves all other metadata vectors untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-757",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Mandating TLS with no fallback to unencrypted/insecure comms directly blocks most downgrade paths for external HTTP traffic, yet the CWE spans any protocol negotiation so one TLS-specific control removes only part of the total risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Publicly-trusted TLS certs directly eliminate one narrow trust failure (impersonation of external endpoints) but do nothing to prevent the broad range of supply-chain, updateability, or maintainability defects covered by CWE-1357."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A explicitly mandates TLS with no fallback to insecure protocols, directly eliminating the failing-open behavior for service connections; the weakness is broader and also covers access-control and algorithm-selection failures outside communication security."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-1286",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A performs one narrow, protocol-specific validation and neither stops the general class of syntactic-input flaws from appearing elsewhere nor removes more than a negligible slice of that broad weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-1288",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "TLS certificate validation is transport-layer crypto hygiene and has zero overlap with consistency checks on multi-field application inputs."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-181",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "TLS client certificate validation and validate-before-filter are unrelated concerns in separate domains with no overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks fallback to unencrypted transport (mostly preventing that CWE manifestation) but only covers one narrow facet of the broad failing-open weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-757",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks downgrade to unencrypted/insecure transport, removing most of this weakness in its scoped context, yet B spans any protocol negotiation and is only partly addressed by one service-comms control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-454",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A secures one specific channel (TLS service comms) against tampering and therefore can block one narrow source of untrusted initialization data, but CWE-454 spans many other vectors (files, env vars, CLI, etc.) that A does not address at all."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.5",
      "target_framework": "CWE",
      "target_id": "CWE-300",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates endpoint verification via strong mutual auth for internal channels, eliminating most of this weakness in that scope, yet B spans any channel plus integrity failures that one service-mesh control does not fully close."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.5",
      "target_framework": "CWE",
      "target_id": "CWE-599",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires proper PKI-based TLS client auth for service comms and therefore largely eliminates missing certificate validation, while the narrow OpenSSL coding error can still be introduced if the control's implementation is incomplete."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.5",
      "target_framework": "CWE",
      "target_id": "CWE-603",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly requires server-side verification of every endpoint via strong mutual auth, eliminating client-only auth for internal services, yet only addresses that narrow intra-service slice of the broader CWE-603 risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.5",
      "target_framework": "CWE",
      "target_id": "CWE-923",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates endpoint identity verification via strong auth for internal service channels, eliminating most instances of CWE-923 in that scope, yet the weakness spans any privileged channel and is not fully closed by this single service-mesh-oriented control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-1112",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires complete documentation of one execution-control mechanism (connection limits), preventing incompleteness for that facet only; B's broad scope over all program-execution mechanisms means a single narrow control removes only part of the risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-1118",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mandates documentation of one narrow fallback scenario (connection-limit exhaustion) that touches error-handling docs, but leaves the broad weakness of insufficient error-handling technique documentation almost untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-1325",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A only documents connection-pool limits for DoS avoidance and has no bearing on per-object memory-allocation code that lacks aggregate caps."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-1390",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates strong per-service auth for backend channels and thereby eliminates weak-auth defects in that scope, yet CWE-1390 spans all authentication surfaces so one backend-only control removes only a fraction of the weakness's total risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-1392",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly bans unchanging/default credentials for backend components and therefore removes most instances of CWE-1392 in that scope, yet the weakness also covers defaults in user accounts, admin interfaces and other surfaces that this single control leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-250",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces least-privilege accounts for backend communications and therefore removes most instances of CWE-250 in that scope, yet the weakness can still arise in any other code path or component outside backend comms."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-267",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Least-privilege assignment for backend accounts directly reduces unsafe privilege scope in that narrow domain but leaves the general CWE-267 risk (unsafe actions granted by any privilege) only partially addressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-270",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Least-privilege accounts for backend links can reduce blast radius of a switching flaw but do not address the switching logic itself, so the control only partially mitigates introduction while removing essentially none of the weakness's core risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-1188",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks default credentials for one narrow backend-auth case, preventing that facet of CWE-1188 but leaving all other insecure-default initializations untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-1229",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V13.2.3 addresses only default credential usage in service auth and has no bearing on unintended resource creation or policy-violating emergent resources."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-671",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V13.2.3 enforces one narrow rule on credentials while CWE-671 describes absence of any administrator-configurable security surface, so the control neither prevents the weakness nor removes any meaningful portion of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-1220",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Allowlist for backend comms directly enforces granular outbound access control, preventing CWE-1220 in that scope, yet the weakness spans all access-control domains so one control leaves residual risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-219",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Allowlisting external comms/file targets neither stops developers from placing sensitive files under the web root nor removes the exposure that placement creates."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-57",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Allowlist for backend/file resources can restrict some unauthorized file access but does not address or normalize path-equivalence bypasses such as '../' traversal."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-1220",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A supplies one narrow allow-listing control for backend outbound access, which can mitigate insufficient granularity only in that specific scenario (partial prevention); the broad CWE weakness spans all access-control policies and cannot be removed by this single backend configuration alone (none)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.6",
      "target_framework": "CWE",
      "target_id": "CWE-1059",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires and verifies documentation only for narrow backend-connection settings, so it partially prevents the broad documentation weakness while the weakness itself is only fractionally addressed by this single narrow control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.6",
      "target_framework": "CWE",
      "target_id": "CWE-1322",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's connection-timeout/retry rules can mitigate blocking on service calls but do not stop developers from inserting blocking calls elsewhere in a single-threaded event loop."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.6",
      "target_framework": "CWE",
      "target_id": "CWE-1325",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Connection-configuration controls address external service limits and retries but have no bearing on arbitrary per-object memory allocations or their aggregate bounds."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.6",
      "target_framework": "CWE",
      "target_id": "CWE-435",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's narrow connection-configuration rules can avoid a few integration misbehaviors, but CWE-435 spans arbitrary component interactions far beyond backend comms."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.6",
      "target_framework": "CWE",
      "target_id": "CWE-455",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A specifies connection-parameter configuration but never requires exit or degraded-mode handling on init failure, so it neither prevents CWE-455 nor removes any of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-1083",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Least-privilege controls on secret assets neither address nor constrain code that bypasses an application's designated data-manager component."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-1193",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Secret-management least-privilege rules address credential access and have no bearing on hardware power-on sequencing or fabric-control initialization timing."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-1220",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces least privilege only for secrets so it blocks insufficient granularity solely for that asset class (partial forward); the same narrow scope removes only a fraction of the broad CWE risk surface (partial reverse)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-1230",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Least-privilege controls on secret assets address direct access but have no bearing on metadata-derived exposure."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-1299",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Least-privilege access rules for secrets have no bearing on hardware-level alternate interface protections or bypass paths."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-1083",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "HSM/vault key isolation addresses only cryptographic secret handling and has no effect on whether code bypasses a designated data-manager component."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-1258",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires HSM isolation to keep keys from leaving the module, indirectly reducing exploitability of uncleared debug values, while B is an unaddressed hardware debug-clearing flaw outside the scope of the secret-management control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-1299",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "HSM-based key isolation addresses only cryptographic secret exposure and shares no overlap with alternate hardware-interface bypasses."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-1431",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V13.3.3 mandates use of an HSM/vault solely to protect key material, while CWE-1431 describes a hardware-level output-leak flaw inside the module itself; the control neither eliminates nor meaningfully mitigates that specific leakage vector."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-1053",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Secret rotation/expiry requirements neither create design documentation nor are blocked by its absence."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-1059",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V13.3.4 only consumes existing secret-rotation documentation and does nothing to create or enforce any of the broader technical documentation whose absence defines CWE-1059, so neither direction removes risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1061",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Disabling debug modes mitigates a symptom of leakage but neither eliminates nor meaningfully addresses the underlying design flaw of insufficient encapsulation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-11",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V13.4.2 directly mandates disabling debug modes in production, which fully eliminates the exact ASP.NET debug-binary misconfiguration defined by CWE-11."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1209",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Disabling debug modes directly blocks the covert debug use of reserved bits (mostly), yet the hardware-specific design flaw in CWE-1209 is only one facet addressed by the broader software-oriented control (partial)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1295",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Disabling debug modes in production directly eliminates exposure from this exact weakness (full), yet the underlying coding defect can still exist in source or non-prod environments and may require message sanitization as well (partial)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-215",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Disabling debug modes in production fully eliminates exploitability of any sensitive data left in debug code, yet the control does nothing to stop the insertion itself."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-529",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Disabling directory listings directly blocks the primary exposure vector for ACL files placed in web-visible paths (mostly), yet the weakness also covers other access paths and the root storage decision that one listing control cannot fully close (partial)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.5",
      "target_framework": "CWE",
      "target_id": "CWE-204",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks one narrow source of leakage (docs/monitoring endpoints) that could produce observable discrepancies, but leaves the general CWE-204 weakness untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.6",
      "target_framework": "CWE",
