Dear CWE group,
I am Tadashi Yamagishi
at the Information-technology Promotion Agency, Japan (IPA).
We (IPA) have a Vulnerability Countermeasure
Information Database (JVN iPedia) for Japanese IT users.
http://jvndb.jvn.jp/index_en.html
JVN iPedia adopted CVSS (Common Vulnerability Scoring System) last year.
As the next step, I think that JVN iPedia needs CWE.
I am studying CWE draft 9 now.
I have three questions about CWE.
Question 1: About the hierarchy diagram.
I made a hierarchy diagram of CWE-635 (Weaknesses Used by NVD)
referring to cwe_classification_tree.pdf.
The hierarchy diagram is appended.
cwe_classification_tree.pdf shows the following.
CWE-20 is a child of CWE-19.
CWE-22 is a child of CWE-21.
CWE-134 is a child of CWE-133.
However, CWE-1000 (Natural Hierarchy) shows other parents.
I am confused. Are two or more parents permitted in CWE?
I think that cwe_classification_tree.pdf and CWE-1000
are more comprehensible when they are the same.
Question 2: About the classification of DoS (Denial of Service).
DoS is not classified in CWE.
How do you classify it when the cause of the DoS is not understood
in the vulnerability report?
Question 3: About XSS vulnerabilities.
There are lots of XSS vulnerabilities
caused by UTF-7 encoded string problems in Japan.
For example:
CVE - CVE-2008-1468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1468
JVNDB-2008-000018 - JVN iPedia
http://jvndb.jvn.jp/contents/en/2008/JVNDB-2008-000018.html
CVE - CVE-2008-2168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2168
CVE - CVE-2008-0005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005
I want to classify the details of XSS.
Can I choose a CWE-ID more detailed than CWE-79
for XSS (UTF-7 encoded string problems)?
I look forward to your reply.
Sincerely yours,
Tadashi Yamagishi
IT Security Center (ISEC)
Information-technology Promotion Agency, Japan (IPA)
E-mail:
t-yamagi@...
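Added example (not part of the e-mail above, and not IPA's or CWE's own code): the UTF-7 XSS class referred to in Question 3 arises when a page declares no character set, so a browser may sniff the bytes as UTF-7 and decode a harmless-looking ASCII sequence into different characters. The block below shows, on a constructed benign string, how the same bytes read under UTF-8 and UTF-7, and gives a defensive check that flags HTTP responses whose charset is left for the browser to guess, plus a helper that pins the charset in the Content-Type header. Header names, the sample bodies and the function names are assumptions for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: in UTF-7, "+AGEAYgBj-" is the modified-base64 form of "abc".
# Under UTF-8/ASCII the very same bytes are just the literal characters.
SAMPLE_UTF7_BYTES = b"+AGEAYgBj-"


def decode_both_ways(raw: bytes) -> Tuple[str, str]:
    """Return (reading as UTF-8, reading as UTF-7) of the same bytes.

    This is the root cause of the reported issue: without a declared charset,
    which reading the browser picks is up to its sniffing heuristics.
    """
    as_utf8 = raw.decode("utf-8", errors="replace")
    as_utf7 = raw.decode("utf-7", errors="replace")
    return as_utf8, as_utf7


_HEADER_CHARSET = re.compile(r"charset\s*=\s*\"?([\w-]+)", re.IGNORECASE)
_META_CHARSET = re.compile(rb"<meta[^>]*charset\s*=\s*[\"']?\s*([\w-]+)", re.IGNORECASE)


def _get_header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (assumed plain dict of str -> str)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def declared_charset(headers: Dict[str, str], body: bytes) -> Optional[str]:
    """Charset explicitly declared in Content-Type or in a <meta> tag, else None."""
    match = _HEADER_CHARSET.search(_get_header(headers, "Content-Type"))
    if match:
        return match.group(1).lower()
    match = _META_CHARSET.search(body)
    if match:
        return match.group(1).decode("ascii", errors="replace").lower()
    return None


def charset_ambiguous(headers: Dict[str, str], body: bytes) -> bool:
    """True when the response leaves the character set to browser sniffing.

    A response that fails this check is a candidate for the UTF-7 reading
    shown by decode_both_ways(), so it is the condition a review should flag.
    """
    return declared_charset(headers, body) is None


def pin_charset(headers: Dict[str, str], charset: str = "utf-8") -> Dict[str, str]:
    """Return a copy of the headers with an explicit charset on Content-Type.

    Declaring the charset is the mitigation: the browser no longer has to guess.
    """
    fixed = dict(headers)
    ctype = _get_header(headers, "Content-Type") or "text/html"
    if not _HEADER_CHARSET.search(ctype):
        ctype = f"{ctype}; charset={charset}"
    # Drop any differently-cased duplicate so the pinned header is the only one.
    for key in list(fixed):
        if key.lower() == "content-type":
            del fixed[key]
    fixed["Content-Type"] = ctype
    return fixed


if __name__ == "__main__":
    print(decode_both_ways(SAMPLE_UTF7_BYTES))
    weak = {"Content-Type": "text/html"}          # constructed: no charset
    print("ambiguous:", charset_ambiguous(weak, b"<html><body>hi</body></html>"))
    print("pinned:", pin_charset(weak))
```

Run over a set of responses, `charset_ambiguous()` is the detection side and `pin_charset()` the mitigation side; the `<meta>` check is deliberately accepted as a declaration because browsers honour it, though a header-level declaration is the more robust of the two.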