From 24c6dcb7466dab3b875ded0cebaeb16900a7d05a Mon Sep 17 00:00:00 2001 From: Niklas Date: Fri, 20 Oct 2023 17:24:23 +0200 Subject: [PATCH] Bump CWE dictionary to v4.12 (#859) Signed-off-by: nscuro --- .../org/hyades/common/cwe/CweDefinitions.java | 34 ++++++++++++++++--- scripts/generate-cwe-definitions.py | 10 +++--- 2 files changed, 34 insertions(+), 10 deletions(-) mode change 100644 => 100755 scripts/generate-cwe-definitions.py diff --git a/commons/src/main/java/org/hyades/common/cwe/CweDefinitions.java b/commons/src/main/java/org/hyades/common/cwe/CweDefinitions.java index 6506490c0..34c024544 100644 --- a/commons/src/main/java/org/hyades/common/cwe/CweDefinitions.java +++ b/commons/src/main/java/org/hyades/common/cwe/CweDefinitions.java @@ -1,11 +1,10 @@ package org.hyades.common.cwe; import jakarta.annotation.Generated; - import java.util.HashMap; import java.util.Map; -@Generated(value = "generate-cwe-definitions.py", date = "2023-01-19T23:20:12.459921+00:00") +@Generated(value = "generate-cwe-definitions.py", date = "2023-10-19T14:14:49.874019+00:00") final class CweDefinitions { static final Map DEFINITIONS = new HashMap<>(); 
@@ -163,6 +162,28 @@ final class CweDefinitions { DEFINITIONS.put(1383, "ICS Operations (\u0026 Maintenance): Compliance/Conformance with Regulatory Requirements"); DEFINITIONS.put(1388, "Physical Access Issues and Concerns"); DEFINITIONS.put(139, "DEPRECATED: General Special Element Problems"); + DEFINITIONS.put(1396, "Comprehensive Categorization: Access Control"); + DEFINITIONS.put(1397, "Comprehensive Categorization: Comparison"); + DEFINITIONS.put(1398, "Comprehensive Categorization: Component Interaction"); + DEFINITIONS.put(1399, "Comprehensive Categorization: Memory Safety"); + DEFINITIONS.put(1401, "Comprehensive Categorization: Concurrency"); + DEFINITIONS.put(1402, "Comprehensive Categorization: Encryption"); + DEFINITIONS.put(1403, "Comprehensive Categorization: Exposed Resource"); + DEFINITIONS.put(1404, "Comprehensive Categorization: File Handling"); + DEFINITIONS.put(1405, "Comprehensive Categorization: Improper Check or Handling of Exceptional Conditions"); + DEFINITIONS.put(1406, "Comprehensive Categorization: Improper Input Validation"); + DEFINITIONS.put(1407, "Comprehensive Categorization: Improper Neutralization"); + DEFINITIONS.put(1408, "Comprehensive Categorization: Incorrect Calculation"); + DEFINITIONS.put(1409, "Comprehensive Categorization: Injection"); + DEFINITIONS.put(1410, "Comprehensive Categorization: Insufficient Control Flow Management"); + DEFINITIONS.put(1411, "Comprehensive Categorization: Insufficient Verification of Data Authenticity"); + DEFINITIONS.put(1412, "Comprehensive Categorization: Poor Coding Practices"); + DEFINITIONS.put(1413, "Comprehensive Categorization: Protection Mechanism Failure"); + DEFINITIONS.put(1414, "Comprehensive Categorization: Randomness"); + DEFINITIONS.put(1415, "Comprehensive Categorization: Resource Control"); + DEFINITIONS.put(1416, "Comprehensive Categorization: Resource Lifecycle Management"); + DEFINITIONS.put(1417, "Comprehensive Categorization: Sensitive Information Exposure"); + 
DEFINITIONS.put(1418, "Comprehensive Categorization: Violation of Secure Design Principles"); DEFINITIONS.put(16, "Configuration"); DEFINITIONS.put(169, "DEPRECATED: Technology-Specific Special Elements"); DEFINITIONS.put(17, "DEPRECATED: Code"); @@ -635,7 +656,7 @@ final class CweDefinitions { DEFINITIONS.put(1321, "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"); DEFINITIONS.put(1322, "Use of Blocking Code in Single-threaded, Non-blocking Context"); DEFINITIONS.put(1323, "Improper Management of Sensitive Trace Data"); - DEFINITIONS.put(1324, "Sensitive Information Accessible by Physical Probing of JTAG Interface"); + DEFINITIONS.put(1324, "DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface"); DEFINITIONS.put(1325, "Improperly Controlled Sequential Memory Allocation"); DEFINITIONS.put(1326, "Missing Immutable Root of Trust in Hardware"); DEFINITIONS.put(1327, "Binding to an Unrestricted IP Address"); @@ -655,7 +676,7 @@ final class CweDefinitions { DEFINITIONS.put(1342, "Information Exposure through Microarchitectural State after Transient Execution"); DEFINITIONS.put(135, "Incorrect Calculation of Multi-Byte String Length"); DEFINITIONS.put(1351, "Improper Handling of Hardware Behavior in Exceptionally Cold Environments"); - DEFINITIONS.put(1357, "Reliance on Uncontrolled Component"); + DEFINITIONS.put(1357, "Reliance on Insufficiently Trustworthy Component"); DEFINITIONS.put(138, "Improper Neutralization of Special Elements"); DEFINITIONS.put(1384, "Improper Handling of Physical or Environmental Conditions"); DEFINITIONS.put(1385, "Missing Origin Validation in WebSockets"); 
@@ -666,6 +687,7 @@ final class CweDefinitions { DEFINITIONS.put(1392, "Use of Default Credentials"); DEFINITIONS.put(1393, "Use of Default Password"); DEFINITIONS.put(1394, "Use of Default Cryptographic Key"); + DEFINITIONS.put(1395, "Dependency on Vulnerable Third-Party Component"); DEFINITIONS.put(14, "Compiler Removal of Code to Clear Buffers"); DEFINITIONS.put(140, "Improper Neutralization of Delimiters"); DEFINITIONS.put(141, "Improper Neutralization of Parameter/Argument Delimiters"); @@ -1044,7 +1066,7 @@ final class CweDefinitions { DEFINITIONS.put(523, "Unprotected Transport of Credentials"); DEFINITIONS.put(524, "Use of Cache Containing Sensitive Information"); DEFINITIONS.put(525, "Use of Web Browser Cache Containing Sensitive Information"); - DEFINITIONS.put(526, "Exposure of Sensitive Information Through Environmental Variables"); + DEFINITIONS.put(526, "Cleartext Storage of Sensitive Information in an Environment Variable"); DEFINITIONS.put(527, "Exposure of Version-Control Repository to an Unauthorized Control Sphere"); DEFINITIONS.put(528, "Exposure of Core Dump File to an Unauthorized Control Sphere"); DEFINITIONS.put(529, "Exposure of Access Control List Files to an Unauthorized Control Sphere"); @@ -1375,6 +1397,8 @@ final class CweDefinitions { DEFINITIONS.put(1350, "Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses"); DEFINITIONS.put(1358, "Weaknesses in SEI ETF Categories of Security Vulnerabilities in ICS"); DEFINITIONS.put(1387, "Weaknesses in the 2022 CWE Top 25 Most Dangerous Software Weaknesses"); + DEFINITIONS.put(1400, "Comprehensive Categorization for Software Assurance Trends"); + DEFINITIONS.put(1425, "Weaknesses in the 2023 CWE Top 25 Most Dangerous Software Weaknesses"); DEFINITIONS.put(2000, "Comprehensive CWE Dictionary"); DEFINITIONS.put(604, "Deprecated Entries"); DEFINITIONS.put(629, "Weaknesses in OWASP Top Ten (2007)"); 
diff --git a/scripts/generate-cwe-definitions.py b/scripts/generate-cwe-definitions.py old mode 100644 new mode 100755 index e3905454e..379c86396 --- a/scripts/generate-cwe-definitions.py +++ b/scripts/generate-cwe-definitions.py @@ -15,7 +15,7 @@ template = """package {{ package }}; -import javax.annotation.Generated; +import jakarta.annotation.Generated; import java.util.HashMap; import java.util.Map; @@ -38,20 +38,20 @@ if __name__ == "__main__": arg_parser = ArgumentParser() - arg_parser.add_argument("-p", "--package", default="org.hyades.resolver", help="Package name") + arg_parser.add_argument("-p", "--package", default="org.hyades.common.cwe", help="Package name") arg_parser.add_argument("-o", "--output", type=Path, required=True, help="Output file path") args = arg_parser.parse_args() with TemporaryFile(suffix=".zip") as tmp: - with requests.get("https://cwe.mitre.org/data/xml/cwec_latest.xml.zip") as res: + with requests.get("https://cwe.mitre.org/data/xml/cwec_v4.12.xml.zip") as res: tmp.write(res.content) tmp.seek(0) with zipfile.ZipFile(tmp) as zip: - with zip.open("cwec_v4.9.xml") as dict_file: + with zip.open("cwec_v4.12.xml") as dict_file: tree: ElementTree = parse_etree(dict_file) tree_root = tree.getroot() - namespaces = {"cwe": "http://cwe.mitre.org/cwe-6"} + namespaces = {"cwe": "http://cwe.mitre.org/cwe-7"} definitions: dict[int, str] = OrderedDict()
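Review bot: The download at `requests.get("https://cwe.mitre.org/data/xml/cwec_v4.12.xml.zip")` writes `res.content` into the temp file without checking the response status or verifying the artifact, so a 404/redirect page or a tampered download surfaces only as a confusing `BadZipFile` — or, worse, as a silently different generated `CweDefinitions.java` that then gets committed as source. Because the output is compiled into the project, I would add `res.raise_for_status()` before `tmp.write(res.content)`, pass an explicit `timeout=` (requests has none by default), and pin the expected SHA-256 of the zip next to the version (needs `import hashlib`) so regeneration is reproducible and any change to the published archive is detected rather than absorbed. The version string now appears twice, in the URL and in the `zip.open("cwec_v4.12.xml")` member name; hoisting it into one `CWE_VERSION = "4.12"` constant keeps them from drifting the way `cwec_latest.xml.zip` and `cwec_v4.9.xml` had before this change. The `parse_etree` import and the rest of the `__main__` block are outside the hunk, so I cannot tell which XML parser is used; if it is stdlib `xml.etree.ElementTree`, a comment that it does not fetch external entities but still expands internal entities (entity-expansion bombs) would be worth adding, since the input comes off the network.
```python
CWE_VERSION = "4.12"
# SHA-256 of cwec_v{CWE_VERSION}.xml.zip recorded when the version was bumped; fail loudly if MITRE's archive changes.
CWE_ZIP_SHA256 = "<record the digest of the downloaded archive when bumping CWE_VERSION>"

# … unchanged: argument parsing …
    with TemporaryFile(suffix=".zip") as tmp:
        with requests.get(f"https://cwe.mitre.org/data/xml/cwec_v{CWE_VERSION}.xml.zip", timeout=60) as res:
            res.raise_for_status()
            if hashlib.sha256(res.content).hexdigest() != CWE_ZIP_SHA256:
                raise SystemExit("cwec archive checksum mismatch; verify the download before regenerating")
            tmp.write(res.content)
        tmp.seek(0)
        with zipfile.ZipFile(tmp) as zip:
            with zip.open(f"cwec_v{CWE_VERSION}.xml") as dict_file:
# … unchanged: tree parsing and definition collection …
```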