search

CyberSecAI / CWEMap

Apache License 2.0
0 stars 0 forks source link

end2end Demo for 10 CVEs #21

Open Crashedmind opened 1 week ago

Crashedmind commented 1 week ago

Description, Use Case and User Stories

For validation and feedback 10 CWE Assignment reports will be provided.

  1. https://github.com/cisagov/vulnrichment/issues/109
  2. https://github.com/cisagov/vulnrichment/issues/110
  3. https://github.com/cisagov/vulnrichment/issues/111
  4. https://github.com/cisagov/vulnrichment/issues/112
  5. https://github.com/cisagov/vulnrichment/issues/113
  6. https://github.com/cisagov/vulnrichment/issues/114
  7. https://github.com/cisagov/vulnrichment/issues/115
  8. https://github.com/cisagov/vulnrichment/issues/116

Definition of Ready

  1. The agreed functionality to date is ready to be able to produce the report features

Acceptance Criteria

  1. 10 reports are provided for review

Additional context

  1. The purpose of reviewing 10 reports is to understand what is possible, and based on that ask for and ensure we have the features we want.
  2. This is a validation step before a larger number of reports are generated.
  3. These reports were generated while testing and adding features - manual fixups were applied to some (as shown if the issue was edited)
Crashedmind commented 3 days ago
    1. CVE-2023-49224 CWE assigned by CISA ADP is incorrect cisagov/vulnrichment#109
      • [Connor]: I believe a more precise mapping for this would be CWE-1394: Use of Default Cryptographic Key
      • [Chris] Different versions of the model chose between CWE-1394 and CWE-798. A previous version of the model chose CWE-1394 per https://cybersecai.github.io/Grounded/vertex_ai/#example-usage-cwe-1394. This model only had the ObservedExamples as a reference (not the Top25 or NVD)
      • [Chris] I think the reason for choosing CWE-798 is that there were more examples of this in the NVD examples even though there was a CWE-1394 example in the Observed Examples which was the closest match to the weakness. I'll add logic to prioritize the relevant examples by Observed, Top 25, NVD in that order. I'm also thinking just to have one section / table in the report for e.g. 3 "Related Examples" that will come from ObservedExamples if available, then Top25 if available, then NVD..
  2. [Connor]Agree with mappings
  3. CVE-2024-39705 CWE-300 assigned by CISA ADP is incorrect cisagov/vulnrichment#111
    • [Connor]This seems problematic to me. I would just map to CWE-502. I’m confused where the mapping to CWE-20 comes into play because I’m not seeing “insufficient validation” in the CVE description and even then this is not an input validation issue. Lastly, the mapping to CWE-94 is incorrect because it is relying on the technical impact of “remote code execution” which is not a weakness.
    • [Chris] The primary recommended CWE was CWE-502 and that's the one that CISA ADP added (and only that one) based on the report https://github.com/cisagov/vulnrichment/blob/a6183aecd13d1b167612088e39fcb0d1e67d038b/2024/39xxx/CVE-2024-39705.json#L97 -[Chris] The LLM I was using in this CVE (Claude) tends to be more verbose and zealous - thus the extra CWEs
  4. [Connor]agree
  5. CVE-2024-33881 CWE-400 assigned by CISA ADP is incorrect cisagov/vulnrichment#113
    • [Connor]this is slightly more nuanced, but I would probably also map to CWE-522: Insufficiently Protected Credentials just because the NTLM hash is used to hash passwords and the current mapping of CWE-200 is a high level class
    • [Chris] Makes Sense. I should be able to get the model to add this extra CWE based on the context for future examples.
  6. [Connor]agree
  7. [Connor]agree
  8. [Connor]agree