      "target_id": "CWE-1061",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses only one narrow symptom (version strings) of the broad design flaw in B, so it mitigates one facet without eliminating the weakness or removing most of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-213",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Classification forces explicit consideration of stakeholder/regulatory sensitivity views (mostly preventing policy mismatch), yet leaves enforcement, design decisions, and runtime exposure vectors unaddressed (only partial prevention of the full weakness)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation of requirements can indirectly reduce exposure likelihood via better planning but removes none of CWE-200's actual risk, which stems from implementation flaws."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-326",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documenting required encryption strength guides choices but does not enforce correct implementation or address algorithm selection, key management, or other root causes of CWE-326."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-497",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation of requirements (including access controls) can indirectly guide prevention of exposure but removes none of the actual implementation risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-538",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation of protection requirements can partially address logging/access facets of exposure but alone removes none of the implementation risk of placing sensitive data in accessible files."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-550",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A restricts sensitive data placement to bodies/headers while B concerns leakage via server error messages, so the control neither prevents nor addresses the weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-598",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A is a direct, complete verification of the exact practice whose absence defines CWE-598, so the control both eliminates the weakness and accounts for essentially all of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-201",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly verifies and blocks the exact transmission behavior described by CWE-201, but a single verification control cannot cover every possible data-flow path or actor classification that contributes to the weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses outbound sensitive-data leakage to trackers while B concerns inbound executable inclusion from untrusted sources, so neither direction has any preventive effect."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-1112",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V14.2.4 verifies data-protection controls against their own documentation; it neither addresses nor constrains documentation of program-execution mechanisms, so the two items have no preventive relationship in either direction."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-1220",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A touches access controls only narrowly for sensitive data in logs, so it can partially block one facet of insufficient granularity but leaves the broad weakness untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-1230",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's privacy/access controls for sensitive data can touch metadata exposure in logs or defined protection levels (partial forward) but do not specifically mandate metadata-limiting measures, leaving the core CWE-1230 risk untouched (none reverse)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-1272",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V14.2.4 specifies logging/access/privacy controls for sensitive data but never addresses clearing during debug/power transitions, leaving CWE-1272 untouched in both directions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V14.2.4 mostly prevents CWE-200 via its explicit access-control and protection requirements for sensitive data, yet only partially addresses the weakness because many exposure vectors (error messages, side channels, etc.) lie outside this single documented-data control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-326",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly requires verification of encryption controls matched to data protection level, eliminating most instances of inadequate strength, while also encompassing many unrelated data-protection facets."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-1285",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Caching rules for content-type and non-existent files have no bearing on index/offset validation in buffers or files."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V14.2.5 configures cache behavior and error responses for content-type safety; CWE-173 is an input-encoding validation defect unrelated to caching."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-179",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V14.2.5 addresses cache-configuration rules for content-type and non-existent paths; CWE-179 concerns validation-before-sanitization ordering, so the two share no causal link in either direction."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-525",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses non-caching of sensitive content but targets cache-deception rather than browser-cache policy, while B's broad caching weakness is only partly covered by A's narrow deception-focused control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.6",
      "target_framework": "CWE",
      "target_id": "CWE-8",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A reduces exploitability of data exposure from the misconfiguration but does not prevent the J2EE remote-interface flaw itself."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.8",
      "target_framework": "CWE",
      "target_id": "CWE-1230",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly removes sensitive metadata from the exact file-upload scenario CWE-1230 describes, yet only covers one source of metadata exposure and therefore leaves the broader weakness only partially addressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.8",
      "target_framework": "CWE",
      "target_id": "CWE-212",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates removal of sensitive metadata from user files, eliminating the weakness for that vector, while CWE-212 spans many other storage/transfer scenarios that one control cannot fully close."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.8",
      "target_framework": "CWE",
      "target_id": "CWE-226",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces metadata sanitization for one narrow file-upload scenario and therefore only partially blocks the general 'resource not cleared before reuse' weakness, which spans memory, files, and many other reuse paths."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.8",
      "target_framework": "CWE",
      "target_id": "CWE-312",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A eliminates cleartext metadata exposure for one narrow resource type while B spans all storage locations, so each direction addresses only a single facet."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.8",
      "target_framework": "CWE",
      "target_id": "CWE-515",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses only consent-based removal of sensitive file metadata and has no bearing on the existence or exploitability of covert storage channels, which can use any shared storage bits."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.8",
      "target_framework": "CWE",
      "target_id": "CWE-538",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly removes sensitive metadata from user files and thereby fully prevents that specific insertion case, yet CWE-538 covers many other externally-accessible files and directories outside metadata."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-226",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly requires clearing of client storage resources on termination, eliminating most instances of CWE-226 in that scope, yet the weakness spans many other resource types (memory, files, etc.) that this single client-side control leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-1188",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Anti-caching headers address browser storage of responses and have no bearing on whether a resource is initialized with an insecure default value."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-524",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates browser-cache exposure by mandating no-store headers, fully preventing that CWE-524 manifestation, yet the weakness also covers server-side, disk, and memory caches outside A\u2019s scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-525",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact anti-caching headers whose absence defines CWE-525, fully eliminating the weakness when implemented, yet the weakness description also encompasses broader policy decisions beyond a single header directive."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-212",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V14.3.3 directly verifies removal of sensitive data from browser storage and therefore mostly prevents CWE-212 in that setting, yet only partially covers the weakness's full scope across arbitrary storage/transfer surfaces."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1059",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mandates one narrow slice of documentation, thereby partially ensuring some docs exist, while B's broad absence of technical/engineering documentation is virtually untouched by this single requirement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation of update timeframes addresses one narrow facet (updateability planning) and therefore only partially prevents the weakness from remaining exploitable, while removing essentially none of the weakness's broader risk around component selection and trustworthiness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1395",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation of remediation timelines addresses one management facet (forward partial) but alone removes none of the actual dependency risk (reverse none)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-1059",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A supplies only a narrow SBOM-style inventory for third-party components, addressing one limited facet of the broad documentation weakness while leaving product architecture, design, and usage undescribed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-1104",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's SBOM + trusted-repo verification directly blocks introduction of unmaintained components (mostly), yet the weakness can still arise from post-inventory decay or incomplete coverage that one control does not fully close (mostly)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-1177",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "SBOM inventory from trusted repos enables detection of some third-party components but does not enforce explicit prohibition lists or cover internal functions, so A only partially blocks introduction while B's full scope remains unaddressed by this control alone."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks untrusted sources via SBOM/repo verification, preventing most introductions of the weakness, yet B spans additional trustworthiness facets (vetting, maintenance, reliability) that one control does not fully close."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-1060",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation on availability defenses may indirectly flag resource-heavy data patterns (partial forward) but supplies no implementation controls that actually eliminate inefficient query volume (none reverse)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-362",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation of resource limits/parallelism may indirectly surface concurrency concerns (partial forward) but addresses neither synchronization mechanics nor the broad causes of race conditions (none reverse)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-410",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation of resource-heavy paths and suggested mitigations can reduce the chance of an undersized pool being shipped, but supplies zero actual pool capacity or runtime controls."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-662",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's documentation of resource-intensive paths and availability defenses (queues, limits) neither targets nor mitigates the concurrency synchronization defects described by B."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.4",
      "target_framework": "CWE",
      "target_id": "CWE-1059",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses only one narrow documentation facet (risky libs), so it prevents the broad CWE only partially; that single facet removes essentially none of CWE-1059's total risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.4",
      "target_framework": "CWE",
      "target_id": "CWE-1103",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation of risky (security) libraries neither targets nor mitigates platform-dependency of third-party components."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.4",
      "target_framework": "CWE",
      "target_id": "CWE-1177",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation that flags risky libraries can raise awareness and thereby partially deter introduction of prohibited components, but documentation alone removes essentially none of the weakness without accompanying policy enforcement or tooling."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.5",
      "target_framework": "CWE",
      "target_id": "CWE-1053",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A forces narrow documentation of dangerous functionality (partial prevention of total design-doc absence) while B's broad missing-design weakness is untouched by that single narrow requirement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.5",
      "target_framework": "CWE",
      "target_id": "CWE-1059",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mandates documentation only for dangerous functionality (one narrow facet of B's broad scope), so it addresses part but not most of the weakness in either direction."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.5",
      "target_framework": "CWE",
      "target_id": "CWE-1112",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A ensures documentation of dangerous functionality (a subset of execution mechanisms), preventing only part of B while B's broader scope means A alone leaves most risk unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.5",
      "target_framework": "CWE",
      "target_id": "CWE-1118",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires documentation only of dangerous functionality while B concerns missing error-handling documentation, so the two have no overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-1059",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V15.2.1 only checks component freshness against remediation timelines and does not address or require comprehensive technical documentation of architecture, interfaces or design, so neither direction removes any measurable portion of CWE-1059 risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1067",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mitigates availability impact of resource-heavy queries (one facet) but does not address query indexing or prevent CWE-1067's introduction; B's root cause remains untouched by the architecture-level control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-682",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V15.2.2 mitigates availability loss from expensive operations but never constrains calculation correctness, so neither direction removes any part of CWE-682."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-1164",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly verifies and removes irrelevant code from production, fully eliminating the weakness in the deployed product, while a single verification step leaves some upstream development vectors partially open."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-306",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Removing extraneous/dev functionality eliminates the most common source of unauthenticated critical endpoints, but leaves the broader weakness unaddressed on required production functions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-441",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V15.2.4 targets supply-chain package provenance to block dependency confusion, while CWE-441 describes runtime request-source loss in proxies; the two problems and their mitigations are unrelated."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-940",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly implements source verification for one narrow channel (dependency fetches) so it blocks that specific CWE-940 instance, yet the weakness spans all runtime communication origins and is not addressed by a dependency-only control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-1061",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V15.2.5 partially prevents CWE-1061 by listing encapsulation among several isolation techniques for risky components only, while the broad weakness spans all internal representation exposure that this single narrow control leaves mostly unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-1103",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V15.2.5 adds runtime containment around already-chosen risky libraries but never addresses or avoids selection of platform-dependent third-party components, so neither direction removes any part of CWE-1103."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-77",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Sandboxing/encapsulation can limit post-exploitation pivot damage from command injection (partial forward) but does nothing to address the missing neutralization of special elements that defines the weakness (none reverse)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-78",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Sandboxing/risky-component isolation can partially limit post-exploitation impact of command injection but does nothing to prevent the underlying input-neutralization flaw itself."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-495",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly stops returning whole objects and thus blocks most instances of CWE-495, yet the weakness also covers mutable reference semantics and encapsulation design that this single field-subset rule does not fully close."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-611",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A restricts redirect following on backend URL calls while B is an XML-parser configuration flaw allowing external entity expansion; the two mechanisms do not intersect."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V15.3.2 restricts redirect following on outbound URL calls while CWE-829 concerns deliberate import of executable code from an untrusted sphere; the two have no overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses one narrow trust issue (IP provenance from proxies) so only partially prevents introduction of the broad reliance weakness; the weakness spans many component types and properties that this single control does not touch."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-182",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V15.3.4 addresses trusted IP propagation for logging/rate-limiting and has no bearing on data-collapse filtering defects described by CWE-182."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-435",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates one narrow class of proxy-IP interaction errors but leaves the broad CWE-435 space of other multi-entity misbehaviors untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.5",
