|

Computer Security

»

CWE Research List

CWE 1.0 to be released Tuesday, September 9, 2008

View: New views

3 Messages — Rating Filter: Alert me

	CWE 1.0 to be released Tuesday, September 9, 2008 by Steven M. Christey-2 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message All, We will be releasing CWE 1.0 on Tuesday, September 9. While we had a goal for everything to be finished by the end of August, we want CWE 1.0 to be as stable as possible, especially with respect to the schema. Ironing out the issues with the schema has taken more time than we wanted, plus we have added a number of new elements. During our interactions with various community members over the summer, we've realized that it would be best for us to write a number of white papers, as well as creating some new views. These were somewhat unexpected additions that came in July and August, so this introduced more work than we had originally expected. We didn't want to release CWE 1.0 too early, only to make some more changes soon after we released it because it was incomplete. So we've slipped in our schedule, but the quality will be higher. This is our biggest release to date, and we believe that it will be worth the wait. Thank you for your patience. - Steve
	RE: CWE 1.0 to be released Tuesday, September 9, 2008 by paulslewis66 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Hello, May I ask if CWE references will be included within the XML CVE feeds in a similar way the searchable database is? many thanks Paul S Lewis
	RE: CWE 1.0 to be released Tuesday, September 9, 2008 by Steven M. Christey-2 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message On Tue, 9 Sep 2008, paulslewis66 wrote: > May I ask if CWE references will be included within the XML CVE feeds in > a similar way the searchable database is? We do not track CWE references within CVE. You're probably talking about NIST's NVD (nvd.nist.gov), which is an extension of CVE. NVD has been mapping to CWE on individual pages, but it is not yet included in their downloads. However, NVD has stated that they will start including CWE names in the downloads within a matter of weeks. For those who were not aware of NVD's use of CWE, see: http://nvd.nist.gov/cwe.cfm The current selection of CWE identifiers used in NVD faces many of the same issues that have been brought up by Information-technology Promotion Agency, Japan (IPA), specifically that sometimes you can't assign CWE identifiers when you are dealing with incomplete third-party vulnerability information. We are aware of this limitation and hope to address it in the coming months. - Steve