Hi Kurt,
Thanks for your question. While the CVE and CWE Programs encourage accurate and precise CWE mappings at the time of disclosure, there may be times where one doesn't exist due to a potential gap in the CWE corpus. In these cases, the CVE Record can be published with other enriched data elements also supported by the new CVE data format (e.g., CVSS, CPE), and the relevant party can submit a suggestion using the CWE Submission Form to fill the gap in CWE. Submission(s) can be viewed and commented on in the CDR (CWE Content Development Repository), and when ready, published on the CWE site. The relevant CVE Record(s) can subsequently be modified to include the new CWE as a root cause mapping.

One potential concern is if a CWE gap is perceived due to an error in identifying the underlying weakness. It is important to note that all CWE weaknesses fall under one of ten top-level Pillars (see https://cwe.mitre.org/data/definitions/1000.html ). Finding a weakness that does not fall under one of those Pillars is unlikely, and it is more likely that there was an error in identifying the underlying weakness. Although mapping to a Pillar is discouraged due to their high level of abstraction (for an example of mapping notes, see https://cwe.mitre.org/data/definitions/284.html#:~:text=Vulnerability%20Mapping%20Notes), a mapping to a Pillar is better than no mapping and might indicate the potential for new CWE entries to be submitted which would fall under that Pillar.

Better education within the community on root cause mapping would hopefully reduce the number of false positives for CWE gaps and in turn reduce potentially bad submissions coming into the submission server. To help educate the community, the CWE Program has done two things:

1. Updated the Root Cause Mapping guidance on the CWE website (https://cwe.mitre.org/documents/cwe_usage/guidance.html )
2. Helped create the Root Cause Mapping Working Group to facilitate community discussion on root cause mapping (https://github.com/Root-Cause-Mapping-Working-Group/RCM-WG )

Thank you,

Connor Mullaly
He / Him / His
Cybersecurity Engineer
L527 – Cyber for Identity Trust & Assurance
Phone: 781-857-9714

From: Kurt Seifried <[email protected]>
Sent: Wednesday, April 10, 2024 12:12 PM
To: CWE Research Discussion <[email protected]>
Subject: [EXT] Microsoft committing to CWEs

https://msrc.microsoft.com/blog/2024/04/toward-greater-transparency-adopting-the-cwe-standard-for-microsoft-cves/

"Today, we are pleased to announce a significant shift: we will now publish root cause data for Microsoft CVEs using the Common Weakness Enumeration (CWE™) industry standard."

What happens when they have CVEs that aren't covered by a CWE and they want a CWE for it? Does everyone go through the front door, so to speak, at https://cwesubmission.mitre.org/?

--
Kurt Seifried (He/Him)
[email protected]<mailto:[email protected]>