      "target_framework": "CWE",
      "target_id": "CWE-1024",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V15.3.5 directly mandates strict typing and equality checks that eliminate CWE-1024 comparisons, yet the weakness can still arise from language-level or design issues outside this single defensive-coding outcome."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.5",
      "target_framework": "CWE",
      "target_id": "CWE-1077",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V15.3.5 targets type safety and strict equality to block juggling, while CWE-1077 is a numeric-precision issue unrelated to operand types."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.5",
      "target_framework": "CWE",
      "target_id": "CWE-473",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses only type-checking/strict comparison (one possible symptom of external var tampering) while leaving the root exposure described by B untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.5",
      "target_framework": "CWE",
      "target_id": "CWE-843",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates type-correctness checks that eliminate the exact assumption errors CWE-843 describes, yet the weakness also covers pointer/object casting and memory-layout cases outside variable/equality handling."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.6",
      "target_framework": "CWE",
      "target_id": "CWE-1108",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V15.3.6's narrow Map/Set recommendation mitigates one prototype/global-object vector but leaves the broader structural reliance on globals untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.6",
      "target_framework": "CWE",
      "target_id": "CWE-1321",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V15.3.6 directly mandates code-level verification that eliminates prototype-pollution vectors, while CWE-1321 encompasses broader input-handling and attribute-control issues beyond any single coding pattern."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.7",
      "target_framework": "CWE",
      "target_id": "CWE-1173",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's narrow pollution defenses may incidentally rely on validation but do not require or enforce correct use of any validation framework, while B's broad weakness spans many validation scenarios that this single control leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.7",
      "target_framework": "CWE",
      "target_id": "CWE-441",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V15.3.7 addresses only HTTP parameter pollution from ambiguous input sources, while CWE-441 concerns failure to preserve request origin when forwarding to external actors; the two share no causal overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.7",
      "target_framework": "CWE",
      "target_id": "CWE-444",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V15.3.7 addresses only parameter-name collisions from mixed sources while CWE-444 concerns inconsistent framing/parsing of entire requests by intermediaries, so neither direction overlaps."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.7",
      "target_framework": "CWE",
      "target_id": "CWE-473",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mitigates one facet (parameter-source collisions) of external-variable tampering but leaves other PHP-specific vectors untouched, while B's broad weakness is only narrowed\u2014not removed\u2014by that single defensive-coding outcome."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-1058",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates thread-safe access and synchronization for shared objects, eliminating most exploitability of the exact unsafe static/member pattern in B, while B's narrow scope means A alone removes most but not necessarily all design-related risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-362",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact synchronization primitives that eliminate CWE-362; the weakness can still arise from design-level atomicity or ordering decisions outside this single verification outcome."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-662",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the synchronization mechanisms whose absence defines CWE-662, eliminating the weakness in the multi-threaded shared-object case, yet the CWE also covers processes/components/systems outside V15.4.1's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-362",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates TOCTOU instances of the race via required atomicity, but B covers many other synchronization flaws outside that single control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-363",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates atomic TOCTOU checks that eliminate the exact file-status race CWE-363 describes, yet the weakness can still arise from symlink or directory-edge cases outside a single concurrency control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-366",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates TOCTOU check-act races via atomicity, but that is only one facet of broader thread-level races; B's full risk spans unsynchronized access patterns beyond that single control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-367",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the atomic check-then-act pattern that eliminates the exact TOCTOU window described by B, so the control both fully prevents the weakness and removes essentially all of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-379",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V15.4.2 enforces atomic TOCTOU checks but does not address directory permission choices, while CWE-379 is solely a permissions weakness unaffected by atomicity alone."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-59",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Atomic check-and-act directly closes the TOCTOU race that enables most link-following exploits, yet CWE-59 also covers non-race cases such as unconditional symlink traversal that the control does not address."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-638",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces atomic check+action for permissions and thereby stops one narrow TOCTOU facet of incomplete mediation, but does nothing to ensure repeated mediation on every subsequent access when privileges may have changed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-662",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates only the TOCTOU facet of synchronization via atomic checks, so it prevents one slice of CWE-662 (partial) while the broad weakness spans many other synchronization failures that this single control leaves untouched (partial)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-1048",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Safe-concurrency locking rules have no bearing on the number or scope of outward references from a callable, and high fan-out is a coupling issue outside the scope of any single concurrency control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-1050",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses endless retry/deadlock cases involving locks and thereby mitigates one facet of resource-consuming loops, yet B spans many other resources and loop patterns that A does not touch."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-1096",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires consistent protected locking for resources and thereby eliminates most unsynchronized singleton creation, yet B remains only partially covered because A is a broad concurrency outcome that does not by itself address every singleton design nuance."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-362",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Consistent, protected locking directly eliminates most improper-synchronization race windows, yet CWE-362 also covers non-lock timing flaws and design-level ordering issues that one concurrency control cannot fully close."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-366",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Consistent lock usage directly eliminates most simultaneous-access races, yet the control's emphasis on deadlock avoidance and encapsulation leaves other race vectors (e.g., atomicity, design-level ordering) unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-833",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V15.4.3 directly targets consistent lock usage to avoid mutual waiting, eliminating most deadlock introduction, yet leaves other deadlock vectors (ordering, reentrancy, timing) unaddressed by this single control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.4",
      "target_framework": "CWE",
      "target_id": "CWE-1050",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mitigates starvation effects of resource-hogging loops via fair allocation/thread pools but does not stop the loops themselves; B's broad consumption risk is only narrowly addressed by A's concurrency focus."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.4",
      "target_framework": "CWE",
      "target_id": "CWE-662",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses only the narrow starvation/fairness facet of concurrency via thread pools, partially reducing likelihood of some related defects but leaving the core synchronization failures of CWE-662 untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.4",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's thread-pool/fair-access policies impose limited throttling that only partially blocks unbounded allocation (forward), while B's broad lack-of-limits weakness spans many resources beyond concurrency fairness (reverse)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1102",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Time-source synchronization for logs has no bearing on low-level data-representation choices that vary by machine or OS."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1250",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Time-sync logging addresses only timestamp consistency for event records and does not prevent general shared-state or cache divergence across distributed components."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-184",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Logging rules for sensitive data have no bearing on the completeness of input-disallow lists or the input-validation weakness they leave open."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-213",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mitigates one exposure vector (improper logging of sensitive data) but does not address policy mismatches in other functionality, so a single logging control prevents only part of CWE-213 and, given CWE-213's breadth, removes only part of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-1059",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Logging security events has no bearing on the presence or completeness of technical documentation, and vice versa."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-1429",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Application-level error logging has no bearing on hardware-interface silent-discard behavior, so neither direction prevents the other."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-455",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Logging of errors (A) neither stops improper non-exit behavior on init failure (B) nor is that behavior prevented by logging alone."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Log-encoding control addresses only injection in logs and neither prevents nor mitigates reliance on untrusted components."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1083",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Log-protection controls address integrity of audit records and have no bearing on whether application code bypasses an intended data-manager component."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1220",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Log protection is a narrow integrity control on one asset type and neither eliminates nor is hindered by overly-broad access-control policies elsewhere in the system."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Log protection transmits logs off-system but has no bearing on component selection or trustworthiness, so neither direction prevents the other."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-209",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V16.5.1 directly mandates the exact behavior (generic error messages with no sensitive data) that eliminates CWE-209, so the control both fully prevents the weakness and accounts for essentially all of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-210",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V16.5.1 directly mandates the exact behavior (generic messages with no sensitive data) that eliminates CWE-210, so the control both fully prevents the weakness and removes essentially all of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-211",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly suppresses exposure of external error content via generic responses, preventing exploitability of CWE-211 in most cases, yet the weakness spans interpreter-level messages outside product control so one error-handling outcome removes only part of the total risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-213",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A stops one narrow exposure vector (error messages) but does not address policy incompatibility, so B's root cause remains untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-396",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mitigates info-leakage risk that can result from broad catches but does not stop the declaration of generic exception handlers themselves."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.5.2",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V16.5.2 directly enforces secure failure for external-resource errors (mostly preventing CWE-636), yet the weakness spans many other error paths the control does not address (only partial prevention)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.5.3",
      "target_framework": "CWE",
      "target_id": "CWE-535",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Graceful/secure error handling directly stops exception info from reaching shell messages, yet the weakness also spans unhandled paths and shell-specific exposure that one control does not fully close."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.5.3",
      "target_framework": "CWE",
      "target_id": "CWE-537",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Secure error-handling verification directly stops exception-driven leaks of sensitive data, yet the CWE can still arise from logging configuration or framework defaults outside this single control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.5.3",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates secure failure on errors (eliminating fail-open), while B spans multiple failure-mode facets beyond error-handling verification alone."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.5.4",
      "target_framework": "CWE",
      "target_id": "CWE-600",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A last-resort handler directly catches unhandled servlet exceptions and stops default exposure, yet the weakness also encompasses servlet-specific mapping and output sanitization that this single control does not fully address."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-410",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V17.1.2 directly verifies elimination of resource-exhaustion exposure in TURN, fully preventing CWE-410 for that component, yet only partially addresses the general weakness across an entire product."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-1258",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "DTLS key-management policy has no bearing on hardware debug-register clearing, so neither direction prevents the other at all."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-353",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces DTLS-SRTP (which supplies integrity) for media, blocking the weakness in that scope, yet only addresses one narrow protocol instance of the broad CWE-353 risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-757",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V17.2.2 directly mandates approved/strong DTLS suites and profiles, eliminating downgrade risk for DTLS-SRTP media, yet CWE-757 spans any negotiation protocol so one media-specific control removes only part of the weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-757",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V17.2.3 enforces SRTP authentication checks against RTP injection, while CWE-757 concerns algorithm-negotiation downgrade; the two are unrelated protocol-layer issues."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-349",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V17.2.4 tests robustness to malformed SRTP (availability), while CWE-349 concerns logical mixing of trusted/untrusted data sources; the two share no causal link."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V17.2.4 tests robustness/availability on malformed SRTP input while CWE-636 concerns insecure fallback choices on any error; the two address unrelated failure dimensions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-353",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V17.2.5 addresses DoS resilience for SRTP traffic volume while CWE-353 concerns absence of any integrity mechanism in the protocol itself; the two have no overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.6",
