Common Weakness Enumeration

A Community-Developed List of Software Weakness Types


Schema Differences between CWE Draft 8 and Draft 9

Draft 8 Schema File: cwe_taxonomy_schema_v2.10.xsd -> Draft 9 Schema File: cwe_schema_v3.0.xsd


One of the primary goals of Draft 9 was to improve the schema to be more modular and to support new constructs like chains, views and composites. We have accomplished this by breaking down previously confounded, constricting constructs into more precise pieces and combining reused components into a single, modular piece.

In previous drafts, any structure that was issued a unique identifier was captured in a CWE_Element structure. For Draft 9, we have broken down the CWE_Element structure into a View structure for capturing views, a Weakness structure for capturing the actual weaknesses, a Category structure for capturing groups of weaknesses based on a single common attribute (formerly known as groupings in Draft 8), and a Compound_Element structure for capturing chains and composites. We have also replaced CWE_Collection with Weakness_Catalog. Where CWE_Collection used to be a structure containing one or more CWE_Elements, our new Weakness_Catalog structure contains a Views structure, a Categories structure, a Weaknesses structure and a Compound_Elements structure, each of which contains zero or more instances of a View, Category, Weakness or Compound_Element respectively. Weakness_Catalog also has the attribute Catalog_Name, which has replaced Collection_Name, and we have added the attribute Catalog_Version for revision control purposes.

The majority of the schema fields that used to comprise a weakness in previous drafts, such as Demonstrative_Example and Potential_Mitigations, have been combined into the Common_Attributes structure. A Category structure is defined by a Category_ID attribute, a Category_Name attribute, a Category_Status attribute, and a Common_Attributes structure, containing all of the fields formerly used to describe weaknesses in previous drafts. A Weakness structure is defined by a Weakness_ID attribute, a Weakness_Name attribute, a Weakness_Abstraction attribute, a Weakness_Status attribute and the Common_Attributes structure. A Compound_Element structure is similarly defined by a Compound_Element_ID attribute, a Compound_Element_Name attribute, a Compound_Element_Abstraction attribute, a Compound_Element_Structure attribute, a Compound_Element_Status attribute, and a Common_Attributes structure. A View structure is defined by a View_Type element, a View_Audience element, a View_Objective element, a View_Origin element and a View_Filter element, as well as a View_ID attribute, a View_Name attribute and a View_Status attribute. It should be noted that the namespace for all ID assignments is the same. That is, all ID values are unique across all structures in CWE. Any ID issued to a Compound_Element cannot be issued to a Weakness as well, and vice versa.

The final major change concerns the Node_Relationship structure. The Common_Attributes structure now contains a Relationships structure, which contains one or more Relationship entities. Each Relationship entity will function similarly to each Node_Relationship entity in previous drafts of CWE. What was formerly Related_Node is now Relationship_Target_ID. What was formerly Relationship_Type is now Relationship_Nature. Relationship_Type is still a required element; it is intended to indicate what type of structure this relationship is targeting, such as a Weakness or a Category. We also added the Relationship_Views structure and the Relationship_Chains structure to a Relationship. Relationship_Views is intended to replace the View attribute from previous drafts and contains one or more Relationship_View_ID elements. For every view in which a structure has a defined relationship, one of those Relationship_View_ID elements has to have the attribute "Ordinal=Primary" so that there is no ambiguity or repetition in the layout of any view. Similarly, the Relationship_Chains structure has zero or more Relationship_Chain_ID elements in order to identify the named Chain structures with which this relationship is associated.
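
The two consistency rules stated above (a single ID namespace shared by View, Category, Weakness and Compound_Element, and a Primary Relationship_View_ID for every view an entry has relationships in) can be checked mechanically. The following Python check is an added example, not part of the CWE schema or its tooling; the sample catalog and its element nesting are constructed from this page's description, and the check reads "one" Primary as exactly one.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Entry element -> its ID attribute, named as in the prose above.
ID_ATTRS = {"View": "View_ID", "Category": "Category_ID",
            "Weakness": "Weakness_ID", "Compound_Element": "Compound_Element_ID"}

# Constructed sample, reduced to the fields the checks read. The nesting is an
# assumption drawn from the prose, not copied from cwe_schema_v3.0.xsd.
SAMPLE = """<Weakness_Catalog Catalog_Name="Constructed" Catalog_Version="0.1">
 <Views><View View_ID="1000" View_Name="V"/></Views>
 <Categories><Category Category_ID="2" Category_Name="C"/></Categories>
 <Weaknesses>
  <Weakness Weakness_ID="10" Weakness_Name="A"><Common_Attributes><Relationships>
   <Relationship><Relationship_Views>
    <Relationship_View_ID Ordinal="Primary">1000</Relationship_View_ID>
   </Relationship_Views></Relationship>
  </Relationships></Common_Attributes></Weakness>
  <Weakness Weakness_ID="11" Weakness_Name="B"><Common_Attributes><Relationships>
   <Relationship><Relationship_Views><Relationship_View_ID>1000</Relationship_View_ID></Relationship_Views></Relationship>
   <Relationship><Relationship_Views><Relationship_View_ID>1000</Relationship_View_ID></Relationship_Views></Relationship>
  </Relationships></Common_Attributes></Weakness>
 </Weaknesses>
 <Compound_Elements><Compound_Element Compound_Element_ID="10" Compound_Element_Name="X"/></Compound_Elements>
</Weakness_Catalog>"""

def check_catalog(xml_text):
    """Return sorted (rule, entry, detail) findings for the two constraints."""
    root = ET.fromstring(xml_text)
    entries = [(tag, el) for tag in ID_ATTRS for el in root.iter(tag)]
    findings, seen = [], {}
    for tag, el in entries:
        eid = el.get(ID_ATTRS[tag])
        # Rule 1: all four structures share one ID namespace.
        if eid in seen:
            findings.append(("duplicate-id", f"{tag} {eid}", f"also used by {seen[eid]}"))
        seen.setdefault(eid, tag)
        # Rule 2: per view, exactly one Relationship_View_ID is marked Primary.
        total, primary = Counter(), Counter()
        for rv in el.iter("Relationship_View_ID"):
            view = (rv.text or "").strip()
            total[view] += 1
            primary[view] += rv.get("Ordinal") == "Primary"
        for view in total:
            if primary[view] != 1:
                findings.append(("primary-ordinal", f"{tag} {eid}", f"view {view}: {primary[view]} Primary"))
    return sorted(findings)

if __name__ == "__main__":
    print(*check_catalog(SAMPLE), sep="\n")
```

On the constructed sample this reports the Compound_Element that reuses Weakness ID 10 and the Weakness whose two relationships in view 1000 both lack a Primary marker.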

For more information on the meaning of any of the structures, elements or attributes described above, please refer to the schema documentation on the website or as a downloadable PDF file.

Page Last Updated: January 05, 2017