CWSS Scoring in CWRAF
The Common Weakness Scoring System (CWSS) provides a mechanism for scoring weaknesses in a consistent, flexible, open manner that accommodates the expression of context for the various business domains or vignettes. It is independent of CWRAF. However, CWRAF takes advantage of the flexibility of CWSS to define vignette-specific ways of customizing CWSS scores through Technical Impact Scorecards.
Scoring Weakness Findings Using Vignettes
One important use case for CWSS is to support the automatic scoring of findings generated by an automated code scanner or other tool. CWSS is independent of CWRAF; on its own, its Impact factor takes discrete values such as "High" and "Low."
However, vignettes can be used to customize the CWSS scores generated for tool findings: the Impact factor can be quantified from the vignette's Technical Impact Scorecard using the methods described previously.
Automatically Building Custom Top-N Lists
Using CWRAF, an organization can pre-select which CWE entries are of greatest interest to it, that is, it can create its own custom Top-N list. For example, a vignette centered on a product search capability for an e-Commerce web site might be composed of a database, a web client and server, and a mobile application.
A set of relevant CWE entries could be selected as follows:
The process of creating a custom Top-N list involves several steps.
The previous approach can be simplified as:
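As an added example (not code from the CWRAF documentation or from MITRE), the following Python quantifies the Impact factor from a constructed Technical Impact Scorecard for the e-Commerce product-search vignette, uses it to score constructed scanner findings with the CWSS 1.0.1 Base Finding subscore, and ranks the pre-selected CWEs into a custom Top-N list. The scorecard layout (one weight per technical impact, no per-layer split), the CWE-to-impact sample and the "highest weight decides" aggregation are assumptions; the Attack Surface and Environmental subscores are left out.

```python
"""Vignette-customized CWSS scoring and a custom Top-N list (added example)."""

# Constructed Technical Impact Scorecard for the product-search vignette:
# importance weight 0-10 per technical impact (single-layer layout assumed).
SCORECARD = {
    "Read Data": 9,
    "Modify Data": 7,
    "Execute Unauthorized Code": 10,
    "DoS: Resource Consumption": 5,
    "Bypass Protection Mechanism": 8,
    "Hide Activities": 0,  # of no importance to this vignette
}

# Constructed sample mapping of pre-selected CWE entries to the technical
# impacts they can cause (a small sample, not the CWE corpus).
CWE_IMPACTS = {
    "CWE-89": ["Read Data", "Modify Data", "Execute Unauthorized Code"],
    "CWE-79": ["Execute Unauthorized Code", "Bypass Protection Mechanism"],
    "CWE-400": ["DoS: Resource Consumption"],
    "CWE-778": ["Hide Activities"],
}


def technical_impact(cwe):
    """Quantified Impact factor in [0, 1] from the scorecard, replacing the
    discrete High/Low values. Assumption: the CWE's highest-weighted
    technical impact decides, scaled to the CWSS 0.0-1.0 range."""
    return max(SCORECARD[impact] for impact in CWE_IMPACTS[cwe]) / 10.0


def base_finding_subscore(ti, acquired_privilege, privilege_layer,
                          finding_confidence, control_effectiveness):
    """CWSS 1.0.1 Base Finding subscore (0-100). f(TI) is 0 when TI is 0, so
    a weakness the vignette does not care about scores 0 whatever the rest."""
    f_ti = 0.0 if ti == 0 else 1.0
    raw = (10 * ti + 5 * (acquired_privilege + privilege_layer)
           + 5 * finding_confidence) * f_ti * control_effectiveness * 4.0
    return min(100.0, raw)


def score_finding(finding):
    """Score one tool finding; its CWE id selects the vignette-quantified TI.
    The other factors arrive already mapped to their CWSS numeric values."""
    return base_finding_subscore(technical_impact(finding["cwe"]),
                                 finding["acquired_privilege"],
                                 finding["privilege_layer"],
                                 finding["finding_confidence"],
                                 finding["control_effectiveness"])


def custom_top_n(n):
    """Rank the pre-selected CWEs by vignette impact; ties keep input order."""
    return sorted(CWE_IMPACTS, key=technical_impact, reverse=True)[:n]
```

The same scanner finding reported against CWE-778 (Hide Activities) scores 0 under this vignette while a CWE-89 finding with identical privilege and confidence factors scores 94, which is the customization the scorecard is meant to provide.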