mitre / cti

Cyber Threat Intelligence Repository expressed in STIX 2.0

CWE STIX Documents? #48

Closed HamptonJ closed 4 years ago

HamptonJ commented 5 years ago

Are there any plans on making STIX documents for CWE?

jburns12 commented 5 years ago

@rpiazza do you have thoughts or feedback on this?

rpiazza commented 5 years ago

Hi @HamptonJ,

Currently in STIX 2.1, there is no Weakness object, so it's not clear how we could explicitly represent a CWE in STIX.

However, if you want to reference a CWE from any STIX Object you can always use the external_references property.

isaisabel commented 4 years ago

Closing due to lack of activity.

garanews commented 1 year ago

@rpiazza what do you think to have CWE under vulnerability object?

rpiazza commented 1 year ago

We try to emphasize the difference between a weakness (CWE) and a vulnerability (CVE). Here are some definitions that explain those differences:

Weakness: A condition in a software, firmware, hardware, or service component that, under the right circumstances, could contribute to the introduction of vulnerabilities

Vulnerability: A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components.

Because of this, I think it would be confusing to use the STIX Vulnerability object for a CWE. MITRE is working with the CWE/CAPEC community to provide an API to those corpuses. The responses to the API calls will be a JSON representation of CWE and CAPECs, but not STIX at this time.

garanews commented 1 year ago

I understand perfectly, thanks. Do you have a draft of a possible weakness STIX object, or at least an idea of what it should look like? In that case I will implement it on my side as a custom "temporary" object, like x-weakness, with the following properties:

- cwe_id
- name
- weakness_abstraction
- status
- description
- extended_description
- related_weaknesses
- weakness_ordinalities
- applicable_platforms
- background_details
- alternate_terms
- modes_of_introduction
- exploitation_factors
- likelihood_of_exploit
- common_consequences
- detection_methods
- potential_mitigations
- observed_examples
- functional_areas
- affected_resources
- taxonomy_mappings
- related_attack_patterns
- notes

And then create relationships from CWE to CVE, like targets?

Any suggestion will be much appreciated.
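The thread leaves two practical routes: reference a CWE from a standard STIX 2.1 object through `external_references` (rpiazza's answer above), or model a temporary custom `x-weakness` object and relate it to a Vulnerability (garanews's proposal). The following added example builds both with the Python standard library only; it is not code from the mitre/cti repository or from the stix2 library. The `x-weakness` type and the subset of its properties, the `contributes-to` relationship type, the fixed `CREATED` timestamp, the UUID namespace and the placeholder CVE id are all assumptions constructed for the example; CWE-79's name and abstraction are as published in the CWE list.

```python
"""Tie a CWE to STIX 2.1 content two ways and sanity-check the result (stdlib only)."""
import json
import re
import uuid

# Constructed, fixed values so the output is deterministic (assumptions for this example).
CREATED = "2024-01-01T00:00:00.000Z"
NAMESPACE = uuid.UUID("5f3a6b9a-1e3f-4c7d-9a8b-2e6d1c0f4a11")
STIX_ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z$")
STANDARD_TYPES = {"vulnerability", "relationship", "bundle"}


def stix_id(obj_type, seed):
    """Deterministic '<type>--<uuid>' id derived from a seed such as a CWE or CVE id."""
    return f"{obj_type}--{uuid.uuid5(NAMESPACE, seed)}"


def vulnerability_with_cwe(cve_id, description, cwe_id, created=CREATED):
    """Route 1 (standard STIX 2.1): a Vulnerability SDO whose external_references
    point at both the CVE entry and the CWE it stems from."""
    cwe_number = cwe_id.split("-", 1)[1]
    return {
        "type": "vulnerability",
        "spec_version": "2.1",
        "id": stix_id("vulnerability", cve_id),
        "created": created,
        "modified": created,
        "name": cve_id,
        "description": description,
        "external_references": [
            {"source_name": "cve", "external_id": cve_id},
            {"source_name": "cwe", "external_id": cwe_id,
             "url": f"https://cwe.mitre.org/data/definitions/{cwe_number}.html"},
        ],
    }


def custom_weakness(cwe_id, name, abstraction, description, created=CREATED):
    """Route 2 (custom object, an assumption): an x-weakness object carrying a few of the
    properties proposed in the thread. STIX 2.1 expects custom type names to start with 'x-'."""
    return {
        "type": "x-weakness",
        "spec_version": "2.1",
        "id": stix_id("x-weakness", cwe_id),
        "created": created,
        "modified": created,
        "cwe_id": cwe_id,
        "name": name,
        "weakness_abstraction": abstraction,
        "description": description,
        "external_references": [{"source_name": "cwe", "external_id": cwe_id}],
    }


def relationship(source, target, rel_type="contributes-to", created=CREATED):
    """Relationship SRO from the weakness to the vulnerability it contributes to.
    'contributes-to' mirrors the weakness definition in the thread; 'targets' would also work."""
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": stix_id("relationship", f"{source['id']}|{rel_type}|{target['id']}"),
        "created": created,
        "modified": created,
        "relationship_type": rel_type,
        "source_ref": source["id"],
        "target_ref": target["id"],
    }


def bundle(*objects):
    return {"type": "bundle", "id": stix_id("bundle", "cwe-example"), "objects": list(objects)}


def check(obj):
    """Structural checks a consumer would run before ingesting: id shape, spec_version,
    timestamps, custom-type prefix, relationship refs and well-formed external references."""
    problems = []
    obj_type = obj.get("type", "")
    if not STIX_ID_RE.match(obj.get("id", "")) or not obj["id"].startswith(obj_type + "--"):
        problems.append("id must be '<type>--<uuid>'")
    if obj_type not in STANDARD_TYPES and not obj_type.startswith("x-"):
        problems.append("custom object type names should start with 'x-'")
    if obj_type != "bundle":
        if obj.get("spec_version") != "2.1":
            problems.append("spec_version must be '2.1'")
        for key in ("created", "modified"):
            if not TIMESTAMP_RE.match(obj.get(key, "")):
                problems.append(f"{key} must be an RFC 3339 UTC timestamp")
    if obj_type == "relationship":
        for ref in ("source_ref", "target_ref"):
            if not STIX_ID_RE.match(obj.get(ref, "")):
                problems.append(f"{ref} must be a STIX id")
    for ref in obj.get("external_references", []):
        if "source_name" not in ref or not any(k in ref for k in ("external_id", "url", "description")):
            problems.append("external_reference needs source_name plus external_id, url or description")
    return problems


if __name__ == "__main__":
    weak = custom_weakness("CWE-79", "Improper Neutralization of Input During Web Page "
                           "Generation ('Cross-site Scripting')", "Base", "Untrusted input reaches a page.")
    vuln = vulnerability_with_cwe("CVE-0000-00000", "Constructed placeholder CVE.", "CWE-79")
    rel = relationship(weak, vuln)
    for obj in (weak, vuln, rel):
        assert check(obj) == [], check(obj)
    print(json.dumps(bundle(weak, vuln, rel), indent=2))
```

Route 1 needs no agreement between producers and consumers, which is why it is the safe default; route 2 only interoperates with tooling that knows the `x-weakness` type. STIX 2.1 also defines an extension-definition mechanism for registering such additions, which is the direction to prefer over bare `x-` types if the object is meant to outlive the "temporary" stage.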

rpiazza commented 1 year ago

Hi @garanews

Here is the current JSON schema we have for CAPEC attack patterns: AttackPattern Schema.json.txt

I hope this helps!