{"id":19883635,"url":"https://github.com/muchdogesec/cwe2stix","last_synced_at":"2025-05-02T14:33:53.335Z","repository":{"id":247971114,"uuid":"809652688","full_name":"muchdogesec/cwe2stix","owner":"muchdogesec","description":"A command line tool that turns MITRE CWEs into STIX 2.1 Objects.","archived":false,"fork":false,"pushed_at":"2024-10-28T09:49:05.000Z","size":355,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-10-28T12:53:38.203Z","etag":null,"topics":["mitre-cwe","stix2","stix2-extensions"],"latest_commit_sha":null,"homepage":"https://www.dogesec.com/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/muchdogesec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-03T07:32:56.000Z","updated_at":"2024-10-28T09:49:09.000Z","dependencies_parsed_at":"2024-10-28T11:19:40.286Z","dependency_job_id":"b894041a-29dc-4d69-9333-20aeffbb94aa","html_url":"https://github.com/muchdogesec/cwe2stix","commit_stats":null,"previous_names":["muchdogesec/cwe2stix"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muchdogesec%2Fcwe2stix","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muchdogesec%2Fcwe2stix/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muchdogesec%2Fcwe2stix/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muchdogesec%2Fcwe2stix/manifests","owner
_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/muchdogesec","download_url":"https://codeload.github.com/muchdogesec/cwe2stix/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224316387,"owners_count":17291244,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["mitre-cwe","stix2","stix2-extensions"],"created_at":"2024-11-12T17:21:42.585Z","updated_at":"2025-05-02T14:33:53.320Z","avatar_url":"https://github.com/muchdogesec.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cwe2stix\n\n## Before you begin\n\nWe host a full web API that includes all objects created by cwe2stix, [CTIButler](https://www.ctibutler.com/).\n\n## Overview\n\n![](docs/cwe2stix.png)\n\nA command line tool that turns MITRE CWEs into STIX 2.1 Objects.\n\nCWEs are [Common Weakness Enumerations (CWEs)](https://cwe.mitre.org/). CWEs are a community-developed list of software and hardware weakness types managed by MITRE. They serve as a common language and a baseline for weakness identification, mitigation, and prevention efforts.\n\nFor example, [CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html).\n\nWe had a requirement to have an up-to-date copy of MITRE CWEs in STIX 2.1 format, like the ones MITRE already maintains for ATT\u0026CK (e.g. 
[Enterprise](https://github.com/mitre/cti/tree/master/enterprise-attack)) and [CAPEC](https://github.com/mitre/cti/tree/master/capec/2.1) on GitHub.\n\nThe code in this repository is similar to the MITRE implementations for ATT\u0026CK and CAPEC; it:\n\n1. Downloads the latest CWE XML\n2. Checks the version of the CWE XML\n3. Converts it to STIX 2.1 Objects, if the version is new\n4. Stores the STIX 2.1 Objects in the file store\n\n## tl;dr\n\n[![cwe2stix](https://img.youtube.com/vi/HWRa8kLad80/0.jpg)](https://www.youtube.com/watch?v=HWRa8kLad80)\n\n[Watch the demo](https://www.youtube.com/watch?v=HWRa8kLad80).\n\n## Installing the script\n\nTo install cwe2stix;\n\n```shell\n# clone the latest code\ngit clone https://github.com/muchdogesec/cwe2stix\n# create a venv\ncd cwe2stix\npython3 -m venv cwe2stix-venv\nsource cwe2stix-venv/bin/activate\n# install requirements\npip3 install -r requirements.txt\n```\n\n## Running the script\n\n```shell\npython3 cwe2stix.py --version \u003cCWE VERSION NUMBER\u003e\n```\n\n* `--version` (optional): by default the script will download the latest available CWE file from the CWE website. If you want a specific version, you can pass the `--version` flag, e.g. `--version 4.13`. Note, only versions \u003e= 4.5 are currently supported by this script.\n\nFor example, to download the 4.15 version of CWEs;\n\n```shell\npython3 cwe2stix.py --version 4.16\n```\n\nIf no `--version` is passed, the latest CWE file located at `https://cwe.mitre.org/data/xml/cwec_latest.xml.zip` will be downloaded.\n\nOn each script run, the objects and bundle will be removed (if a version difference is detected) and regenerated.\n\nTo handle versions, on the first run a `CWE_VERSION` file is created, listing the version of CWEs in the `stix2_objects` directory. 
