CWE Taxonomy Mappings


Andrew Buttner

**QUESTION - Would anyone be negatively affected if CWE focused the Taxonomy Mappings field on the current/living versions of external taxonomies, and only captured historical mappings in dedicated views?**

Details related to this question ...

CWE has a field called "Taxonomy Mappings" that is used to hold mappings to nodes of other taxonomies that are similar in meaning to the given CWE.

Some taxonomies are historical in nature and were "released" at a specific point in time (e.g., OWASP Top Ten 2004). Other taxonomies are "living" and are frequently updated (e.g., CERT C Secure Coding Rules).

CWE is trying to accomplish two goals:

1) Provide a historical mapping for things that are persistent in time and may be leveraged into the future. For example, someone reading the CERT C Secure Coding book from 2008 may follow a reference in that book and expect to find information in CWE that helps them understand the topic they are reading.

2) Provide a current mapping that helps users who may be looking to map CWE to items that are currently mapped using an external taxonomy. The current id for the external taxonomy may be used and CWE should be referencing this appropriately.

CWE is not currently consistent with its use of the taxonomy mappings field and its use of views to achieve the above goals. We would like to make some changes but want to make sure that we limit any negative effect for our current users.

To reduce the amount of repetitive, mostly-overlapping data, we would like to focus the taxonomy mappings field on the current/living "version" of a taxonomy. For example, CERT keeps a list of secure coding rules that may change slightly over time. CWE would use the taxonomy mapping field to keep a mapping between CWE and the current version of the coding rules.

CWE-369 : Divide by Zero <--> SEI CERT C Coding Standard : INT33-C

** Note that this mapping is only visible when you select the "Complete" presentation filter.

CWE would then use a view to hold a historical mapping between CWE and each release of the CERT Secure Coding books that contain snapshots of the coding rules at that time. Views work well since historical mappings don't change, so there is no need to modify categories and other details over time. The use of views for this purpose is currently in place for other historical mappings. See the following list for how the views look:

CWE/SANS Top 25 (2011)
CWE/SANS Top 25 (2009)
OWASP Top 10 (2013)
OWASP Top 10 (2004)
SEI CERT C Coding Standard (2016)
SEI CERT C Coding Standard (2008)

IMPORTANT: Note that if the choice is made to support taxonomy mappings only for the most up-to-date taxonomies, then there may be situations where a taxonomy deprecates an item and it is therefore removed from the CWE taxonomy mapping. In this situation, since the mapping views only provide high-level categories and don't provide the individual taxonomy IDs, there may be situations where users could no longer automatically extract maps from CWE IDs directly to IDs in historical taxonomies. For example, the INT33-CPP rule for CWE-369 (divide-by-zero), which is listed in the CERT 2008 C++ Secure Coding standard, is now deprecated and replaced with a different rule ID; the associated Taxonomy_Mappings rule in CWE-369 would therefore be changed. A user examining a CERT-2008 historical view could see that CWE-369 is mapped to the Integers category in CERT's 2008 rules, but the user would not be able to tell what the rule ID(s) are.

The other side to this is that if we include all historical mappings as well as the current living mapping, then the taxonomy mapping field may become long with a lot of repeated information for those fields that have not changed.

Thank you,


Andrew Buttner
The MITRE Corporation
[hidden email]

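As an added illustration of the extraction concern raised in the message above (this is example code, not code from the post or from the CWE project): a small Python script that pulls external entry IDs out of a weakness's Taxonomy_Mappings field and, by contrast, shows that a category-level historical view only yields a category name. The XML is constructed; the element and attribute names (`Taxonomy_Mapping`, `Taxonomy_Name`, `Entry_ID`, `Category`, `View_Name`, `Has_Member`) are assumed to resemble the CWE XML layout rather than copied from its schema, and `entries_lost_if_trimmed` and its set of "living" taxonomy names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in a layout assumed to resemble CWE XML (not the real
# schema): one weakness carrying two Taxonomy_Mappings entries, and one
# category from a historical view that lists the weakness as a member but,
# like the views described in the post, carries no external rule ID.
SAMPLE_XML = """\
<Weakness_Catalog>
  <Weaknesses>
    <Weakness ID="369" Name="Divide By Zero">
      <Taxonomy_Mappings>
        <Taxonomy_Mapping Taxonomy_Name="SEI CERT C Coding Standard">
          <Entry_ID>INT33-C</Entry_ID>
          <Entry_Name>Ensure that division and remainder operations do not result in divide-by-zero errors</Entry_Name>
        </Taxonomy_Mapping>
        <Taxonomy_Mapping Taxonomy_Name="CERT C++ Secure Coding (2008)">
          <Entry_ID>INT33-CPP</Entry_ID>
        </Taxonomy_Mapping>
      </Taxonomy_Mappings>
    </Weakness>
  </Weaknesses>
  <Categories>
    <Category ID="9001" Name="Integers (INT)" View_Name="SEI CERT C Coding Standard (2008)">
      <Members>
        <Has_Member CWE_ID="369"/>
      </Members>
    </Category>
  </Categories>
</Weakness_Catalog>
"""


def field_mappings(xml_text, cwe_id):
    """Return [(taxonomy_name, entry_id)] from the weakness's Taxonomy_Mappings field.

    This is the direct CWE-ID -> external-ID extraction the post says users rely on.
    """
    root = ET.fromstring(xml_text)
    result = []
    for weakness in root.iter("Weakness"):
        if weakness.get("ID") != str(cwe_id):
            continue
        for tm in weakness.iter("Taxonomy_Mapping"):
            result.append((tm.get("Taxonomy_Name"), tm.findtext("Entry_ID")))
    return result


def view_mappings(xml_text, cwe_id):
    """Return [(view_name, category_name)] for view categories listing the CWE.

    Only a category name comes back: a historical view gives no rule ID, which
    is the gap the post warns about.
    """
    root = ET.fromstring(xml_text)
    result = []
    for category in root.iter("Category"):
        members = {m.get("CWE_ID") for m in category.iter("Has_Member")}
        if str(cwe_id) in members:
            result.append((category.get("View_Name"), category.get("Name")))
    return result


def entries_lost_if_trimmed(xml_text, cwe_id, living_taxonomies):
    """Hypothetical check: which field entries would disappear if the field kept
    only the taxonomies named in `living_taxonomies` (a constructed set)."""
    return [(name, eid) for name, eid in field_mappings(xml_text, cwe_id)
            if name not in living_taxonomies]


if __name__ == "__main__":
    print("field:", field_mappings(SAMPLE_XML, 369))
    print("view: ", view_mappings(SAMPLE_XML, 369))
    print("lost: ", entries_lost_if_trimmed(SAMPLE_XML, 369,
                                             {"SEI CERT C Coding Standard"}))
```

Running it shows the trade-off in the message: the field gives rule IDs for both the living and the 2008 taxonomy, the view gives only "Integers (INT)", and trimming the field to living taxonomies would drop the INT33-CPP entry with nothing in the view to recover it from.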