Kurt,

Apologies for the secondary note, but I wanted to follow up and clarify something.

To your comment: "I have some more questions but I'm finally getting around to my list of 200 vulns about 1/4 to 1/2 of which should probably be added to CWE and trying to figure out how to do this efficiently." Do you think that ¼ to ½ of these 200 vulns should be NEW entries in CWE or simply mapped to existing entries? Having asked that, I wouldn't want you to invest the huge amount of time of filling out forms (txt, web, or otherwise) for such a set. I think it would be better to perhaps share some of the key items (name, desc, references) for some of the entries you think might be new additions to the corpus as a way to start the conversation.

I also wanted to point you to the further guidelines for submissions in addition to the txt form itself (note, these are pointed to on the form as well):

Guidelines for individual elements: https://cwe.mitre.org/community/submissions/guidelines.html#guidelines
Common problems encountered with poor submissions: https://cwe.mitre.org/community/submissions/guidelines.html#problems

Best,
Alec

--
Alec J. Summers
Cyber Solutions Innovation Center
Group Leader, Software Assurance Research & Practice
Cyber Security Engineer, Lead
O: (781) 271-6970
C: (781) 496-8426
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World

From: Alec J Summers <[email protected]>
Date: Wednesday, October 6, 2021 at 12:16 PM
To: Seifried, Kurt <[email protected]>, CWE CAPEC Board <[email protected]>
Cc: Bressers, Josh <[email protected]>, Steven M Christey <[email protected]>, David B Rothenberg <[email protected]>
Subject: Re: CWE submission form

Kurt,

Thanks for your note and patience in my reply. Yes, your message was received :-)

This text form was our initial solution for standing up a solution to ingest entries during the rapid growth of CWE HW content. It was not meant to be a long-term solution, although it has worked fairly well, to be honest. We are actively finalizing a broader web-submission form to hopefully be included in the new minor release at the end of the month. That is my goal.

That being said, to your specific questions:

1. "oa Name": This is a typo that should read "a Name". We will resolve.
2. Code language: This is not a comprehensive list, and we can add new languages to this enumeration list where needed. Some that immediately come to mind are Go, Rust, etc. In the corpus, it's always a balance of simply adding "mappings" (e.g., adding "Go" to the language element of an existing weakness) and new demonstrative examples with enumerating NEW weaknesses in newly enumerated languages. This requires subject matter experts and time, of course, but it is certainly something we want to do. I'd love to leverage the community, if possible, to identify opportunities here to expand content in these languages. This has not arisen with this form before, but one workaround would be to simply add some language for an option to provide a new language not in the list.
3. Images: we actually added a new capability to incorporate a png image to an entry. See: https://cwe.mitre.org/data/definitions/1256.html Does this help?

I can get the text form updated in the near future to reflect #1-3 above for now. Again, we hope to have the web-submission form available on the site soon.

Cheers,
Alec

From: Kurt Seifried <[email protected]>
Date: Wednesday, October 6, 2021 at 11:49 AM
To: CWE CAPEC Board <[email protected]>
Cc: Bressers, Josh <[email protected]>
Subject: Re: CWE submission form

Did this email get received? Can we do anything about this? I'm thinking at a minimum of a simple JSON format instead of that txt file.

On Fri, Oct 1, 2021 at 11:40 AM Kurt Seifried <[email protected]> wrote:

Regarding the CWE submission form https://cwe.mitre.org/community/submissions/guidelines.html specifically https://cwe.mitre.org/community/submissions/CWE_Submission_Form.txt it... uses ascii art boxes/etc. Also, instructions are unclear:

"Your entry should include either oa Name(s) or Class for each element, but not both."

What is an oa Name(s)?

As for the Language Name/OS/etc there are lists, are these comprehensive or can we add to them? e.g.:

Language Name: Ada, ASP, ASP.NET, Basic, C, COBOL, C++, C#, Fortran, F#, HTML, Java, Javascript, JSP, Objective-C, Pascal, Perl, PHP, Python, Ruby, SQL, Shell, Swift, VB.Net, XML, Other
Language Class: Assembly, Compiled, Interpreted, Language-Independent

Also it says: "At this time, The CWE team is unable to include diagrams on CWE entry pages, but we are looking into incorporating them in the future." Is there any ETA on this?

I have some more questions but I'm finally getting around to my list of 200 vulns about 1/4 to 1/2 of which should probably be added to CWE and trying to figure out how to do this efficiently.

Thanks

--
Kurt Seifried (He/Him)
[email protected]
