Re: Guidance E-mail Research List

Want to send it to the community yourself? The list is CWE Research Discussion [hidden email] and just make sure to cc [hidden email]

Hi Alec,

I just realized that we never actually sent an e-mail via the research list. Here is what I think will be sufficient to share today:

The CWE team heard from the community about difficulty in navigating the CWE corpus to identify specific, desired information. As part of a longer effort, the CWE team has produced an initial guidance materials which will help the community identify the root cause CWE entry for the respective CVE records. Guidance for mapping vulnerabilities to weaknesses is now available on the “CVE → CWE Mapping Guidance” page on the CWE website. Vendors and researchers can use this guidance to better align vulnerabilities (CVE Records) to their respective, underlying weaknesses (CWE entries).

This guidance is informed by two years of experience in analyzing and mapping thousands of CVE Records in the NIST’s National Vulnerability Database (NVD) to CWEs for calculating the annual CWE Top 25 list. By aligning CVE Records to the most applicable CWE Entries, the community will be in a better position to mitigate or eliminate their associated operational risk most effectively.

The new guidance provides an overview of CWE, a section of helpful resources with a refresher on CWE Entry structure, and offers five different mapping methodologies that can be used on the CWE website to help identify appropriate weakness mappings for CVE Records:

• Keyword Search – via CWE ID (if known) or keywords.
• “CWE View-1003: Weaknesses for Simplified Mapping of Published Vulnerabilities” – which is a hierarchical subset of CWEs that cover the most commonly-used CWEs that are mapped by CVEs.
• Other Useful Hierarchical Views – via “CWE View-1000: Research Concepts,” “CWE View-699: Software Development,” and “CWE View-1194: Hardware Design,” each of which are targeted at specific hierarchical subsets of CWEs.
• Relationship Graph Visualizations in PDF Format – each of which includes only CWE names but can be useful in quickly seeing closely related issues.
• Keyword Scraper – a CWE Program-developed CVE description parsing script that identifies keywords in NVD’s CVE descriptions is expected to be available to the public in the near future. Meanwhile, vendors and researchers can create their own customized scripts/tools to fit their specific needs using suggestions in Keyword Scraper.

A mapping quick-tips, mapping cheat sheet, and mapping examples are also included.

Please [hidden email] with any comments or concerns about this guidance. We look forward to hearing from you!

Thank you,

Rushi Purohit