Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > Documents > CVE → CWE Mapping Guidance - Quick Tips  

CVE CWE Mapping Guidance - Quick Tips

Before You Start

  1. Try to frame your perspective of the vulnerability to its underlying weakness
  2. Become familiar with key terms in CWE's glossary so that you can be sure you are interpreting CWE names correctly
  3. Familiarize yourself with key views (CWE-1003, CWE-699, CWE-1194, and CWE-1000), and determine which ones seem to match your needs the best
  4. If new to CWE mapping, view CWE-1003 might be a good starting point, as it contains a usable subset of the most commonly-encountered CWE entries
  5. Become familiar with the top-level CWEs in your preferred view
  6. Understand how to navigate up and down the view hierarchies, whether on the view entry’s page; relationships on weakness pages; or visual PDFs – one may be a better fit for your efforts

When You Are Ready

  1. The keyword search on the CWE website can help you quickly find potential entries, regardless of their level of abstraction
  2. Always map to Weakness entries, not Categories
  3. Map to the lowest-level CWE entry that you can. Weakness abstraction levels, from highest to lowest, are: Pillar, Class, Base, and Variant
  4. Verify your mapping with a team member with different skills and experience than you
  5. If you find an entry similar but not quite what you are looking for, then examine its relationships with parents, children, siblings, etc.
Page Last Updated: March 25, 2021