Merge pull request #738 from tschmidtb51/cwe

CWEs, CWE version and CWE Weakness clarification
oasis-tcs · Jun 17, 2024 · 40a2236 · 40a2236
2 parents f86388e + 06e1b0b
commit 40a2236
Show file tree

Hide file tree

Showing 27 changed files with 839 additions and 90 deletions.
diff --git a/csaf_2.1/examples/csaf/bsi-2022-0001.json b/csaf_2.1/examples/csaf/bsi-2022-0001.json
@@ -134,10 +134,13 @@
         }
       ],
       "cve": "CVE-2022-27193",
-      "cwe": {
-        "id": "CWE-611",
-        "name": "Improper Restriction of XML External Entity Reference"
-      },
+      "cwes": [
+        {
+          "id": "CWE-611",
+          "name": "Improper Restriction of XML External Entity Reference",
+          "version": "4.6"
+        }
+      ],
       "ids": [
         {
           "system_name": "Github Issue",

diff --git a/csaf_2.1/examples/csaf/rhsa-2021_5186.json b/csaf_2.1/examples/csaf/rhsa-2021_5186.json
@@ -165,10 +165,13 @@
   "vulnerabilities": [
     {
       "cve": "CVE-2021-4104",
-      "cwe": {
-        "id": "CWE-20",
-        "name": "Improper Input Validation"
-      },
+      "cwes": [
+        {
+          "id": "CWE-20",
+          "name": "Improper Input Validation",
+          "version": "4.6"
+        }
+      ],
       "discovery_date": "2021-12-13T00:00:00Z",
       "ids": [
         {

diff --git a/csaf_2.1/examples/csaf/rhsa-2021_5217.json b/csaf_2.1/examples/csaf/rhsa-2021_5217.json
@@ -116,10 +116,13 @@
         }
       ],
       "cve": "CVE-2021-4133",
-      "cwe": {
-        "id": "CWE-863",
-        "name": "Incorrect Authorization"
-      },
+      "cwes": [
+        {
+          "id": "CWE-863",
+          "name": "Incorrect Authorization",
+          "version": "4.6"
+        }
+      ],
       "discovery_date": "2021-12-17T00:00:00Z",
       "ids": [
         {

diff --git a/csaf_2.1/examples/csaf/rhsa-2022_0011.json b/csaf_2.1/examples/csaf/rhsa-2022_0011.json
@@ -340,10 +340,13 @@
   "vulnerabilities": [
     {
       "cve": "CVE-2020-10188",
-      "cwe": {
-        "id": "CWE-119",
-        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
-      },
+      "cwes": [
+        {
+          "id": "CWE-119",
+          "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
+          "version": "4.6"
+        }
+      ],
       "discovery_date": "2020-03-06T00:00:00Z",
       "ids": [
         {

diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json
@@ -996,36 +996,58 @@
             "type": "string",
             "pattern": "^CVE-[0-9]{4}-[0-9]{4,}$"
           },
-          "cwe": {
-            "title": "CWE",
-            "description": "Holds the MITRE standard Common Weakness Enumeration (CWE) for the weakness associated.",
-            "type": "object",
-            "required": [
-              "id",
-              "name"
-            ],
-            "properties": {
-              "id": {
-                "title": "Weakness ID",
-                "description": "Holds the ID for the weakness associated.",
-                "type": "string",
-                "pattern": "^CWE-[1-9]\\d{0,5}$",
-                "examples": [
-                  "CWE-22",
-                  "CWE-352",
-                  "CWE-79"
-                ]
-              },
-              "name": {
-                "title": "Weakness name",
-                "description": "Holds the full name of the weakness as given in the CWE specification.",
-                "type": "string",
-                "minLength": 1,
-                "examples": [
-                  "Cross-Site Request Forgery (CSRF)",
-                  "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
-                  "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
-                ]
+          "cwes": {
+            "title": "List of CWEs",
+            "description": "Contains a list of CWEs.",
+            "type": "array",
+            "minItems": 1,
+            "uniqueItems": true,
+            "items": {
+              "title": "CWE",
+              "description": "Holds the MITRE standard Common Weakness Enumeration (CWE) for the weakness associated.",
+              "type": "object",
+              "required": [
+                "id",
+                "name",
+                "version"
+              ],
+              "properties": {
+                "id": {
+                  "title": "Weakness ID",
+                  "description": "Holds the ID for the weakness associated.",
+                  "type": "string",
+                  "pattern": "^CWE-[1-9]\\d{0,5}$",
+                  "examples": [
+                    "CWE-22",
+                    "CWE-352",
+                    "CWE-79"
+                  ]
+                },
+                "name": {
+                  "title": "Weakness name",
+                  "description": "Holds the full name of the weakness as given in the CWE specification.",
+                  "type": "string",
+                  "minLength": 1,
+                  "examples": [
+                    "Cross-Site Request Forgery (CSRF)",
+                    "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+                    "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+                  ]
+                },
+                "version": {
+                  "title": "CWE version",
+                  "description": "Holds the version string of the CWE specification this weakness was extracted from.",
+                  "type": "string",
+                  "minLength": 1,
+                  "pattern": "^[1-9]\\d*\\.([0-9]|([1-9]\\d+))(\\.\\d+)?$",
+                  "examples": [
+                    "1.0",
+                    "3.4.1",
+                    "4.0",
+                    "4.11",
+                    "4.12"
+                  ]
+                }
               }
             }
           },

diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md
@@ -127,9 +127,18 @@ Secondly, the program fulfills the following for all items of:
 * `/product_tree/relationships[]`: If more than one `prod:FullProductName` instance is given,
   the CVRF CSAF converter converts the first one into the `full_product_name`.
   In addition, the converter outputs a warning that information might be lost during conversion of product relationships.
-* `/vulnerabilities[]/cwe`: If more than one `vuln:CWE` instance is given,
-  the CVRF CSAF converter converts the first one into `cwe`.
-  In addition, the converter outputs a warning that information might be lost during conversion of the CWE.
+* `/vulnerabilities[]/cwes[]`:
+  * The CVRF CSAF converter MUST determine the CWE specification version the given CWE was selected from by
+    using the latest version that matches the `id` and `name` exactly and was published prior to the value of
+    `/document/tracking/current_release_date` of the source document.
+    If no such version exist, the first matching version published after the value of `/document/tracking/current_release_date`
+    of the source document SHOULD be used.
+    > This is done to create a deterministic conversion.
+
+    If the CWE does not match at all, the CVRF CSAF converter MUST omit this CWE and output a warning that an invalid CWE was found and has
+    been removed.
+  * If a `vuln:CWE` instance refers to a CWE category or view, the CVRF CSAF converter MUST omit this instance and output a
+    warning that this CWE has been removed as its usage is not allowed in vulnerability mappings.
 * `/vulnerabilities[]/ids`: If a `vuln:ID` element is given, the CVRF CSAF converter converts it into the first item of the `ids` array.
 * `/vulnerabilities[]/remediation[]`: If no `product_ids` or `group_ids` is given,
   the CVRF CSAF converter appends all Product IDs which are listed under `../product_status` in the arrays `known_affected`,
@@ -523,6 +532,13 @@ Secondly, the program fulfills the following for all items of:
 * `/document/publisher/category`: If the value is `other`, the CSAF 2.0 to CSAF 2.1 converter SHOULD output a warning that some parties have
   been regrouped into the new value `multiplier`. An option to suppress this warning MUST exist. In addition, an option SHOULD be provided to
   set the value to `multiplier`.
+* `/vulnerabilities[]/cwes[]`: The CSAF 2.0 to CSAF 2.1 converter MUST determine the CWE specification version the given CWE was selected from by
+  using the latest version that matches the `id` and `name` exactly and was published prior to the value of `/document/tracking/current_release_date`
+  of the source document. If no such version exist, the first matching version published after the value of `/document/tracking/current_release_date`
+  of the source document SHOULD be used.
+  > This is done to create a deterministic conversion.
+
+  The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches.
 
 > A tool MAY implement options to convert other Markdown formats to GitHub-flavored Markdown.
 

diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md
@@ -74,6 +74,7 @@ An array SHOULD NOT have more than:
   * `/vulnerabilities[]/acknowledgments`
   * `/vulnerabilities[]/acknowledgments[]/names`
   * `/vulnerabilities[]/acknowledgments[]/urls`
+  * `/vulnerabilities[]/cwes`
   * `/vulnerabilities[]/ids`
   * `/vulnerabilities[]/remediations[]/entitlements`
 
@@ -192,8 +193,9 @@ A string SHOULD NOT have a length greater than:
   * `/vulnerabilities[]/acknowledgments[]/names[]`
   * `/vulnerabilities[]/acknowledgments[]/organization`
   * `/vulnerabilities[]/cve`
-  * `/vulnerabilities[]/cwe/id`
-  * `/vulnerabilities[]/cwe/name`
+  * `/vulnerabilities[]/cwes[]/id`
+  * `/vulnerabilities[]/cwes[]/name`
+  * `/vulnerabilities[]/cwes[]/version`
   * `/vulnerabilities[]/flags[]/group_ids[]`
   * `/vulnerabilities[]/flags[]/product_ids[]`
   * `/vulnerabilities[]/ids[]/system_name`

diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md
@@ -15,7 +15,7 @@ properties represents a list of all relevant vulnerability information items.
 The Vulnerability item of value type `object` with 1 or more properties is a container for the aggregation of all fields that are related to
 a single vulnerability in the document.
 Any vulnerability MAY provide the optional properties Acknowledgments (`acknowledgments`), Common Vulnerabilities and Exposures (CVE) (`cve`),
-Common Weakness Enumeration (CWE) (`cwe`), Discovery Date (`discovery_date`), Flags (`flags`), IDs (`ids`), Involvements (`involvements`),
+Common Weakness Enumeration (CWE) (`cwes`), Discovery Date (`discovery_date`), Flags (`flags`), IDs (`ids`), Involvements (`involvements`),
 Notes (`notes`), Product Status (`product_status`), References (`references`), Release Date (`release_date`), Remediations (`remediations`),
 Scores (`scores`), Threats (`threats`), and Title (`title`).
 
@@ -27,7 +27,7 @@ Scores (`scores`), Threats (`threats`), and Title (`title`).
       "cve": {
         // ...
       },
-      "cwe": {
+      "cwes": {
         // ...
       },
       "discovery_date": {
@@ -90,23 +90,36 @@ CVE (`cve`) of value type `string` with `pattern` (regular expression):
 
 holds the MITRE standard Common Vulnerabilities and Exposures (CVE) tracking number for the vulnerability.
 
-#### Vulnerabilities Property - CWE
+#### Vulnerabilities Property - CWEs
 
-CWE (`cwe`) of value type `object` with the 2 mandatory properties Weakness ID (`id`) and Weakness Name (`name`) holds the
-MITRE standard Common Weakness Enumeration (CWE) for the weakness associated. For more information cf. [cite](#CWE).
+List of CWEs (`cwes`) of value type `array` with 1 or more unique items (a set) of value type `object` contains a list of CWEs.
 
 ```
-    "cwe": {
+    "cwes": {
       // ...
+      "items": {
+        // ...
+      }
+    },
+```
+
+> It is expected that the list of CWEs is ordered from the most specific weakness ID to the least specific one.
+
+Every CWE item of value type `object` with the 3 mandatory properties Weakness ID (`id`), Weakness Name (`name`), CWE version (`version`) holds the
+MITRE standard Common Weakness Enumeration (CWE) for the weakness associated. For more information cf. [cite](#CWE).
+
+```
       "properties": {
         "id": {
           // ...
         },
         "name": {
           // ...
+        },
+        "version": {
+          // ...
         }
       }
-    },
 ```
 
 The Weakness ID (`id`) has value type `string` with `pattern` (regular expression):
@@ -115,7 +128,7 @@ The Weakness ID (`id`) has value type `string` with `pattern` (regular expressio
     ^CWE-[1-9]\\d{0,5}$
 ```
 
-and holds the ID for the weakness associated.
+It holds the ID for the weakness associated.
 
 *Examples 1:*
 
@@ -136,6 +149,25 @@ in the CWE specification.
     Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
 ```
 
+The CWE version (`version`) has value type `string` with `pattern` (regular expression):
+
+```
+    ^[1-9]\\d*\\.([0-9]|([1-9]\\d+))(\\.\\d+)?$
+```
+
+It holds the version string of the CWE specification this weakness was extracted from.
+When creating or modifying a CSAF document, the latest published version of the CWE specification SHOULD be used.
+
+*Examples 3:*
+
+```
+    "1.0",
+    "3.4.1",
+    "4.0",
+    "4.11",
+    "4.12"
+```
+
 #### Vulnerabilities Property - Discovery Date
 
 Discovery date (`discovery_date`) of value type `string` with format `date-time` holds the date and time the vulnerability was originally discovered.

diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-11-cwe.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-11-cwe.md
@@ -1,20 +1,24 @@
 ### CWE
 
-It MUST be tested that given CWE exists and is valid.
+It MUST be tested that given CWE exists and is valid in the version provided.
+Any `id` that refers to a CWE Category or View MUST fail the test.
 
 The relevant path for this test is:
 
 ```
-    /vulnerabilities[]/cwe
+    /vulnerabilities[]/cwes[]
 ```
 
 *Example 1 (which fails the test):*
 
 ```
-  "cwe": {
-    "id": "CWE-79",
-    "name": "Improper Input Validation"
-  }
+  "cwes": [
+    {
+      "id": "CWE-79",
+      "name": "Improper Input Validation",
+      "version": "4.13"
+    }
+  ]
 ```
 
-> The `CWE-79` exists. However, its name is `Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')`.
+> The `CWE-79` exists. However, its name in version `4.13` is `Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')`.
diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-04-02.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-04-02.json
@@ -35,10 +35,13 @@
     },
     {
       "cve": "CVE-2014-0160",
-      "cwe": {
-        "id": "CWE-119",
-        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
-      },
+      "cwes": [
+        {
+          "id": "CWE-119",
+          "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
+          "version": "4.13"
+        }
+      ],
       "title": "Heartbleed"
     },
     {

diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-04-11.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-04-11.json
@@ -31,10 +31,13 @@
   "vulnerabilities": [
     {
       "cve": "CVE-2019-0708",
-      "cwe": {
-        "id": "CWE-416",
-        "name": "Use After Free"
-      },
+      "cwes": [
+        {
+          "id": "CWE-416",
+          "name": "Use After Free",
+          "version": "4.13"
+        }
+      ],
       "title": "BlueKeep"
     }
   ]