      "target_framework": "CWE",
      "target_id": "CWE-1395",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A tests only one narrow DTLS race condition and therefore catches at most one instance of a vulnerable component, while B spans any vulnerable third-party dependency, so this single verification addresses only a sliver of the weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.6",
      "target_framework": "CWE",
      "target_id": "CWE-362",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V17.2.6 directly verifies and can eliminate one specific DTLS ClientHello race condition (mostly preventing that CWE-362 instance), yet a single narrow check removes only a fraction of the broad class of synchronization flaws covered by CWE-362."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.6",
      "target_framework": "CWE",
      "target_id": "CWE-366",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A verifies one narrow DTLS protocol race condition (preventing that specific instance only), while B describes a broad class of intra-thread races that A does not otherwise target or cover."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.6",
      "target_framework": "CWE",
      "target_id": "CWE-367",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V17.2.6 directly eliminates only one narrow DTLS-specific race condition (one facet of TOCTOU), while CWE-367 spans many check-use patterns across the entire system that this single media-server verification leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.6",
      "target_framework": "CWE",
      "target_id": "CWE-368",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A verifies one narrow DTLS ClientHello case and therefore only partially blocks that facet of CWE-368, while the single control removes essentially none of the weakness's broad risk across arbitrary context switches."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.8",
      "target_framework": "CWE",
      "target_id": "CWE-297",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly implements the missing certificate-to-identity binding check for DTLS/SDP media, thereby blocking that specific manifestation of CWE-297, yet only covers one narrow protocol scenario out of the weakness's broad scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.8",
      "target_framework": "CWE",
      "target_id": "CWE-353",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mandates verifying the DTLS certificate fingerprint against the value signaled in SDP, authenticating the handshake from which the SRTP protection keys are derived and so closing CWE-353 for that media path; the per-packet integrity check itself is supplied by SRTP authentication, and this remains only one narrow protocol use-case of the broad weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.8",
      "target_framework": "CWE",
      "target_id": "CWE-358",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly supplies the exact protocol-mandated certificate check, eliminating this instance of the weakness; B remains only partially addressed because the CWE spans every standardized check across all protocols."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.8",
      "target_framework": "CWE",
      "target_id": "CWE-599",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's DTLS/SDP fingerprint binding authenticates the peer by matching the certificate fingerprint signaled in SDP, a different mechanism from the OpenSSL chain-verification API call whose omission B describes, so the two do not overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-837",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Rate limiting mitigates signaling floods but neither implements nor meaningfully constrains the one-time/unique-action enforcement required by CWE-837."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-119",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly calls for preventing buffer overflows via input validation on malformed messages, blocking most CWE-119 instances in the signaling path; however, the parser that performs that validation must itself handle untrusted bytes, so overflows inside the parsing code are not closed by validation alone, and the weakness is far broader than one server control can fully close."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-606",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's input-validation and error-handling requirements directly block the unchecked loop-condition vector in signaling, yet the CWE spans many other code paths outside that single server."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1059",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires documentation of one narrow topic (input validation rules), which only partially mitigates general insufficient technical documentation while the single narrow rule removes essentially none of B's overall risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1284",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation of quantity-validation rules guides correct implementation (partial forward) but does not itself perform validation or guarantee the code follows the rules (partial reverse)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1285",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation of validation rules can guide correct index handling and thus reduce likelihood (partial), but supplies none of the actual runtime checks required to close CWE-1285."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1286",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documented syntax rules guide developers but do not implement runtime checks, so the control only partially reduces the chance of the weakness while removing none of its actual implementation risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1287",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation of validation rules reduces likelihood of type-validation defects by defining expected checks but does not implement or enforce them in code, addressing only one narrow facet of the weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-164",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation of input-validation rules can indirectly reduce incidence by guiding format checks that may incidentally reject dangerous internal elements, yet supplies no implementation of neutralization and therefore removes essentially none of the weakness's risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-1059",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires one narrow slice of technical documentation, so it addresses only a single facet of the broad insufficiency described by B."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-105",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact validation practice whose absence defines B, eliminating the Struts-specific defect; yet B represents only one narrow framework manifestation of missing validation, so A removes most but not necessarily every related risk vector."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-109",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mandates that input be validated, which the Struts validator satisfies when enabled, so it directly counters the disabled-validator misconfiguration (full); B is a narrow Struts-specific misconfiguration whose risk A removes except for framework-specific configuration details that a generic validation requirement does not spell out (mostly)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-1284",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Fully implementing the broad input-validation control directly eliminates the narrow quantity-validation defect for all inputs (L2+), and conversely that single control removes the entire risk of CWE-1284."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-1285",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Broad input-validation rules directly cover index/offset checks and therefore eliminate most instances of CWE-1285, yet a single general control still leaves some risk if the specific index properties are not explicitly enumerated."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-179",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Full input validation (A) requires effective checks after any modifications, eliminating most early-validation bypasses, yet the narrow ordering flaw (B) is only one facet of validation risk so a single control removes it only partially."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-643",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Strict allow-list validation removes most XPath injection vectors by rejecting XPath metacharacters (quotes, brackets, operators) and unexpected structures, yet leaves residual risk from incomplete rule coverage, and the weakness's root fix is neutralization at the query sink (parameterized or escaped XPath), which validation alone does not provide."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-647",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Input validation on URL inputs used for security decisions can normalize/reject non-canonical paths and thereby block exploitation, yet the weakness ultimately stems from authorization logic assumptions that validation alone does not fully redesign."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-652",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Strict allow-list validation removes most XQuery payloads before they reach query construction, yet the weakness also encompasses missing escaping inside the expression builder itself so validation alone leaves residual risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-105",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Server-side input validation design directly removes the root cause of an unvalidated Struts form field, yet the narrow Struts configuration gap can still exist if the general control is not mapped to the exact validator wiring."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1173",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Trusted-layer validation enforcement largely eliminates incorrect framework usage by requiring correct behavior, yet addresses only one facet of framework misuse risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1284",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "General trusted-layer input validation directly eliminates quantity-validation defects (full prevention) yet still leaves open the possibility of incomplete property checks or edge-case gaps for this narrow weakness (mostly)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1285",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Server-side input validation directly eliminates the specific index/offset validation defect; the weakness's total risk is only mostly removed because correct validation rules for indices must still be explicitly authored."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1286",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Control directly requires server-side input validation, blocking the core omission in CWE-1286, yet leaves open the possibility of incorrect syntactic rules and addresses only one facet of the weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1287",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Enforcing input validation at the trusted layer directly targets and removes most type-validation defects, yet the single general control only partially closes the weakness because it does not guarantee every type-specific check or edge case."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1288",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Enforcing trusted-layer input validation directly eliminates most consistency-validation defects, yet the single broad control still leaves risk from incomplete or narrowly-scoped checks that do not cover every consistency requirement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1289",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Server-side input validation directly requires proper equivalence/canonicalization checks, eliminating most of this narrow validation defect while the control itself is not CWE-specific."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates server-side enforcement for input validation and thereby eliminates client reliance for that control, yet B spans any server-side security decision and is therefore only partly addressed by this single validation outcome."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-237",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's combination-reasonableness checks can catch some structural-input problems but do not address parsing, nesting, or element-order handling that defines CWE-237."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-179",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Business-logic step-order enforcement has no bearing on whether validation occurs before or after input-modification routines."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-1053",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Business-logic limit verification neither produces design documentation nor is itself prevented by its absence."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-1059",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V2.3.2 verifies runtime business-logic limits while CWE-1059 concerns missing engineering documentation; neither activity produces or requires the other."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-110",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Business-logic limit verification has no bearing on Struts form-field/validator synchronization."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-1112",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A verifies implementation against existing docs but never creates or completes documentation, while B is solely a documentation-gap weakness unrelated to business-logic verification."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-1250",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Transactional atomicity at business-logic level directly eliminates most opportunities for divergent shared-state copies, yet the weakness also encompasses replication timing, cache invalidation and non-transactional sync paths that one control cannot fully close."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Atomic rollback enforces a prior correct state for transaction failures (partial prevention of insecure fallback) but addresses only one narrow slice of the broad failing-open weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-1229",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Locking directly stops logic-driven double-booking (mostly prevents this CWE manifestation) yet only covers one narrow resource scenario out of the weakness's many possible emergent-resource vectors (partial coverage overall)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-1250",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces consistency for one narrow class of shared resource counts via locking, preventing that specific manifestation of B, while B's broad distributed-state consistency risk is untouched by this single business-logic control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-1284",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Locking mitigates exploitation of quantity manipulation in limited-resource flows but does not address or eliminate the input-validation defect itself."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-1050",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Anti-automation limits invocation frequency and thereby reduces exploitability of a resource-consuming loop, but does not address or remove the underlying coding defect itself."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-1229",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Anti-automation limits excessive calls that could create or abuse emergent resources, mitigating one exploitation path but not preventing the underlying design flaw that produces such resources."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-1325",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Anti-automation rate-limits calls and can therefore blunt memory-exhaustion exploits, yet leaves the underlying allocation flaw untouched; the coding defect itself is unaffected by call-rate controls."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1059",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires one narrow slice of security documentation, so it only partially eliminates the general insufficiency described by B while B's broad scope means A removes only a fraction of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1112",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mandates documentation only for a narrow set of browser security mechanisms, thereby partially addressing incompleteness for those items while leaving the broad class of program-execution mechanisms untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires documenting secure fallback behavior for missing browser features, which can address one narrow class of fail-open cases, while CWE-636 spans arbitrary error paths that documentation alone leaves almost entirely open."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-205",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses only context-specific content rendering controls while B concerns any observable behavioral differences that leak state, so the two share no overlap in either direction."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-435",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks the browser/server interaction flaw it targets, but B spans many unrelated entity-interaction problems beyond content context."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-441",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses browser rendering context via headers while B concerns request-source preservation in proxies; the two share no mechanism or scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses context-isolation for rendered content while B is a broad error-handling design flaw; the two share no causal relationship in either direction."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-1108",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A recommends avoiding globals on the document object (plus namespaces) as one DOM-clobbering mitigation, so it partially curbs global-variable reliance, yet remains a narrow control that leaves most of the broad structural weakness untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-454",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks only the DOM-clobbering vector of untrusted variable initialization in client-side JS, leaving the broad CWE-454 unaffected by other external sources."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-843",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's strict type checking provides a narrow facet that can catch some JS type mismatches, but A targets DOM clobbering while B is a broad language-level weakness unaffected by namespace or declaration rules."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-614",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the Secure attribute (plus related prefix rules) that B describes, so the control both eliminates the weakness and fully accounts for its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-784",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces transport confidentiality (Secure attribute) and host scoping (cookie-name prefixes) but never validates cookie values or binds them to a user or session, so it only partially mitigates introduction of the weakness while removing almost none of its total risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-1275",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A is the exact verification step that enforces the SameSite attribute setting whose absence defines B, so the control directly eliminates the weakness with no remaining facets."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-352",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "SameSite cookie attributes directly block most cross-site requests that would carry session cookies, yet SameSite=Lax still sends cookies on top-level GET navigations, same-site subdomains bypass it entirely, and the weakness also encompasses token, referer, and non-cookie authentication gaps that one cookie control leaves open."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-435",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Cookie __Host- prefix rule directly eliminates one narrow cookie-host interaction flaw but leaves the broad class of multi-entity behavioral mismatches untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-113",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A only verifies safe ACAO values and allow-listing and never touches CRLF neutralization, so it offers no prevention of CWE-113 in either direction."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1230",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "CORS header rules can block one vector of direct sensitive-data leakage in cross-origin responses but do not address metadata exposure at all."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1289",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires Origin values to be checked against a strict allow-list, which removes the unsafe-equivalence bug (prefix, suffix, or regex matching of origins) in the CORS path, yet it only addresses one narrow instance of unsafe-equivalence checking."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-942",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces a strict CSP (with allowlist/nonces and the listed directives) that eliminates permissive untrusted-domain CSP configurations, but B also encompasses cross-domain policy files and other permissive variants outside A's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.4.5",
      "target_framework": "CWE",
      "target_id": "CWE-598",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Referrer-Policy mitigates only the Referer-header leakage facet of sensitive query strings while leaving logging, history, and other exposure paths untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.4.6",
      "target_framework": "CWE",
      "target_id": "CWE-942",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces a restrictive frame-ancestors directive that blocks the exact permissive-embedding case in B, yet B also covers other CSP directives and cross-domain files that A leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.4.8",
      "target_framework": "CWE",
      "target_id": "CWE-1022",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "COOP header directly blocks window.opener sharing for cross-origin loads, eliminating most of the described abuse, yet the weakness also spans link markup, popup handling, and other opener protections outside this single header."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-352",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates anti-forgery validation that eliminates CSRF, while B can also be mitigated by other mechanisms such as SameSite cookies or CORS preflight that A does not cover."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-441",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A validates request origins to block CSRF on the receiving app; B is a distinct proxy-forwarding flaw about source preservation to external actors, so the two do not overlap in either direction."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-650",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks cross-origin exploitation of unsafe GET state changes via tokens/headers, but leaves the underlying server-side method assumption itself only partially addressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.2",
      "target_framework": "CWE",
      "target_id": "CWE-184",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces proper CORS preflight triggering via header checks and is unrelated to maintaining complete denylists of disallowed inputs."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.2",
      "target_framework": "CWE",
      "target_id": "CWE-648",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "CORS preflight enforcement addresses cross-origin request restrictions while CWE-648 concerns conformance to privileged-API contracts; the two domains share no overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.2",
      "target_framework": "CWE",
      "target_id": "CWE-942",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces that CORS preflight cannot be bypassed for sensitive calls but does not constrain which domains appear in the policy, while B is exactly the defect of listing untrusted domains."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.3",
      "target_framework": "CWE",
      "target_id": "CWE-441",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Origin/Sec-Fetch validation directly blocks cross-origin confused-deputy flows (mostly) yet leaves non-browser, server-to-server, and same-origin proxy cases unaddressed (partial)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.3",
      "target_framework": "CWE",
      "target_id": "CWE-650",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces non-GET methods (or Sec-Fetch validation) for sensitive actions and therefore mostly eliminates CWE-650, yet the weakness's core server-side trust assumption can still be triggered through other vectors the single control does not close."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.3",
      "target_framework": "CWE",
      "target_id": "CWE-940",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly supplies Sec-Fetch-* validation that eliminates most browser-origin cases of CWE-940, yet the weakness spans non-browser channels and design flaws that one control cannot fully close."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.4",
      "target_framework": "CWE",
      "target_id": "CWE-694",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Origin separation via hostnames addresses cross-origin browser interactions but has no relation to duplicate resource identifiers."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.5",
      "target_framework": "CWE",
      "target_id": "CWE-1286",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly requires syntax validation for postMessage (eliminating B in that interface) while B is a broad input-syntax weakness that one narrow browser control only partially covers."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.5",
      "target_framework": "CWE",
      "target_id": "CWE-130",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PostMessage origin/syntax checks address cross-origin trust, while CWE-130 concerns length-field parsing mismatches; the two share no technical overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.5",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly implements origin/syntax checks for postMessage and therefore eliminates most instances of the weakness in that interface, yet B is a broad, cross-cutting authenticity problem that one narrow browser control cannot fully close."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.6",
      "target_framework": "CWE",
      "target_id": "CWE-1061",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Disabling JSONP eliminates one specific cross-origin exposure vector but neither stops nor meaningfully mitigates the broad design flaw of insufficient encapsulation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.6",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "No-JSONP rule blocks one narrow browser-side inclusion vector but does not address the general practice of pulling executable code from outside the trust boundary."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.8",
      "target_framework": "CWE",
      "target_id": "CWE-402",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks cross-origin leakage of authenticated resources via headers/validation, preventing most instances of B in web contexts, yet B spans many non-browser spheres so one control covers it only partially."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.8",
      "target_framework": "CWE",
      "target_id": "CWE-441",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks cross-origin confused-deputy flows via Sec-Fetch/CORP validation, but CWE-441 also covers non-browser proxy scenarios outside A's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.6.1",
      "target_framework": "CWE",
      "target_id": "CWE-1289",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "SRI-based external-resource integrity has no bearing on input-equivalence validation for resource identifiers."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.7.1",
      "target_framework": "CWE",
      "target_id": "CWE-111",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A restricts deprecated browser plug-ins while B concerns unsafe native calls from Java; the two domains do not overlap, so there is no prevention in either direction."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.7.2",
      "target_framework": "CWE",
      "target_id": "CWE-179",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A is a narrow redirect-allowlist requirement unrelated to validation ordering, so it neither prevents CWE-179 nor removes any measurable portion of that weakness's risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.7.2",
      "target_framework": "CWE",
      "target_id": "CWE-601",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates an allowlist check that eliminates exploitable open redirects, while B's broader risk surface (input handling, validation gaps) means one control removes most but not every facet."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.7.3",
      "target_framework": "CWE",
      "target_id": "CWE-267",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A is a browser redirect-warning control unrelated to privilege design, so it neither prevents CWE-267 nor removes any of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.7.3",
      "target_framework": "CWE",
      "target_id": "CWE-349",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A is a narrow UI notification for external redirects while B is a broad data-handling flaw about mixing trusted/untrusted inputs; the two share no causal relationship."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.7.4",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "HSTS preload list membership addresses only transport-layer enforcement and has no relation to component trustworthiness or supply-chain risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-444",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Content-Type enforcement addresses only response metadata/charset correctness and has no bearing on the framing or proxy-vs-destination parsing inconsistencies that define CWE-444 smuggling."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-213",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses one narrow transport-leakage scenario that can result from policy mismatch, but does not define or reconcile stakeholder policies so cannot prevent CWE-213 itself."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-113",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mitigates user override of specific proxy headers (one facet of header injection) but does not address CRLF neutralization at all, so it leaves the general weakness fully intact."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-441",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks the header-override vector that commonly enables CWE-441 in web proxies, but the weakness also covers non-header source-preservation failures outside HTTP."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-444",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A guards against user override of intermediary headers but does not constrain how an intermediary parses ambiguous requests, so neither direction mitigates CWE-444's inconsistent-interpretation root cause."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.1.4",
      "target_framework": "CWE",
      "target_id": "CWE-1061",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Method allow-listing blocks one narrow vector for invoking unexpected functionality but does nothing to hide internal representations or close the broader design-level encapsulation gap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.1.4",
      "target_framework": "CWE",
      "target_id": "CWE-650",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Method allow-listing blocks unintended verbs but does not eliminate server-side logic that performs state changes on GET."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-1250",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "HTTP message-boundary validation targets request smuggling via header parsing and has no mechanism that touches distributed state/cache consistency."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-130",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces correct Content-Length vs. actual length handling for HTTP, eliminating most instances of the weakness in that domain, yet B spans arbitrary message formats beyond HTTP so one protocol-specific control removes only part of its total risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-444",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact boundary and header-consistency rules that eliminate inconsistent interpretation, while B can still involve response paths and downstream entity quirks outside a single validation control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-130",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A eliminates inconsistent lengths only in generated messages (addressing one facet of smuggling risk) while B describes a parser-side flaw that A does not modify or correct at all."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-444",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly targets Content-Length/framing consistency to block smuggling vectors, preventing most instances of the weakness, while B's broader inconsistent-interpretation risk spans additional vectors (Transfer-Encoding, chunking, etc.) that one narrow check leaves open."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-113",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly targets response splitting via HTTP/2-3 header rules, eliminating most such defects, yet B's broad CRLF-neutralization gap spans additional vectors and protocols that this single control leaves open."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-1288",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces HTTP header consistency to block splitting/injection, eliminating most instances of that CWE facet, yet B spans arbitrary multi-field inputs far beyond HTTP/2-3 headers so one narrow control leaves the general weakness only partially addressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-444",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks the Transfer-Encoding vector that commonly enables smuggling in HTTP/2/3, but B covers any inconsistent parsing by intermediaries so one narrow validation removes only part of the weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-644",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A restricts only connection-specific headers in HTTP/2/3 to block splitting, while B concerns failure to neutralize scripting syntax inside arbitrary header values; the two controls address disjoint facets of header handling."