Add support for CWE

[pombredanne]

We decided early to keep the data set we track as minimal... but adding CWE would be a great addition. This can be a fairly involved issue since many importers may need to be updated.

[ziadhany]

Can we use a library like this https://github.com/Julian-Nash/cwe to get a CWE by ID and add another JSON field in the model?

[Hritik14]

CWE could be used for categorization of vulnerabilities. Later on, we might be able to find a mapping between OWSAP top 10 -> CWE, this can be used to prioritize vulnerabilities for the downstream.

To implement CWE (categorization) support a system similar to currently implemented ScoringSystem could be used.

See:

• https://owasp.org/www-project-top-ten/
• https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html
• https://cwe.mitre.org/cwss/cwss_v1.0.1.html#B.4 [More scoring methods]
• https://nvd.nist.gov/vuln/cvmap/report/4834
• https://cwe.mitre.org/data/definitions/1026.html

(via: https://github.com/nexB/vulnerablecode/wiki/WeeklyMeetings#meeting-on-tuesday-2022-04-26-at-1000-utc)

[ziadhany]

I think we have a compressed CSV file containing the fields of the desired Weaknesses related to CWE VIEW: Software Development.
https://cwe.mitre.org/data/definitions/699.html

https://cwe.mitre.org/data/csv/699.csv.zip

[pombredanne]

The main #782 is now merged
These are is a follow up!

• Add CWE support in all importers  #1093
• Add CWE support in the API #1094

Closing now. Thanks!