Ahh ok, I was just looking at "<Weakness ID=\"" (I scrolled through the
file but only about halfway, which is all Weaknesses until you hit 90%).
With the Category/Views added the numbers add up. My next question would be
what does it take to get an entry from Draft/Incomplete to Stable?

61 Status="Deprecated"
514 Status="Draft"
607 Status="Incomplete"
96 Status="Obsolete"
79 Status="Stable"

The schema says:

A value of Incomplete means that the entity does not have all important
elements filled, and there is no guarantee of quality. A value of Draft
refers to an entity that has all important elements filled, and critical
elements such as Name and Description are reasonably well-written; the
entity may still have important problems or gaps. A value of Usable refers
to an entity that has received close, extensive review, with critical
elements verified. A value of Stable indicates that all important elements
have been verified, and the entry is unlikely to change significantly in
the future. Note that the quality requirements for Draft and Usable status
are very resource-intensive to accomplish, while some Incomplete and Draft
entries are actively used by the general public; so, this status
enumeration might change in the future.

E.g. https://cwe.mitre.org/community/submissions/guidelines.html doesn't
list which are important/etc.

and does it matter at all or is good enough ok? ("while some Incomplete and
Draft entries are actively used by the general public" would be the common
case).

On Wed, Nov 17, 2021 at 6:50 AM Alec J Summers <asumm...@mitre.org> wrote:

> Kurt,
>
>
>
> Good morning, and thanks for your note. I wanted to double check with the
> team on this and was able to confirm my supposition.
>
>
>
> As you know, some CWE entries are ‘Weaknesses’, whereas others are
> ‘Categories’, and others are ‘Views’.
>
>
>
> The CWE XML – as specified in the schema – first lists all weaknesses
> (under the <Weaknesses> element), then all categories (under the
> <Categories> element), etc.
>
>
>
> You can confirm that CWE-2 is in the downloaded XML by doing a simple grep
> for 'ID="2"' and noting that there is an element with the following line:
>
>
>
>     <Category ID="2" Name="7PK - Environment" Status="Draft">
>
>
>
> We have downloaded the latest cwec file using the URL that you specified
> and confirmed the existence of CWE-2.
>
>
>
> You can use the following command line to see all the listed entries
> (tested on Red Hat Linux):
>
>
>
>     egrep '<(Weakness|Category|View).*ID="[0-9]+"' cwec_v4.6.xml
>
>
>
> To confirm that CWE-1 is present, try the following command:
>
>
>
>     egrep '<(Weakness|Category|View).*ID="[0-9]+"' cwec_v4.6.xml | egrep 'ID="1"'
>
>
>
> The total list of deprecated entries (23 weaknesses, 35 categories, and 3
> views – total of 61) can be viewed here:
> https://cwe.mitre.org/data/definitions/604.html
>
>
>
> Best,
>
> Alec
>
>
>
> --
>
> *Alec J. Summers*
>
> Cyber Solutions Innovation Center
>
> Group Leader, Software Assurance Research & Practice
>
> Cyber Security Engineer, Lead
>
> O: (781) 271-6970
>
> C: (781) 496-8426
>
> *––––––––––––––––––––––––––––––––––––*
>
> *MITRE - Solving Problems for a Safer World*
>
>
>
>
>
> *From: *Kurt Seifried <k...@seifried.org>
> *Date: *Tuesday, November 16, 2021 at 8:48 PM
> *To: *CWE CAPEC Board <cwe-capec-board-list@mitre.org>
> *Subject: *Question about the data
>
> I just grabbed the XML data (
> https://cwe.mitre.org/data/xml/cwec_latest.xml.zip) and was looking
> through it, by ID, so from the start e.g.:
>
>
>
> 5
> 6
> 7
> 8
> 9
> 11
> 12
> 13
> 14
> 15
> 20
>
>
>
> And some are missing, when I went and looked I got:
>
>
>
> https://cwe.mitre.org/data/definitions/1.html
>
> deprecated (makes sense)
>
>
>
> https://cwe.mitre.org/data/definitions/2.html
>
> CWE CATEGORY: 7PK - Environment
>
>
>
> https://cwe.mitre.org/data/definitions/3.html
>
> https://cwe.mitre.org/data/definitions/4.html
>
> deprecated (makes sense)
>
>
>
> I'm wondering what the deal with CWE-2 is, it's clearly not terribly
> useful, but it's.. sort of alive? Dead? Zombie?
>
>
>
> The CWE ID's go up to 1351 and of those there are 947 live ones, does that
> sound right (so 400+ are deprecated?).
>
>
>
> --
>
> Kurt Seifried (He/Him)
> k...@seifried.org
>


-- 
Kurt Seifried (He/Him)
k...@seifried.org
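
The layout discussed in this thread (weaknesses first, then categories, then views, each entry carrying ID and Status attributes) can be tallied with an XML parser instead of grep. This is an added example, not code from either poster or from MITRE; the sample document is constructed, only its CWE-2 line comes from the thread, and the namespace URI and function names are assumptions.

```python
import io
import xml.etree.ElementTree as ET
from collections import Counter

KINDS = {"Weakness", "Category", "View"}

# Constructed sample: only the CWE-2 line comes from the thread; every other
# ID, name and status is a placeholder. The namespace URI is an assumption and
# is stripped by the parser anyway.
SAMPLE = b"""<Weakness_Catalog xmlns="http://cwe.mitre.org/cwe-6">
  <Weaknesses>
    <Weakness ID="9001" Name="placeholder" Status="Draft">
      <Related_Weaknesses>
        <Related_Weakness Nature="ChildOf" CWE_ID="9003" View_ID="9006"/>
      </Related_Weaknesses>
    </Weakness>
    <Weakness ID="9002" Name="placeholder" Status="Incomplete"/>
    <Weakness ID="9003" Name="placeholder" Status="Stable"/>
    <Weakness ID="9004" Name="placeholder" Status="Deprecated"/>
  </Weaknesses>
  <Categories>
    <Category ID="2" Name="7PK - Environment" Status="Draft"/>
    <Category ID="9005" Name="placeholder" Status="Deprecated"/>
  </Categories>
  <Views>
    <View ID="9006" Name="placeholder" Status="Draft"/>
  </Views>
</Weakness_Catalog>"""

def index_entries(source):
    """Map each entry ID to (kind, status); source is a path or binary file."""
    entries = {}
    for _, el in ET.iterparse(source, events=("end",)):
        kind = el.tag.rsplit("}", 1)[-1]      # drop the "{namespace}" prefix
        if kind in KINDS and el.get("ID", "").isdigit():
            entries[int(el.get("ID"))] = (kind, el.get("Status"))
            el.clear()                        # entry recorded, free its subtree
    return entries

def tally(entries):
    """Counts per entry kind and per Status value."""
    kinds = Counter(k for k, _ in entries.values())
    statuses = Counter(s for _, s in entries.values())
    return kinds, statuses

def outside_weaknesses(entries):
    """IDs that a scan for '<Weakness ID=' alone would never see."""
    return {i: k for i, (k, _) in sorted(entries.items()) if k != "Weakness"}

if __name__ == "__main__":
    found = index_entries(io.BytesIO(SAMPLE))
    print(*map(dict, tally(found)), outside_weaknesses(found))
```

Passing the path of the unzipped cwec file to `index_entries` in place of the sample gives the per-type and per-status totals for the real data.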
