CWE-1400: Comprehensive Categorization for Software Assurance Trends
This view organizes weaknesses around categories that are of interest to large-scale software assurance research, to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help track weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views, which only use a subset of weaknesses. This view is structured with categories at the top level and a second level consisting only of weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown.
Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis.
Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others, and (2) the abstraction level of the CWEs in a grouping might go down to the Variant level for some buckets but not for others.
Relationships
Type | ID | Name | Abstraction | Structure | Status
---|---|---|---|---|---
Category | CWE-1396 | Comprehensive Categorization: Access Control | | | Incomplete
Category | CWE-1397 | Comprehensive Categorization: Comparison | | | Incomplete
Category | CWE-1398 | Comprehensive Categorization: Component Interaction | | | Incomplete
Category | CWE-1401 | Comprehensive Categorization: Concurrency | | | Incomplete
Category | CWE-1402 | Comprehensive Categorization: Encryption | | | Incomplete
Category | CWE-1403 | Comprehensive Categorization: Exposed Resource | | | Incomplete
Category | CWE-1404 | Comprehensive Categorization: File Handling | | | Incomplete
Category | CWE-1405 | Comprehensive Categorization: Improper Check or Handling of Exceptional Conditions | | | Incomplete
Category | CWE-1406 | Comprehensive Categorization: Improper Input Validation | | | Incomplete
Category | CWE-1407 | Comprehensive Categorization: Improper Neutralization | | | Incomplete
Category | CWE-1408 | Comprehensive Categorization: Incorrect Calculation | | | Incomplete
Category | CWE-1409 | Comprehensive Categorization: Injection | | | Incomplete
Category | CWE-1410 | Comprehensive Categorization: Insufficient Control Flow Management | | | Incomplete
Category | CWE-1411 | Comprehensive Categorization: Insufficient Verification of Data Authenticity | | | Incomplete
Category | CWE-1399 | Comprehensive Categorization: Memory Safety | | | Incomplete
Category | CWE-1412 | Comprehensive Categorization: Poor Coding Practices | | | Incomplete
Category | CWE-1413 | Comprehensive Categorization: Protection Mechanism Failure | | | Incomplete
Category | CWE-1414 | Comprehensive Categorization: Randomness | | | Incomplete
Category | CWE-1415 | Comprehensive Categorization: Resource Control | | | Incomplete
Category | CWE-1416 | Comprehensive Categorization: Resource Lifecycle Management | | | Incomplete
Category | CWE-1417 | Comprehensive Categorization: Sensitive Information Exposure | | | Incomplete
Category | CWE-1418 | Comprehensive Categorization: Violation of Secure Design Principles | | | Incomplete