Fixing Invalid CVE-CWE Mappings in the NVD
Presented by
Şevval Şimşek
Abstract
(from the paper)
Accurate root cause analysis plays a key role for developing mitigation strategies and understanding attack paths. Many security analysis tools rely on threat databases to accurately report information related to vulnerabilities, such as root cause weaknesses or affected platforms. However, these databases are not entirely correct, with many instances of missing or erroneous information linked to vulnerabilities. This paper presents a method for automated correction of invalid Common Weakness Enumeration (CWE) mappings of Common Vulnerability and Exposure (CVE) entries in the National Vulnerability Database (NVD), which can also be applied to other threat databases.
We systematically investigate the prevalence of incorrect or missing root-cause mappings, revealing that more than half of CVEs are linked to invalid or insufficiently detailed CWEs, particularly those categorized as Prohibited or Discouraged. Through a longitudinal analysis of the NVD, we detect trends in manual updates to CVE-CWE mappings and show how these can inform predictions for future corrections. We develop and present FixV2W, an automated correction method that uses a Knowledge Graph embedding model to predict and rank best-fitting CWE matches for correcting previously invalid CVE-CWE mappings. We evaluate FixV2W using invalid mappings that were subsequently corrected by the NVD. Notably, focusing on the top-10 ranked answers for correcting prohibited mappings, we show that FixV2W finds the correct CWE in 65% of the cases, and a candidate within the same branch as the correct CWE in 93% of the cases. Moreover, most of the correct mappings appear at the first or second ranks.
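The abstract refers to two checks a practitioner would want to reproduce on their own NVD data: deciding whether a CVE's current CWE mapping is invalid (a Prohibited or Discouraged CWE, or one of the NVD's "no info" placeholders), and scoring a ranked list of correction candidates by top-k exact hits and by "same branch" hits. The Python below is an added example written for this page; it is not FixV2W or any code from the paper. The CWE parent links and Mapping-Notes usage values are a small hand-copied subset and should be loaded from the official CWE XML/CSV in practice; the CVE records and the candidate lists are constructed test data; and the "same branch" definition (sharing an ancestor below the pillar level) is this example's own assumption about the paper's metric.

```python
"""Flag invalid CVE->CWE mappings and score ranked correction candidates.

Added example for this page, not the paper's FixV2W implementation.
"""
from __future__ import annotations

from collections import Counter

# Constructed CWE metadata. CWE_PARENT holds ChildOf links, CWE_USAGE the
# Mapping-Notes "usage" value. Production code must load both from the
# official CWE XML/CSV; this subset only serves the example.
CWE_PARENT = {
    "CWE-79": "CWE-74",    # XSS -> Injection
    "CWE-89": "CWE-943",   # SQLi -> Improper neutralization in data query logic
    "CWE-943": "CWE-74",
    "CWE-74": "CWE-707",   # Injection -> Improper Neutralization (pillar)
    "CWE-20": "CWE-707",   # Improper Input Validation -> pillar
    "CWE-787": "CWE-119",  # Out-of-bounds Write -> buffer-bounds class
    "CWE-125": "CWE-119",  # Out-of-bounds Read -> buffer-bounds class
    "CWE-119": "CWE-118",
    "CWE-118": "CWE-664",  # -> Improper Control of a Resource (pillar)
}
CWE_USAGE = {
    "CWE-79": "Allowed", "CWE-89": "Allowed", "CWE-787": "Allowed",
    "CWE-125": "Allowed", "CWE-943": "Allowed-with-Review",
    "CWE-74": "Discouraged", "CWE-20": "Discouraged", "CWE-119": "Discouraged",
    "CWE-118": "Prohibited", "CWE-707": "Prohibited", "CWE-664": "Prohibited",
}
# NVD placeholders that carry no root-cause information at all.
NVD_PLACEHOLDERS = {"NVD-CWE-noinfo", "NVD-CWE-Other"}


def cwe_ids(cve: dict) -> list[str]:
    """Pull CWE identifiers out of a CVE record in the NVD API 2.0 shape."""
    return [d["value"]
            for w in cve.get("weaknesses", [])
            for d in w.get("description", [])
            if d.get("lang") == "en"]


def mapping_status(cwe: str) -> str:
    """'missing', 'prohibited', 'discouraged', 'allowed' (incl. Allowed-with-Review)
    or 'unknown' (CWE not present in our table)."""
    if cwe in NVD_PLACEHOLDERS:
        return "missing"
    usage = CWE_USAGE.get(cwe)
    if usage is None:
        return "unknown"
    if usage == "Prohibited":
        return "prohibited"
    if usage == "Discouraged":
        return "discouraged"
    return "allowed"


def find_invalid(cves: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Map each CVE id to its non-'allowed' mappings. A CVE with no weaknesses
    block at all is reported as ('<none>', 'missing')."""
    out: dict[str, list[tuple[str, str]]] = {}
    for cve in cves:
        ids = cwe_ids(cve) or ["<none>"]
        bad = [(c, "missing" if c == "<none>" else mapping_status(c)) for c in ids]
        bad = [(c, s) for c, s in bad if s != "allowed"]
        if bad:
            out[cve["id"]] = bad
    return out


def lineage(cwe: str) -> list[str]:
    """The CWE followed by its ChildOf ancestors up to the pillar."""
    chain = [cwe]
    while chain[-1] in CWE_PARENT:
        chain.append(CWE_PARENT[chain[-1]])
    return chain


def same_branch(a: str, b: str) -> bool:
    """Assumed definition of 'same branch': the two CWEs share an ancestor
    (or one is the other's ancestor) below the pillar level."""
    shared = set(lineage(a)) & set(lineage(b))
    return any(c in CWE_PARENT for c in shared)  # pillars have no parent entry


def evaluate(cases: list[tuple[list[str], str]], k: int = 10) -> dict:
    """Score ranked candidates against the CWE the NVD later corrected to:
    top-k exact-hit rate, top-k same-branch rate, and a histogram of the rank
    at which the exact CWE appears."""
    exact = branch = 0
    ranks: Counter = Counter()
    for ranked, truth in cases:
        top = ranked[:k]
        if truth in top:
            exact += 1
            ranks[top.index(truth) + 1] += 1
        if any(same_branch(c, truth) for c in top):
            branch += 1
    n = len(cases)
    return {"n": n, "top_k_exact": exact / n, "top_k_same_branch": branch / n,
            "rank_hist": dict(sorted(ranks.items()))}


def _weak(cwe: str) -> dict:
    return {"source": "nvd@nist.gov", "type": "Primary",
            "description": [{"lang": "en", "value": cwe}]}


# Constructed CVE records (year 0000 marks them as fake), not real NVD data.
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "weaknesses": [_weak("CWE-79")]},          # valid
    {"id": "CVE-0000-0002", "weaknesses": [_weak("CWE-20")]},          # discouraged
    {"id": "CVE-0000-0003", "weaknesses": [_weak("NVD-CWE-noinfo")]},  # placeholder
    {"id": "CVE-0000-0004", "weaknesses": [_weak("CWE-707")]},         # prohibited pillar
    {"id": "CVE-0000-0005", "weaknesses": []},                         # no mapping at all
]
# Constructed (ranked candidates, CWE the NVD later corrected to) pairs.
SAMPLE_CASES = [
    (["CWE-79", "CWE-89", "CWE-74"], "CWE-79"),     # exact hit at rank 1
    (["CWE-89", "CWE-79", "CWE-20"], "CWE-79"),     # exact hit at rank 2
    (["CWE-125", "CWE-119", "CWE-20"], "CWE-787"),  # same branch only
    (["CWE-20", "CWE-79"], "CWE-787"),              # miss
]

if __name__ == "__main__":
    for cve_id, bad in find_invalid(SAMPLE_CVES).items():
        print(cve_id, bad)
    print(evaluate(SAMPLE_CASES, k=10))
```

On the constructed data the script flags four of the five CVEs (one Discouraged, one Prohibited, one placeholder, one with no mapping) and reports a 50% top-10 exact-hit rate and a 75% same-branch rate, with the exact hits at ranks 1 and 2. Against real NVD exports, replace the two tables with the full CWE hierarchy and Mapping-Notes usage values, and feed `evaluate` the pairs of (old ranked candidates, CWE chosen in a later NVD update), which is the evaluation setup the abstract describes.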
Reference
- Sevval Simsek, David Starobinski, Jonah Gluck, David Medina and Howell Xia. "Fixing Invalid CVE-CWE Mappings in Threat Databases". 49th IEEE International Conference on Computers, Software, and Applications (COMPSAC). 2025. Toronto, Canada.