fix disabling of non oas rulesets with individual extending

Author: tx3stn

rulesets/rulesets.go

@@ -363,8 +363,10 @@ func (rsm ruleSetsModel) GenerateRuleSetFromSuppliedRuleSetWithHTTPClient(rulese
 				if rsm.openAPIRuleSet.Rules[k] != nil {
 					rs.Rules[k] = rsm.openAPIRuleSet.Rules[k]
 				} else {
-					// Check if it's an OWASP rule when vacuum:all is used
-					if extends[VacuumAllRulesets] == VacuumOff || extends[VacuumAllRulesets] == VacuumAll || extends[VacuumAllRulesets] == VacuumAllRulesets {
+					// Check if it's an OWASP rule when vacuum:all or vacuum:owasp is used
+					if extends[VacuumAllRulesets] == VacuumOff || extends[VacuumAllRulesets] == VacuumAll || extends[VacuumAllRulesets] == VacuumAllRulesets ||
+						extends[VacuumOwasp] == VacuumOff || extends[VacuumOwasp] == VacuumAll || extends[VacuumOwasp] == VacuumRecommended ||
+						extends[SpectralOwasp] == VacuumOff || extends[SpectralOwasp] == VacuumAll || extends[SpectralOwasp] == VacuumRecommended {
 						allOWASPRules := GetAllOWASPRules()
 						if allOWASPRules[k] != nil {
 							rs.Rules[k] = allOWASPRules[k]

rulesets/rulesets_test.go

@@ -831,3 +831,22 @@ func TestRuleSet_GetExtendsLocalSpec_Multi_Chain_Loop(t *testing.T) {
 	assert.Contains(t, logBuffer.String(), "ruleset links to its self, circular rulesets are not permitted")
 
 }
+func TestRuleSetsModel_GenerateRuleSetFromConfig_OwaspOff_EnableSpecificRule(t *testing.T) {
+	// This test captures the bug where extending [vacuum:owasp, off] and then
+	// enabling a specific OWASP rule fails with "Rule does not exist, ignoring it"
+	yaml := `extends: 
+  - [vacuum:oas, all]
+  - [vacuum:owasp, off]
+rules:
+  owasp-integer-format: true`
+
+	def := BuildDefaultRuleSets()
+	rs, err := CreateRuleSetFromData([]byte(yaml))
+	assert.NoError(t, err)
+
+	repl := def.GenerateRuleSetFromSuppliedRuleSet(rs)
+
+	assert.NotNil(t, repl.Rules["owasp-integer-format"], "owasp-integer-format rule should be available")
+	assert.Nil(t, repl.Rules["owasp-no-numeric-ids"], "other OWASP rules should be disabled")
+	assert.Greater(t, len(repl.Rules), 1, "should have OpenAPI rules plus the one OWASP rule")
+}