oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Add version to CWE #660

Open tschmidtb51 opened 1 year ago

tschmidtb51 commented 1 year ago

CWE list changes over time (see https://cwe.mitre.org/data/archive.html). As we always check against the latest version this might result in invalid documents over time, e.g., if old CWEs get deprecated. To avoid these issues and aid in validation, we should add a version to CWE and declare a minimum acceptable version.

Here is an example of how this would look:

      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation",
        "version": "4.11"
      },

The JSON schema definition would unfold as:


          "cwe": {
            "title": "CWE",
            "description": "Holds the MITRE standard Common Weakness Enumeration (CWE) for the weakness associated.",
            "type": "object",
            "required": [
              "id",
              "name",
              "version"
            ],
            "properties": {
              "id": {
                "title": "Weakness ID",
                "description": "Holds the ID for the weakness associated.",
                "type": "string",
                "pattern": "^CWE-[1-9]\\d{0,5}$",
                "examples": [
                  "CWE-22",
                  "CWE-352",
                  "CWE-79"
                ]
              },
              "name": {
                "title": "Weakness name",
                "description": "Holds the full name of the weakness as given in the CWE specification.",
                "type": "string",
                "minLength": 1,
                "examples": [
                  "Cross-Site Request Forgery (CSRF)",
                  "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                  "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
                ]
              },
              "version": {
                "title": "CWE version",
                "description": "Holds the version string of the CWE specification this weakness was extracted from.",
                "type": "string",
                "minLength": 1,
                "pattern": "\\d\\.\\d{1,3}",
                "examples": [
                  "4.0",
                  "4.11",
                  "4.12"
                ]
              }
            }
          },
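An added example (not part of the issue or the CSAF project's own code) of validating a `cwe` object against the proposed rules with only the standard library, and enforcing the minimum acceptable version the comment asks for. `MIN_CWE_VERSION` is a placeholder since the issue does not fix a value, and the version comparison is done numerically so that 4.11 is correctly treated as newer than 4.9.

```python
import json
import re

# Constructed excerpt of the "cwe" schema proposed in this issue, with the
# comma after the "version" pattern added so that it parses as JSON.
CWE_SCHEMA = json.loads(r'''{
  "required": ["id", "name", "version"],
  "properties": {
    "id": {"type": "string", "pattern": "^CWE-[1-9]\\d{0,5}$"},
    "name": {"type": "string", "minLength": 1},
    "version": {"type": "string", "minLength": 1, "pattern": "\\d\\.\\d{1,3}"}
  }
}''')

# Placeholder: the issue proposes declaring a minimum acceptable CWE version
# but does not fix its value.
MIN_CWE_VERSION = "4.0"


def version_key(version):
    """Map '4.11' to (4, 11) so 4.11 sorts after 4.9; plain string compare would not."""
    return tuple(int(part) for part in version.split("."))


def validate_cwe(cwe, schema=CWE_SCHEMA, minimum=MIN_CWE_VERSION):
    """Return the validation errors for one CSAF 'cwe' object (empty list means valid)."""
    errors = []
    for key in schema["required"]:
        if key not in cwe:
            errors.append(f"missing required property '{key}'")
    for key, rules in schema["properties"].items():
        if key not in cwe:
            continue
        value = cwe[key]
        if not isinstance(value, str):
            errors.append(f"'{key}' must be a string")
            continue
        if len(value) < rules.get("minLength", 0):
            errors.append(f"'{key}' is shorter than minLength {rules['minLength']}")
        # JSON Schema 'pattern' is an unanchored search: the proposed version
        # pattern lacks ^...$, so it also accepts text around a valid version.
        if "pattern" in rules and not re.search(rules["pattern"], value):
            errors.append(f"'{key}' does not match pattern {rules['pattern']}")
    version = cwe.get("version")
    # Compare numerically, and only once the version has the expected shape.
    if isinstance(version, str) and re.fullmatch(r"\d\.\d{1,3}", version):
        if version_key(version) < version_key(minimum):
            errors.append(f"CWE version {version} is below the minimum {minimum}")
    return errors
```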
santosomar commented 1 year ago

Thomas Schmidt proposed a motion, as detailed in this OASIS mailing list archive, to add a CWE version to CSAF v2.1 and later data files. Stefan Hagen seconded the motion. There were no discussions or objections raised, and consequently, the motion was automatically passed on November 1, 2023, at 20:00 UTC.

tschmidtb51 commented 6 months ago

Todos: