CWE Version 3.1 is Released


Andrew Buttner

A new minor release of CWE (version 3.1) is now posted on the website. This version adds a new view associated with the 2017 version of the OWASP Top Ten.

Two new weaknesses were added related to Meltdown and Spectre vulnerabilities:

* CWE-1037: Processor Optimization Removal or Modification of Security-critical Code
* CWE-1038: Insecure Automated Optimizations

Additionally, four weaknesses were created to address gaps recently raised by community members:

* CWE-1039: Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations
* CWE-1023: Incomplete Comparison with Missing Factors
* CWE-1024: Comparison of Incompatible Types
* CWE-1025: Comparison Using Wrong Factors

A number of other small changes to improve descriptions and relationships were also made. A full description of the changes can be found in the detailed difference report.

One final note: we have a few items still on our to-do list that we are planning for a future 3.2 release (no date for this). These include:

* Improvement of session management related weaknesses
* Incorporation of certain code quality related weaknesses
* Potential mappings to CISQ lists

Thank you,


Andrew Buttner
The MITRE Corporation
[hidden email]