[Chris] I think the reason for choosing CWE-798 is that there were more examples of this in the NVD examples even though there was a CWE-1394 example in the Observed Examples which was the closest match to the weakness. I'll add logic to prioritize the relevant examples by Observed, Top 25, NVD in that order. I'm also thinking just to have one section / table in the report for e.g. 3 "Related Examples" that will come from ObservedExamples if available, then Top25 if available, then NVD.
[Connor] This seems problematic to me. I would just map to CWE-502. I'm confused where the mapping to CWE-20 comes into play because I'm not seeing "insufficient validation" in the CVE description and even then this is not an input validation issue. Lastly, the mapping to CWE-94 is incorrect because it is relying on the technical impact of "remote code execution" which is not a weakness.
[Connor] This is slightly more nuanced, but I would probably also map to CWE-522: Insufficiently Protected Credentials just because the NTLM hash is used to hash passwords and the current mapping of CWE-200 is a high level class.
[Chris] Makes sense. I should be able to get the model to add this extra CWE based on the context for future examples.
Description, Use Case and User Stories
For validation and feedback 10 CWE Assignment reports will be provided.
Definition of Ready
Acceptance Criteria
Additional context