Closed sthagen closed 3 years ago
I like the idea of having the textual description in it (mostly because I can't remember which number is which type...). However, I think we should provide a clear statement which type of description should be used.
Example: CWE-79. I've seen different names for this number:
The same happens with CWE-89, CWE-352, CWE-78, CWE-22, CWE-94, ...
Maybe, we could add a comment that the issuing authority should use the (full) name as given in the specification.
We should also think about allowing references to other databases that support the evaluation of vulnerabilities, such as e.g. for MITRE ATT&CK (https://attack.mitre.org/).
I second the proposal of @tschmidtb51 using SHOULD for the full description.
This issue was addressed in pull request https://github.com/oasis-tcs/csaf/pull/135
As discussed in the CSAF TC September 2020 monthly meeting, since this was addressed in #135 , we are closing this issue.
@tschmidtb51 suggests to revisit the CWE referencing in the CSAF. Should we allow place for the longer descriptions or should we stay with the CVRF v1.2 way of clearly going for the CWE-ID matching the pattern
CWE-[1-9]\d{0,5}
only? Cf. section 6.9 of CVRF v1.2
and the referenced model section 2.2.13 of CVRF v1.2:
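To make the two options discussed in this thread concrete, here is an added Python checker (not code from the CSAF project or from any participant) that treats the CVRF v1.2 identifier pattern `CWE-[1-9]\d{0,5}` as a hard requirement and the full MITRE name as a SHOULD. It assumes a CWE reference is carried as a dict with `id` and `name` keys (these key names are an assumption for the example, not the CSAF schema), and it embeds a two-entry catalog constructed for the demo; a real validator would load the official CWE list instead.

```python
import re

# Identifier pattern quoted in the thread (CVRF v1.2 / proposed CSAF rule).
# fullmatch() is used so that a leading zero, a lowercase prefix, surrounding
# text or a seventh digit is rejected rather than partially matched.
CWE_ID_PATTERN = re.compile(r"CWE-[1-9]\d{0,5}")

# Constructed catalog for this example: two entries with the full names MITRE
# publishes for them. A production validator must load the complete list.
CWE_CATALOG = {
    "CWE-79": "Improper Neutralization of Input During Web Page Generation "
              "('Cross-site Scripting')",
    "CWE-89": "Improper Neutralization of Special Elements used in an SQL "
              "Command ('SQL Injection')",
}


def matches_cwe_id_pattern(value) -> bool:
    """True only if value is a string matching CWE-[1-9]\\d{0,5} exactly."""
    return isinstance(value, str) and CWE_ID_PATTERN.fullmatch(value) is not None


def _normalize_name(name: str) -> str:
    """Collapse whitespace and case so harmless formatting differences pass."""
    return " ".join(name.split()).casefold()


def validate_cwe_reference(ref: dict, catalog: dict = CWE_CATALOG) -> list:
    """Check one CWE reference.

    Returns a list of (level, message) tuples; an empty list means the
    reference is fully acceptable. The identifier pattern is a MUST (level
    "error"); using the full catalog name is a SHOULD (level "warning").
    """
    findings = []
    cwe_id = ref.get("id")
    name = ref.get("name")

    if not matches_cwe_id_pattern(cwe_id):
        findings.append(("error", f"id {cwe_id!r} does not match CWE-[1-9]\\d{{0,5}}"))
        return findings  # nothing further can be checked without a valid id

    canonical = catalog.get(cwe_id)
    if canonical is None:
        findings.append(("error", f"{cwe_id} is not present in the CWE catalog"))
        return findings

    if not isinstance(name, str) or not name.strip():
        findings.append(("warning", f"{cwe_id}: no name given; SHOULD carry {canonical!r}"))
    elif _normalize_name(name) != _normalize_name(canonical):
        # A short alias such as "Cross-site Scripting" is what the thread
        # complains about: it is not wrong, but it is not the full name.
        findings.append(("warning",
                         f"{cwe_id}: name {name!r} is not the full CWE name {canonical!r}"))
    return findings


if __name__ == "__main__":
    # Constructed sample references covering the cases the thread raises.
    samples = [
        {"id": "CWE-79", "name": CWE_CATALOG["CWE-79"]},   # fully compliant
        {"id": "CWE-79", "name": "Cross-site Scripting"},  # short alias -> warning
        {"id": "CWE-079", "name": "XSS"},                  # leading zero -> error
        {"id": "cwe-89", "name": "SQL Injection"},         # lowercase prefix -> error
        {"id": "CWE-1234567"},                             # seven digits -> error
    ]
    for sample in samples:
        print(sample.get("id"), validate_cwe_reference(sample) or "ok")
```

The split into "error" and "warning" mirrors the SHOULD wording proposed above: a consumer can reject malformed identifiers outright while only flagging references that carry an alias instead of the full name.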