
Add curated CWE fallback mappings and coverage for issue #472#823

Open
Bornunique911 wants to merge 4 commits into OWASP:main from Bornunique911:feature/issue-472-cwe-mapping

Conversation

Bornunique911 commented Mar 23, 2026

Problem

Issue #472 asks how OpenCRE can map more of CWE in a way that is practical and maintainable.

The current gap is twofold:

  • some CWE entries should inherit a CRE mapping through related CWE relationships, but that mapping is not always available during the same import pass
  • other CWE entries have no direct mapping even when they clearly belong to a high-confidence family such as injection or XXE

Solution

This branch narrows the implementation to CWE-only behavior and introduces a deterministic mapping strategy with two parts.

1. Related-CWE inheritance

The importer now:

  • collects related weakness IDs during CWE import
  • builds the imported CWE entries first
  • repeatedly propagates CRE links through related CWE relationships until no new links are added

This allows a newly imported CWE to inherit mappings from another newly imported related CWE in the same run.

2. Curated fallback mappings

This branch adds a curated fallback mapping file:

  • application/utils/external_project_parsers/data/cwe_fallback_mappings.json

The importer loads this file and applies fallback CRE mappings only when a CWE still has no CRE link after normal and inherited linking.

This keeps the behavior:

  • explicit
  • reviewable
  • easy to extend without hardcoding every rule directly in parser logic

3. Local refresh support

This branch also adds:

  • scripts/update-cwe.sh

This is a local helper for refreshing CWE data from the latest MITRE feed into an existing OpenCRE SQLite cache.

Scope

In scope

  • CWE importer behavior
  • curated CWE fallback mapping data
  • focused parser tests for inheritance and fallback behavior
  • local CWE refresh script

Files Changed

  • application/utils/external_project_parsers/parsers/cwe.py
  • application/utils/external_project_parsers/data/cwe_fallback_mappings.json
  • application/tests/cwe_parser_test.py
  • scripts/update-cwe.sh

Testing

Executed:

./venv/bin/python -m pytest application/tests/cwe_parser_test.py -q
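
The two-stage strategy the PR body describes (propagate CRE links through related CWEs until a pass adds nothing, then apply curated fallbacks only to CWEs still unmapped), shown as an added illustration; this is not OpenCRE's cwe.py code, and the CWE relationships, CRE identifiers and fallback JSON shape are constructed for the example:

```python
import json
# Constructed sample: CWE id -> related weakness ids collected during import.
# Ids and relationships are made up for this example, not MITRE's actual data.
RELATED = {
    "CWE-564": ["CWE-943"],              # two hops from a directly mapped CWE
    "CWE-943": ["CWE-89"],
    "CWE-89": [],
    "CWE-611": [],
    "CWE-776": ["CWE-611", "CWE-9999"],  # CWE-9999 is not in the import: contributes nothing
    "CWE-1000": [],
}
DIRECT_LINKS = {"CWE-89": {"CRE-SQLI"}}  # links from normal linking (constructed CRE ids)
# Shape assumed for a curated fallback file: CWE id -> list of CRE ids.
FALLBACK_JSON = json.dumps({
    "CWE-611": ["CRE-XXE"],
    "CWE-943": ["CRE-NOSQL"],  # ignored: CWE-943 already inherits a link
    "CWE-1000": ["CRE-GENERIC"],
})

def propagate(related, direct):
    """Copy CRE links across related-CWE edges until a pass adds nothing new.
    Returns (links, passes). One pass would miss CWE-564: its neighbour
    CWE-943 only receives its own link later in that same pass."""
    links = {cwe: set(direct.get(cwe, ())) for cwe in related}
    passes, changed = 0, True
    while changed:
        changed, passes = False, passes + 1
        for cwe, neighbours in related.items():
            for neighbour in neighbours:
                new = links.get(neighbour, set()) - links[cwe]
                if new:
                    links[cwe] |= new
                    changed = True
    return links, passes

def apply_fallback(links, fallback_json):
    """Apply curated mappings only to CWEs still unlinked; return what was applied."""
    applied = {}
    for cwe, cres in json.loads(fallback_json).items():
        if cwe in links and not links[cwe]:
            links[cwe] = set(cres)
            applied[cwe] = set(cres)
    return applied

def build_mappings(related, direct, fallback_json):
    links, _ = propagate(related, direct)
    # Assumption for this example: fallback links are not propagated again, so
    # CWE-776 stays unmapped even though its neighbour CWE-611 receives CRE-XXE.
    applied = apply_fallback(links, fallback_json)
    return links, applied
```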

Bornunique911 left a comment

Requesting kind reviews and feedback for this feature from @northdpole, @Pa04rth, @robvanderveer
