CWE 1.0 to be released Tuesday, September 9, 2008


Steven M. Christey-2
All,

We will be releasing CWE 1.0 on Tuesday, September 9.

While we had a goal for everything to be finished by the end of August, we
want CWE 1.0 to be as stable as possible, especially with respect to the
schema.  Ironing out the issues with the schema has taken more time than
we wanted, plus we have added a number of new elements.

During our interactions with various community members over the summer,
we've realized that it would be best for us to write a number of white
papers, as well as creating some new views.  These were somewhat
unexpected additions that came in July and August, so this introduced more
work than we had originally expected.

We didn't want to release CWE 1.0 too early, only to make some more
changes soon after we released it because it was incomplete.  So we've
slipped in our schedule, but the quality will be higher.

This is our biggest release to date, and we believe that it will be worth
the wait.  Thank you for your patience.


- Steve

RE: CWE 1.0 to be released Tuesday, September 9, 2008

paulslewis66
Hello,

May I ask if CWE references will be included within the XML CVE feeds in a similar way the searchable database is?

Many thanks

Paul S Lewis

RE: CWE 1.0 to be released Tuesday, September 9, 2008

Steven M. Christey-2
On Tue, 9 Sep 2008, paulslewis66 wrote:

> May I ask if CWE references will be included within the XML CVE feeds in
> a similar way the searchable database is?

We do not track CWE references within CVE.  You're probably talking about
NIST's NVD (nvd.nist.gov), which is an extension of CVE.  NVD has been
mapping to CWE on individual pages, but it is not yet included in their
downloads.  However, NVD has stated that they will start including CWE
names in the downloads within a matter of weeks.

For those who were not aware of NVD's use of CWE, see:

  http://nvd.nist.gov/cwe.cfm

The current selection of CWE identifiers used in NVD faces many of the
same issues that have been brought up by Information-technology Promotion
Agency, Japan (IPA), specifically that sometimes you can't assign CWE
identifiers when you are dealing with incomplete third-party vulnerability
information.  We are aware of this limitation and hope to address it in
the coming months.

- Steve