On subsequent runs, this version value changes based on the version of CWEs converted.\n\n## Mapping information\n\n### Data download\n\n[MITRE maintain an XML file with the full CWE definitions here](https://cwe.mitre.org/data/downloads.html). This appears to be the best machine-readable format to use, compared with the other formats MITRE uses to distribute this data (HTML and PDF).\n\nThis XML file is what cwe2stix uses to generate the STIX objects.\n\nA high-level overview of the way the STIX objects are linked can be viewed here;\n\nhttps://miro.com/app/board/uXjVKpOg6bM=/\n\n### Identity / Marking Definition / Extension Definition\n\n* Identity: https://raw.githubusercontent.com/muchdogesec/stix4doge/main/objects/identity/cwe2stix.json\n* Marking Definition: https://raw.githubusercontent.com/muchdogesec/stix4doge/main/objects/marking-definition/cwe2stix.json\n* Extension Definition: https://raw.githubusercontent.com/muchdogesec/stix2extensions/main/extension-definitions/sdos/weakness.json\n\n### Weakness\n\nThe key object to represent CWEs is a Weakness (this is a custom STIX object):\n\n```json\n{\n    \"type\": \"weakness\",\n    \"spec_version\": \"2.1\",\n    \"id\": \"weakness--\u003cUUIDV5 GENERATION LOGIC\u003e\",\n    \"name\": \"\u003cCWE NAME\u003e\",\n    \"created_by_ref\": \"\u003cIMPORTED IDENTITY OBJECT\u003e\",\n    \"created\": \"\u003cWeaknesses.Weakness.Submission_Date\u003e\",\n    \"modified\": \"\u003cWeaknesses.Weakness.Modification_Date\u003e (latest date)\",\n    \"description\": \"\u003cWeaknesses.Weakness.Description\u003e \u003cWeaknesses.Weakness.Extended_Description\u003e\",\n    \"modes_of_introduction\": [\"Modes_Of_Introduction.Introduction.Phase\"],\n    \"likelihood_of_exploit\": \"Likelihood_Of_Exploit\",\n    \"common_consequences\": [\"Common_Consequences.Consequence.Scope\"],\n    \"detection_methods\": [\"Detection_Methods.Detection_Method.Method\"],\n    \"revoked\": \"\u003ctrue IF CWE NAME contains DEPRECATED:\u003e\",\n    
\"external_references\": [\n        {\n            \"source_name\": \"cwe\",\n            \"external_id\": \"CWE-\u003cCWE ID\u003e\",\n            \"url\": \"http://cwe.mitre.org/data/definitions/\u003cCWE ID\u003e.html\"\n        },\n        {\n            \"source_name\": \"\u003cExternal_Reference.author\u003e, \u003cExternal_Reference.author\u003e\",\n            \"description\": \"\u003cExternal_Reference.title\u003e\",\n            \"url\": \"\u003cExternal_Reference.URL\u003e\",\n            \"external_id\": \"\u003cWeaknesses.Weakness.External_Reference_ID\u003e\"\n        },\n        {\n            \"source_name\": \"\u003cWeaknesses.Weakness.Taxonomy_Mappings.Taxonomy_Name\u003e\",\n            \"external_id\": \"\u003cWeaknesses.Weakness.Taxonomy_Mappings.Entry_ID\u003e\",\n            \"description\": \"\u003cWeaknesses.Weakness.Taxonomy_Mappings.Entry_Name\u003e\"\n        },\n        {\n            \"source_name\": \"capec\",\n            \"external_id\": \"CAPEC-\u003cWeaknesses.Weakness.Related_Attack_Patterns.Related_Attack_Pattern\u003e\",\n            \"url\": \"https://capec.mitre.org/data/definitions/\u003cWeaknesses.Weakness.Related_Attack_Patterns.Related_Attack_Pattern\u003e.html\"\n        }\n    ],\n    \"object_marking_refs\": [\n        \"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487\",\n        \"\u003cIMPORTED MARKING DEFINITION OBJECT\u003e\"\n    ],\n    \"extensions\": {\n        \"\u003cIMPORTED EXTENSION DEFINITION\u003e\": {\n            \"extension_type\": \"new-sdo\"\n        }\n    }\n}\n```\n\nNote, the `created` field relies on you importing versions in order. Usually this is a non-issue, but if you plan on backfilling data, YOU MUST import them in order (earliest first).\n\nTo generate the id, a UUIDv5 is generated using the namespace `d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b` and the CWE-ID, e.g. 
