updating convention and docs

Author: sofiaoreis

docs/assets/index-C6IzIce3.css

@@ -13,8 +13,8 @@
     <meta property="og:type" content="website" />
     <meta property="og:image" content="" />
 
-    <script type="module" crossorigin src="/assets/index-CPT1Z4_R.js"></script>
-    <link rel="stylesheet" crossorigin href="/assets/index-C6IzIce3.css">
+    <script type="module" crossorigin src="/assets/index-CFKOEWSV.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-DNSp1Evt.css">
   </head>
 
   <body>

docs/assets/index-CPT1Z4_R.js renamed to docs/assets/index-CFKOEWSV.js

@@ -10,7 +10,7 @@ import BlogPage from "./pages/Blog";
 import Docs from "./pages/Docs";
 import DocsConvention from "./pages/DocsConvention";
 import DocsReference from "./pages/DocsReference";
-import DocsInstallation from "./pages/DocsInstallation";
+import DocsConfiguration from "./pages/DocsConfiguration";
 import NotFound from "./pages/NotFound";
 
 const queryClient = new QueryClient();
@@ -29,7 +29,7 @@ const App = () => (
           <Route path="/docs" element={<Docs />} />
           <Route path="/docs/convention" element={<DocsConvention />} />
           <Route path="/docs/reference" element={<DocsReference />} />
-          <Route path="/docs/installation" element={<DocsInstallation />} />
+          <Route path="/docs/configuration" element={<DocsConfiguration />} />
           <Route path="*" element={<NotFound />} />
         </Routes>
       </BrowserRouter>

docs/assets/index-DNSp1Evt.css

@@ -27,7 +27,7 @@ const docSections: DocSection[] = [
     title: "Getting Started",
     links: [
       { title: "Introduction", href: "/docs" },
-      { title: "Installation", href: "/docs/installation" }
+      { title: "Configuration", href: "/docs/configuration" }
     ]
   },
   {
@@ -190,7 +190,7 @@ const DocsLayout = ({ children }: DocsLayoutProps) => {
         </aside>
 
         {/* Main content */}
-        <main className="flex-1 py-6 px-4 md:px-8 max-w-5xl mx-auto w-full">
+        <main className="flex-1 px-4 md:px-8 max-w-5xl mx-auto w-full mt-6 md:mt-10">
           {children}
 
           {/* Previous/Next navigation */}

docs/index.html

@@ -8,8 +8,9 @@ import { coldarkDark } from 'react-syntax-highlighter/dist/esm/styles/prism';
 const examples = [
   {
     id: "",
-    title: "CVE-2012-0036 (before SECOM)",
+    title: "BEFORE SECOM",
     code: `URL sanitize: reject URLs containing bad data
+
 Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a
 decoded manner now use the new Curl_urldecode() function to reject URLs
 with embedded control codes (anything that is or decodes to a byte value
@@ -26,22 +27,21 @@ This flaw is considered a security vulnerability: CVE-2012-0036
 Security advisory at: http://curl.haxx.se/docs/adv_20120124.html
 
 Reported by: Dan Fandrich`,
-    explanation: "This commit message shows the documentation uses Curl_urldecode() to reject control‐code–embedded URLs in IMAP/POP3/SMTP, preventing command injection (CVE-2012-0036), links the advisory, and credits the reporter."
-  },
+    explanation: "Covers the What/Why/How succinctly but lacks SECOM framing: no vuln-fix: header, 75-word tri-section, weakness metadata, or attribution/footer fields. To be fully SECOM-compliant it needs the standardized header, per-weakness block, CVSS/severity, and formal “Reported-by/Reviewed-by/Signed-off-by” lines."
+},
   {
     id: "auth-improvement",
-    title: "CVE-2012-0036 (after SECOM)",
+    title: "AFTER SECOM",
     code: `vuln-fix: Sanitize URLs to reject malicious data (CVE-2012-0036)
 
-Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a
-decoded manner now use the new Curl_urldecode() function to reject URLs
-with embedded control codes (anything that is or decodes to a byte value
-less than 32).
-URLs containing such codes could easily otherwise be used to do harm and
-allow users to do unintended actions with otherwise innocent tools and
-applications.
-Like for example using a URL like pop3://pop3.example.com/1%0d%0aDELE%201 
-when the app wants a URL to get a mail and instead this would delete one.
+libcurl IMAP/POP3/SMTP parsers accepted URL-path bytes that decode 
+to ASCII control characters, enabling attackers to smuggle extra 
+protocol commands—e.g. pop3://host/1%0D%0ADELE%201—and perform 
+unintended mail operations. Any application that forwards 
+untrusted URLs could thus silently delete or alter messages. 
+The fix routes path decoding through Curl_urldecode(), which 
+aborts when a decoded byte < 0x20 and returns CURLE_URL_MALFORMAT, 
+preventing the crafted request from ever reaching the server.
 
