Kurt, Good morning, and thanks for your note. I wanted to double check with the team on this and was able to confirm my supposition.
As you know, some CWE entries are ‘Weaknesses’, whereas others are ‘Categories’, and others are ‘Views’. The CWE XML – as specified in the schema – first lists all weaknesses (under the <Weaknesses> element), then all categories (under the <Categories> element), etc. You can confirm that CWE-2 is in the downloaded XML by doing a simple grep for ‘ID=”2”’ and noting that there is an element with the following line: <Category ID="2" Name="7PK - Environment" Status="Draft"> We have downloaded the latest cwec file using the URL that you specified and confirmed the existence of CWE-2. You can use the following command line to see all the listed entries (tested on Red Hat Linux): egrep '<(Weakness|Category|View).*ID="[0-9]+"' cwec_v4.6.xml To confirm that CWE-1 is present, try the following command: egrep '<(Weakness|Category|View).*ID="[0-9]+"' cwec_v4.6.xml | egrep 'ID="1" The total list of deprecated entries (23 weaknesses, 35 categories, and 3 views – total of 61) can be viewed here: https://cwe.mitre.org/data/definitions/604.html Best, Alec -- Alec J. Summers Cyber Solutions Innovation Center Group Leader, Software Assurance Research & Practice Cyber Security Engineer, Lead O: (781) 271-6970 C: (781) 496-8426 –––––––––––––––––––––––––––––––––––– MITRE - Solving Problems for a Safer World From: Kurt Seifried <k...@seifried.org> Date: Tuesday, November 16, 2021 at 8:48 PM To: CWE CAPEC Board <cwe-capec-board-list@mitre.org> Subject: Question about the data I just grabbed the XML data (https://cwe.mitre.org/data/xml/cwec_latest.xml.zip) and was looking through it, by ID, so from the start e.g.: 5 6 7 8 9 11 12 13 14 15 20 And some are missing, when I went and looked I got: https://cwe.mitre.org/data/definitions/1.html deprecated (makes sense) https://cwe.mitre.org/data/definitions/2.html CWE CATEGORY: 7PK - Environment https://cwe.mitre.org/data/definitions/3.html https://cwe.mitre.org/data/definitions/4.html deprecated (makes sense) I'm wondering what the deal with CWE-2 is, it's clearly not terribly useful, but it's.. sort of alive? Dead? Zombie? The CWE ID's go up to 1351 and of those there are 947 live ones, does that sound right (so 400+ are deprecated?). -- Kurt Seifried (He/Him) k...@seifried.org<mailto:k...@seifried.org>