The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Automatically check feeds and web slices for updates software#
The Software Assurance Metrics and Tool EvaluationĪccess of Resource Using Incompatible Type ('Type Confusion') NVD is using CWE as a classification mechanism that differentiates CVEs by the type of vulnerability they represent.
For a better understanding of how the standards link together please visit: The cross section of CWEs used by NVD is listed below each CWE listed links to a detailed description hosted by MITRE. This cross section of CWEs allows analysts to score CVEs at both a fine and coarse granularity, which is necessary due to the varying levels of specificity possessed by different CVEs. NVD analysts score CVEs using CWEs from different levels of the hierarchical structure. NVD integrates CWE into the scoring of CVE vulnerabilities by providing a cross section of the overall CWE structure. Clicking the image to the right will open an enlarged version for viewing. The image to the right represents a portion of the overall CWE structure, the red boxes represent the CWEs being used by NVD. ) provide a finer granularity and usually have fewer or no children CWEs.
CWEs at deeper levels in the structure (i.e.
) provide a broad overview of a vulnerability type and can have many children CWEs associated with them. CWEs located at higher levels of the structure (i.e. A detailed CWE list is currently available at the MITRE website this list provides a detailed definition for each individual CWE.Īll individual CWEs are held within a hierarchical structure that allows for multiple levels of abstraction. CWE is currently maintained by the MITRE Corporation. Each individual CWE represents a single vulnerability type. The Common Weakness Enumeration Specification (CWE) provides a common language of discourse for discussing, finding and dealing with the causes of software security vulnerabilities as they are found in code, design, or system architecture.
0 kommentar(er)
