cwe2stix

Before you begin

We host a full web API that includes all objects created by cwe2stix, CTIButler.

Overview

A command line tool that turns MITRE CWEs into STIX 2.1 Objects.

CWEs are Common Weakness Enumerations (CWE's). CWE's are a community-developed list of software and hardware weakness types managed MITRE. They serve as a common language as a baseline for weakness identification, mitigation, and prevention efforts.

For example, CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

We had a requirement to have an up-to-date copy of MITRE CWEs in STIX 2.1 format, like already exists and maintained by MITRE for ATT&CK (e.g. Enterprise) and CAPEC on GitHub.

The code in this repository is a similar to the MITRE implementations for ATT&CK and CAPEC that;

1. Downloads latest CWE XML
2. Checks version of CWE XML
3. Converts them to STIX 2.1 Objects, if new version
4. Stores the STIX 2.1 Objects in the file store

Installing the script

To install cwe2stix;

# clone the latest code
git clone https://github.com/muchdogesec/cwe2stix
# create a venv
cd cwe2stix
python3 -m venv cwe2stix-venv
source cwe2stix-venv/bin/activate
# install requirements
pip3 install -r requirements.txt

Running the script

python3 cwe2stix.py --version <CWE VERSION NUMBER>

• --version (optional): by default the script will download the latest available CWE file from the CWE website. If you want a specific version, you can pass the --version flag. e.g. --version 4.13. Note, only versions >= 4.5 are currently supported by this script.

For example, to download the 4.15 version of CWEs;

python3 cwe2stix.py --version 4.16

If no --version passed, the latest CWE file located at https://cwe.mitre.org/data/xml/cwec_latest.xml.zip will be downloaded.

On each script run, the objects and bundle will be removed (if difference detected in version), and regenerated.

To handle versions, on the first run a CWE_VERSION file is created, listing the version of CWEs in the stix2_objects directory. On subsequent runs, this version value will changes based on the version of CWEs converted.

Mapping information

Data download

MITRE maintain an XML file with the full CWE definitions here. This appears to be the best machine readable format to use based on the other alternatives MITRE use to distribute this data (HTML and PDF).

This XML file is what cwe2stix uses to generate the STIX objects.

Source

Identity / Marking Definition / Extension Definition

• Identity: https://raw.githubusercontent.com/muchdogesec/stix4doge/main/objects/identity/dogesec.json
• Marking Definition: https://raw.githubusercontent.com/muchdogesec/stix4doge/main/objects/marking-definition/cwe2stix.json
• Extension Definition: https://raw.githubusercontent.com/muchdogesec/stix2extensions/main/extension-definitions/sdos/weakness.json

Weakness

The key object to represent CWEs is a Weakness (this is a custom STIX objects):

{
    "type": "weakness",
    "spec_version": "2.1",
    "id": "weakness--<UUIDV5 GENERATION LOGIC>",
    "name": "<CWE NAME>",
    "created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
    "created": "<Weaknesses.Weakness.Submission_Date>",
    "modified": "<Weaknesses.Weakness.Modification_Date> (latest date)",
    "description": "<Weaknesses.Weakness.Description> <Weaknesses.Weakness.Extended_Description>",
	"modes_of_introduction": ["Modes_Of_Introduction.Introduction.Phase"],
	"likelihood_of_exploit": "Likelihood_Of_Exploit",
	"common_consequences": ["Common_Consequences.Consequence.Scope"],
	"detection_methods": ["Detection_Methods.Detection_Method.Method"],
    "revoked": "<true IF CWE NAME contains DEPRECATED:",
    "external_references": [
        {
         	"source_name": "cwe",
          	"external_id": "CWE-<CWE ID>",
          	"url": "http://cwe.mitre.org/data/definitions/<CWE ID>.html"
        },
        {
         	"source_name": "<External_Reference.author>, <External_Reference.author>",
          	"description": "<External_Reference.title>",
          	"url": "<External_Reference.URL>",
            "external_id": "<Weaknesses.Weakness.External_Reference_ID>",
        },
        {
         	"source_name": "<Weaknesses.Weakness.Taxonomy_Mappings.Taxonomy_Name>",
          	"external_id": "<Weaknesses.Weakness.Taxonomy_Mappings.Entry_ID>",
          	"description": "<Weaknesses.Weakness.Taxonomy_Mappings.Entry_Name>"
        },
        {
         	"source_name": "capec",
          	"external_id": "CAPEC-<Weaknesses.Weakness.Related_Attack_Patterns.Related_Attack_Pattern>",
          	"url": "https://capec.mitre.org/data/definitions/<Weaknesses.Weakness.Related_Attack_Patterns.Related_Attack_Pattern>.html"
        }
    ],
    "object_marking_refs": [
        "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
        "marking-definition--d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b"
    ],
    "extensions": {
        "<IMPORTED EXTENSION DEFINITION>": {
            "extension_type": "new-sdo"
        }
    }
}

Note, the created field relies on you importing versions in order. Usually this is a non-issue, but if you plan on backfilling data, YOU MUST import them in order (earliest first).

