CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > Compatibility > CWE-Compatible Products and Services  
ID

Name of Your Organization:

Denim Group, Ltd.

Web Site:

http://www.denimgroup.com

Compatible Capability:

ThreadFix

Capability home page:

http://www.denimgroup.com/threadfix

General Capability Questions

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

Additional information on ThreadFix can be found at: http://www.denimgroup.com/threadfix/

ThreadFix is freely available under the Mozilla 2.0 Public License (MPL); download the software at: http://code.google.com/p/threadfix/

Mapping Questions

Map Currency Indication <CR_6.1>

Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):

http://code.google.com/p/threadfix/wiki/ThreadfixVulnerabilityFormat ThreadFix version 1.1 uses CWE 2.4, published February 12, 2013.

Map Currency Update Approach <CR_6.2>

Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):

Updates to ThreadFix’s CWE capability mappings occur with each product release, which typically includes two major releases per year.

MAP CURRENCY UPDATE TIME <CR_6.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CWE content (required):

New product releases typically occur on a semi-annual basis, and include updates to CWE Identifiers. Since CWE Identifiers hyperlink back to the MITRE website, updated content is accessible whenever MITRE publishes updates.

Documentation Questions

CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>

Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):

http://code.google.com/p/threadfix/wiki/ThreadfixVulnerabilityFormat

http://code.google.com/p/threadfix/wiki/CommonWeaknessEnumeration

DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability’s repository (required):

http://code.google.com/p/threadfix/wiki/CommonWeaknessEnumeration

DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS <CR_5.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository (required):

This URL explains how to navigate the ThreadFix UI as it relates to/references the CWE-ID, and provides a hyperlink back to the associated mapping on MITRE’s website: http://code.google.com/p/threadfix/wiki/CommonWeaknessEnumeration

DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL <CR_5.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):

ThreadFix documentation does not provide an index.

Type-Specific Capability Questions

Tool Questions

FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):

The following step-by-step information can also be found online at: http://code.google.com/p/threadfix/wiki/CommonWeaknessEnumeration

Identified vulnerabilities are mapped to CWE Identifiers. Associated CWE Identifiers are listed prominently at the top of the "Vulnerability Details" page, referencing the CWE-ID name CWE-ID number and a hyperlink back to the associated identifier on MITRE’s website.

  1. From the applications page, select a single vulnerability.
    Finding Tasks Using CWE Identifiers 1
  2. Click on the CWE Entry URL to navigate to the to the associated CWE Identifier on MITRE’s website.
    Finding Tasks Using CWE Identifiers 2

Filtering vulnerability data is a feature of ThreadFix. Users can filter many criteria including CWE Identifier.

  1. On the application page, click the ‘Show Filters’ link
    Finding Tasks Using CWE Identifiers 3
  2. Type in the CWE-ID number, click the ‘Filter’ link.
    Finding Tasks Using CWE Identifiers 4
  3. Only the results associated that specific CWE-ID will be displayed below.
    Finding Tasks Using CWE Identifiers 5

FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):

CWE-IDs can be found in the ‘Vulnerability Progress by Type’ report

GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):

https://code.google.com/p/threadfix/wiki/CommonWeaknessEnumeration

A complete listing of the CWE Identifiers supported by ThreadFix v1.1 (and the current set of integrated scanners) can be found by viewing the latest version of the CWE 2.4. ThreadFix allows for manual entry of vulnerabilities, allowing for complete coverage/support of all CWE Identifiers found in the latest version of the CWE 2.4.

Online Capability Questions

FINDING ONLINE CAPABILITY TASKS USING CWE IDENTIFIERS <CR_A.4.1>

Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CWE identifier or through an online mapping that links each element of the capability with its associated CWE identifier(s) (required):

For detailed example, please see answer to CR_A.2.1.

FINDING CWE IDENTIFIERS USING ONLINE CAPABILITY ELEMENTS <CR_A.4.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CWE Identifiers for the individual security elements in the report (required):

Please see answer to CR_A.2.2.

GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.4.3>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE Identifiers that the owner claims the online capability’s repository covers (required):

Please see answer to CR_A.2.3.

ONLINE CAPABILITY ELEMENT TO CWE IDENTIFIER MAPPING <CR_A.4.5>

If details for individual security elements are not provided, give examples and explanations of how a user can obtain a mapping that links each element with its associated CWE Identifier(s), otherwise enter N/A (required):

Identified vulnerabilities are mapped back to a CWE Identifier. The associated CWE identified is listed prominently at the top of the "Vulnerability Details" page, referencing the CWE-ID and provides a hyperlink back to the associated mapping on MITRE’s website.

Media Questions

ELECTRONIC DOCUMENT FORMAT INFO <B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):

Users can export reports in ThreadFix to the following formats: HTML, CSV, and PDF. The CWE-ID can be found in the ‘Vulnerability Progress by Type’ report.

ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS <CR_B.3.2>

If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element (required):

Associated CWE Identifiers are listed prominently at the top of the "Vulnerability Details" page, referencing the CWE-ID and providing a hyperlink back to the associated mapping on MITRE’s website.

Graphical User Interface (GUI) Questions

FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CWE identifier(s) (required):

For detailed example, please see answer to CR_A.2.1.

GUI ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.4.2>

Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability’s elements, also describe the format of the mapping (required):

For detailed example, please see answer to CR_A.2.1.

GUI EXPORT ELECTRONIC DOCUMENT FORMAT INFO <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CWE-related data and describe how they can be searched for specific CWE-related text (recommended):

Users can export reports in ThreadFix to the following formats: HTML, CSV, and PDF. The CWE-ID can be found in the ‘Vulnerability Progress by Type’ report.

Questions for Signature

STATEMENT OF COMPATIBILITY <CR_2.11>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Brian Mather

Title: Product Manager

STATEMENT OF ACCURACY <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Brian Mather

Title: Product Manager

STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>

FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Brian Mather

Title: Product Manager

Page Last Updated: April 02, 2018