[EXT] Question about CWE Views: which IDs are members?


[EXT] Question about CWE Views: which IDs are members?

chorn

Hello!

The research team here at Secure Decisions has a question:
What is the definitive way to determine if a CWE ID is a member of a View?

The data we see suggest two different methods:
1.    Recursive travel of View::Members entities
2.    Inspect member elements of the <Categories> and <Weaknesses> sections of the [view ID].xml file

The attached Word document describes in more detail what we've found.

As a bit of background, Secure Decisions has been working with the CWE as part of its work on the DHS S&T STAMP contract (Static Analysis Modernization Program). We've been making good use of the taxonomy and appreciate the work that's gone into it.

I have separate email(s) planned to discuss several threads of our work (spoiler: https://kompar.tools/ catalog of static analyzers + research into using graph distance in the CWE to determine similarity of weakness types), but am not quite ready to go into too much detail. Stay tuned, or reach out if you can't bear to wait ;)

Thanks,
Chris
-- 
w (518) 207-3111
m (703) 407-7389
https://securedecisions.com
PGP fingerprint EBD0 41C6 0CD1 3583 C7F2 E252 5350 DDE1 87C6 FE31

Attachments: CWE View member discrepency.docx (52K); OpenPGP_0x5350DDE187C6FE31.asc (6K); OpenPGP_signature (855 bytes)

RE: [EXT] Question about CWE Views: which IDs are members?

Andrew Buttner
Administrator

Chris,

Thank you for reaching out. The two methods you suggest are correct regarding how to determine if a CWE ID is a member of a View. Technically, a View's members are just the one level of CWEs listed in its <Members> section, but I understand the need/desire to recursively look within those members. When doing this recursive check, if any of those CWEs are Categories, then they may have their own members, but make sure to look at the "View_ID" attribute to verify that membership is related to the top-level View in question.  (however, most categories are only relevant to a single View)

Note that on the Website, we tried to make the information more user friendly and as such have combined certain information from Relationships and Members sections of the XML.  All data processing should be done leveraging the XML only.

Note that Views and Categories have "members", while Weaknesses have "relationships" to other weaknesses (e.g., ChildOf, PeerOf, CanAlsoBe).

Both methods of traversing a view that you laid out should result in the same answer. The discrepancies you have pointed out are due to errors in the content that we will fix for the next release.  Specifically ...

Example #1 - Category 320 will be added as a member of View 699. It was incorrectly removed when the category was marked "Obsolete".

Example #2 - Category 1237 and Category 1238 will be added as members of View 888. It is incorrect that they are not listed in the Members section of View 888.

Example #3 - CWE-689 is a Compound weakness. The two "Requires" relationships within CWE-689 both specify a View_ID of "1000" which is why CWE-689 is showing up in the metrics. However, CWE-689 currently does not have a ChildOf relationship with any other weakness.  This is an error as such a relationship should exist. This will be fixed in the next version.

Thank you for pointing out these issues, and for helping make CWE a better source of information for everyone.

Thanks

Drew

From: Chris Horn <[hidden email]>
Sent: Wednesday, July 22, 2020 8:47 PM
To: CWE Research Discussion <[hidden email]>
Cc: Matthew DeLetto <[hidden email]>; [hidden email]
Subject: [EXT] Question about CWE Views: which IDs are members?

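The two membership checks discussed in this thread, as an added example that is not part of the thread or of the CWE project's own tooling. It parses a small constructed catalogue whose element and attribute names follow the CWE 4.x XML layout as I understand it (View/Members/Has_Member, Category/Relationships/Has_Member, Weakness/Related_Weaknesses/Related_Weakness with a View_ID attribute; this is an assumption), reproduces the reply's Example #1 (obsolete Category 320 missing from View 699's Members) and Example #3 (CWE-689 reaching View 1000 only through a Requires edge, with no ChildOf), and reports the IDs on which the top-down walk and the bottom-up scan disagree. Weakness IDs 100 and 101 are constructed placeholders.

```python
import xml.etree.ElementTree as ET
# Constructed CWE-style catalogue, not real CWE data; element and attribute names follow the CWE 4.x
# layout as I understand it. The real file carries an XML namespace, hence the {*} wildcards (3.8+).
SAMPLE = """<Weakness_Catalog><Weaknesses>
<Weakness ID="100"><Related_Weaknesses><Related_Weakness Nature="ChildOf" CWE_ID="101" View_ID="1000"/></Related_Weaknesses></Weakness>
<Weakness ID="101"/>
<Weakness ID="689"><Related_Weaknesses><Related_Weakness Nature="Requires" CWE_ID="100" View_ID="1000"/></Related_Weaknesses></Weakness>
</Weaknesses><Categories>
<Category ID="320" Status="Obsolete"><Relationships><Has_Member CWE_ID="100" View_ID="699"/></Relationships></Category>
</Categories><Views>
<View ID="699"><Members/></View>
<View ID="1000"><Members><Has_Member CWE_ID="101" View_ID="1000"/></Members></View>
</Views></Weakness_Catalog>"""
CATALOG = ET.fromstring(SAMPLE)

def members_top_down(root, view_id):
    """Method 1: walk down from View/Members via Category members and ChildOf edges tagged with view_id."""
    cats = {c.get("ID"): c for c in root.findall(".//{*}Category")}
    weaks = root.findall(".//{*}Weakness")
    view = next(v for v in root.findall(".//{*}View") if v.get("ID") == view_id)
    found, todo = set(), [m.get("CWE_ID") for m in view.findall(".//{*}Has_Member")]
    while todo:
        cid = todo.pop()
        if cid in found:
            continue
        found.add(cid)
        if cid in cats:  # a Category lists its own members; keep only those scoped to this View_ID
            todo += [m.get("CWE_ID") for m in cats[cid].findall(".//{*}Has_Member")
                     if m.get("View_ID") == view_id]
        for w in weaks:  # weaknesses that are ChildOf cid inside this view
            for r in w.findall(".//{*}Related_Weakness"):
                if (r.get("Nature"), r.get("CWE_ID"), r.get("View_ID")) == ("ChildOf", cid, view_id):
                    todo.append(w.get("ID"))
    return found

def members_bottom_up(root, view_id):
    """Method 2: count every Category/Weakness whose own relationships (Has_Member, ChildOf, Requires, ...) carry view_id."""
    view = next(v for v in root.findall(".//{*}View") if v.get("ID") == view_id)
    found = {m.get("CWE_ID") for m in view.findall(".//{*}Has_Member")}
    for el in root.findall(".//{*}Category") + root.findall(".//{*}Weakness"):
        for rel in el.findall(".//{*}Has_Member") + el.findall(".//{*}Related_Weakness"):
            if rel.get("View_ID") == view_id:
                found.add(el.get("ID"))
                if rel.tag.endswith("Has_Member"):  # a Category's member is also in the view
                    found.add(rel.get("CWE_ID"))
    return found

def discrepancies(root, view_id):
    # IDs that method 2 counts but method 1 never reaches: the content errors the reply describes
    return members_bottom_up(root, view_id) - members_top_down(root, view_id)
```

On the constructed data, `discrepancies(CATALOG, "1000")` flags CWE-689 (Requires but no ChildOf) and `discrepancies(CATALOG, "699")` flags Category 320 and its member, mirroring Examples #3 and #1; running the same check over the real catalogue would surface any further cases where the two methods disagree.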