Re: [EXT] Question regarding CWE-295 and its (missing) relationships


Robin Gandhi
Matthew,

Categories by definition are just collections of CWEs that share a common characteristic. They don't reflect hierarchies. In the "Research Concepts" (CWE-1000) view you will find that CWE-295 is a "parent of" CWEs 296-299. Also, in the research view, CWE-295 is a parent of CWE-599.

If you want to focus on hierarchical relationships, I would recommend you consult the "Research Concepts" https://cwe.mitre.org/data/definitions/1000.html or the "Developmental Concepts" https://cwe.mitre.org/data/definitions/699.html views, which are CWE-1000 and CWE-699 respectively.

Robin

--

Robin Gandhi

Charles & Margre Durham Associate Professor

University of Nebraska at Omaha 

http://faculty.ist.unomaha.edu/rgandhi/


From: Coles, Matthew
Sent: Thursday, July 25, 2019 4:32 PM
To: [hidden email]
Subject: [EXT] Question regarding CWE-295 and its (missing) relationships

Hello,

I’d like to raise a potential hierarchy issue with a couple of CWEs. If this has been reported previously, my apologies for the duplication.

Recently I was trying to locate the correct CWE for “failing to validate a TLS certificate”. In the CWE search box, I entered “failure to validate” and found the top items related to certificates.

First I found these:

CWE-296: Improper Following of a Certificate's Chain of Trust

CWE-297: Improper Validation of Certificate with Host Mismatch

CWE-298: Improper Validation of Certificate Expiration

CWE-299: Improper Check for Certificate Revocation

These are in the category CWE-948 (CWE CATEGORY: SFP Secondary Cluster: Digital Certificate).

Also in this category is the very specialized CWE-599: Missing Validation of OpenSSL Certificate.

Later, I found CWE-295 Improper Certificate Validation, which probably should be the parent to CWE-296, 297, 298, and 299, and potentially should be part of CWE-948 (but it is not).

Is CWE-599 really special or should it be considered a duplicate of CWE-295?

Thanks in advance for your thoughts,

Matthew Coles

CSSLP

Product Security

BOSE
