vulndb / data

User, contributor and developer friendly vulnerability database

Add reference to CWE/SANS Top 25 (2011) #32

Open robocoder opened 9 years ago

robocoder commented 9 years ago

https://cwe.mitre.org/top25/index.html

andresriancho commented 9 years ago

Hmmm, we already link to CWE, how would you link to the top25?

robocoder commented 9 years ago

Short-term, for the Top 25, I was thinking a reference like this:

    {
      "url": "https://cwe.mitre.org/top25/index.html#CWE-79",
      "title": "CWE/SANS Top 25 (2011)"
    }

Long-term, maybe change the schema? For example:

    "mitre": {
      "cwe": ["89"],
      "top25": ["89"],
      "capec": ["7"]
    }

andresriancho commented 9 years ago

Doesn't this duplicate the data in CWE?

robocoder commented 9 years ago

It does. Maybe the top 25 list is a candidate for meta/?

Where do you draw the line?

andresriancho commented 9 years ago

What I'm saying is that this is a dup:

    "cwe": ["89"],
    "top25": ["89"],

And that it doesn't make (much) sense to add a top25 field if it will be duplicating cwe. Some potential solutions to the problem:

The question, before we do anything, is... do we want to have this information? Is it really useful? IMHO, it's not a priority now, and in most cases it's not useful for the end user.