CWE-102 = `ad5b3e38-fdf2-5c97-90da-30dad0f1f016` = `weakness--ad5b3e38-fdf2-5c97-90da-30dad0f1f016`\n\n### Relationships\n\nEach weakness entry also carries a `Weaknesses.Related_Weaknesses` property. For example, for CWE-521;\n\n```xml\n\u003cRelated_Weaknesses\u003e\n    \u003cRelated_Weakness Nature=\"ChildOf\" CWE_ID=\"1391\" View_ID=\"1000\" Ordinal=\"Primary\"/\u003e\n    \u003cRelated_Weakness Nature=\"ChildOf\" CWE_ID=\"287\" View_ID=\"1003\" Ordinal=\"Primary\"/\u003e\n\u003c/Related_Weaknesses\u003e\n```\n\ncwe2stix models these using [STIX 2.1 Relationship Objects](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_cqhkqvhnlgfh) as follows;\n\n```json\n{\n    \"type\": \"relationship\",\n    \"spec_version\": \"2.1\",\n    \"id\": \"relationship--\u003cUUIDV5 GENERATION LOGIC\u003e\",\n    \"created_by_ref\": \"\u003cIMPORTED IDENTITY OBJECT\u003e\",\n    \"created\": \"\u003cCREATED TIME OF MOST RECENT CWE OBJECT IN PAIR\u003e\",\n    \"modified\": \"\u003cCREATED TIME OF MOST RECENT CWE OBJECT IN PAIR\u003e\",\n    \"relationship_type\": \"\u003cRelated_Weakness Nature\u003e\",\n    \"source_ref\": \"weakness--\u003cCURRENT WEAKNESS\u003e\",\n    \"target_ref\": \"weakness--\u003cWeaknesses.Weakness.Related_Weaknesses.Related_Weakness.CWE_ID\u003e\",\n    \"description\": \"\u003cCURRENT WEAKNESS name\u003e is a \u003cRelated_Weakness Nature\u003e of \u003cWeaknesses.Weakness.Related_Weaknesses.Related_Weakness.name\u003e\",\n    \"object_marking_refs\": [\n        \"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487\",\n        \"\u003cIMPORTED MARKING DEFINITION OBJECT\u003e\"\n    ]\n}\n```\n\nTo generate the id of the SRO, a UUIDv5 is generated using the namespace `d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b` and `\u003cRelated_Weakness Nature\u003e+SOURCE_CWEID+TARGET_CWEID`.\n\ne.g. 
