You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In this PR i checked whether the CWE is deprecated by checkign if the CWE name starts with the string "DEPRECATED:". I saw no status field in the pulled CWE data, so the string comparison was the best solution I could come up with. Is there a better one?
I decided to check in the CWE description of the document before looking into the pulled CWE descriptions of the respective version. This is fully optional, and I also checked that the test cases are properly run if omitting the check for deprecation in the CWEs mentioned under vulnerability.
Note that if the version is not mentioned in the vulnerabilities CWEs i skipped the check with continue.
I think, looking for DEPRECATED: in the title is not sufficient, for example CWE 1.10 contains CWE 218 with title DEPRECATED (Duplicate): Failure to provide confidentiality for stored data.
Feel free to extend the extraction process (scripts/update/update_all_cwe.sh / scripts/update/convert-cwe-to-csv.xslt) to also extract further required fields, e.g. the Status field. In the future, once we have collected the data needed for all test, we will probably move the data and extraction process to https://github.com/csaf-rs/cwe and also add a rust crate providing the data - but for now, having the required data as CSV files (and thus knowing what data is needed) should be sufficient.
I think, looking for DEPRECATED: in the title is not sufficient, for example CWE 1.10 contains CWE 218 with title DEPRECATED (Duplicate): Failure to provide confidentiality for stored data.
Feel free to extend the extraction process (scripts/update/update_all_cwe.sh / scripts/update/convert-cwe-to-csv.xslt) to also extract further required fields, e.g. the Status field. In the future, once we have collected the data needed for all test, we will probably move the data and extraction process to https://github.com/csaf-rs/cwe and also add a rust crate providing the data - but for now, having the required data as CSV files (and thus knowing what data is needed) should be sufficient.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
In this PR i checked whether the CWE is deprecated by checkign if the CWE name starts with the string "DEPRECATED:". I saw no status field in the pulled CWE data, so the string comparison was the best solution I could come up with. Is there a better one?
I decided to check in the CWE description of the document before looking into the pulled CWE descriptions of the respective version. This is fully optional, and I also checked that the test cases are properly run if omitting the check for deprecation in the CWEs mentioned under vulnerability.
Note that if the version is not mentioned in the vulnerabilities CWEs i skipped the check with
continue.