Issue 538: Add CWE Object #558

Closed
wants to merge 9 commits into from

Apocrathia

#538

  • Added CWE object type to schema
  • Configured Vulnerability object to accept CWE or CVE object
  • Removed CWE field from CVE object (this can still be determined from an external lookup of the CVE object if needed.)

Contributor

@irakledibm irakledibm left a comment

I agree with adding the cwe object to vulnerability; however, cwe info shouldn't be removed from the CVE object. The Malware object contains a list of CVEs, and cwe information has to be associated with the CVE object. In the CVE object, the cwe_uid and cwe_url attributes can be replaced with the new CWE object.

@Apocrathia
Author

Apocrathia commented Apr 5, 2023

cwe info shouldn't be removed from CVE object. Malware object contains list of CVEs and cwe information has to be associated with CVE object.

That's valid. Good call. CWE fields restored in CVE object.
a0d8d71

Contributor

@floydtree floydtree left a comment

You would need to add a cwe object in the dictionary for this to work correctly. For reference, check the definition of the cve object in the dictionary.
Currently, if you run a local server instance, you should see the following error message:
Warning: 16:46:23.154 [warning] 'Vulnerability Details' uses undefined attribute: cwe: %{_source: :vulnerability, requirement: "recommended"}

Also, I would highly recommend running a local instance of the OCSF server and checking if the desired schema changes are accurately reflected in the browser.

@pagbabian-splunk
Contributor

@Apocrathia I can add cwe to the dictionary if it helps to get this PR approved and merged.

@irakledibm
Contributor

Any progress with this item?

@Apocrathia Apocrathia closed this May 17, 2023
@Apocrathia Apocrathia deleted the issue-538 branch May 17, 2023 14:32
@rafaelpereyra

Hello, commenting on this closed issue trying to understand why this was closed.

I'm working on ingesting some security tool output into OCSF and CWE is definitely useful without a CVE, but this is required for vulnerability detail object.

The only other option I can see is using finding detail, but CWE details will be hidden in the supporting_data field.
