CWE element error

[dstrohl]

Version 1.2 (http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html#_Toc493508771)
section 6.9

The words say:

« The vuln:CWE element MUST be present zero or one time in any vuln:Vulnerability and if present it contains the MITRE standard Common Weakness Enumeration (CWE) and this value MUST match the pattern documented in section 2.2.13 Vulnerability CWE Type Model. » [CSAF-6.9-1]

The Type model says:

Vulnerability measures given as defined in the Common Weakness Enumeration (CWE) model are expected to be in a specific form to enhance interoperability.
« Any CWE value MUST be completely matched by the following regular expression:
CWE-[1-9]\d{0,5}

Which would indicate an element looking like:

CWE-601


However the examples (examples 57 and 58) show:
URL Redirection to Untrusted Site ('Open Redirect')


Which indicates that there is an ID Attribute that must match the type model, and the contents of the element is the name of the CWE.

I'm not sure which is correct, but it should be one or the other.

[tschmidtb51]

This is also being addressed/changed in the current CSAF 2.0 Schema and CSAF 2.0 prose.