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-113",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly rejects CRLF sequences in incoming headers, eliminating the described injection vector; B's broader neutralization flaw across outgoing header construction is only partly addressed by this single input check."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-444",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A blocks newline-based header injection on HTTP/2/3 endpoints and thereby stops one smuggling vector, yet leaves the core inconsistency between intermediary and destination parsers untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-93",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates CRLF sequences in HTTP headers (full prevention for that vector), yet CWE-93 spans many other input contexts so one HTTP-specific control leaves substantial residual risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-1049",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Cost/depth controls in A directly block exploitable expensive joins/subqueries (mostly), yet B can still be written in any data layer outside GraphQL controls (partial)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-1067",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "GraphQL cost controls can partially limit exploitability of expensive queries but do not address or prevent missing SQL indexes at all."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-606",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mitigates GraphQL query-complexity DoS via allow-lists/depth/cost analysis while B is a general coding flaw of unchecked loop bounds; the two mechanisms and scopes are unrelated."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-643",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses GraphQL DoS via query-cost controls while B is an XPath injection flaw in XML query construction; the two share neither technology nor vulnerability class."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-917",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "GraphQL DoS controls (query limits/allowlists) have no relation to neutralizing expression-language injection."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-207",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Disabling introspection removes one observable GraphQL-specific behavior (partial prevention of that discrepancy vector) but addresses only a narrow slice of the broad CWE-207 class of product-identifying differences."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-671",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Disabling GraphQL introspection is a narrow, feature-specific rule that neither addresses nor is addressed by the broad lack of administrator-configurable security settings."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1385",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Control A directly implements the exact Origin-header check whose absence defines CWE-1385, eliminating the weakness when fully applied, yet the weakness description still admits other validation gaps (e.g., post-handshake or non-Origin checks) that one control does not close."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-183",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "The control mandates an allow-list for origins but neither eliminates the possibility of that list being too permissive nor addresses the general CWE of permissive allow-lists."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-184",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A implements an allowed-origin allow-list for WebSocket, directly avoiding any reliance on an incomplete disallowed-input denylist, yet addresses only this narrow case and leaves the general CWE-184 risk elsewhere untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.4.4",
      "target_framework": "CWE",
      "target_id": "CWE-384",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates session-fixation risk during HTTPS-to-WebSocket transitions by mandating authenticated-token validation, but only addresses that narrow facet of the broad CWE-384 weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1284",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation of size limits addresses one facet of quantity validation for uploads, partially preventing the weakness from being introduced, but by itself removes essentially none of the broad coding flaw's risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-434",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation defines expected file-type rules and reduces likelihood of the weakness during design, but supplies no runtime enforcement so the weakness remains fully possible."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-120",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V5.2.1 limits uploaded file sizes to avoid resource-exhaustion DoS and has no bearing on whether buffer-copy code performs size checks, so neither direction prevents the other."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1287",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact type/content validation that B describes for file inputs, fully eliminating the weakness in that scope, while B spans all input types so one file-specific control removes only part of its overall risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1289",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A's content/magic-byte checks mitigate some file-type equivalence bypasses during uploads, but B is a broad input-canonicalization weakness that one narrow upload control leaves almost entirely unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-61",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A blocks only the compressed-upload symlink vector (one narrow facet of introduction), while CWE-61 spans every file-open operation so this single control removes only a fraction of total risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-64",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks one upload vector for symlink abuse but does not address .LNK parsing or resolution at all, so it removes only a narrow slice of the broader shortcut-following weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.2.6",
      "target_framework": "CWE",
      "target_id": "CWE-190",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A bounds image dimensions before size calculations, eliminating one narrow overflow path in uploads, while CWE-190 spans arbitrary arithmetic throughout an application."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-349",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V5.3.1 addresses execution of uploaded files while CWE-349 concerns mixing trusted/untrusted data during processing; the two share no overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-433",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks execution of untrusted uploads (mostly preventing CWE-433 exploitation), yet B also covers storage location and extension-handling choices that one verification does not fully eliminate."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-22",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V5.3.2 directly mandates the exact pathname neutralization that eliminates CWE-22, so the control fully prevents the weakness and the weakness is fully prevented by this control alone."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-23",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates the exact avoidance or sanitization of untrusted path components that CWE-23 describes, fully eliminating the weakness when implemented, yet the single control still leaves a residual facet of risk around edge-case pathname canonicalization outside its file-storage scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-57",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates trusted paths or strict sanitization that eliminates this exact path-equivalence bypass; the single control removes nearly all risk of CWE-57 but leaves minor residual exposure if normalization edge cases remain."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-73",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V5.3.2 directly mandates trusted names or strict validation for file paths, eliminating most instances of CWE-73 in file operations, yet the weakness spans broader path/file influences beyond this single control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-918",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V5.3.2 directly eliminates SSRF vectors arising from untrusted file paths/metadata, but leaves the broader weakness open via non-file inputs such as arbitrary URL parameters."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-1285",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces path validation for one narrow file-decompression scenario that falls under CWE-1285, eliminating that facet but leaving the broad class of index/offset validation defects untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-1386",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mitigates generic path traversal during decompression and can incidentally block some junction-based escapes, yet leaves the core Windows junction/mount-point resolution flaw untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-1286",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces syntactic validation only for filenames in downloads (one narrow facet of B), while B spans all input syntaxes so a single control removes only limited risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-444",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Filename sanitization in download responses has no bearing on HTTP message parsing consistency between intermediaries and endpoints."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V5.4.2 directly neutralizes special elements in file-name output and therefore blocks that injection vector, yet CWE-74 spans many other downstream interpreters that this single control leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1059",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A supplies documentation for one narrow domain (auth controls), thereby partially eliminating the general insufficiency described by B, while B's broad scope across all product elements means this single control removes only a fraction of the total risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1112",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires narrow documentation of auth-rate-limiting controls while B concerns missing documentation of general program-execution mechanisms, so the two have no overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1118",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires documentation only for authentication defenses while B concerns error-handling documentation, so the two topics share no overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-1023",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A ensures consistent factor documentation across auth paths only, partially blocking one narrow slice of CWE-1023 while leaving the broad weakness untouched elsewhere."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-757",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documentation of required auth strengths across pathways can surface downgrade risks during review (partial prevention) but supplies no runtime negotiation logic or enforcement, leaving the core CWE-757 flaw untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-1284",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Enforcing password length requires validating one specific quantity, so A only partially addresses B's general validation flaw while leaving all other quantity inputs untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-193",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Password-length rules address authentication policy and have no relation to off-by-one calculation defects in code."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.11",
      "target_framework": "CWE",
      "target_id": "CWE-671",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.2.11 addresses only password guessing via wordlists and has no bearing on administrator configurability of security features."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.12",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Breached-password checking directly blocks one class of weak passwords (partial forward) but leaves length/complexity rules and overall policy unenforced, so it removes only one facet of the broad CWE weakness (partial reverse)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1391",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Password-change capability lets users replace defaults (partial prevention of one facet) but does nothing to stop hard-coded or initially weak credentials from existing."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-280",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Password-change verification is unrelated to privilege-insufficiency handling and neither prevents nor mitigates CWE-280."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-306",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A adds authentication to one specific critical function (password change) and therefore only partially blocks introduction of CWE-306, while the broad weakness spans many other functions that A does not touch at all."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.2.4 directly blocks the top 3000 weak passwords at registration/change time, eliminating most instances of CWE-521, yet the weakness also covers absent length/complexity rules that this single control does not address."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.5",
      "target_framework": "CWE",
      "target_id": "CWE-89",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Password composition policy has no connection to SQL command construction or neutralization of input."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.6",
      "target_framework": "CWE",
      "target_id": "CWE-549",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.2.6 directly mandates the exact masking behavior whose absence defines CWE-549, so the control fully eliminates the weakness in both directions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.9",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Permitting 64-character passwords removes one common length-limit facet of weak requirements but neither enforces any strength rules nor covers the weakness's full scope of missing complexity/length policies."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-1059",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Authentication brute-force controls have no bearing on existence or completeness of technical documentation, and vice versa."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-1391",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mitigates exploitation of guessable credentials via rate limiting but does not stop their introduction, while B is a design/implementation flaw unaffected by runtime brute-force controls."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-1188",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates the specific insecure-default case of default accounts, but CWE-1188 covers many other resource types that this single control leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.2",
      "target_framework": "CWE",
      "target_id": "CWE-1391",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Control A directly removes default accounts (a core CWE-1391 example) and so prevents most instances, yet the weakness also covers hard-coded/derived/guessed credentials beyond defaults, so one control addresses it only partially."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.3.3 directly mandates MFA (or equivalent) for application access and thus fully eliminates single-factor reliance for that decision; CWE-654 remains only partially prevented because the weakness applies to any security decision, not just authentication entry points."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.3.3 directly mandates correct use of a strong auth protection mechanism, eliminating most auth-related instances of CWE-693, yet the weakness spans every protection mechanism so one control covers only a facet."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-837",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.3.3 addresses only initial authentication strength and intent, while CWE-837 concerns post-auth business-logic enforcement of action uniqueness; the two are unrelated."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-1023",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses undocumented auth pathways and consistent strength enforcement; B is a general comparison-logic flaw unrelated to pathway documentation or consistency checks."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-1242",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly targets undocumented auth pathways (preventing that slice of B) but leaves all non-auth undocumented features untouched, so each direction rates as only partial."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks undocumented single-factor paths by mandating consistent strength across pathways, but leaves single-path or policy-decision cases of CWE-308 unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-656",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A eliminates undocumented auth pathways (one obscurity vector) but does nothing to stop reliance on hidden algorithms or keys elsewhere, so B's overall risk remains untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.4",
