Add CWE-PoC list file #376
This CSV file contains a list of CWEs which may result in a PoC value for "state of exploitation" because "the vulnerability has a well-known method of exploitation." It contains links to potential exploit tools. It also contains CWEs which could not be PoCs as well as some reasoning behind this.
This looks good to me.
I expect there are places where folks could quibble with whether a tool is "easy enough" to use to exploit any instance of one of the CWEs listed. But I think this is a considered and well-formed place for us to have detailed conversations about that question if anyone would like to raise those questions in the details. In some sense, if anyone has questions about how to map data for State of Exploitation at that level of detail, I'll be quite pleased.
Thanks very much for putting this together!
This is a great addition, thanks for the help!
I moved this into a folder just for housekeeping. No changes to the CSV from @koscinv.
In the interest of avoiding a follow-on issue to update the docs, I went ahead and added the CSV to the exploitation page and did a light revision to the page to make it fit in.
This CSV file contains a list of CWEs which may result in a PoC value for "state of exploitation" because "the vulnerability has a well-known method of exploitation." It contains links to some exploit tools for those CWEs that indicate a potential PoC. It also contains CWEs which could not be PoCs as well as reasoning behind them. All CWEs in this list have been found to map to CVEs.
Potentially closes #158