Reply to post: And CWE?

Congress wants CVE stability, China wants your LinkedIn details, and Adobe wants you to patch Creative Cloud

Anonymous Coward
Anonymous Coward

And CWE?

From a developer point of view, the CWE system (also managed by MITRE) is more important as it shows the common failure modes that lead to CVEs.

However, that one could do with some restructuring. There are different "views" into the data and the way they structure it makes it more complicated than it should be.

For example, there are a load of CWEs allocated to buffer (array bounds) related issues - 119 "Improper Restriction of Operations within the Bounds of a Memory Buffer", 121 "Stack-based Buffer Overflow", 122 "Heap-based Buffer Overflow", 124 "Buffer Underwrite", ... 129 "Improper Validation of Array Index", 131 "Incorrect Calculation of Buffer Size". These all come back to "array bounds violation" and, from the point of view of software, you don't really care where/how it happened, you just want to make sure it doesn't happen.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2020