Guidance for Mapping CVEs to CWEs Now Available

Purohit, Rushi B

Dear CWE Community,

Apologies for the internal communications goof moments ago!

The CWE team heard from you about the difficulty in navigating the CWE corpus to identify specific, desired mapping information. As part of a longer effort, the CWE team has produced initial guidance materials that will help you identify the root cause CWE Entry for the respective CVE Records. Guidance for mapping vulnerabilities to weaknesses is now available on the “CVE → CWE Mapping Guidance” page on the CWE website.

This guidance is informed by two years of experience in analyzing and mapping thousands of CVE Records in the NIST’s National Vulnerability Database (NVD) to CWEs for calculating the annual CWE Top 25 list. By aligning CVE Records to the most applicable CWE Entries, you will be in a better position to mitigate or eliminate your associated operational risk most effectively.

The new guidance provides an overview of CWE, a section of helpful resources with a refresher on CWE Entry structure, and offers five different mapping methodologies that can be used on the CWE website to help identify appropriate weakness mappings for CVE Records:

  • Keyword Search – via CWE ID (if known) or keywords.
  • “CWE View-1003: Weaknesses for Simplified Mapping of Published Vulnerabilities” – which is a hierarchical subset of CWEs that covers the most commonly used CWEs that are mapped by CVEs.
  • Other Useful Hierarchical Views – via “CWE View-1000: Research Concepts,” “CWE View-699: Software Development,” and “CWE View-1194: Hardware Design,” each of which is targeted at a specific hierarchical subset of CWEs.
  • Relationship Graph Visualizations in PDF Format – each of which includes only CWE names but can be useful in quickly seeing closely related issues.
  • Keyword Scraper – a CWE Program-developed CVE description parsing script that identifies keywords in NVD’s CVE descriptions, expected to be available to the public in the near future. Meanwhile, you can create your own customized scripts/tools to fit your specific needs using the suggestions in Keyword Scraper.

Mapping quick tips, a mapping cheat sheet, and mapping examples are also included.

Please [hidden email] with any comments or concerns about this guidance. We look forward to hearing from you!


Thank you,

The CWE Team
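The Keyword Scraper item above suggests building your own description-parsing script while the CWE Program's tool is unreleased. The following is an added example of such a script (not the CWE Program's Keyword Scraper and not part of the announcement). The CWE IDs in the table are real entries, but the phrase-to-CWE pairs, the specificity and ranking heuristics, and the sample descriptions (with placeholder CVE IDs) are constructed assumptions for illustration.

```python
"""Toy keyword scraper: map CVE description text to candidate CWE entries.

Added example, not the CWE Program's Keyword Scraper. The CWE IDs are real
entries; the phrase table, heuristics and sample descriptions are constructed.
"""
import re
from collections import defaultdict

# Constructed phrase -> CWE table (assumption: a starting point an analyst would extend).
KEYWORD_TO_CWE = {
    "cross-site scripting": "CWE-79",
    "xss": "CWE-79",
    "sql injection": "CWE-89",
    "os command injection": "CWE-78",
    "command injection": "CWE-77",
    "path traversal": "CWE-22",
    "directory traversal": "CWE-22",
    "buffer overflow": "CWE-120",
    "out-of-bounds write": "CWE-787",
    "out-of-bounds read": "CWE-125",
    "use-after-free": "CWE-416",
    "use after free": "CWE-416",
    "null pointer dereference": "CWE-476",
    "integer overflow": "CWE-190",
    "cross-site request forgery": "CWE-352",
    "csrf": "CWE-352",
    "deserialization": "CWE-502",
    "hard-coded credential": "CWE-798",
    "missing authentication": "CWE-306",
    "improper authorization": "CWE-285",
}


def normalize(text: str) -> str:
    """Lowercase, unify Unicode dashes to '-', and collapse whitespace."""
    text = re.sub(r"[\u2010-\u2015]", "-", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def _phrase_pattern(phrase: str) -> str:
    # Whole-phrase match with an optional plural 's', never inside a longer token.
    return r"(?<![a-z0-9])" + re.escape(phrase) + r"s?(?![a-z0-9])"


def scrape(description: str) -> list:
    """Return [(cwe_id, [matched phrases])], best candidate first.

    An empty list means no keyword fired: the record needs manual review
    (for example against CWE View-1003) rather than a guessed mapping.
    """
    text = normalize(description)
    matched = [p for p in KEYWORD_TO_CWE if re.search(_phrase_pattern(p), text)]
    # Prefer the most specific phrase: drop any phrase contained in another matched
    # phrase, so "os command injection" (CWE-78) wins over the generic
    # "command injection" (CWE-77) instead of both being reported.
    specific = [p for p in matched if not any(p != q and p in q for q in matched)]
    hits = defaultdict(list)
    for p in specific:
        hits[KEYWORD_TO_CWE[p]].append(p)
    # Rank by number of distinct supporting phrases, then by longest phrase, then by ID.
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), -max(map(len, kv[1])), kv[0]))


def scrape_all(descriptions: dict) -> dict:
    """Map record id -> list of candidate CWE IDs (empty when nothing matched)."""
    return {rid: [cwe for cwe, _ in scrape(desc)] for rid, desc in descriptions.items()}


# Constructed sample records; the CVE IDs are placeholders, not real records.
SAMPLE_DESCRIPTIONS = {
    "CVE-0000-0001": "A SQL injection vulnerability in the login form of ExampleApp 1.2 allows "
                     "remote attackers to execute arbitrary SQL commands via the username parameter.",
    "CVE-0000-0002": "ExampleRouter firmware 3.0 allows OS command injection via the hostname "
                     "field of the diagnostics page.",
    "CVE-0000-0003": "A stored cross-site scripting (XSS) issue in the comment field of "
                     "ExampleForum 4.1 allows authenticated users to inject arbitrary web script.",
    "CVE-0000-0004": "ExampleLib 2.5 allows remote attackers to cause a denial of service via a "
                     "crafted file.",
    "CVE-0000-0005": "A buffer overflow in the image parser of ExampleViewer 7.0 leads to an "
                     "out-of-bounds write when processing a crafted header.",
}

if __name__ == "__main__":
    for rid, cwes in scrape_all(SAMPLE_DESCRIPTIONS).items():
        print(rid, "->", ", ".join(cwes) or "no keyword hit; review manually")
```

The specificity step matters more than the table size: NVD descriptions routinely contain both a generic and a specific phrase, and reporting the child entry rather than the parent is what the guidance's root-cause mapping asks for. The empty result for the denial-of-service record is deliberate; a scraper should hand those records to an analyst rather than emit a default CWE.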