To generate the id, a UUIDv5 is generated using the namespace d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b and CWE-ID. e.g. CWE-102 = ad5b3e38-fdf2-5c97-90da-30dad0f1f016 = weakness--ad5b3e38-fdf2-5c97-90da-30dad0f1f016

Relationships

Inside each weakness ID is also a property Weaknesses.Related_Weaknesses. For example, for CWE-521;

<Related_Weaknesses>
    <Related_Weakness Nature="ChildOf" CWE_ID="1391" View_ID="1000" Ordinal="Primary"/>
    <Related_Weakness Nature="ChildOf" CWE_ID="287" View_ID="1003" Ordinal="Primary"/>
</Related_Weaknesses>

cwe2stix models these using STIX 2.1 Relationship Objects as follows;

{
 	"type": "relationship",
 	"spec_version": "2.1",
 	"id": "relationship--<UUIDV5 GENERATION LOGIC>",
 	"created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
 	"created": "<CREATED TIME OF MOST RECENT CWE OBJECT IN PAIR>",
 	"modified": "<CREATED TIME OF MOST RECENT CWE OBJECT IN PAIR>",
 	"relationship_type": "<Related_Weakness Nature>",
 	"source_ref": "weakness--<CURRENT WEAKNESS>",
 	"target_ref": "weakness--<Weaknesses.Weakness.Related_Weaknesses.Related_Weakness.CWE_ID>",
    "description": "<CURRENT WEAKNESS name> is a <Related_Weakness Nature> of <Weaknesses.Weakness.Related_Weaknesses.Related_Weakness.name>",
    "object_marking_refs": [
        "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
        "marking-definition--d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b"
    ],
}

To generate the id of the SRO, a UUIDv5 is generated using the namespace d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b and <Related_Weakness Nature>+SOURCE_CWEID+TARGET_CWEID.

e.g. CanPrecede+CWE-1423+CWE-1102 = 7a612ea9-a08b-54bd-9e21-570509ba5d25 = relationship--7a612ea9-a08b-54bd-9e21-570509ba5d25

Grouping (category)

The CWE XML also contains category entries. e.g.

<Category ID="1020" Name="Verify Message Integrity" Status="Draft">
         <Summary>Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.</Summary>
         <Relationships>
            <Has_Member CWE_ID="353" View_ID="1008"/>
            <Has_Member CWE_ID="354" View_ID="1008"/>
            <Has_Member CWE_ID="390" View_ID="1008"/>
            <Has_Member CWE_ID="391" View_ID="1008"/>
            <Has_Member CWE_ID="494" View_ID="1008"/>
            <Has_Member CWE_ID="565" View_ID="1008"/>
            <Has_Member CWE_ID="649" View_ID="1008"/>
            <Has_Member CWE_ID="707" View_ID="1008"/>
            <Has_Member CWE_ID="755" View_ID="1008"/>
            <Has_Member CWE_ID="924" View_ID="1008"/>
         </Relationships>
         <References>
            <Reference External_Reference_ID="REF-9"/>
            <Reference External_Reference_ID="REF-10" Section="pages 69 - 78"/>
         </References>
         <Mapping_Notes>
            <Usage>Prohibited</Usage>
            <Rationale>This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.</Rationale>
            <Comments>See member weaknesses of this category.</Comments>
            <Reasons>
               <Reason Type="Category"/>
            </Reasons>
         </Mapping_Notes>
         <Content_History>
            <Submission>
               <Submission_Name>Joanna C.S. Santos, Mehdi Mirakhorli</Submission_Name>
               <Submission_Date>2017-06-22</Submission_Date>
               <Submission_Version>2.12</Submission_Version>
               <Submission_ReleaseDate>2017-11-08</Submission_ReleaseDate>
               <Submission_Comment>Provided the