      "target_framework": "CWE",
      "target_id": "CWE-757",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces consistent auth strength across pathways (partially blocking weaker-path exploits) but does not address algorithm negotiation or selection logic at all."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.5",
      "target_framework": "CWE",
      "target_id": "CWE-1023",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Notification of suspicious attempts is unrelated to whether comparison logic itself includes all required factors."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.6",
      "target_framework": "CWE",
      "target_id": "CWE-1390",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A eliminates one narrow weak factor (email) and so only partially blocks the general weakness; B's broad risk surface is otherwise untouched by this single rule."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.6",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A bans only email as a factor and therefore blocks the single-factor case that uses email but leaves all other single-factor schemes untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.6",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A bans one specific mechanism (email) without constraining the number or independence of factors, so it neither prevents CWE-654 nor removes any measurable portion of that weakness's risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A only mandates short-lived initial secrets and never touches the product's general password-aging interval, so it neither prevents CWE-263 nor removes any measurable portion of that weakness's risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-343",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mandates cryptographically secure random generation for initial secrets, directly blocking predictable-value flaws in that narrow scope, yet leaves the underlying RNG weakness untouched for all other uses."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-459",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces expiration/cleanup only for initial auth secrets, directly addressing one narrow slice of incomplete cleanup while leaving the broad weakness otherwise untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A only mandates secure random generation, policy adherence and short expiry for initial secrets and does not define or enforce password strength rules, so it neither prevents nor is sufficient to block CWE-521."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1390",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A eliminates only the narrow KBA/secret-question facet of weak authentication, so it addresses one contributor to CWE-1390 without covering the weakness's broader scope of insufficient identity proofing."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1391",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A eliminates one narrow class of guessable KBA secrets but leaves defaults, hard-coded values and other weak-credential vectors untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.4.2 only disallows hints/KBA in recovery flows and has no bearing on whether the primary login uses single-factor authentication."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-288",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "The control eliminates bypass only via the password-reset channel, while CWE-288 covers any alternate unauthenticated path, so each direction addresses merely one facet."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-289",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Password-reset MFA enforcement has no bearing on name canonicalization or alternate-identifier checks during authentication."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Password-reset recovery that preserves MFA neither targets spoofing vectors in auth schemes nor removes any of the root causes of CWE-290."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-305",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks one recovery-specific bypass vector but leaves all other primary weaknesses untouched, so it only partially prevents the broad CWE-305 class, and the class's total risk is likewise reduced only partially by this single narrow control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A protects an already-enabled MFA path during reset but never requires or enforces multi-factor authentication, so it neither prevents nor meaningfully mitigates CWE-308."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.4",
      "target_framework": "CWE",
      "target_id": "CWE-1390",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly strengthens identity proofing only for MFA recovery flows, eliminating that narrow slice of CWE-1390 but leaving enrollment, factor strength, and other auth paths untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.4",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.4.4 directly enforces proper identity proofing only during MFA-factor recovery (one narrow facet of authentication), so it partially blocks CWE-287 in that scenario while removing only a small slice of the weakness's overall risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.4",
      "target_framework": "CWE",
      "target_id": "CWE-306",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.4.4 only governs identity-proofing during MFA-factor recovery and does not address whether authentication exists for critical functions at all."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.6",
      "target_framework": "CWE",
      "target_id": "CWE-648",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.4.6 constrains admin password-reset behavior while CWE-648 concerns nonconformant calls to privileged APIs, so the control neither prevents nor meaningfully mitigates the weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-341",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Single-use enforcement for MFA tokens addresses replay/reuse but has no bearing on whether values are generated predictably from observable state."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-662",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Single-use enforcement for auth secrets addresses replay but shares no mechanism or scope with improper multi-threaded synchronization of arbitrary shared resources."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.1",
      "target_framework": "CWE",
      "target_id": "CWE-837",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly implements single-use enforcement for specific auth tokens, eliminating that facet of CWE-837, yet B spans arbitrary actions outside authentication so one control cannot address its full scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.2",
      "target_framework": "CWE",
      "target_id": "CWE-328",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A forces strong hashing only for low-entropy lookup secrets in MFA storage, eliminating CWE-328 in that narrow case but leaving the broad weakness untouched elsewhere."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.2",
      "target_framework": "CWE",
      "target_id": "CWE-331",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.5.2 only mandates salted hashing for already-low-entropy lookup secrets and never constrains entropy sources or generation, so it neither prevents CWE-331 nor removes any of its risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.2",
      "target_framework": "CWE",
      "target_id": "CWE-343",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.5.2 addresses only secure hashing of stored low-entropy lookup secrets and has no bearing on RNG state or value predictability."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.2",
      "target_framework": "CWE",
      "target_id": "CWE-760",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates a 32-bit random salt for the relevant secrets, eliminating predictable-salt usage; however, CWE-760 spans all password/lookup hashing contexts, so one MFA-specific rule only partially covers the weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.3",
      "target_framework": "CWE",
      "target_id": "CWE-1241",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG use for MFA secrets and thus eliminates predictable RNG in that scope, while B is a broad RNG weakness whose total risk is only partly addressed by one narrow control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.3",
      "target_framework": "CWE",
      "target_id": "CWE-337",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG use for TOTP/lookup seeds and thereby eliminates CWE-337 in that scope, yet the weakness exists in many other PRNG contexts outside MFA."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.3",
      "target_framework": "CWE",
      "target_id": "CWE-341",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG for auth secrets/codes/seeds, eliminating observable-state predictability for those items; CWE-341 remains broader and can still arise elsewhere."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.3",
      "target_framework": "CWE",
      "target_id": "CWE-343",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG for the listed auth values and thereby eliminates predictability for those generators, while B remains only partially covered because the weakness applies to any RNG in the product."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.4",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "The control directly strengthens only one narrow facet of MFA (entropy of lookup/OOB secrets) and therefore only partially blocks introduction of that specific flaw, while CWE-287's broad scope across all authentication mechanisms means this single requirement removes essentially none of the weakness's overall risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.4",
      "target_framework": "CWE",
      "target_id": "CWE-333",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces output entropy for specific auth secrets and therefore only indirectly touches RNG quality, while CWE-333 concerns general TRNG failure-handling behavior that A never addresses."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.5",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Lifetime limits address one narrow facet of token misuse but leave the broad space of identity-proof failures untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.5",
      "target_framework": "CWE",
      "target_id": "CWE-341",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Short lifetimes reduce the exploitation window for time-based tokens but do not address or eliminate the underlying predictability from observable state."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.7",
      "target_framework": "CWE",
      "target_id": "CWE-1023",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces multi-factor use (preventing single-factor biometric comparisons) but only addresses one narrow slice of the broad CWE-1023 comparison defect."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.7",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.5.7 directly blocks one narrow biometric-primary failure mode of improper authentication (partial prevention) but leaves the vast majority of CWE-287 surfaces untouched (none of total risk removed)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.8",
      "target_framework": "CWE",
      "target_id": "CWE-341",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks client-time manipulation for TOTP predictability (mostly), yet CWE-341 spans many other observable-state vectors this single control leaves untouched (partial)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.6.1",
      "target_framework": "CWE",
      "target_id": "CWE-288",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly hardens one common class of alternate channel (SMS/PSTN OTP) via validation and deprecation rules, thereby preventing that slice of CWE-288, yet leaves other bypass paths untouched, so neither direction reaches the \"mostly\" rating."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.6.1",
      "target_framework": "CWE",
      "target_id": "CWE-341",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.6.1 governs when/which OOB channels may be offered and does not constrain OTP generation or observable state, so it neither prevents CWE-341 nor removes any measurable portion of that weakness's risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.6.1",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.6.1 constrains only OTP delivery and method selection; it never touches error paths or fallback states, so neither direction has any preventive effect."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.6.2",
      "target_framework": "CWE",
      "target_id": "CWE-441",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.6.2 binds OOB tokens to their originating request to block replay, while CWE-441 concerns failure to preserve request source identity when acting as a proxy; the two address unrelated problems."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.6.3",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "The control directly hardens one class of OOB protection mechanism against brute-force failure, but CWE-693 spans every possible protection mechanism so a single narrow control removes only part of the weakness's total risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.6.4",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.6.4 only hardens an already-deployed MFA channel and never addresses whether single-factor authentication is used at all, so neither direction removes any of CWE-308."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.7.2",
      "target_framework": "CWE",
      "target_id": "CWE-1284",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mandates one narrow length check for nonces while B is a general failure to validate any quantity field; the two are unrelated."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.1",
      "target_framework": "CWE",
      "target_id": "CWE-694",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates composite (IdP+user) identifiers, eliminating the duplicate-ID flaw for multi-IdP auth, yet only addresses one narrow facet of the broad CWE-694 weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.2",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates unsigned/invalid assertion attacks (one facet of CWE-287) but leaves all other improper-auth vectors untouched, so each direction rates only partial."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.2",
      "target_framework": "CWE",
      "target_id": "CWE-649",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates signature-based integrity validation for auth assertions, eliminating the described weakness in that narrow scope, yet B spans any obfuscated/encrypted input so one control cannot address the full risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.3",
      "target_framework": "CWE",
      "target_id": "CWE-323",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A addresses SAML assertion replay via unique IDs while B is a cryptographic encryption-nonce reuse flaw; the control neither implements nor constrains nonce/key handling in ciphers."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.4",
      "target_framework": "CWE",