`CanPrecede+CWE-1423+CWE-1102` = `7a612ea9-a08b-54bd-9e21-570509ba5d25` = `relationship--7a612ea9-a08b-54bd-9e21-570509ba5d25`\n\n### Grouping\n\nThe CWE XML also contains category entries. e.g.\n\n```xml\n\u003cCategory ID=\"1020\" Name=\"Verify Message Integrity\" Status=\"Draft\"\u003e\n         \u003cSummary\u003eWeaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.\u003c/Summary\u003e\n         \u003cRelationships\u003e\n            \u003cHas_Member CWE_ID=\"353\" View_ID=\"1008\"/\u003e\n            \u003cHas_Member CWE_ID=\"354\" View_ID=\"1008\"/\u003e\n            \u003cHas_Member CWE_ID=\"390\" View_ID=\"1008\"/\u003e\n            \u003cHas_Member CWE_ID=\"391\" View_ID=\"1008\"/\u003e\n            \u003cHas_Member CWE_ID=\"494\" View_ID=\"1008\"/\u003e\n            \u003cHas_Member CWE_ID=\"565\" View_ID=\"1008\"/\u003e\n            \u003cHas_Member CWE_ID=\"649\" View_ID=\"1008\"/\u003e\n            \u003cHas_Member CWE_ID=\"707\" View_ID=\"1008\"/\u003e\n            \u003cHas_Member CWE_ID=\"755\" View_ID=\"1008\"/\u003e\n            \u003cHas_Member CWE_ID=\"924\" View_ID=\"1008\"/\u003e\n         \u003c/Relationships\u003e\n         \u003cReferences\u003e\n            \u003cReference External_Reference_ID=\"REF-9\"/\u003e\n            \u003cReference External_Reference_ID=\"REF-10\" Section=\"pages 69 - 78\"/\u003e\n         \u003c/References\u003e\n         \u003cMapping_Notes\u003e\n            \u003cUsage\u003eProhibited\u003c/Usage\u003e\n            \u003cRationale\u003eThis entry is a Category. Using categories for mapping has been discouraged since 2019. 
Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.\u003c/Rationale\u003e\n            \u003cComments\u003eSee member weaknesses of this category.\u003c/Comments\u003e\n            \u003cReasons\u003e\n               \u003cReason Type=\"Category\"/\u003e\n            \u003c/Reasons\u003e\n         \u003c/Mapping_Notes\u003e\n         \u003cContent_History\u003e\n            \u003cSubmission\u003e\n               \u003cSubmission_Name\u003eJoanna C.S. Santos, Mehdi Mirakhorli\u003c/Submission_Name\u003e\n               \u003cSubmission_Date\u003e2017-06-22\u003c/Submission_Date\u003e\n               \u003cSubmission_Version\u003e2.12\u003c/Submission_Version\u003e\n               \u003cSubmission_ReleaseDate\u003e2017-11-08\u003c/Submission_ReleaseDate\u003e\n               \u003cSubmission_Comment\u003eProvided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view.\u003c/Submission_Comment\u003e\n            \u003c/Submission\u003e\n                \u003cModification\u003e\n                    \u003cModification_Name\u003eCWE Content Team\u003c/Modification_Name\u003e\n                    \u003cModification_Organization\u003eMITRE\u003c/Modification_Organization\u003e\n                    \u003cModification_Date\u003e2023-04-27\u003c/Modification_Date\u003e\n                    \u003cModification_Comment\u003eupdated Mapping_Notes\u003c/Modification_Comment\u003e\n                \u003c/Modification\u003e\n                \u003cModification\u003e\n                    \u003cModification_Name\u003eCWE Content Team\u003c/Modification_Name\u003e\n                    \u003cModification_Organization\u003eMITRE\u003c/Modification_Organization\u003e\n                    \u003cModification_Date\u003e2023-06-29\u003c/Modification_Date\u003e\n                    \u003cModification_Comment\u003eupdated 
Mapping_Notes\u003c/Modification_Comment\u003e\n                \u003c/Modification\u003e\n         \u003c/Content_History\u003e\n      \u003c/Category\u003e\n```\n\nGrouping SDOs are also used to represent CWE Categories (e.g. OWASP Top Ten 2004).\n\nGrouping SDOs are modelled from CWE entries as follows;\n\n```json\n{\n    \"type\": \"grouping\",\n    \"spec_version\": \"2.1\",\n    \"id\": \"grouping--\u003cUUIDV5 LOGIC\u003e\",\n    \"created_by_ref\": \"\u003cIMPORTED IDENTITY OBJECT\u003e\",\n    \"created\": \"\u003cContent_History.Submission_Date\u003e\",\n    \"modified\": \"\u003cModification.Modification_Date\u003e (latest)\",\n    \"name\": \"\u003cCATEGORY.NAME\u003e\",\n    \"description\": \"\u003cCATEGORY.SUMMARY\u003e\",\n    \"context\": \"unspecified\",\n    \"external_references\": [\n        {\n            \"source_name\": \"cwe_category\",\n            \"external_id\": \"\u003cCWE CATEGORY ID\u003e\"\n        },\n        {\n            \"source_name\": \"\u003cExternal_Reference.author\u003e, \u003cExternal_Reference.author\u003e\",\n            \"description\": \"\u003cExternal_Reference.title\u003e\",\n            \"url\": \"\u003cExternal_Reference.URL\u003e\",\n            \"external_id\": \"\u003cWeaknesses.Weakness.External_Reference_ID\u003e\"\n        }\n    ],\n    \"object_marking_refs\": [\n        \"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487\",\n        \"\u003cIMPORTED MARKING DEFINITION OBJECT\u003e\"\n    ],\n    \"object_refs\": [\n        \"\u003cSTIX IDs OF ALL CWEs LISTED IN CATEGORY.Relationships\u003e\"\n    ]\n}\n```\n\nTo generate the id of the SDO, a UUIDv5 is generated using the namespace `d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b` and the `name` field, e.g. 
