CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

Schema Differences between CWE Draft 7 and Draft 8

Draft 7 Schema File: cwe_taxonomy_schema_v2.9.xsd -> Draft 8 Schema File: cwe_taxonomy_schema_v2.10.xsd

Additions
  • All fields are now more thoroughly documented.
  • Changed the Description field to have two new subelements which will now house the descriptive text: "Description_Summary" and "Extended_Description". Description_Summary is intended to provide a brief but clear description of the weakness while the Extended_Description should provide extra details and additional insight into the weakness.
  • Added the element "Detection_Factor" in order to provide information on factors which might make a weakness more difficult to detect.
  • Added the Related_Attack_Patterns element and its children in order to create 0 or more mappings between any individual weakness and CAPEC entries.
  • Added the White_Box_Definition and Black_Box_Definition elements.
Deletions
  • Removed the element Common_Methods_of_Exploitation since it was rarely used in the current XML and it has been replaced for the most part by mappings to CAPEC.
  • Removed potential taxonomy name "Anonymous 1" since it isn't used anywhere and an Anonymous tag already exists.
Name Changes
  • Changed the "Vulnerability_Taxonomy" structure to "CWE_Collection" since CWE is more of a dictionary than a taxonomy and any given instance of an XML document with this schema will be a subset, or Collection, of CWE entries. Also changed the "Taxonomy_Name" attribute to "Collection_Name" for the same reasons.
  • Changed "Taxonomy_Node" to "CWE_Element" since we are creating more of a dictionary than a taxonomy.
  • Changed AffectedResource tag to Affected_Resource for consistency with other fields.
  • Changed name of the "Reference" tag inside of Demonstrative_Example to "Demonstrative_Example_Reference" in order to create uniqueness in element names in the schema.
  • Changed name of the "Reference", "Description" and "Link" tags inside of Observed_Example to "Observed_Example_Reference", "Observed_Example_Description", and "Observed_Example_Link" in order to create uniqueness in element names in the schema and improve clarity.
  • Changed the "id" attribute on the Reference element to Reference_ID in order to improve clarity.
  • Changed Taxonomy_Name attribute in Source_Taxonomy element to Source_Taxonomy_Name in order to create uniqueness in schema fields.
  • Changed Taxonomy_Name attribute in Taxonomy_Mapping element to Mapped_Taxonomy_Name in order to create uniqueness in schema fields.
  • Changed the "Type" attribute on the Taxonomy_Node / CWE_Element elements to "Role" and changed the potential values from Vulnerability_Category, Vulnerability_Type, View, Metadata_field, and Node_Alias to Category, Type, Variant, Grouping, Deprecated, and View. This will allow for a more flexible way to identify the role the entry plays in the CWE tree and it eliminates the potential values we weren't using, namely Metadata_field and Node_Alias.
Rules and Validation
  • Changed the minimum occurrence of Common_Consequence elements inside of the Common_Consequences element from 0 to 1.
  • Changed the minimum occurrences of the "Reference" tag inside of the "References" element from 0 to 1 since it doesn't make any sense to have a "References" element without any references inside.
  • Changed the minimum occurrences of the Node_Relationship element from 0 to 1 since all entries have to be related to something.
  • Changed the minimum occurrences of the Relationship_Type element from 0 to 1 since every relationship should have a type.
  • Changed the minimum occurrences of the "Platform" tag inside of the "Applicable_Platforms" element from 0 to 1 since it doesn't make any sense to have an "Applicable_Platforms" element without any Platforms inside.
Other Changes
  • Changed the layout of Demonstrative_Example such that all examples for any individual weakness will fall inside of one Demonstrative_Example tag, instead of sometimes including multiple examples in one tag and using individual Demonstrative_Example tags other times. This will help to regulate the conformity with which examples are laid out and presented. Also made Example_Code a necessary subelement of Demonstrative_Example.
  • Changed potential Relationship_Type values ResultantFrom and ResultsIn to CanBeResultantFrom and CanResultIn respectively. Added potential values Requires and CanContributeTo to handle composite weaknesses in the future.
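For tooling that still holds Draft 7 documents, the renames under "Name Changes", the Relationship_Type value change and the removed Common_Methods_of_Exploitation element can be applied mechanically. The following is an added example, not code from the CWE project. It assumes documents without an XML namespace, uses a constructed sample whose element nesting is assumed, and maps old Type values to Role values by name similarity because the page gives no one-to-one mapping.

```python
import xml.etree.ElementTree as ET

TAG_RENAMES = {  # key: (parent tag, or None for any parent; Draft 7 tag)
    (None, "Vulnerability_Taxonomy"): "CWE_Collection",
    (None, "Taxonomy_Node"): "CWE_Element",
    (None, "AffectedResource"): "Affected_Resource",
    ("Demonstrative_Example", "Reference"): "Demonstrative_Example_Reference",
    ("Observed_Example", "Reference"): "Observed_Example_Reference",
    ("Observed_Example", "Description"): "Observed_Example_Description",
    ("Observed_Example", "Link"): "Observed_Example_Link",
}
ATTR_RENAMES = {  # key: (tag after renaming, Draft 7 attribute)
    ("CWE_Collection", "Taxonomy_Name"): "Collection_Name",
    ("CWE_Element", "Type"): "Role",
    ("Reference", "id"): "Reference_ID",
    ("Source_Taxonomy", "Taxonomy_Name"): "Source_Taxonomy_Name",
    ("Taxonomy_Mapping", "Taxonomy_Name"): "Mapped_Taxonomy_Name",
}
REL_TYPES = {"ResultantFrom": "CanBeResultantFrom", "ResultsIn": "CanResultIn"}
# Assumption: the page lists old and new Role values but no one-to-one mapping.
ROLE_VALUES = {"Vulnerability_Category": "Category", "Vulnerability_Type": "Type", "View": "View"}
REMOVED = {"Common_Methods_of_Exploitation"}

def migrate(xml_text):
    """Return (Draft 8 XML text, findings that need manual review)."""
    root = ET.fromstring(xml_text)
    findings, parent_tag = [], {c: p.tag for p in root.iter() for c in p}
    for el in list(root.iter()):
        if el.tag in REMOVED:
            findings.append(f"{el.tag} was removed in Draft 8: map to CAPEC by hand")
        key = (parent_tag.get(el), el.tag)
        el.tag = TAG_RENAMES.get(key, TAG_RENAMES.get((None, el.tag), el.tag))
        for (tag, old), new in ATTR_RENAMES.items():
            if el.tag == tag and old in el.attrib:
                el.set(new, el.attrib.pop(old))
        role = el.get("Role") if el.tag == "CWE_Element" else None
        if role in ROLE_VALUES:
            el.set("Role", ROLE_VALUES[role])
        elif role is not None:
            findings.append(f"Role {role!r} has no Draft 8 equivalent on the page: review")
        if el.tag == "Relationship_Type" and (el.text or "").strip() in REL_TYPES:
            el.text = REL_TYPES[el.text.strip()]
    return ET.tostring(root, encoding="unicode"), findings

# Constructed Draft 7 style fragment (not a real CWE entry; element nesting is assumed).
SAMPLE = ('<Vulnerability_Taxonomy Taxonomy_Name="demo"><Taxonomy_Node Type="Vulnerability_Type">'
          '<Node_Relationship><Relationship_Type>ResultsIn</Relationship_Type></Node_Relationship>'
          '<Common_Methods_of_Exploitation/><Observed_Example><Reference>x</Reference></Observed_Example>'
          '<References><Reference id="R1"/></References></Taxonomy_Node>'
          '<Taxonomy_Node Type="Node_Alias"/></Vulnerability_Taxonomy>')
```

`migrate(SAMPLE)` returns the renamed document plus a list of findings. Elements it cannot convert safely, such as a Node_Alias entry or a leftover Common_Methods_of_Exploitation, are reported and left in place, so the output should still be validated against cwe_taxonomy_schema_v2.10.xsd.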
Page Last Updated: January 05, 2017