Board members,

Good morning - I hope you are all well.

I am forwarding a message from Kurt that inadvertently failed to proceed through our listserv moderation process during the holiday week. Please see below...

Cheers,
Alec

________________________________
From: Seifried, Kurt <k...@seifried.org>
Sent: Tuesday, November 22, 2022 12:15 PM
To: CWE CAPEC Board <cwe-capec-board-list@mitre.org>
Subject: abstraction guidelines for CWE entries

Ok, so I was reviewing feedback on a CWE submission and the level of abstraction came up. The person I was working with was like "well, what level do they want?" to which I replied "we're not sure". I mean, here's the documentation from the website:

https://cwe.mitre.org/community/submissions/guidelines.html

Abstraction. Consider whether the submission is at an appropriate level of abstraction that is represented within CWE. Guidelines are not well-defined as of this time, but be familiar with Classes, Bases, and Variants (from the schema or glossary, and from reviewing existing CWE content). Generally, the CWE team prefers submissions at the Base level; however, you might only be aware of a weakness at a lower Variant level.

So I wanted to ask CWE: what level of abstraction do we want?

As a parallel project while we discuss this, do we want to also discuss labeling or tagging the abstraction better? E.g. there is all the .NET stuff, which is clearly too low-level/specific to meet current guidelines (er, well, the proposed guidelines?), but I don't want to throw them out. E.g. could they be tagged as ".NET specific" and maybe deemphasized in results/etc.? I would hate to lose the data, and there is an argument for low-level, language-specific things that keep occurring (e.g. python pickle, despite a huge red banner warning on the docs, still keeps coming up: https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=python+pickle&search_type=all&isCpeNameSearch=false).

E.g. should we rate existing entries (e.g. PASS/FAIL or 0 to 1 score of suitability) and see what the data says?

--
Kurt Seifried (He/Him)
k...@seifried.org