Skip to content

Implementing 6.2.23 Usage of Deprecated CWE#695

Draft
konradweiss wants to merge 4 commits into
csaf-rs:mainfrom
Fraunhofer-AISEC:feature/6.2.23-deprecated-cwe
Draft

Implementing 6.2.23 Usage of Deprecated CWE#695
konradweiss wants to merge 4 commits into
csaf-rs:mainfrom
Fraunhofer-AISEC:feature/6.2.23-deprecated-cwe

Conversation

@konradweiss

@konradweiss konradweiss commented Jun 23, 2026

Copy link
Copy Markdown

In this PR i checked whether the CWE is deprecated by checkign if the CWE name starts with the string "DEPRECATED:". I saw no status field in the pulled CWE data, so the string comparison was the best solution I could come up with. Is there a better one?

I decided to check in the CWE description of the document before looking into the pulled CWE descriptions of the respective version. This is fully optional, and I also checked that the test cases are properly run if omitting the check for deprecation in the CWEs mentioned under vulnerability.

Note that if the version is not mentioned in the vulnerabilities CWEs i skipped the check with continue.

@konradweiss konradweiss requested a review from a team as a code owner June 23, 2026 10:48
@konradweiss konradweiss marked this pull request as draft June 23, 2026 10:58
@konradweiss

Copy link
Copy Markdown
Author

Closes #309

@konradweiss konradweiss changed the title Implementing deprecation check 6.2.23 Implementing 6.2.23 Usage of Deprecated CWE Jun 23, 2026
@aschierl-xitaso

Copy link
Copy Markdown
Contributor

I think, looking for DEPRECATED: in the title is not sufficient, for example CWE 1.10 contains CWE 218 with title DEPRECATED (Duplicate): Failure to provide confidentiality for stored data.

Feel free to extend the extraction process (scripts/update/update_all_cwe.sh / scripts/update/convert-cwe-to-csv.xslt) to also extract further required fields, e.g. the Status field. In the future, once we have collected the data needed for all test, we will probably move the data and extraction process to https://github.com/csaf-rs/cwe and also add a rust crate providing the data - but for now, having the required data as CSV files (and thus knowing what data is needed) should be sufficient.

@konradweiss

Copy link
Copy Markdown
Author

I think, looking for DEPRECATED: in the title is not sufficient, for example CWE 1.10 contains CWE 218 with title DEPRECATED (Duplicate): Failure to provide confidentiality for stored data.

Feel free to extend the extraction process (scripts/update/update_all_cwe.sh / scripts/update/convert-cwe-to-csv.xslt) to also extract further required fields, e.g. the Status field. In the future, once we have collected the data needed for all test, we will probably move the data and extraction process to https://github.com/csaf-rs/cwe and also add a rust crate providing the data - but for now, having the required data as CSV files (and thus knowing what data is needed) should be sufficient.

Thanks, I will further look into that

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants