The authoritative URL is:

https://csaurl.org/blockchain-vulnerabilities

It points to a Google Sheet right now; long term, once it settles down, it'll
hopefully be something else like GitHub.

Some of these map to existing CWEs and are flavours/maybe children, and some
are completely new, like "vote token trapping" or "Smart Contract
Unprotected SELFDESTRUCT Instruction".

On Wed, Oct 6, 2021 at 11:18 AM Alec J Summers <asumm...@mitre.org> wrote:

> Kurt,
>
> Apologies for the secondary note, but I wanted to follow up and clarify
> something.
>
> To your comment: “I have some more questions but I'm finally getting
> around to my list of 200 vulns about 1/4 to 1/2 of which should probably be
> added to CWE and trying to figure out how to do this efficiently.”
>
> Do you think that ¼ to ½ of these 200 vulns should be NEW entries in CWE
> or simply mapped to existing entries?
>
> Having asked that, I wouldn’t want you to invest the huge amount of time
> of filling out forms (txt, web, or otherwise) for such a set. I think it
> would be better to perhaps share some of the key items (name, desc,
> references) for some of the entries you think might be new additions to the
> corpus as a way to start the conversation.
>
> I also wanted to point you to the further guidelines for submissions in
> addition to the txt form itself (note, these are pointed to on the form as
> well):
>
> Guidelines for individual elements:
> https://cwe.mitre.org/community/submissions/guidelines.html#guidelines
>
> Common problems encountered with poor submissions:
> https://cwe.mitre.org/community/submissions/guidelines.html#problems
>
> Best,
>
> Alec
>
> --
>
> *Alec J. Summers*
>
> Cyber Solutions Innovation Center
>
> Group Leader, Software Assurance Research & Practice
>
> Cyber Security Engineer, Lead
>
> O: (781) 271-6970
>
> C: (781) 496-8426
>
> *––––––––––––––––––––––––––––––––––––*
>
> *MITRE - Solving Problems for a Safer World*
>
> *From: *Alec J Summers <asumm...@mitre.org>
> *Date: *Wednesday, October 6, 2021 at 12:16 PM
> *To: *Seifried, Kurt <k...@seifried.org>, CWE CAPEC Board <
> cwe-capec-board-list@mitre.org>
> *Cc: *Bressers, Josh <j...@bress.net>, Steven M Christey <co...@mitre.org>,
> David B Rothenberg <drothenb...@mitre.org>
> *Subject: *Re: CWE submission form
>
> Kurt,
>
> Thanks for your note and patience in my reply. Yes, your message was
> received :-)
>
> This text form was our initial solution for standing up a solution to
> ingest entries during the rapid growth of CWE HW content. It was not meant
> to be a long-term solution, although it has worked fairly well, to be
> honest. We are actively finalizing a more broad, web-submission form to
> hopefully be included in the new minor release at the end of the month.
> That is my goal.
>
> That being said, to your specific questions:
>
>    1. “oa Name”
>    This is a typo that should read “a Name” – we will resolve
>    2. Code language:
>    This is not a comprehensive list, and we can add new languages to this
>    enumeration list where needed. Some that immediately come to mind are Go,
>    Rust, etc. In the corpus, it’s always a balance of simply adding “mappings”
>    (e.g., adding “Go” to the language element of an existing weakness) and new
>    demonstrative examples with enumerating NEW weaknesses in newly enumerated
>    languages. This requires subject matter experts and time, of course, but it
>    is certainly something we want to do. I’d love to leverage the community,
>    if possible, to identify opportunities here to expand content in these
>    languages. This has not arisen with this form before, but one work around
>    would be to simply add some language for an option to provide a new
>    language not in the list.
>    3. Images: we actually added a new capability to incorporate a png
>    image to an entry. See:
>    https://cwe.mitre.org/data/definitions/1256.html
>
> Does this help?
>
> I can get the form updated and changed in the near future to reflect
> #1-3 above in the text form for now. Again, we hope to have the
> web-submission form available on the site soon.
>
> Cheers,
>
> Alec
>
> *From: *Kurt Seifried <k...@seifried.org>
> *Date: *Wednesday, October 6, 2021 at 11:49 AM
> *To: *CWE CAPEC Board <cwe-capec-board-list@mitre.org>
> *Cc: *Bressers, Josh <j...@bress.net>
> *Subject: *Re: CWE submission form
>
> Did this email get received? Can we do anything about this? I'm thinking
> at a minimum of a simple JSON format instead of that txt file.
>
> On Fri, Oct 1, 2021 at 11:40 AM Kurt Seifried <k...@seifried.org> wrote:
>
> Regarding the CWE submission form
>
> https://cwe.mitre.org/community/submissions/guidelines.html
>
> specifically
>
> https://cwe.mitre.org/community/submissions/CWE_Submission_Form.txt
>
> it... uses ascii art boxes/etc,
>
> Also, the instructions are unclear: "Your entry should include either oa
> Name(s) or Class for each element, but not both."
>
> What is an oa Name(s)?
>
> As for the Language Name/OS/etc., there are lists; are these comprehensive
> or can we add to them? e.g.:
>
>  Language Name: Ada, ASP, ASP.NET, Basic, C, COBOL, C++, C#, Fortran, F#,
> HTML, Java, Javascript, JSP, Objective-C, Pascal, Perl, PHP, Python, Ruby,
> SQL, Shell, Swift, VB.Net, XML, Other
> Language Class: Assembly, Compiled, Interpreted, Language-Independent
>
> Also it says:
>
> "At this time, The CWE team is unable to include diagrams on CWE entry
> pages, but we are looking into incorporating them in the future."
>
> Is there any ETA on this?
>
> I have some more questions but I'm finally getting around to my list of
> 200 vulns about 1/4 to 1/2 of which should probably be added to CWE and
> trying to figure out how to do this efficiently. Thanks
>
> --
>
> Kurt Seifried (He/Him)
> k...@seifried.org


-- 
Kurt Seifried (He/Him)
k...@seifried.org
