

Subject: RE: SARIF & CWE


This is great! The team has generated preliminary 4.3 and 4.4 versions of the CWE standard below, which could be useful as a starting specification. The team has also produced candidate standards for OWASP 4.02, NIST SP800-53 (v4 and v5) and NIST SP800-63B.

 

https://github.com/sarif-standard/taxonomies

 

Figuring out a long-term contribution/hosting story for SARIF taxonomies would be a great agenda item for the TC.

 

MCF

 

From: sarif@lists.oasis-open.org <sarif@lists.oasis-open.org> On Behalf Of Paul Anderson
Sent: Wednesday, May 19, 2021 4:50 AM
To: OASIS SARIF TC Discussion List <sarif@lists.oasis-open.org>
Subject: [EXTERNAL] [sarif] SARIF & CWE

 

I had a CWE board meeting yesterday where the topic of the CWE taxonomy as expressed in SARIF was discussed.

 

Alex Hoole (of Microfocus) supported the idea of CWE taking ownership of the official version.

 

It was suggested that Mitre automatically generate the SARIF directly from their internal database, so that it would be available synchronously as new versions come out. Alec Summers (the Mitre guy who now runs this) promised to talk to his team to understand the feasibility and effort of doing this, and report back.

 

I also put out a call for interested parties to join the SARIF group. No bites yet.

 

Finally, note that there is a new version of CWE expected in mid-July.

 

-Paul

 

--

Paul Anderson, VP of Engineering, GrammaTech, Inc.

531 Esty St., Ithaca, NY 14850

Tel: +1 607 273-7340 x118; https://www.grammatech.com

 