      "target_id": "CWE-1390",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V6.8.4 directly enforces verification of IdP-provided strength claims (or safe fallback), eliminating most weak-auth defects in that usage pattern, yet leaves the broad CWE-1390 surface (non-IdP mechanisms, broken protocols, missing multi-factor, etc.) only partially addressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.4",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces verification of IdP auth claims (or safe fallback), eliminating most improper-auth defects in IdP flows, yet CWE-287 spans many other auth surfaces this single control leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.4",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces IdP claim checks (or safe fallback) and so largely eliminates single-factor use when stronger auth is required; B remains only partially addressed because the weakness also arises in non-IdP flows and broader auth design."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1068",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Documenting session timeouts reduces mismatch likelihood only for that narrow topic (partial prevention); the broad CWE is untouched by one specific documentation requirement (none)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-1250",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Session-management documentation in federated SSO systems has no bearing on consistency of independent shared-state replicas across distributed components."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-1023",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Backend session-token verification neither mandates nor addresses completeness of multi-factor entity comparisons, so the two are unrelated."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-1057",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Session-token verification has no bearing on whether data-access code bypasses a central data-manager component."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-1083",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Session-token verification on a backend service has no bearing on whether data-access code bypasses an intended data-manager component."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-454",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly stops client-side tampering only for session tokens via backend verification, mitigating one narrow facet of external initialization, while B spans arbitrary trusted variables and data stores that A never touches."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-841",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Backend token verification can indirectly reduce client-side tampering that enables workflow bypasses (partial) but does not itself implement or enforce any behavioral sequence checks (none)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1052",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates static secrets/keys for sessions (mostly preventing that facet of B), yet B spans all initialization literals, so one control removes only part of the overall risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1106",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly discourages static literal secrets for one narrow purpose, giving partial prevention of that CWE manifestation, while the CWE spans all magic values so A removes none of its overall risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-344",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates invariant static secrets for sessions by requiring dynamic tokens, but CWE-344 spans many other contexts that this single control leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-1241",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG+entropy for session tokens, eliminating predictable RNG in that scope, but B is a device-wide weakness that A only partially constrains."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-332",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG + 128-bit entropy for session tokens, eliminating that specific instance of CWE-332, yet covers only one narrow use of PRNGs and so leaves the broader weakness largely unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-335",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A forces CSPRNG + 128-bit entropy for session tokens (directly eliminating bad seeding in that scope), yet B is a general PRNG-seeding flaw that can appear in many other contexts one session control does not cover."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-336",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG + 128-bit entropy for session tokens, eliminating same-seed predictability in that scope, yet B can still exist in any other PRNG usage outside sessions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-337",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG + 128-bit entropy for session tokens, eliminating predictable-seed flaws in that scope (mostly), yet leaves the broader CWE-337 risk untouched in all other PRNG uses (partial)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-338",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG + 128-bit entropy for session tokens, eliminating weak-PRNG use in that narrow scope; the CWE remains broader and can appear in any security context outside sessions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-339",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly mandates CSPRNG + 128-bit entropy for tokens, eliminating small seed space in that usage; B spans all PRNG applications so one control removes only part of its total risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-343",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mandates CSPRNG + 128-bit entropy for session tokens, directly eliminating predictability (CWE-343) in that scope; the same control only partially prevents the weakness overall because the product's RNG could still be weak elsewhere."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-302",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V7.2.4 addresses only session-token regeneration on auth events and has no bearing on weaknesses that arise from assuming arbitrary data elements are immutable."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-304",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces one specific authentication step (session regeneration) and so prevents that facet of CWE-304, yet leaves all other possible missing steps unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-305",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A eliminates session fixation (one primary weakness enabling auth bypass) but leaves all other bypass vectors untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Session termination directly enforces fail-closed behavior for one narrow case but leaves the broad failing-open weakness untouched in error handling, crypto, and access decisions elsewhere."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Session termination on account disable is an account-lifecycle control unrelated to error-handling paths or secure-fallback design, so neither direction has any preventive effect."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.4.3",
      "target_framework": "CWE",
      "target_id": "CWE-640",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Session termination after a recovery-driven password change addresses one post-exploitation facet (reducing session hijack impact) but leaves the recovery mechanism's inherent weaknesses untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.4.5",
      "target_framework": "CWE",
      "target_id": "CWE-771",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Session termination addresses user session lifecycle while CWE-771 concerns low-level resource reference tracking; the two domains share no overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.5.2",
      "target_framework": "CWE",
      "target_id": "CWE-1023",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Session termination UI has no bearing on whether comparison logic includes all required factors."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.6.1",
      "target_framework": "CWE",
      "target_id": "CWE-1250",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A touches only auth-session lifetime consistency between IdP/RP while B is a broad distributed-state consistency flaw across any data."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.6.1",
      "target_framework": "CWE",
      "target_id": "CWE-1390",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V7.6.1 only governs session lifetime/re-auth timing in federated flows and does not strengthen or validate the underlying identity-proofing mechanism that CWE-1390 concerns."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.6.1",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A enforces re-auth timing in federated sessions, mitigating only one narrow facet of improper auth; the broad CWE-287 weakness spans initial identity proof, credential handling, and many other vectors untouched by this control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.6.2",
      "target_framework": "CWE",
      "target_id": "CWE-1050",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Session-consent rules address authentication flow and have no effect on unbounded resource consumption inside loops."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.6.2",
      "target_framework": "CWE",
      "target_id": "CWE-384",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A partially blocks silent/pre-created sessions that enable fixation but never addresses invalidation of existing IDs, so it removes none of CWE-384's core risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.6.2",
      "target_framework": "CWE",
      "target_id": "CWE-837",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces explicit single-action consent for session creation and so largely eliminates that CWE instance, yet B spans many non-session actions that A never touches."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.1",
      "target_framework": "CWE",
      "target_id": "CWE-1112",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A covers only the authorization facet of execution-control documentation, so it prevents one slice of CWE-1112 while leaving other mechanisms unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-1059",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A supplies one narrow slice of required documentation and therefore only partially eliminates the broad absence of technical docs (B), while B's wide scope means this single control removes only a fraction of the overall weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Authorization documentation can indirectly guide secure failure behavior for access rules (partial prevention of introduction), but addresses only a narrow slice of the broad failing-open weakness and does not constrain error-handling implementations."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-1112",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A requires documentation of a narrow slice of security-decision attributes that can influence execution, so it only partially closes the broader gap described by B."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.4",
      "target_framework": "CWE",
      "target_id": "CWE-1112",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A mandates documentation of contextual authz decisions (one narrow facet of execution control) and so prevents B only partially, while B's broad program-execution scope is not addressed by A at all."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.4",
      "target_framework": "CWE",
      "target_id": "CWE-671",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Requiring documentation of contextual authorization factors partially surfaces environmental tailoring options but supplies no actual administrator controls or configurability, leaving the core weakness untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-749",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V8.2.1 directly enforces function-level permission checks that block exposure of dangerous methods, yet the weakness also encompasses design choices about which functions are inherently dangerous and how they are surfaced via any API."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-782",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly requires function-level access control that would block an unprotected IOCTL, but B's narrow kernel/driver exposure surface is only partly covered by the general application-oriented control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-349",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly stops client-side manipulation of authorization decisions (one facet of treating untrusted data as trusted) but is too narrow to address the broader data-mixing weakness described by B."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-454",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks external/client-driven initialization of trusted authorization variables by mandating a server-side trusted layer, but only covers the authorization facet of the broader CWE-454 weakness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.3.1",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "full",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly eliminates reliance on client-side enforcement for authorization (full prevention of that CWE facet), yet CWE-602 spans any server-protection logic, so one authz control leaves residual risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-280",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V8.3.3 enforces correct subject permissions for authorization decisions but does not address error handling or state transitions when those permissions are insufficient, leaving CWE-280 fully possible."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-289",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V8.3.3 enforces propagation of the original subject's identity for authorization decisions, while CWE-289 is a name-canonicalization flaw that allows authentication bypass regardless of whose permissions are later consulted."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.3.3",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V8.3.3 enforces subject-based authorization on every hop but never addresses error paths or fallback behavior, while CWE-636 is exclusively about insecure failure modes unrelated to delegation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-694",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V8.4.1 enforces cross-tenant permission boundaries but never addresses identifier uniqueness, while CWE-694 is a naming/namespace collision flaw outside the scope of authorization checks."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.4.1",
      "target_framework": "CWE",
      "target_id": "CWE-923",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces tenant isolation via cross-tenant authorization, eliminating most multi-tenant instances of endpoint confusion, yet CWE-923 spans many non-tenant channel-validation failures that A leaves untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1023",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V8.4.2 directly mandates multiple identity/device/context factors for admin authorization comparisons, largely eliminating missing-factor defects in that scope, yet CWE-1023 spans arbitrary comparisons system-wide so one control leaves most of the weakness unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1220",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V8.4.2 adds contextual/multi-layer checks for admin interfaces that can partially mitigate overly broad policies, but does not address or prevent the general design flaw of insufficient access-control granularity across assets."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V8.4.2 directly discourages sole reliance on network/endpoint trust for admin access and therefore partially prevents that narrow facet of CWE-1357, yet the single control removes essentially none of the weakness's broad architectural risk around any untrustworthy component."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-552",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V8.4.2 addresses layered auth only for admin interfaces and has no bearing on file/directory exposure, so neither direction shows any preventive relationship."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.4.2",
      "target_framework": "CWE",
      "target_id": "CWE-642",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V8.4.2 addresses multi-factor admin authorization decisions while CWE-642 concerns externally writable storage of critical state; the two share no direct causal link in either direction."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.1.2",
      "target_framework": "CWE",
      "target_id": "CWE-757",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V9.1.2 mostly prevents CWE-757 for tokens by mandating an allowlist that excludes weak/none algorithms, yet only partially mitigates the weakness overall since the CWE spans arbitrary protocol negotiation beyond token verification."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-1289",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A implements allow-list validation for one narrow class of token metadata inputs, blocking that specific attack vector but leaving the broad equivalence-validation weakness untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.1.3",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly blocks one narrow vector of untrusted key material for tokens, preventing that specific facet of B, while B's broad scope (libraries, executable code) remains untouched by this token-only control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.1",
      "target_framework": "CWE",
      "target_id": "CWE-670",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Implementing the token time-span check directly enforces correct control-flow logic for that validation path (mostly preventing CWE-670 there), yet one narrow token rule leaves the broad class of incorrect-control-flow defects elsewhere untouched (only partial prevention)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1289",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "V9.2.2 implements one narrow token-type check that can block a subset of token-related equivalence failures, but CWE-1289 is a broad input-equivalence weakness across all identifiers and this single control removes none of its overall risk."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-1390",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces correct token-type usage for authentication decisions and therefore blocks one narrow class of token-related authentication failures, but leaves the broader weakness (any insufficient proof of identity) largely untouched."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-267",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Token-type/purpose validation neither defines nor constrains the actions permitted by a privilege, so the two are unrelated."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.2",
      "target_framework": "CWE",
      "target_id": "CWE-99",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Token-type/purpose validation addresses only JWT misuse and has no relation to restricting untrusted input used as resource identifiers."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.3",
      "target_framework": "CWE",
      "target_id": "CWE-267",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Audience validation in tokens enforces intended service scope but has no bearing on how privileges are defined or whether they permit unsafe actions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.4",
      "target_framework": "CWE",
      "target_id": "CWE-694",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "A directly enforces unique audience identifiers for tokens (eliminating duplicate-ID reuse in that setting), yet B spans any resources so one token-specific rule removes only a fraction of its overall risk."
    }
  ]
}