Good afternoon!

I hope all is well. The last time we met, I discussed the guidance effort that we have been working in an effort to better help CNAs map their CVEs to CWE more accurately and efficiently. I am happy to share with you all the materials that the team has put together on this. These documents are the result of a collaborative effort across a number of industry stakeholders (including Battelle, Red Hat, and the CVE Quality Working Group) with a subset of the CWE team led by Rushi Purohit. I applaud their efforts!

You’ll find there are two items:

1) a one-page “quick-tips” and
2) a more robust product with more details and specific mapping strategies and examples

We would love to hear your thoughts and comments on these documents. It is our intent to publish them on our site and to share them with the wider CWE/CAPEC community through other channels in the near future. We are hoping that you could provide feedback by COB Friday, March 12th, if possible.

Looking forward to hearing from you all.

Cheers,
Alec

--
Alec J. Summers
Cyber Solutions Innovation Center
Group Leader, Software Assurance Research & Practice
Cyber Security Engineer, Lead
O: (781) 271-6970
C: (781) 496-8426
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World
|
I particularly like the emphasized use of 1003 – Weaknesses for Simplified Mapping of Published Vulnerabilities. With all the focus on data protection and privacy, I’ll note the significance of ‘Exposure of Sensitive Information to an Unauthorized Actor’ as a key use case for CWE-1340: CISQ Data Protection Measures with process assessments associated with CMMC, HIPAA, CCPA, GDPR, etc.

Regards,
-Joe

- Joe Jarzombek, CSSLP
Director for Government & Critical Infrastructure Programs
Email: [hidden email] | Mobile: 703 627-4644 |
https://www.synopsys.com/solutions/aerospace-defense.html
|
In reply to this post by asummers
The documents are very good. I like the attention to details to include a 1-pager vs. the full doc. Feedback:
- Jason
|
In reply to this post by asummers
Good afternoon/morning :-)

I hope you all had a great weekend. I wanted to send a quick note to follow-up on this guidance material which I sent a few weeks ago. The team has been working to absorb the feedback we received from some of you, as well as some that we received during the Compatibility Summit last week. If you haven’t yet had the chance to get back to us, there is still time and we are keen to hear from you. Our plan is to publish these materials on our site and share them with the wider community sometime next week.

Thanks for your continued support!

Cheers,
Alec

--
Alec J. Summers
Cyber Solutions Innovation Center
Group Leader, Software Assurance Research & Practice
Cyber Security Engineer, Lead
O: (781) 271-6970
C: (781) 496-8426
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World
|