CVE to CWE Mapping Guidance


CVE to CWE Mapping Guidance

Andrew Buttner
Administrator
CWE/CAPEC Board,

Some vendors and researchers who work to produce CVEs have realized the importance of mapping CVE to CWE. They have reached out to the CWE team asking for guidance on how to accurately and efficiently map a vulnerability to CWE. In response, the CWE team has begun working on a CWE mapping guidance document that can be shared with all vendors interested in utilizing it. This is meant as a first step and will evolve through an iterative process considering vendors' and researchers' feedback. We are targeting the release of this initial document for December 10th.
 
This is likely something that is relevant to many of you, and we want to understand your experience producing CVEs, mapping to CWE in static analysis tools, or your willingness to use a guidance document once available.

If this is the case for you, would you be interested/willing/able to participate in an individual call with the CWE team to talk about it? Please let me know offline and I will put the team in touch. If that doesn't work, then we would be interested in hearing any thoughts via an e-mail.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515


[EXT] RE: CVE to CWE Mapping Guidance

Alexander Hoole
Good morning Drew,

As part of the requirements gathering for this document, is MITRE already working with communities such as Bug Bounty programs and Software Component/Composition Analysis vendors? Outside of the large software vendors who produce a large volume of CVEs, these other two communities are likely great sources of input as well.

Best,
-Alex

-----Original Message-----
From: Drew Buttner [mailto:[hidden email]]
Sent: Monday, November 23, 2020 7:30 AM
To: CWE CAPEC Board <[hidden email]>
Subject: CVE to CWE Mapping Guidance