 Weakness: CWE-89
 Severity: High
@@ -53,8 +53,8 @@ Signed-off-by: Daniel Stenberg ([email protected])
 
 Resolves: #17940
 See also: #17937`,
-    explanation: "This example shows how to document a new security feature that addresses a brute force vulnerability. It clearly describes the problem, impact, and solution."
-  }
+    explanation: "SECOM-compliant commit message. Uses the vuln-fix: header, concise What/Why/How body, and a weakness block with CWE, severity and report link."
+}
 ];
 
 const Examples = () => {
@@ -66,25 +66,25 @@ const Examples = () => {
     <section id="examples" className="py-16">
       <div className="container mx-auto px-4">
         <div className="max-w-3xl mx-auto mb-12 text-center">
-          <h2 className="text-3xl font-bold mb-6">Example SECOM Messages</h2>
+          <h2 className="text-3xl font-bold mb-6">Example</h2>
           <p className="text-lg text-muted-foreground">
-            See how SECOM can be applied to different security scenarios with these practical examples.
+            See how SECOM can improve an existing security commit message.
           </p>
         </div>
 
         <div className="max-w-4xl mx-auto">
           <Tabs defaultValue={examples[0].id} value={selectedExample} onValueChange={setSelectedExample}>
-            <TabsList className="grid w-full grid-cols-2 md:grid-cols-4">
+            <TabsList className="grid w-full grid-cols-2 md:grid-cols-2">
               {examples.map(ex => (
                 <TabsTrigger key={ex.id} value={ex.id}>{ex.title}</TabsTrigger>
               ))}
             </TabsList>
 
             <TabsContent value={currentExample.id} className="mt-6">
               <Card className="p-0 overflow-hidden">
-                <div className="p-3 bg-secondary/50 border-b">
+                {/* <div className="p-3 bg-secondary/50 border-b">
                   <h3 className="font-medium">{currentExample.title}</h3>
-                </div>
+                </div> */}
                 <SyntaxHighlighter 
                   language="markdown"
                   style={coldarkDark}

src/App.tsx

@@ -20,7 +20,7 @@ const Hero = () => {
               </p>
               <div className="mt-10 flex items-center justify-center gap-x-6">
                 <Button size="lg" className="flex items-center gap-2" asChild>
-                  <Link to="/convention">
+                  <Link to="/convention" className="text-white hover:text-blue-100">
                     Get Started
                   </Link>
                 </Button>
@@ -50,14 +50,14 @@ const Hero = () => {
               <code>
 {`vuln-fix: Sanitize URLs to reject malicious data (CVE-2012-0036)
 
-Protocols (IMAP, POP3 and SMTP) that use the path part of a URL 
-in a decoded manner now use the new Curl_urldecode() function to 
-reject URLs with embedded control codes (anything that is or decodes 
-to a byte value less than 32). URLs containing such codes could easily 
-otherwise be used to do harm and allow users to do unintended actions 
-with otherwise innocent tools and applications. Like for example using 
-a URL like pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants 
-// a URL to get a mail and instead this would delete one.
+libcurl IMAP/POP3/SMTP parsers accepted URL-path bytes that decode 
+to ASCII control characters, enabling attackers to smuggle extra 
+protocol commands—e.g. pop3://host/1%0D%0ADELE%201—and perform 
+unintended mail operations. Any application that forwards 
+untrusted URLs could thus silently delete or alter messages. 
+The fix routes path decoding through Curl_urldecode(), which 
+aborts when a decoded byte < 0x20 and returns CURLE_URL_MALFORMAT, 
+preventing the crafted request from ever reaching the server.
 
 Weakness: CWE-89
 Severity: High

src/components/Convention.tsx

@@ -3,8 +3,8 @@ import DocsLayout from "@/components/DocsLayout";
 const Docs = () => {
   return (
     <DocsLayout>
-      <div className="space-y-6">
-        <h1 className="text-4xl font-bold text-primary mb-6">SECOM Documentation</h1>
+      <div className="space-y-6 pt-8 md:pt-12">
+        <h1 className="text-4xl font-bold text-primary mb-10 mt-6">SECOM Documentation</h1>
 
         <div className="text-lg text-muted-foreground mb-8">
           Comprehensive documentation for the SECOM convention, a standardized approach to security commit messages.
@@ -47,10 +47,10 @@ const Docs = () => {
           </p>
 
           <ul>
-            <li><a href="/docs/installation" className="text-primary hover:underline">Installation</a> - Set up SECOM in your development environment</li>
+            <li><a href="/docs/configuration" className="text-primary hover:underline">Configuration</a> - Set up SECOM in your development environment</li>
             <li><a href="/docs/convention" className="text-primary hover:underline">Convention Overview</a> - Understand the full convention specification</li>
             <li><a href="/docs/reference" className="text-primary hover:underline">Reference Guide</a> - Explore example patterns and templates</li>
-            <li><a href="https://tqrg.github.io/secomlint/" className="text-primary hover:underline" target="_blank" rel="noopener noreferrer">Linter Tool</a> - Check compliance with the convention</li>
+            <li><a href="https://security-commits.org/secomlint/" className="text-primary hover:underline" target="_blank" rel="noopener noreferrer">Linter Tool</a> - Check compliance with the convention</li>
           </ul>
 
           <div className="bg-muted p-4 rounded-md mt-8">