Upcoming CWE release to include new entries derived from CQE

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Upcoming CWE release to include new entries derived from CQE

Christey, Steven M.

We anticipate releasing CWE 3.2 in a matter of weeks.  It will contain the typical kinds of changes that we regularly make in each new release - many of them contributed by outside parties, for which we are thankful.

The largest change in the new release will be the creation of dozens of new entries from the Common Quality Enumeration (CQE) - see https://cqe.mitre.org/about/.  In past messages to this list and in conversations with various stakeholders, we had mentioned the possibility of CQE integration.  We have received positive feedback or direct encouragement, especially from code analysis vendors who provide both security and "quality" checks in the same offering.

These new CQE-derived issues can reduce the performance, reliability, or maintainability of code.  Reductions in any of these characteristics can contribute (albeit indirectly) to vulnerabilities, so we still regard them as weaknesses.  Poor performance in the software can, under the right conditions, enable a denial of service; poor reliability can enable denials of service, data corruption, etc.; and poor maintainability can make it more difficult to apply security patches, make it easier to introduce vulnerabilities when porting, or make it more difficult to audit and understand the code in order to find vulnerabilities.  (The Apple "goto fail" vulnerability, CVE-2014-1266, is a good example of the latter.)

Generally, these new entries will be organized under the high-level class CWE-710 (Improper Adherence to Coding Standards) under the Research view, or CWE-398 (Poor Code Quality) under the Development view.  We will also have mid-level entries (whether other classes or categories) that will help to further structure this portion of CWE.  Also, there will be schema support for those who wish to automatically exclude weaknesses with only "indirect" impact to security.

We are pleased to resolve this long-running question of how to handle CQE and CWE.  We are open to feedback from CWE users and researchers.  Feel free to send your feedback to us at [hidden email] or reply to this list.

Thank you.
Steve, Drew, and the CWE Team