# Introduction

Let's start our exploration of how CVE Details create types by examining this sample table of one of CVE Details 13 types. Specifically, this table refers to all entries labeled [**SQL Injection** in 2016](http://www.cvedetails.com/vulnerability-list/year-2016/opsqli-1/sql-injection.html). 

In [46]:
#using panda 
import pandas as pd
import csv
import numpy as np
import math

#We specify the cwe_id column type is str, otherwise pandas will infer it as a float adding a misleading decimal.
cved_df = pd.read_csv("cve_details_sql_injection_2016.csv",dtype={'cwe_id': str})
cved_df

Unnamed: 0,cve_id,cwe_id,n_exploits,vulnerability_type,published_date,updated_date,description,score,gained_access_level,access,complexity,authentication,conf,integ,avail
0,CVE-2016-1000217,89,,Sql,2016-10-06,2016-12-22,Zotpress plugin for WordPress SQLi in zp_get_a...,7.5,,Remote,Low,Not required,Partial,Partial,Partial
1,CVE-2016-1000125,89,,Sql,2016-10-06,2017-01-19,Unauthenticated SQL Injection in Huge-IT Catal...,7.5,,Remote,Low,Not required,Partial,Partial,Partial
2,CVE-2016-1000124,89,,Sql,2016-10-06,2016-11-28,Unauthenticated SQL Injection in Huge-IT Portf...,7.5,,Remote,Low,Not required,Partial,Partial,Partial
3,CVE-2016-1000123,89,,Sql,2016-10-06,2016-12-22,Unauthenticated SQL Injection in Huge-IT Video...,7.5,,Remote,Low,Not required,Partial,Partial,Partial
4,CVE-2016-1000122,89,,Sql XSS,2016-10-27,2016-12-22,XSS and SQLi in Huge IT Joomla Slider v1.0.9 e...,6.5,,Remote,Low,Single system,Partial,Partial,Partial
5,CVE-2016-1000120,89,,Sql XSS,2016-10-27,2016-12-22,SQLi and XSS in Huge IT catalog extension v1.0...,6.5,,Remote,Low,Single system,Partial,Partial,Partial
6,CVE-2016-1000116,79,,Sql XSS,2016-10-21,2016-11-28,Huge-IT Portfolio Gallery manager v1.1.5 SQL I...,6.5,,Remote,Low,Single system,Partial,Partial,Partial
7,CVE-2016-1000115,79,,Sql XSS,2016-10-21,2016-12-22,Huge-IT Portfolio Gallery manager v1.1.5 SQL I...,6.5,,Remote,Low,Single system,Partial,Partial,Partial
8,CVE-2016-1000113,89,,Sql XSS,2016-10-06,2016-11-28,XSS and SQLi in huge IT gallery v1.1.5 for Joomla,7.5,,Remote,Low,Not required,Partial,Partial,Partial
9,CVE-2016-1000000,89,,Sql,2016-10-06,2017-01-17,Ipswitch WhatsUp Gold 16.4.1 WrFreeFormText.as...,6.5,,Remote,Low,Single system,Partial,Partial,Partial


Notice that the column **vulnerability_type** not only includes sql injection. It may also cite other identified types out of the 13. For instance, row 4 value is **SQL XSS**, indicating the entry is both of **SQL** and **XSS** types. 

**Important**: Entries labeled with multiple types **WILL** appear, accordingly, on the **tables**. A combination of tables must be done carefully when collecting textual descriptions, to avoid redundance! 

# Analysis 

To begin the analysis, let's consider how cwe ids, which by definition group vulnerabilities, are distributed across the type for this year and SQL Injection. Notice a cwe_id may or not occur, but the type is always defined. cve_id's, always occur, hence defining the upper bound a vulnerability type could had.

In [41]:
vulnerability_type_histogram = cved_df.groupby(by=['vulnerability_type'])['cwe_id','cve_id'].count()
vulnerability_type_histogram

Unnamed: 0_level_0,cwe_id,cve_id
vulnerability_type,Unnamed: 1_level_1,Unnamed: 2_level_1
+Priv Dir. Trav.,0,1
Dir. Trav.,69,80
Dir. Trav. +Info,4,4
Dir. Trav. Bypass,3,6
Dir. Trav. File Inclusion,3,3
DoS Sql,2,2
Exec Code Dir. Trav.,4,4
Exec Code Sql,118,118
Exec Code Sql +Info,2,2
Sql,52,52


We can note some combinations of type occur much more frequently than others.

Let's explore further the vulnerability types proposed by CVE Details, by not only counting the number of cwe id's per vulnerability type, but also **what** are the cwe_id'per type. Out of curiosity, let's also include the number of exploits that were reported. 

In [36]:
vulnerability_type_histogram = cved_df.groupby(by=['vulnerability_type','cwe_id'])['cve_id','n_exploits'].count()
vulnerability_type_histogram


Unnamed: 0_level_0,Unnamed: 1_level_0,cve_id,n_exploits
vulnerability_type,cwe_id,Unnamed: 2_level_1,Unnamed: 3_level_1
Dir. Trav.,22,67,0
Dir. Trav.,434,1,0
Dir. Trav.,77,1,0
Dir. Trav. +Info,200,3,0
Dir. Trav. +Info,22,1,0
Dir. Trav. Bypass,22,3,0
Dir. Trav. File Inclusion,22,3,0
DoS Sql,89,2,0
Exec Code Dir. Trav.,22,3,0
Exec Code Dir. Trav.,77,1,0


A pattern emerges in the construction of the types: For vulnerability types with a higher number of cwe entries, this **higher number is led by a single cwe id**. This is the case for 3 vulnerability types in the table above: **Dir.Trav.** being led by cwe_id **22**, **Exec Code Sql** being led by cwe_id **89**, and vulnerability type **SQL** on cwe_id **89**. 

Additionally, we should remember that the column **vulnerability type** can be a combination of 1 or more types of the 13 proposed by CVE Details. Specifically, **Exec Code Sql** actually refers to the type **Code Execution** and the type **SQL**. 

We can also observe just the distribution of cwe_id's reported for SQL table for 2016.

In [43]:
vulnerability_type_histogram = cved_df.groupby(by=['cwe_id'])['cve_id','n_exploits'].count()
vulnerability_type_histogram

Unnamed: 0_level_0,cve_id,n_exploits
cwe_id,Unnamed: 1_level_1,Unnamed: 2_level_1
200,7,0
22,77,0
264,2,0
434,1,0
77,2,0
79,4,0
89,178,0
