BOMnipotent - SBOM and CSAF Distribution

The first Weichwerke Heidrich Software open source Rust crate can now be found on crates.io !

Amomg other things, BOMnipotent aims to be a CSAF provider according to the OASIS standard . This involves running several consistency checks on every parsed document. One of these checks involves CWEs.

The Common Weakness Enumeration (CWE) Catalog is a list of software and hardware weaknesses maintained by MITRE. It is not to be confused with the Common Vulnerability Enumeration (CVE) : While a weakness can be understood as a type of error a program could make, a vulnerability is an implementation that actually makes it.

A CWE appearing in a CSAF document contains an ID and a name. The consistency check requires them to both correspond to the same, existing weakness. How should this be implemented? Should the code make a request to the MITRE website for every single CWE it encounters?

Luckily, the total number of around a thousand existing CWEs is not unfathomably large, and the catalog is updated on a timescale of months. MITRE itself recommends to maintain a local mirror. I did, in form of a Rust crate I called “cwenum”.

As its centerpiece, this crate has a large enum containing all currently maintained CWEs. Anyone who has ever worked with Rust knows how empowering it is to have such an object at hand. The crate offers several feature flags to implement additional, optional behaviour like to-and-from string conversions, (de)serialization, or an iterator to loop through all elements. It is published under the permissive MIT license , meaning that if you would like to use it, you’ll have to do nothing but to include it.

This tiny crate transforms the CWE consistency check, which might have been a cumbersone operation requiring network access, to a local access taking nanoseconds.