vendor comments for overall claim each CWE can be covered by one or more "rules" comment for each rule allows vendors to explain what they look for in more detail vendor may or may not have ID's Strength/accuracy of the covered rules to the CWE entry. unique identifier of the CWE being covered name of the CWE being covered (included for better readability) Optional comments for the entire set of claims. all claims are made against a specific version of CWE all claims are specific to a specific vendor all claims are specific to a specific named tool set all claims are specific to a specific tool set version a URI that contains more details, or a human-friendly version of this coverage claim claims are made as of a date (NOT IN THE FUTURE!) all claims are made against a specific type of language all claims are made against a specific language Archetype_Type contains values for the Archetype of the system described by the vignette The CWE entry exactly covers the same weakness(es) as the given rule set. The CWE entry covers more concepts than the given rule set, but there are not any more precise matches available. For example, a rule set might detect resource consumption for a resource that is not specifically covered by CWE. The CWE entry is more specific than the weakness reported by the given rule set, but the entry's parent(s) are not appropriate matches. This might indicate a difference in perspective between CWE and the capability providing the coverage mapping. It could also include a single rule that covers multiple CWE entries (which might imply that there would be multiple claims for a single rule/ruleset). The CWE entry is only a partial match with the weakness reported by the given rule set, but the entry is the closest available match. The CWE entry is not covered by any rule set. The provider is not required to include information about uncovered CWEs. There is no CWE entry available that closely matches the weakness reported by the given rule set, but the provider believes that a CWE entry should exist for the reported weakness. The associated CWE_ID should be 0. The rule/ruleset is not applicable to CWE, i.e., it is not necessarily about a weakness. This could include rulesets related to coding style conformance, informational messages about the scan, etc. The associated CWE_ID should be -1. The provider is not required to include information about non-applicable rules. The match accuracy is unknown. Typically this would be used by a third party who is creating a coverage claim and does not have insight into the technology. No other CWE match accuracy type is applicable.