0

I was tasked with developing a consistent, relatively complete map for CVEs to CWEs at my internship, and I'm kind of at a loss finding a method to find a 1-to-1 way to map CVEs onto CWEs. Ideally, this would all be automated in the end. The format isn't important, a spreadsheet, text file, database etc are all fine.

HelloMolle
  • 1
  • I've written some (incredibly basic) code that does this for some research I'm doing. Feel free to use/contribute/fork it. Will try and spruce it up a bit more if I have time. [https://github.com/dreadn0ught/CveAnalysis](https://github.com/dreadn0ught/CveAnalysis) – Dave Feb 05 '21 at 15:21

2 Answers2

1

CWE and CVE are very different things, which can't really be mapped arbitrarily from one to the other. CWE is a categorization system for vulnerability types, while CVE is a reference to a specific vulnerability.

But a specific vulnerability can be references by a CVE and also be categorized via CWE (something the researcher who discovered the issue or the CNA who assigned the CVE may have done).

You could scape nvd.nist.gov or cvedetails.com, both of which have a CWE entry for CVEs (see https://nvd.nist.gov/vuln/detail/CVE-2019-10086 or https://www.cvedetails.com/cve/CVE-2019-10086/ for examples). You could also look for CVE APIs which contain the field (this related question has one example).

But for many CVEs - especially older ones - a vulnerability might not be categorized via CWE. You could try to map the Vulnerability Type field from cvedetails.com to a CWE, but if that is also not set, you'd need to categorize the vulnerability manually.

tim
  • 29,018
  • 7
  • 95
  • 119
1

The National Vulnerability Database (NVD) already maps CVEs to CWEs so have done a lot of the work for you. See: https://nvd.nist.gov/vuln/data-feeds for JSON and XML feeds that you can process progrmmatically.

Here's a snippet from the JSON feed:

"cve" : {
  "data_type" : "CVE",
  "data_format" : "MITRE",
  "data_version" : "4.0",
  "CVE_data_meta" : {
    "ID" : "CVE-2014-8939",
    "ASSIGNER" : "cve@mitre.org"
  },
  "problemtype" : {
    "problemtype_data" : [ {
      "description" : [ {
        "lang" : "en",
        "value" : "CWE-22"
      } ]
    } ]
  },

Here you can see the CVE ID and the related CWE ID noted a few lines below.

You may find that a few are missing, for example I found this for CVE-2018-21243 today:

"CVE_data_meta" : {
    "ID" : "CVE-2018-21243",
    "ASSIGNER" : "cve@mitre.org"
  },
  "problemtype" : {
    "problemtype_data" : [ {
      "description" : [ ]
    } ]
  },

... but the vast majority seem to be there. If they're not there, it's often because the CVE is unused, unspecified, or there's not enough detail to be sure what the underlying weakness is.

Notably, one other popular database, cvedetails.com, uses these NVD feeds as its source and allows you to list CVEs by CWE: https://www.cvedetails.com/cwe-definitions.php which is good for browsing / searching manually.

itscooper
  • 2,230
  • 13
  • 15