`SFP Primary Cluster: Malware` = `0523bdc3-24d8-5634-9353-14def9f5cfcf` = `grouping--0523bdc3-24d8-5634-9353-14def9f5cfcf`\n\nTo demonstrate the `object_refs` payload, for category 1020 above the `object_refs` list would contain the STIX IDs for; CWE_ID=\"353\" CWE_ID=\"354\" CWE_ID=\"390\" CWE_ID=\"391\" CWE_ID=\"494\" CWE_ID=\"565\" CWE_ID=\"649\" CWE_ID=\"707\" CWE_ID=\"755\" CWE_ID=\"924\".\n\nIn some cases a related weakness does not exist, because the CWE record is not in the dataset. For example, Category 1001 references `Weakness ID=\"227\"`; however, there is no CWE-227 in the CWE dictionary.\n\n```xml\n      \u003cCategory ID=\"1001\" Name=\"SFP Secondary Cluster: Use of an Improper API\" Status=\"Incomplete\"\u003e\n         \u003cSummary\u003eThis category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).\u003c/Summary\u003e\n         \u003cRelationships\u003e\n            \u003cHas_Member CWE_ID=\"111\" View_ID=\"888\"/\u003e\n            \u003cHas_Member CWE_ID=\"227\" View_ID=\"888\"/\u003e\n            \u003cHas_Member CWE_ID=\"242\" View_ID=\"888\"/\u003e\n```\n\nIf a referenced Weakness does not exist (e.g. Weakness ID=\"227\"), the entry is omitted from the Grouping's `object_refs` list.\n\n### Bundle\n\ncwe2stix also creates a STIX 2.1 Bundle JSON object containing all the other STIX 2.1 Objects created at each run. 
The Bundle takes the format;\n\n```json\n{\n    \"type\": \"bundle\",\n    \"id\": \"bundle--\u003cUUIDV5 GENERATION LOGIC\u003e\",\n    \"objects\": [\n        \"\u003cALL STIX JSON OBJECTS\u003e\"\n    ]\n}\n```\n\nTo generate the id of the Bundle, a UUIDv5 is generated using the namespace `d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b` and an MD5 hash of all objects sorted in the bundle.\n\nUnlike the other STIX Objects, this means a new bundle ID is generated on every update where any difference in objects or properties is observed.\n\n## Quickstart\n\nDownload all data by running;\n\n```shell\nsh utilities/download_all.sh\n```\n\n## Useful supporting tools\n\n* To generate STIX 2.1 Objects: [stix2 Python Lib](https://stix2.readthedocs.io/en/latest/)\n* The STIX 2.1 specification: [STIX 2.1 docs](https://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html)\n* [MITRE CWE site](https://cwe.mitre.org/)\n\n## Support\n\n[Minimal support provided via the DOGESEC community](https://community.dogesec.com/).\n\n## License\n\n[Apache 2.0](/LICENSE).","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmuchdogesec%2Fcwe2stix","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmuchdogesec%2Fcwe2stix","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmuchdogesec%2Fcwe2stix/lists"}