Kurt,

Absolutely! As I said, we started some metrics work after the recent 
card-sorting exercise, and by that I mean the metrics are under development at 
this time. The team will share drafts once we have something implemented.

Best,
Alec

--
Alec J. Summers
Cyber Solutions Innovation Center
Group Leader, Software Assurance Research & Practice
Cyber Security Engineer, Lead
O: (781) 271-6970
C: (781) 496-8426
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World


From: Kurt Seifried <k...@seifried.org>
Date: Thursday, November 18, 2021 at 10:48 AM
To: Alec J Summers <asumm...@mitre.org>
Cc: CWE CAPEC Board <cwe-capec-board-list@mitre.org>
Subject: Re: Question about the data


On Thu, Nov 18, 2021 at 8:25 AM Alec J Summers 
<asumm...@mitre.org> wrote:
Kurt,

Thanks for your follow-up on this. It’s funny you should mention the <Status> 
attribute of entries as this is something that has recently been on our radar 
to recalibrate. The results of the UEWG’s schema element card-sorting exercise 
from this Fall suggested that the community places much more weight on this 
element than the team had expected.

Overall, we haven’t been actively maintaining or updating the <Status> 
attribute of entries in years. Most recent new entries (e.g., much of the 
Hardware content) were originally published and labeled according to the schema 
definitions. Refining entries in the 2021 CWE Most Important Hardware 
Weaknesses List was the first time recently that we have actively updated the 
Status attribute – but only for those 17 entries because we filled in missing 
elements in those entries with the help of the original submitters.

Directly after the UEWG card-sorting survey analysis, we started some metrics 
work to clarify the “completeness” of entries within CWE and CAPEC in order to 
prioritize content improvement efforts. Our plan is to integrate this 
completeness work with a recalibration of all entries’ Status element, so many 
entries’ Status may change. Additionally, we intend to change the Status 
values; "Incomplete" is technically correct based on our schema definition, but 
is actively being mis-interpreted by users. The team will change the Status 
enumeration values to more appropriate labels.

Can you share those metrics?


I am targeting the next releases (Q1 2022) for Status element recalibration, 
attribute value changes, and related updates to the content submission 
guidelines/form.

Best,
Alec



From: Kurt Seifried <k...@seifried.org>
Date: Wednesday, November 17, 2021 at 12:59 PM
To: Alec J Summers <asumm...@mitre.org>
Cc: CWE CAPEC Board <cwe-capec-board-list@mitre.org>
Subject: Re: Question about the data
Ahh ok, I was just looking at "<Weakness ID=\"" (I scrolled through the file 
but only about halfway, which is all Weaknesses until you hit 90%). With the 
Category/Views added the numbers add up. My next question would be what does it 
take to get an entry from Draft/Incomplete to Stable?

61 Status="Deprecated"
514 Status="Draft"
607 Status="Incomplete"
96 Status="Obsolete"
79 Status="Stable"

The schema says:

A value of Incomplete means that the entity does not have all important 
elements filled, and there is no guarantee of quality. A value of Draft refers 
to an entity that has all important elements filled, and critical elements such 
as Name and Description are reasonably well-written; the entity may still have 
important problems or gaps. A value of Usable refers to an entity that has 
received close, extensive review, with critical elements verified. A value of 
Stable indicates that all important elements have been verified, and the entry 
is unlikely to change significantly in the future. Note that the quality 
requirements for Draft and Usable status are very resource-intensive to 
accomplish, while some Incomplete and Draft entries are actively used by the 
general public; so, this status enumeration might change in the future.

E.g. https://cwe.mitre.org/community/submissions/guidelines.html doesn't list 
which are important/etc.

And does it matter at all, or is "good enough" OK? ("while some Incomplete and 
Draft entries are actively used by the general public" would be the common 
case.)

On Wed, Nov 17, 2021 at 6:50 AM Alec J Summers 
<asumm...@mitre.org> wrote:
Kurt,

Good morning, and thanks for your note. I wanted to double check with the team 
on this and was able to confirm my supposition.

As you know, some CWE entries are ‘Weaknesses’, whereas others are 
‘Categories’, and others are ‘Views’.

The CWE XML – as specified in the schema – first lists all weaknesses (under 
the <Weaknesses> element), then all categories (under the <Categories> 
element), etc.

You can confirm that CWE-2 is in the downloaded XML by doing a simple grep for 
‘ID=”2”’ and noting that there is an element with the following line:

    <Category ID="2" Name="7PK - Environment" Status="Draft">

We have downloaded the latest cwec file using the URL that you specified and 
confirmed the existence of CWE-2.

You can use the following command line to see all the listed entries (tested on 
Red Hat Linux):

    egrep '<(Weakness|Category|View).*ID="[0-9]+"' cwec_v4.6.xml

To confirm that CWE-1 is present, try the following command:

    egrep '<(Weakness|Category|View).*ID="[0-9]+"' cwec_v4.6.xml | egrep 'ID="1"'

The total list of deprecated entries (23 weaknesses, 35 categories, and 3 views 
– total of 61) can be viewed here: 
https://cwe.mitre.org/data/definitions/604.html

Best,
Alec

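As an added example (it is not part of the thread and not MITRE's own tooling), the following Python script does what Alec's egrep pipeline does, but with a real XML parser instead of a regex, so it walks all three entry kinds (Weakness, Category, View) rather than only the <Weaknesses> block Kurt scrolled through, and it produces the per-Status tally Kurt posted. It assumes only the element and attribute names visible in the thread and in the CWE schema (Weakness, Category, View, ID, Status); the embedded XML is a constructed sample shaped like cwec_v4.6.xml, not an excerpt of it, and the namespace URI in it is an assumption the code deliberately does not depend on.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of the CWE catalog XML: weaknesses first, then
# categories, then views (the ordering Alec describes). Entry names other than
# CWE-2's are made up for the example; the namespace URI is an assumption.
SAMPLE_CWEC_XML = """<Weakness_Catalog xmlns="http://cwe.mitre.org/cwe-6" Name="CWE" Version="4.6">
  <Weaknesses>
    <Weakness ID="1" Name="DEPRECATED: (constructed)" Abstraction="Class" Status="Deprecated"/>
    <Weakness ID="5" Name="Constructed weakness five" Abstraction="Variant" Status="Draft"/>
    <Weakness ID="6" Name="Constructed weakness six" Abstraction="Variant" Status="Incomplete"/>
    <Weakness ID="20" Name="Constructed weakness twenty" Abstraction="Class" Status="Stable"/>
    <Weakness ID="79" Name="Constructed weakness seventy-nine" Abstraction="Base" Status="Stable"/>
  </Weaknesses>
  <Categories>
    <Category ID="2" Name="7PK - Environment" Status="Draft"/>
    <Category ID="3" Name="DEPRECATED: (constructed)" Status="Deprecated"/>
    <Category ID="4" Name="DEPRECATED: (constructed)" Status="Deprecated"/>
  </Categories>
  <Views>
    <View ID="1000" Name="Constructed view" Type="Graph" Status="Draft"/>
  </Views>
</Weakness_Catalog>
"""

# The three element kinds that carry a CWE ID, matching Alec's egrep alternation.
ENTRY_KINDS = ("Weakness", "Category", "View")


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def iter_entries(xml_text):
    """Yield (kind, id, status) for every Weakness/Category/View in document order."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        kind = local_name(el.tag)
        if kind in ENTRY_KINDS and "ID" in el.attrib:
            yield kind, int(el.attrib["ID"]), el.attrib.get("Status", "")


def count_by_kind(xml_text):
    """How many entries of each kind exist (the breakdown Alec's egrep would list)."""
    return Counter(kind for kind, _, _ in iter_entries(xml_text))


def count_by_status(xml_text, kinds=ENTRY_KINDS):
    """Tally Status values, optionally restricted to some kinds.

    Restricting to ("Weakness",) reproduces the under-count you get by
    scanning only the <Weaknesses> block, as Kurt initially did.
    """
    return Counter(status for kind, _, status in iter_entries(xml_text) if kind in kinds)


def find_entry(xml_text, cwe_id):
    """Return (kind, status) for a CWE ID, or None if the ID is absent from the file."""
    for kind, entry_id, status in iter_entries(xml_text):
        if entry_id == cwe_id:
            return kind, status
    return None


def missing_ids(xml_text, upto):
    """IDs in 1..upto that appear in no entry kind at all (the gaps Kurt noticed)."""
    present = {entry_id for _, entry_id, _ in iter_entries(xml_text)}
    return [i for i in range(1, upto + 1) if i not in present]


if __name__ == "__main__":
    print("by kind:  ", dict(count_by_kind(SAMPLE_CWEC_XML)))
    print("by status:", dict(count_by_status(SAMPLE_CWEC_XML)))
    print("CWE-2:    ", find_entry(SAMPLE_CWEC_XML, 2))
    print("missing <= 8:", missing_ids(SAMPLE_CWEC_XML, 8))
```

To run this against the real catalog, replace SAMPLE_CWEC_XML with the text of the unzipped cwec_latest.xml; because the code matches on local tag names, a change of namespace URI between schema versions does not break it. Comparing count_by_status(..., kinds=("Weakness",)) with the unrestricted tally shows concretely how many of the Deprecated/Draft counts live in categories and views rather than weaknesses.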


From: Kurt Seifried <k...@seifried.org>
Date: Tuesday, November 16, 2021 at 8:48 PM
To: CWE CAPEC Board <cwe-capec-board-list@mitre.org>
Subject: Question about the data
I just grabbed the XML data 
(https://cwe.mitre.org/data/xml/cwec_latest.xml.zip) and was looking through 
it, by ID, so from the start e.g.:

5
6
7
8
9
11
12
13
14
15
20

And some are missing, when I went and looked I got:

https://cwe.mitre.org/data/definitions/1.html
deprecated (makes sense)

https://cwe.mitre.org/data/definitions/2.html
CWE CATEGORY: 7PK - Environment

https://cwe.mitre.org/data/definitions/3.html
https://cwe.mitre.org/data/definitions/4.html
deprecated (makes sense)

I'm wondering what the deal with CWE-2 is; it's clearly not terribly useful, 
but it's... sort of alive? Dead? Zombie?

The CWE IDs go up to 1351, and of those there are 947 live ones; does that 
sound right (so 400+ are deprecated?).

--
Kurt Seifried (He/Him)
k...@seifried.org