Add version to CWE #660

Open
tschmidtb51 opened this issue Oct 25, 2023 · 2 comments
Assignees: tschmidtb51
Labels: csaf 2.1 (csaf 2.1 work), editor-revision (already worked on in the editor revision)

Comments

@tschmidtb51
Contributor

tschmidtb51 commented Oct 25, 2023

The CWE list changes over time (see https://cwe.mitre.org/data/archive.html). As we always check against the latest version, this might result in invalid documents over time, e.g., if old CWEs get deprecated. To avoid these issues and aid in validation, we should add a version to CWE and declare a minimum acceptable version.

Here is an example of how this would look:

      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation",
        "version": "4.11"
      },

The JSON schema definition would unfold as:

          "cwe": {
            "title": "CWE",
            "description": "Holds the MITRE standard Common Weakness Enumeration (CWE) for the weakness associated.",
            "type": "object",
            "required": [
              "id",
              "name",
              "version"
            ],
            "properties": {
              "id": {
                "title": "Weakness ID",
                "description": "Holds the ID for the weakness associated.",
                "type": "string",
                "pattern": "^CWE-[1-9]\\d{0,5}$",
                "examples": [
                  "CWE-22",
                  "CWE-352",
                  "CWE-79"
                ]
              },
              "name": {
                "title": "Weakness name",
                "description": "Holds the full name of the weakness as given in the CWE specification.",
                "type": "string",
                "minLength": 1,
                "examples": [
                  "Cross-Site Request Forgery (CSRF)",
                  "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                  "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
                ]
              },
              "version": {
                "title": "CWE version",
                "description": "Holds the version string of the CWE specification this weakness was extracted from.",
                "type": "string",
                "minLength": 1,
                "pattern": "\\d\\.\\d{1,3}",
                "examples": [
                  "4.0",
                  "4.11",
                  "4.12"
                ]
              }
            }
          },
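As an added example (not code from the issue or the CSAF project), a stdlib-only checker that applies the proposed `required`, `pattern` and `minLength` constraints and then enforces a minimum acceptable version. The minimum version `4.0` and the `validate_cwe`/`parse_version` names are assumptions for this example; note that the proposed version pattern is unanchored, so the numeric parse is what catches strings like `v4.11`, and that versions are compared as integer tuples because `"4.11" < "4.9"` as strings.

```python
import re

# Patterns copied from the schema fragment proposed in the issue above.
CWE_ID_PATTERN = re.compile(r"^CWE-[1-9]\d{0,5}$")
# The proposed version pattern is unanchored; re.search mirrors how a
# JSON Schema "pattern" is applied (a match anywhere in the string passes).
CWE_VERSION_PATTERN = re.compile(r"\d\.\d{1,3}")

# Constructed minimum acceptable CWE version for this example; the issue
# asks for such a minimum but does not fix its value.
MIN_CWE_VERSION = "4.0"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '4.11' into (4, 11) so 4.11 > 4.9 (string comparison gets this wrong)."""
    return tuple(int(part) for part in version.split("."))


def validate_cwe(cwe: dict, min_version: str = MIN_CWE_VERSION) -> list[str]:
    """Return a list of problems found; an empty list means the object passes."""
    problems = []
    # "required": id, name, version must all be present
    for key in ("id", "name", "version"):
        if key not in cwe:
            problems.append(f"missing required property '{key}'")
    if problems:
        return problems
    # "id": anchored pattern, so CWE-020 or cwe-20 are rejected
    if not isinstance(cwe["id"], str) or not CWE_ID_PATTERN.match(cwe["id"]):
        problems.append(f"id {cwe['id']!r} does not match ^CWE-[1-9]\\d{{0,5}}$")
    # "name": minLength 1
    if not isinstance(cwe["name"], str) or len(cwe["name"]) < 1:
        problems.append("name must be a non-empty string")
    # "version": pattern check, then numeric comparison against the minimum
    version = cwe["version"]
    if not isinstance(version, str) or not CWE_VERSION_PATTERN.search(version):
        problems.append(f"version {version!r} does not match \\d\\.\\d{{1,3}}")
    else:
        try:
            if parse_version(version) < parse_version(min_version):
                problems.append(f"version {version} is older than minimum {min_version}")
        except ValueError:
            # Unanchored pattern let extra characters through (e.g. 'v4.11')
            problems.append(f"version {version!r} is not a dotted number")
    return problems
```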
@tschmidtb51 tschmidtb51 added the csaf 2.1 csaf 2.1 work label Oct 25, 2023
@tschmidtb51 tschmidtb51 self-assigned this Oct 25, 2023
@tschmidtb51 tschmidtb51 added the email To be sent via email to the TC label Oct 25, 2023
@santosomar
Contributor

Thomas Schmidt proposed a motion, as detailed in this OASIS mailing list archive, to add a CWE version to CSAF v2.1 and later data files. Stefan Hagen seconded the motion. There were no discussions or objections raised, and consequently, the motion was automatically passed on November 1, 2023, at 20:00 UTC.

@tschmidtb51 tschmidtb51 removed the email To be sent via email to the TC label Nov 29, 2023
@tschmidtb51
Contributor Author

tschmidtb51 commented May 23, 2024

Todos:

tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue May 23, 2024
- addresses parts of oasis-tcs#660
- add `version` as new required field to `cwe`
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue May 23, 2024
- addresses parts of oasis-tcs#660
- adopt prose to reflect schema
- add CSAF 2.0 to CSAF 2.1 conversion rule
- copy conversion rule to CVRF CSAF converter
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue May 23, 2024
- addresses parts of oasis-tcs#660
- adopt testdata to reflect current version of the schema
- adopt examples to reflect current version of the schema
@tschmidtb51 tschmidtb51 added the editor-revision already worked on in the editor revision label May 25, 2024
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue May 25, 2024
- addresses parts of oasis-tcs#660
- add invalid examples for 6.1.11
- add valid examples for 6.1.11
- explicitly state in 6.1.11 that CWE Views and Categories are not valid
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue May 25, 2024
- addresses parts of oasis-tcs#530, oasis-tcs#660
- add `/vulnerabilities[]/cwes[]/version` to guidance on size
- add `/vulnerabilities[]/cwes` to guidance on size
- adopt paths to match schema