On Thu, Nov 18, 2021 at 8:25 AM Alec J Summers <asumm...@mitre.org> wrote:

> Kurt,
>
> Thanks for your follow-up on this. It’s funny you should mention the
> <Status> attribute of entries as this is something that has recently been
> on our radar to recalibrate. The results of the UEWG’s schema element
> card-sorting exercise from this Fall suggested that the community places
> much more weight on this element than the team had expected.
>
> Overall, we haven’t been actively maintaining or updating the <Status>
> attribute of entries in years. Most recent new entries (e.g., much of the
> Hardware content) were originally published and labeled according to the
> schema definitions. Refining entries in the 2021 CWE Most Important
> Hardware Weaknesses List was the first time recently that we have actively
> updated the Status attribute – but only for those 17 entries because we
> filled in missing elements in those entries with the help of the original
> submitters.
>
> Directly after the UEWG card-sorting survey analysis, we started some
> metrics work to clarify the “completeness” of entries within CWE and CAPEC
> in order to prioritize content improvement efforts. Our plan is to
> integrate this completeness work with a recalibration of all entries’
> Status element, so many entries’ Status may change. Additionally, we intend
> to change the Status values; "Incomplete" is technically correct based on
> our schema definition, but is actively being mis-interpreted by users. The
> team will change the Status enumeration values to more appropriate labels.
>

Can you share those metrics?


>
> I am targeting the next releases (Q1 2022) for Status element
> recalibration, attribute value changes, and related updates to the content
> submission guidelines/form.
>
> Best,
>
> Alec
>
> --
>
> *Alec J. Summers*
>
> Cyber Solutions Innovation Center
>
> Group Leader, Software Assurance Research & Practice
>
> Cyber Security Engineer, Lead
>
> O: (781) 271-6970
>
> C: (781) 496-8426
>
> *––––––––––––––––––––––––––––––––––––*
>
> *MITRE - Solving Problems for a Safer World*
>
> *From: *Kurt Seifried <k...@seifried.org>
> *Date: *Wednesday, November 17, 2021 at 12:59 PM
> *To: *Alec J Summers <asumm...@mitre.org>
> *Cc: *CWE CAPEC Board <cwe-capec-board-list@mitre.org>
> *Subject: *Re: Question about the data
>
> Ahh ok, I was just looking at "<Weakness ID=\"" (I scrolled through the
> file but only about halfway, which is all Weaknesses until you hit 90%).
> With the Category/Views added the numbers add up. My next question would be
> what does it take to get an entry from Draft/Incomplete to Stable?
>
> 61 Status="Deprecated"
> 514 Status="Draft"
> 607 Status="Incomplete"
> 96 Status="Obsolete"
> 79 Status="Stable"
>
> The schema says:
>
> A value of Incomplete means that the entity does not have all important
> elements filled, and there is no guarantee of quality. A value of Draft
> refers to an entity that has all important elements filled, and critical
> elements such as Name and Description are reasonably well-written; the
> entity may still have important problems or gaps. A value of Usable refers
> to an entity that has received close, extensive review, with critical
> elements verified. A value of Stable indicates that all important elements
> have been verified, and the entry is unlikely to change significantly in
> the future. Note that the quality requirements for Draft and Usable status
> are very resource-intensive to accomplish, while some Incomplete and Draft
> entries are actively used by the general public; so, this status
> enumeration might change in the future.
>
> E.g. https://cwe.mitre.org/community/submissions/guidelines.html doesn't
> list which are important/etc.
>
> and does it matter at all or is good enough ok? ("while some Incomplete
> and Draft entries are actively used by the general public" would be the
> common case).
>
> On Wed, Nov 17, 2021 at 6:50 AM Alec J Summers <asumm...@mitre.org> wrote:
>
> Kurt,
>
> Good morning, and thanks for your note. I wanted to double check with the
> team on this and was able to confirm my supposition.
>
> As you know, some CWE entries are ‘Weaknesses’, whereas others are
> ‘Categories’, and others are ‘Views’.
>
> The CWE XML – as specified in the schema – first lists all weaknesses
> (under the <Weaknesses> element), then all categories (under the
> <Categories> element), etc.
>
> You can confirm that CWE-2 is in the downloaded XML by doing a simple grep
> for ‘ID=”2”’ and noting that there is an element with the following line:
>
>     <Category ID="2" Name="7PK - Environment" Status="Draft">
>
> We have downloaded the latest cwec file using the URL that you specified
> and confirmed the existence of CWE-2.
>
> You can use the following command line to see all the listed entries
> (tested on Red Hat Linux):
>
>     egrep '<(Weakness|Category|View).*ID="[0-9]+"' cwec_v4.6.xml
>
> To confirm that CWE-1 is present, try the following command:
>
>     egrep '<(Weakness|Category|View).*ID="[0-9]+"' cwec_v4.6.xml | egrep 'ID="1"'
>
> The total list of deprecated entries (23 weaknesses, 35 categories, and 3
> views – total of 61) can be viewed here:
> https://cwe.mitre.org/data/definitions/604.html
>
> Best,
>
> Alec
>
>
> *From: *Kurt Seifried <k...@seifried.org>
> *Date: *Tuesday, November 16, 2021 at 8:48 PM
> *To: *CWE CAPEC Board <cwe-capec-board-list@mitre.org>
> *Subject: *Question about the data
>
> I just grabbed the XML data (
> https://cwe.mitre.org/data/xml/cwec_latest.xml.zip) and was looking
> through it, by ID, so from the start e.g.:
>
> 5
> 6
> 7
> 8
> 9
> 11
> 12
> 13
> 14
> 15
> 20
>
> And some are missing, when I went and looked I got:
>
> https://cwe.mitre.org/data/definitions/1.html
>
> deprecated (makes sense)
>
> https://cwe.mitre.org/data/definitions/2.html
>
> CWE CATEGORY: 7PK - Environment
>
> https://cwe.mitre.org/data/definitions/3.html
>
> https://cwe.mitre.org/data/definitions/4.html
>
> deprecated (makes sense)
>
> I'm wondering what the deal with CWE-2 is, it's clearly not terribly
> useful, but it's... sort of alive? Dead? Zombie?
>
> The CWE IDs go up to 1351 and of those there are 947 live ones, does that
> sound right (so 400+ are deprecated?).
>
> --
>
> Kurt Seifried (He/Him)
> k...@seifried.org


-- 
Kurt Seifried (He/Him)
k...@seifried.org
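Editor's added example, not code from the thread or from MITRE: a small parser that treats Weakness, Category and View elements alike, so an ID such as CWE-2 is found even though it is not a `<Weakness>`, and that tallies the Status attribute across all three sections the way the egrep pipeline above does. `SAMPLE_XML` is a constructed stand-in for cwec_v4.6.xml with a placeholder namespace; the parser strips namespaces, so the same functions run unchanged on the real file. Names other than CWE-2's are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ENTRY_KINDS = ("Weakness", "Category", "View")

# Constructed sample: all <Weakness> elements first, then <Category>, then <View>,
# mirroring the schema ordering described in the thread. Namespace is a placeholder.
SAMPLE_XML = """<?xml version="1.0"?>
<Weakness_Catalog xmlns="urn:example:cwe-placeholder" Version="4.6">
  <Weaknesses>
    <Weakness ID="1" Name="Constructed deprecated weakness" Status="Deprecated"/>
    <Weakness ID="4" Name="Constructed deprecated weakness" Status="Deprecated"/>
    <Weakness ID="5" Name="Constructed draft weakness" Status="Draft"/>
    <Weakness ID="20" Name="Constructed stable weakness" Status="Stable"/>
  </Weaknesses>
  <Categories>
    <Category ID="2" Name="7PK - Environment" Status="Draft"/>
  </Categories>
  <Views>
    <View ID="604" Name="Constructed view" Status="Incomplete"/>
  </Views>
</Weakness_Catalog>
"""

def local_name(tag):
    """Drop the '{namespace}' prefix ElementTree puts on every tag."""
    return tag.rsplit("}", 1)[-1]

def load_entries(xml_text):
    """Return (kind, id, status) for every entry of any kind, in document order."""
    root = ET.fromstring(xml_text)
    return [(local_name(el.tag), el.get("ID"), el.get("Status"))
            for el in root.iter() if local_name(el.tag) in ENTRY_KINDS]

def status_counts(entries):
    """Tally Status values across all kinds, the numbers grepped for above."""
    return Counter(status for _, _, status in entries)

def find_id(entries, cwe_id):
    """Locate an ID regardless of kind; returns (kind, status) or None."""
    for kind, ident, status in entries:
        if ident == str(cwe_id):
            return kind, status
    return None

def missing_ids(entries, lo, hi):
    """IDs in [lo, hi] absent from every section (CWE-3 in the listing above)."""
    present = {int(ident) for _, ident, _ in entries}
    return [n for n in range(lo, hi + 1) if n not in present]
```

To run it against a real release, replace `SAMPLE_XML` with the contents of the downloaded cwec file; scrolling only the `<Weaknesses>` section misses Categories and Views, which is exactly the gap `find_id` closes.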
