Vendor comments for the overall claim.
Each CWE can be covered by one or more "rules".
A comment for each rule allows vendors to explain what they look for in more detail.
The vendor may or may not have IDs for its rules.
Strength/accuracy of the covered rules relative to the CWE entry.
Unique identifier of the CWE being covered.
Name of the CWE being covered (included for better readability).
Optional comments for the entire set of claims.
All claims are made against a specific version of CWE.
All claims are specific to a specific vendor.
All claims are specific to a specific named tool set.
All claims are specific to a specific tool set version.
A URI that contains more details, or a human-friendly version of this coverage claim.
Claims are made as of a date (NOT IN THE FUTURE!).
All claims are made against a specific type of language.
All claims are made against a specific language.
Archetype_Type contains values for the Archetype of the system described by the vignette.

Match accuracy values:
The CWE entry exactly covers the same weakness(es) as the given rule set.
The CWE entry covers more concepts than the given rule set, but there is no more precise match available. For example, a rule set might detect resource consumption for a resource that is not specifically covered by CWE.
The CWE entry is more specific than the weakness reported by the given rule set, but the entry's parent(s) are not appropriate matches. This might indicate a difference in perspective between CWE and the capability providing the coverage mapping. It could also include a single rule that covers multiple CWE entries (which might imply that there would be multiple claims for a single rule/ruleset).
The CWE entry is only a partial match with the weakness reported by the given rule set, but the entry is the closest available match.
The CWE entry is not covered by any rule set. The provider is not required to include information about uncovered CWEs.
There is no CWE entry available that closely matches the weakness reported by the given rule set, but the provider believes that a CWE entry should exist for the reported weakness. The associated CWE_ID should be 0.
The rule/ruleset is not applicable to CWE, i.e., it is not necessarily about a weakness. This could include rulesets related to coding style conformance, informational messages about the scan, etc. The associated CWE_ID should be -1. The provider is not required to include information about non-applicable rules.
The match accuracy is unknown. Typically this would be used by a third party who is creating a coverage claim and does not have insight into the technology.
No other CWE match accuracy type is applicable.
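As an added example (not part of the schema or its documentation), the Python below checks a coverage-claim document against the constraints stated above: the CWE_ID conventions of 0 (no suitable CWE exists) and -1 (rule not applicable), a claim date that is not in the future, and the required CWE version, vendor, tool set, tool set version and language. The element and attribute names, the accuracy vocabulary and the sample document are assumptions constructed for illustration, not the schema's own identifiers.

```python
"""Consistency checks for a CWE coverage-claim document (added example).
Element/attribute names and the accuracy vocabulary are assumptions, not the schema's own."""
import datetime as dt
import xml.etree.ElementTree as ET

MISSING = "cwe-missing"            # no suitable CWE exists yet  -> cwe_id must be 0
NOT_APPLICABLE = "not-applicable"  # rule is not about a weakness -> cwe_id must be -1
REQUIRED_HEADER = ("cwe_version", "vendor", "toolset", "toolset_version", "language")

# Constructed sample document: the last claim deliberately pairs a real-match
# accuracy value with cwe_id 0, which the checker must flag.
SAMPLE_CLAIMS = """
<coverage_claims cwe_version="4.x" vendor="ExampleVendor" toolset="ExampleScanner"
                 toolset_version="1.0" language="C" date="2023-06-01">
  <claim cwe_id="79" accuracy="exact"><rule id="R1"/></claim>
  <claim cwe_id="0" accuracy="cwe-missing"><rule id="R2"/></claim>
  <claim cwe_id="-1" accuracy="not-applicable"><rule id="R3"/></claim>
  <claim cwe_id="0" accuracy="cwe-partial"><rule id="R4"/></claim>
</coverage_claims>
"""

def rule_ids(claim: ET.Element) -> str:
    """Vendors may or may not assign rule IDs, so fall back to a placeholder."""
    return ",".join(r.get("id", "<no id>") for r in claim.findall("rule")) or "<no rules>"

def check_claims(xml_text: str, today_iso: str) -> list[str]:
    """Return human-readable problems; an empty list means the document is consistent."""
    root = ET.fromstring(xml_text)
    problems = []
    # Every claim set must name the CWE version, vendor, tool set, its version and language.
    for field in REQUIRED_HEADER:
        if not root.get(field):
            problems.append(f"missing required header field '{field}'")
    # Claims are made as of a date, and that date must not lie in the future.
    claim_date = dt.date.fromisoformat(root.get("date", "1970-01-01"))
    if claim_date > dt.date.fromisoformat(today_iso):
        problems.append(f"claim date {claim_date} is in the future")
    # The accuracy value fixes what CWE_ID may hold: 0 for "missing", -1 for "not applicable",
    # and a real (positive) CWE identifier for every other kind of match.
    for claim in root.iter("claim"):
        cwe_id, accuracy = int(claim.get("cwe_id", "0")), claim.get("accuracy")
        if accuracy == MISSING and cwe_id != 0:
            problems.append(f"rule {rule_ids(claim)}: '{MISSING}' requires cwe_id 0, got {cwe_id}")
        elif accuracy == NOT_APPLICABLE and cwe_id != -1:
            problems.append(f"rule {rule_ids(claim)}: '{NOT_APPLICABLE}' requires cwe_id -1, got {cwe_id}")
        elif accuracy not in (MISSING, NOT_APPLICABLE) and cwe_id <= 0:
            problems.append(f"rule {rule_ids(claim)}: '{accuracy}' must name a real CWE, got cwe_id {cwe_id}")
    return problems
```

Running `check_claims(SAMPLE_CLAIMS, dt.date.today().isoformat())` reports only the R4 claim; passing a `today_iso` earlier than the claim date additionally reports the future-dated claim.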