oasis-open / cti-stix-common-objects

OASIS Cyber Threat Intelligence (CTI) TC: A repository for commonly used STIX objects in order to avoid needless duplication. https://github.com/oasis-open/cti-stix-common-objects
BSD 3-Clause "New" or "Revised" License

CWE and CPE Information #6

Closed SteliosZ closed 3 years ago

SteliosZ commented 3 years ago

Hello!

Is it possible to add CWE and CPE data that already exists in NIST's NVD? Or would you have to create Software Objects first, for CPEs for example, and then reference them?

Is it something you may add sometime in the future?

Thanks in advance for your time :)

rpiazza commented 3 years ago

Hi @SteliosZ,

Thanks for your interest.

We considered using CPE (or SWID) data as the basis of common STIX objects, but there are over 600,000 entries. It might make sense to select some of the more common software products - as you mentioned, sometime in the future.

As for CWEs, there is currently no STIX object type for weaknesses. There is an ongoing discussion within the CWE community about how CWEs might be represented in STIX, but no conclusions yet.