File size: 39,145 Bytes
c8d30bc
# tools/cwe_database.py
# MITRE CWE offline database: ThreatHunter's trusted evidence source
#
# Source: MITRE CWE v4.14 (https://cwe.mitre.org/)
# Note: the contents of this file come from the official MITRE definitions and are not LLM-generated
# Last updated: 2026-04-21
#
# Purpose:
#   When Security Guard detects a code pattern, it references this database to
#   provide the official definition, NIST severity, OWASP mapping, remediation
#   advice and representative CVEs (real-world cases in which the same class of
#   weakness was exploited).
#
# Important disclaimer:
#   A representative CVE does not mean the user's code "is" that CVE; it is a
#   real-world case in which the same class of weakness was exploited, included
#   to illustrate the severity of the risk.

from __future__ import annotations

import logging
from typing import Any

logger = logging.getLogger("ThreatHunter.cwe_database")

# ══════════════════════════════════════════════════════════════════════
# MITRE CWE database
# Field descriptions:
#   name            : short CWE name
#   full_name       : official MITRE full name
#   source          : data source version
#   nist_severity   : NIST-assessed severity level
#   cvss_base       : typical CVSS v3.1 base score (from NVD statistics)
#   owasp_2021      : OWASP Top 10 2021 mapping
#   cwe_url         : official MITRE URL
#   description     : summary of the official definition (English, MITRE original text)
#   remediation_en  : remediation advice in English
#   remediation_zh  : remediation advice in Chinese
#   representative_cves : representative CVEs (real-world cases, not a direct mapping of the user's code)
# ══════════════════════════════════════════════════════════════════════

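# Added example, not part of tools/cwe_database.py or the ThreatHunter project: a
# consistency check and an id-normalising lookup for a dict in the CWE_DATABASE
# shape described above. It checks that cvss_base sits inside the nist_severity
# band (CVSS v3.1 qualitative scale), that cwe_url names the same CWE as the key,
# and that each representative CVE's year agrees with its id. SAMPLE_DB is
# constructed for the example: CWE-89 is copied from this file, CWE-999 is a
# deliberately inconsistent placeholder.

```python
"""Consistency checks and id lookup for a dict in the CWE_DATABASE shape.

Added example, not part of tools/cwe_database.py. SAMPLE_DB is constructed here.
"""
from __future__ import annotations

import re
from typing import Any

# CVSS v3.1 qualitative severity rating scale (FIRST specification, section 5).
SEVERITY_BANDS = {"LOW": (0.1, 3.9), "MEDIUM": (4.0, 6.9), "HIGH": (7.0, 8.9), "CRITICAL": (9.0, 10.0)}
REQUIRED_FIELDS = ("name", "full_name", "source", "nist_severity", "cvss_base", "owasp_2021",
                   "cwe_url", "description", "remediation_en", "remediation_zh", "representative_cves")
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")

SAMPLE_DB: dict[str, dict[str, Any]] = {
    # Copied from tools/cwe_database.py (description replaced by a placeholder).
    "CWE-89": {
        "name": "SQL Injection",
        "full_name": "Improper Neutralization of Special Elements used in an SQL Command",
        "source": "MITRE CWE v4.14", "nist_severity": "HIGH", "cvss_base": 8.1,
        "owasp_2021": "A03:2021 - Injection",
        "cwe_url": "https://cwe.mitre.org/data/definitions/89.html",
        "description": "Shortened for the example; see tools/cwe_database.py for the MITRE text.",
        "remediation_en": "Use parameterized queries (prepared statements).",
        "remediation_zh": "使用參數化查詢（Prepared Statements）。",
        "representative_cves": [
            {"id": "CVE-2023-23752", "cvss": 7.5, "vendor": "Joomla", "year": 2023,
             "note": "Improper access checks allow SQL injection via URL parameter"},
        ],
    },
    # Constructed placeholder carrying three deliberate inconsistencies.
    "CWE-999": {
        "name": "Placeholder", "full_name": "Placeholder", "source": "constructed",
        "nist_severity": "HIGH", "cvss_base": 9.8,  # 9.8 falls in the CRITICAL band
        "owasp_2021": "A03:2021 - Injection",
        "cwe_url": "https://cwe.mitre.org/data/definitions/89.html",  # URL names CWE-89
        "description": "placeholder", "remediation_en": "placeholder", "remediation_zh": "placeholder",
        "representative_cves": [
            {"id": "CVE-2022-99999999", "cvss": 5.0, "vendor": "constructed",
             "year": 2023, "note": "year field disagrees with the id"},
        ],
    },
}


def normalize_cwe_id(raw: str | int) -> str:
    """Accept 89, '89', 'cwe-89' or ' CWE-0089 ' and return the canonical 'CWE-89'."""
    digits = re.sub(r"(?i)^\s*cwe-?", "", str(raw)).strip()
    if not digits.isdigit():
        raise ValueError(f"not a CWE identifier: {raw!r}")
    return f"CWE-{int(digits)}"


def validate_entry(cwe_id: str, entry: dict[str, Any]) -> list[str]:
    """Return the internal inconsistencies of one entry (empty list when it is clean)."""
    problems = [f"{cwe_id}: missing field {f!r}" for f in REQUIRED_FIELDS if f not in entry]

    score = entry.get("cvss_base")
    if not isinstance(score, (int, float)) or not 0.0 <= score <= 10.0:
        problems.append(f"{cwe_id}: cvss_base {score!r} is not a score in 0.0-10.0")
    else:
        severity = str(entry.get("nist_severity", "")).upper()
        band = SEVERITY_BANDS.get(severity)
        if band is None:
            problems.append(f"{cwe_id}: unknown nist_severity {severity!r}")
        elif not band[0] <= score <= band[1]:
            problems.append(f"{cwe_id}: cvss_base {score} is outside the {severity} band {band}")

    # The URL must point at this id's definition page, not at a neighbouring one.
    expected_url = f"https://cwe.mitre.org/data/definitions/{cwe_id.split('-')[1]}.html"
    if entry.get("cwe_url") != expected_url:
        problems.append(f"{cwe_id}: cwe_url should be {expected_url}")

    for cve in entry.get("representative_cves", []):
        match = CVE_ID_RE.match(str(cve.get("id", "")))
        if match is None:
            problems.append(f"{cwe_id}: malformed CVE id {cve.get('id')!r}")
            continue
        if int(match.group(1)) != cve.get("year"):
            problems.append(f"{cwe_id}: {cve['id']} year {cve.get('year')!r} disagrees with the id")
        cvss = cve.get("cvss")
        if not isinstance(cvss, (int, float)) or not 0.0 <= cvss <= 10.0:
            problems.append(f"{cwe_id}: {cve['id']} cvss {cvss!r} is not a score in 0.0-10.0")
    return problems


def validate_database(db: dict[str, dict[str, Any]]) -> list[str]:
    """Run validate_entry over every entry of a CWE_DATABASE-shaped dict."""
    return [p for key, entry in db.items() for p in validate_entry(key, entry)]


def lookup(db: dict[str, dict[str, Any]], raw_id: str | int) -> dict[str, Any] | None:
    """Find an entry by any accepted spelling of its id; None when it is absent."""
    return db.get(normalize_cwe_id(raw_id))
```

# Running validate_database over the real CWE_DATABASE in a pre-commit hook catches
# a mistyped URL or a severity that drifted away from its score before it ships.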
CWE_DATABASE: dict[str, dict[str, Any]] = {

    # ── Injection ──────────────────────────────────────────────────

    "CWE-89": {
        "name": "SQL Injection",
        "full_name": "Improper Neutralization of Special Elements used in an SQL Command",
        "source": "MITRE CWE v4.14",
        "nist_severity": "HIGH",
        "cvss_base": 8.1,
        "owasp_2021": "A03:2021 – Injection",
        "cwe_url": "https://cwe.mitre.org/data/definitions/89.html",
        "description": (
            "Without sufficient removal or quoting of SQL syntax in user-controllable inputs, "
            "the generated SQL query can cause those inputs to be interpreted as SQL instead of "
            "ordinary user data. This can be used to alter query logic to bypass authentication, "
            "retrieve, modify, or delete data."
        ),
        "remediation_en": "Use parameterized queries (prepared statements). Never concatenate user input into SQL strings.",
        "remediation_zh": "使用參數化查詢（Prepared Statements）。絕不將用戶輸入直接拼接進 SQL 字串。",
        "representative_cves": [
            {"id": "CVE-2023-23752", "cvss": 7.5, "vendor": "Joomla", "year": 2023,
             "note": "Improper access checks allow SQL injection via URL parameter"},
            {"id": "CVE-2022-21661", "cvss": 7.5, "vendor": "WordPress", "year": 2022,
             "note": "SQL injection via WP_Query in core component"},
            {"id": "CVE-2023-40028", "cvss": 8.8, "vendor": "Ghost CMS", "year": 2023,
             "note": "SQL injection leading to data exposure"},
        ],
    },

    "CWE-78": {
        "name": "OS Command Injection",
        "full_name": "Improper Neutralization of Special Elements used in an OS Command",
        "source": "MITRE CWE v4.14",
        "nist_severity": "CRITICAL",
        "cvss_base": 9.8,
        "owasp_2021": "A03:2021 – Injection",
        "cwe_url": "https://cwe.mitre.org/data/definitions/78.html",
        "description": (
            "The product constructs all or part of an OS command using externally-influenced input "
            "but does not neutralize elements that can modify the intended OS command, allowing "
            "attackers to execute arbitrary commands with the privileges of the vulnerable process."
        ),
        "remediation_en": "Avoid shell execution functions. Use language APIs that accept argument arrays (not strings).",
        "remediation_zh": "避免使用 shell 執行函式。改用語言 API 並以陣列方式傳遞參數（不使用字串拼接）。",
        "representative_cves": [
            {"id": "CVE-2021-44228", "cvss": 10.0, "vendor": "Apache Log4j", "year": 2021,
             "note": "JNDI injection leading to Remote Code Execution (Log4Shell)"},
            {"id": "CVE-2022-33891", "cvss": 8.8, "vendor": "Apache Spark", "year": 2022,
             "note": "Shell injection via HTTP query parameter"},
            {"id": "CVE-2023-44487", "cvss": 7.5, "vendor": "Multiple HTTP servers", "year": 2023,
             "note": "HTTP/2 Rapid Reset Attack enabling code execution"},
        ],
    },

    "CWE-77": {
        "name": "Command Injection",
        "full_name": "Improper Neutralization of Special Elements used in a Command",
        "source": "MITRE CWE v4.14",
        "nist_severity": "CRITICAL",
        "cvss_base": 9.8,
        "owasp_2021": "A03:2021 – Injection",
        "cwe_url": "https://cwe.mitre.org/data/definitions/77.html",
        "description": "The product constructs a command using externally-influenced input without proper neutralization.",
        "remediation_en": "Validate and whitelist all input. Use safe APIs instead of direct command execution.",
        "remediation_zh": "驗證並白名單化所有輸入。使用安全 API 替代直接命令執行。",
        "representative_cves": [
            {"id": "CVE-2021-44228", "cvss": 10.0, "vendor": "Apache Log4j", "year": 2021,
             "note": "Command injection via JNDI lookup"},
        ],
    },

    "CWE-79": {
        "name": "Cross-Site Scripting (XSS)",
        "full_name": "Improper Neutralization of Input During Web Page Generation",
        "source": "MITRE CWE v4.14",
        "nist_severity": "MEDIUM",
        "cvss_base": 6.1,
        "owasp_2021": "A03:2021 – Injection",
        "cwe_url": "https://cwe.mitre.org/data/definitions/79.html",
        "description": (
            "The product does not neutralize or incorrectly neutralizes user-controllable input "
            "before it is placed in output that is used as a web page that is served to other users."
        ),
        "remediation_en": "Encode all output. Use Content Security Policy (CSP). Use framework's built-in escaping.",
        "remediation_zh": "對所有輸出進行 HTML 編碼。啟用 CSP。使用框架內建的 escape 機制。",
        "representative_cves": [
            {"id": "CVE-2023-32235", "cvss": 6.1, "vendor": "WordPress Plugin", "year": 2023,
             "note": "Reflected XSS via unescaped URL parameter"},
            {"id": "CVE-2022-40082", "cvss": 5.4, "vendor": "Multiple CMS", "year": 2022,
             "note": "Stored XSS via input field"},
        ],
    },

    "CWE-80": {
        "name": "Basic XSS (Improper HTML Encoding)",
        "full_name": "Improper Neutralization of Script-Related HTML Tags in a Web Page",
        "source": "MITRE CWE v4.14",
        "nist_severity": "MEDIUM",
        "cvss_base": 5.4,
        "owasp_2021": "A03:2021 – Injection",
        "cwe_url": "https://cwe.mitre.org/data/definitions/80.html",
        "description": "The product does not neutralize or incorrectly neutralizes script tags in user input.",
        "remediation_en": "HTML-encode all user output using htmlspecialchars() or equivalent.",
        "remediation_zh": "使用 htmlspecialchars() 或同等函式對所有用戶輸出進行 HTML 編碼。",
        "representative_cves": [
            {"id": "CVE-2023-32235", "cvss": 6.1, "vendor": "WordPress Plugin", "year": 2023,
             "note": "Script injection via unencoded output"},
        ],
    },

    "CWE-94": {
        "name": "Code Injection",
        "full_name": "Improper Control of Generation of Code",
        "source": "MITRE CWE v4.14",
        "nist_severity": "CRITICAL",
        "cvss_base": 9.8,
        "owasp_2021": "A03:2021 – Injection",
        "cwe_url": "https://cwe.mitre.org/data/definitions/94.html",
        "description": "User input is interpreted as executable code by the application.",
        "remediation_en": "Never use eval() or equivalent with user input. Use safe alternatives (JSON.parse, predefined mappings).",
        "remediation_zh": "絕不對用戶輸入使用 eval()。使用安全替代（JSON.parse、預定義映射）。",
        "representative_cves": [
            {"id": "CVE-2021-41773", "cvss": 7.5, "vendor": "Apache HTTP Server", "year": 2021,
             "note": "Path traversal + code injection in CGI"},
        ],
    },

    "CWE-95": {
        "name": "Dynamic Code Evaluation (eval Injection)",
        "full_name": "Improper Neutralization of Directives in Dynamically Evaluated Code",
        "source": "MITRE CWE v4.14",
        "nist_severity": "CRITICAL",
        "cvss_base": 9.8,
        "owasp_2021": "A03:2021 – Injection",
        "cwe_url": "https://cwe.mitre.org/data/definitions/95.html",
        "description": (
            "The software receives input from an upstream component, but it does not neutralize "
            "codes in the input before using it as part of a dynamically-evaluated code."
        ),
        "remediation_en": "Remove all uses of eval() with dynamic input. Use JSON.parse() for data, or a switch/map for logic.",
        "remediation_zh": "移除所有對動態輸入的 eval() 使用。資料改用 JSON.parse()，邏輯改用 switch/map。",
        "representative_cves": [
            {"id": "CVE-2023-29017", "cvss": 10.0, "vendor": "vm2 (Node.js sandbox)", "year": 2023,
             "note": "Sandbox escape via eval injection leading to RCE"},
            {"id": "CVE-2021-22911", "cvss": 9.8, "vendor": "Rocket.Chat", "year": 2021,
             "note": "Server-side eval injection leading to RCE"},
        ],
    },

    "CWE-98": {
        "name": "PHP File Inclusion",
        "full_name": "Improper Control of Filename for Include/Require Statement in PHP",
        "source": "MITRE CWE v4.14",
        "nist_severity": "HIGH",
        "cvss_base": 8.8,
        "owasp_2021": "A03:2021 – Injection",
        "cwe_url": "https://cwe.mitre.org/data/definitions/98.html",
        "description": (
            "The PHP application receives input from an upstream component, but does not restrict "
            "or incorrectly restricts the input before its use in a require, include, or similar "
            "statement, allowing the web server to include and execute unintended PHP files."
        ),
        "remediation_en": "Use a strict whitelist of allowed filenames. Never use user input directly in include/require.",
        "remediation_zh": "使用嚴格白名單限制允許的檔案名稱。絕不將用戶輸入直接傳入 include/require。",
        "representative_cves": [
            {"id": "CVE-2023-23752", "cvss": 7.5, "vendor": "Joomla", "year": 2023,
             "note": "Improper access check leading to Local File Inclusion"},
            {"id": "CVE-2021-39165", "cvss": 9.8, "vendor": "Cachet", "year": 2021,
             "note": "Remote File Inclusion via template engine"},
        ],
    },

    "CWE-90": {
        "name": "LDAP Injection",
        "full_name": "Improper Neutralization of Special Elements used in an LDAP Query",
        "source": "MITRE CWE v4.14",
        "nist_severity": "HIGH",
        "cvss_base": 7.5,
        "owasp_2021": "A03:2021 – Injection",
        "cwe_url": "https://cwe.mitre.org/data/definitions/90.html",
        "description": "User-supplied input is incorporated into LDAP queries without sufficient sanitization.",
        "remediation_en": "Escape all special LDAP characters. Use parameterized LDAP queries.",
        "remediation_zh": "對所有特殊 LDAP 字元進行轉義。使用參數化 LDAP 查詢。",
        "representative_cves": [
            {"id": "CVE-2021-40539", "cvss": 9.8, "vendor": "ManageEngine", "year": 2021,
             "note": "LDAP injection enabling authentication bypass"},
        ],
    },

    "CWE-611": {
        "name": "XML External Entity (XXE)",
        "full_name": "Improper Restriction of XML External Entity Reference",
        "source": "MITRE CWE v4.14",
        "nist_severity": "HIGH",
        "cvss_base": 8.6,
        "owasp_2021": "A05:2021 – Security Misconfiguration",
        "cwe_url": "https://cwe.mitre.org/data/definitions/611.html",
        "description": (
            "The software processes an XML document that can contain XML entities with URIs that "
            "resolve to documents outside of the intended sphere of control, causing the product "
            "to embed incorrect documents into its output."
        ),
        "remediation_en": "Disable external entity processing in XML parser. Use allowlist of allowed entities.",
        "remediation_zh": "停用 XML 解析器的外部實體處理。使用允許的實體白名單。",
        "representative_cves": [
            {"id": "CVE-2021-44228", "cvss": 10.0, "vendor": "Apache Log4j", "year": 2021,
             "note": "XXE via JNDI lookup in log messages"},
            {"id": "CVE-2022-21363", "cvss": 7.0, "vendor": "MySQL Connector/J", "year": 2022,
             "note": "XXE in XML data processing"},
        ],
    },

    # ── Path and file operations ────────────────────────────────────

    "CWE-22": {
        "name": "Path Traversal",
        "full_name": "Improper Limitation of a Pathname to a Restricted Directory",
        "source": "MITRE CWE v4.14",
        "nist_severity": "HIGH",
        "cvss_base": 7.5,
        "owasp_2021": "A01:2021 – Broken Access Control",
        "cwe_url": "https://cwe.mitre.org/data/definitions/22.html",
        "description": (
            "The software uses external input to construct a pathname that is intended to identify "
            "a file or directory located underneath a restricted parent directory, but does not "
            "properly neutralize special elements within the pathname that can cause it to resolve "
            "to a location outside of that directory."
        ),
        "remediation_en": "Canonicalize paths before validation. Validate against a strict whitelist of allowed paths.",
        "remediation_zh": "在驗證前正規化路徑。使用嚴格白名單驗證允許的路徑。",
        "representative_cves": [
            {"id": "CVE-2021-41773", "cvss": 7.5, "vendor": "Apache HTTP Server", "year": 2021,
             "note": "Path traversal allowing arbitrary file read"},
            {"id": "CVE-2022-22965", "cvss": 9.8, "vendor": "Spring Framework", "year": 2022,
             "note": "Spring4Shell: path traversal leading to RCE"},
        ],
    },

    "CWE-73": {
        "name": "External Control of File Name or Path",
        "full_name": "External Control of File Name or Path",
        "source": "MITRE CWE v4.14",
        "nist_severity": "HIGH",
        "cvss_base": 7.5,
        "owasp_2021": "A01:2021 – Broken Access Control",
        "cwe_url": "https://cwe.mitre.org/data/definitions/73.html",
        "description": "The software allows user input to control or influence paths used in filesystem operations.",
        "remediation_en": "Use a whitelist of allowed filenames. Sanitize directory separator characters.",
        "remediation_zh": "使用允許的檔案名稱白名單。過濾目錄分隔字元。",
        "representative_cves": [
            {"id": "CVE-2021-41773", "cvss": 7.5, "vendor": "Apache HTTP Server", "year": 2021,
             "note": "File path control leading to arbitrary file access"},
        ],
    },

    "CWE-134": {
        "name": "Uncontrolled Format String",
        "full_name": "Use of Externally-Controlled Format String",
        "source": "MITRE CWE v4.14",
        "nist_severity": "HIGH",
        "cvss_base": 8.1,
        "owasp_2021": "A03:2021 – Injection",
        "cwe_url": "https://cwe.mitre.org/data/definitions/134.html",
        "description": "User input is used as a format string in functions like printf, allowing memory read/write.",
        "remediation_en": "Always use a literal format string. Never pass user input directly as the format argument.",
        "remediation_zh": "永遠使用字面格式字串。絕不將用戶輸入直接作為格式參數傳入。",
        "representative_cves": [
            {"id": "CVE-2021-3156", "cvss": 7.8, "vendor": "sudo", "year": 2021,
             "note": "Heap-based buffer overflow via format string (Baron Samedit)"},
        ],
    },

    # ── Deserialization and code integrity ──────────────────────────

    "CWE-502": {
        "name": "Deserialization of Untrusted Data",
        "full_name": "Deserialization of Untrusted Data",
        "source": "MITRE CWE v4.14",
        "nist_severity": "CRITICAL",
        "cvss_base": 9.8,
        "owasp_2021": "A08:2021 – Software and Data Integrity Failures",
        "cwe_url": "https://cwe.mitre.org/data/definitions/502.html",
        "description": (
            "The application deserializes untrusted data without sufficiently verifying that the "
            "resulting data will be valid, allowing attackers to control the state or flow of "
            "execution, and potentially execute arbitrary code."
        ),
        "remediation_en": "Use safe data formats (JSON). Implement class allowlisting. Sign serialized data.",
        "remediation_zh": "使用安全的資料格式（JSON）。實作類別白名單。對序列化資料進行簽名。",
        "representative_cves": [
            {"id": "CVE-2018-2628", "cvss": 9.8, "vendor": "Oracle WebLogic", "year": 2018,
             "note": "Java deserialization RCE via T3 protocol"},
            {"id": "CVE-2017-9248", "cvss": 9.8, "vendor": "Telerik UI", "year": 2017,
             "note": ".NET deserialization leading to RCE"},
            {"id": "CVE-2022-22947", "cvss": 10.0, "vendor": "Spring Cloud Gateway", "year": 2022,
             "note": "Code injection via SPEL in actuator endpoint"},
        ],
    },

    "CWE-494": {
        "name": "Download of Code Without Integrity Check",
        "full_name": "Download of Code Without Integrity Check",
        "source": "MITRE CWE v4.14",
        "nist_severity": "HIGH",
        "cvss_base": 8.1,
        "owasp_2021": "A08:2021 – Software and Data Integrity Failures",
        "cwe_url": "https://cwe.mitre.org/data/definitions/494.html",
        "description": "The product downloads source code or an executable from a remote location without verifying its integrity.",
        "remediation_en": "Verify checksums/signatures before execution. Use HTTPS. Pin dependency versions.",
        "remediation_zh": "執行前驗證校驗和/簽名。使用 HTTPS。鎖定依賴版本。",
        "representative_cves": [
            {"id": "CVE-2022-3602", "cvss": 7.5, "vendor": "OpenSSL", "year": 2022,
             "note": "Certificate verification bypass enabling MitM"},
        ],
    },

    # ── Sensitive data exposure ─────────────────────────────────────

    "CWE-312": {
        "name": "Cleartext Storage of Sensitive Information",
        "full_name": "Cleartext Storage of Sensitive Information",
        "source": "MITRE CWE v4.14",
        "nist_severity": "MEDIUM",
        "cvss_base": 5.5,
        "owasp_2021": "A02:2021 – Cryptographic Failures",
        "cwe_url": "https://cwe.mitre.org/data/definitions/312.html",
        "description": "Sensitive information (passwords, keys, PII) is stored in cleartext.",
        "remediation_en": "Encrypt sensitive data at rest. Use hardware security modules for keys.",
        "remediation_zh": "加密靜態敏感資料。使用硬體安全模組管理金鑰。",
        "representative_cves": [
            {"id": "CVE-2023-27163", "cvss": 7.5, "vendor": "request-baskets", "year": 2023,
             "note": "SSRF exposing internal credentials in cleartext"},
        ],
    },

    "CWE-200": {
        "name": "Exposure of Sensitive Information",
        "full_name": "Exposure of Sensitive Information to an Unauthorized Actor",
        "source": "MITRE CWE v4.14",
        "nist_severity": "MEDIUM",
        "cvss_base": 5.3,
        "owasp_2021": "A02:2021 – Cryptographic Failures",
        "cwe_url": "https://cwe.mitre.org/data/definitions/200.html",
        "description": "The product exposes sensitive information to an actor that is not explicitly authorized to access it.",
        "remediation_en": "Apply least-privilege principle. Audit error messages and logs for sensitive data leakage.",
        "remediation_zh": "應用最小權限原則。審核錯誤訊息和日誌中的敏感資料洩漏。",
        "representative_cves": [
            {"id": "CVE-2023-23752", "cvss": 7.5, "vendor": "Joomla", "year": 2023,
             "note": "Unauthorized information disclosure via REST API"},
        ],
    },

    "CWE-798": {
        "name": "Use of Hard-coded Credentials",
        "full_name": "Use of Hard-coded Credentials",
        "source": "MITRE CWE v4.14",
        "nist_severity": "CRITICAL",
        "cvss_base": 9.8,
        "owasp_2021": "A07:2021 – Identification and Authentication Failures",
        "cwe_url": "https://cwe.mitre.org/data/definitions/798.html",
        "description": "The software contains hard-coded credentials such as passwords or cryptographic keys.",
        "remediation_en": "Remove all hard-coded credentials. Use environment variables or secret management systems.",
        "remediation_zh": "移除所有硬編碼憑證。改用環境變數或密鑰管理系統（Vault、AWS Secrets Manager 等）。",
        "representative_cves": [
            {"id": "CVE-2022-29303", "cvss": 9.8, "vendor": "SolarView Compact", "year": 2022,
             "note": "Hard-coded credentials enabling backdoor access"},
            {"id": "CVE-2021-20090", "cvss": 9.8, "vendor": "Buffalo Router", "year": 2021,
             "note": "Hard-coded admin credentials"},
        ],
    },

    # ── Cryptographic weaknesses ────────────────────────────────────

    "CWE-326": {
        "name": "Inadequate Encryption Strength",
        "full_name": "Inadequate Encryption Strength",
        "source": "MITRE CWE v4.14",
        "nist_severity": "MEDIUM",
        "cvss_base": 5.9,
        "owasp_2021": "A02:2021 – Cryptographic Failures",
        "cwe_url": "https://cwe.mitre.org/data/definitions/326.html",
        "description": "The software stores or transmits sensitive data using an algorithm that is insufficiently strong given current conditions.",
        "remediation_en": "Use AES-256 for symmetric encryption. Use RSA-2048+ or ECC P-256+ for asymmetric. Avoid MD5, SHA-1, DES.",
        "remediation_zh": "對稱加密使用 AES-256。非對稱使用 RSA-2048+ 或 ECC P-256+。避免 MD5、SHA-1、DES。",
        "representative_cves": [
            {"id": "CVE-2022-3602", "cvss": 7.5, "vendor": "OpenSSL", "year": 2022,
             "note": "Inadequate certificate verification"},
        ],
    },

    "CWE-295": {
        "name": "Improper Certificate Validation",
        "full_name": "Improper Certificate Validation",
        "source": "MITRE CWE v4.14",
        "nist_severity": "HIGH",
        "cvss_base": 7.4,
        "owasp_2021": "A02:2021 – Cryptographic Failures",
        "cwe_url": "https://cwe.mitre.org/data/definitions/295.html",
        "description": "The software does not validate, or incorrectly validates, a certificate.",
        "remediation_en": "Enable full certificate chain validation. Pin certificates for high-value connections.",
        "remediation_zh": "啟用完整的憑證鏈驗證。對高價值連線使用憑證鎖定（Certificate Pinning）。",
        "representative_cves": [
            {"id": "CVE-2021-3449", "cvss": 5.9, "vendor": "OpenSSL", "year": 2021,
             "note": "NULL pointer dereference during certificate validation"},
        ],
    },

    # ── Access control ──────────────────────────────────────────────

    "CWE-862": {
        "name": "Missing Authorization",
        "full_name": "Missing Authorization",
        "source": "MITRE CWE v4.14",
        "nist_severity": "HIGH",
        "cvss_base": 8.8,
        "owasp_2021": "A01:2021 – Broken Access Control",
        "cwe_url": "https://cwe.mitre.org/data/definitions/862.html",
        "description": "The software does not perform an authorization check when an actor attempts to access a resource or perform an action.",
        "remediation_en": "Implement authorization checks on every endpoint. Use deny-by-default policy.",
        "remediation_zh": "在每個端點實作授權檢查。使用預設拒絕策略。",
        "representative_cves": [
            {"id": "CVE-2023-23752", "cvss": 7.5, "vendor": "Joomla", "year": 2023,
             "note": "Missing authorization allowing data access"},
            {"id": "CVE-2022-27096", "cvss": 8.8, "vendor": "Multiple Web Apps", "year": 2022,
             "note": "Broken access control leading to privilege escalation"},
        ],
    },

    "CWE-287": {
        "name": "Improper Authentication",
        "full_name": "Improper Authentication",
        "source": "MITRE CWE v4.14",
        "nist_severity": "CRITICAL",
        "cvss_base": 9.8,
        "owasp_2021": "A07:2021 – Identification and Authentication Failures",
        "cwe_url": "https://cwe.mitre.org/data/definitions/287.html",
        "description": "When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.",
        "remediation_en": "Use strong multi-factor authentication. Validate session tokens properly.",
        "remediation_zh": "使用強多因素認證。正確驗證 Session Token。",
        "representative_cves": [
            {"id": "CVE-2022-35405", "cvss": 9.8, "vendor": "Zoho ManageEngine", "year": 2022,
             "note": "Authentication bypass via improper validation"},
        ],
    },

    "CWE-306": {
        "name": "Missing Authentication for Critical Function",
        "full_name": "Missing Authentication for Critical Function",
        "source": "MITRE CWE v4.14",
        "nist_severity": "CRITICAL",
        "cvss_base": 9.8,
        "owasp_2021": "A07:2021 – Identification and Authentication Failures",
        "cwe_url": "https://cwe.mitre.org/data/definitions/306.html",
        "description": "The software does not perform any authentication for functionality that requires a provable user identity.",
        "remediation_en": "Require authentication for all sensitive operations. Implement zero-trust model.",
        "remediation_zh": "所有敏感操作都要求認證。實作零信任模型。",
        "representative_cves": [
            {"id": "CVE-2021-20090", "cvss": 9.8, "vendor": "Buffalo Network Device", "year": 2021,
             "note": "Authentication bypass allowing unauthorized access"},
        ],
    },

    # ── Open Redirect and SSRF ────────────────────────────────────────────────

    "CWE-601": {
        "name": "Open Redirect",
        "full_name": "URL Redirection to Untrusted Site",
        "source": "MITRE CWE v4.14",
        "nist_severity": "MEDIUM",
        "cvss_base": 6.1,
        "owasp_2021": "A01:2021 – Broken Access Control",
        "cwe_url": "https://cwe.mitre.org/data/definitions/601.html",
        "description": "The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect.",
        "remediation_en": "Use an allowlist of permitted redirect hosts (exact match, not substring) or only relative paths. Reject protocol-relative (//host), backslash and userinfo tricks, and rebuild the Location value from validated parts instead of echoing user input.",
        "remediation_zh": "Use an allowlist of permitted redirect URLs. Avoid using user input in redirect destinations.",
        # No representative CVE recorded for this entry (CVE-2023-33246, previously listed here,
        # is the Apache RocketMQ remote command execution issue, not an open redirect).
        "representative_cves": [],
    },

    "CWE-918": {
        "name": "Server-Side Request Forgery (SSRF)",
        "full_name": "Server-Side Request Forgery (SSRF)",
        "source": "MITRE CWE v4.14",
        "nist_severity": "HIGH",
        "cvss_base": 8.6,
        "owasp_2021": "A10:2021 – Server-Side Request Forgery",
        "cwe_url": "https://cwe.mitre.org/data/definitions/918.html",
        "description": "The server can be induced to make requests to unintended locations, including internal network services.",
        "remediation_en": "Allowlist schemes and destination hosts. Resolve the hostname and reject any address that is loopback, link-local (cloud metadata), RFC 1918, CGNAT or IPv4-mapped; pin the connection to the checked address and do not follow redirects blindly. Disable unnecessary URL schemes.",
        "remediation_zh": "Validate and allowlist URLs. Block access to internal IP ranges. Disable unnecessary URL schemes.",
        "representative_cves": [
            {"id": "CVE-2023-27163", "cvss": 7.5, "vendor": "request-baskets", "year": 2023,
             "note": "SSRF allowing internal network access"},
            {"id": "CVE-2019-8451", "cvss": 6.8, "vendor": "Jira", "year": 2019,
             "note": "SSRF via the /plugins/servlet/gadgets/makeRequest resource (JiraWhitelist logic bug)"},
        ],
    },

    # ── Memory and Resource Issues ────────────────────────────────────────────

    "CWE-119": {
        "name": "Buffer Overflow",
        "full_name": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
        "source": "MITRE CWE v4.14",
        "nist_severity": "CRITICAL",
        "cvss_base": 9.8,
        "owasp_2021": "Not mapped in OWASP Top 10 2021 (memory-safety weakness, not a web-application category)",
        "cwe_url": "https://cwe.mitre.org/data/definitions/119.html",
        "description": "The software performs operations on a memory buffer but can read from or write to a memory location outside of its intended bounds.",
        "remediation_en": "Use memory-safe languages. Use bounds-checked functions and explicit length checks. Enable stack canaries, ASLR and NX (these raise exploitation cost but do not remove the bug).",
        "remediation_zh": "Use memory-safe languages. Enable stack canaries, ASLR and NX. Use bounds-checked functions.",
        "representative_cves": [
            {"id": "CVE-2022-3602", "cvss": 7.5, "vendor": "OpenSSL", "year": 2022,
             "note": "4-byte stack buffer overflow in X.509 punycode decoding during name-constraint checking"},
        ],
    },

    "CWE-120": {
        "name": "Classic Buffer Overflow",
        "full_name": "Buffer Copy without Checking Size of Input",
        "source": "MITRE CWE v4.14",
        "nist_severity": "CRITICAL",
        "cvss_base": 9.8,
        "owasp_2021": "Not mapped in OWASP Top 10 2021 (memory-safety weakness, not a web-application category)",
        "cwe_url": "https://cwe.mitre.org/data/definitions/120.html",
        "description": "The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.",
        "remediation_en": "Check the input length against the destination size before copying; prefer snprintf or strlcpy-style bounded copies (strncpy does not guarantee NUL termination). Prefer C++ std::string or Rust.",
        "remediation_zh": "Use strncpy/strncat with size limits. Prefer C++ std::string or Rust.",
        "representative_cves": [
            {"id": "CVE-2021-3156", "cvss": 7.8, "vendor": "sudo", "year": 2021,
             "note": "Heap-based buffer overflow (Baron Samedit)"},
        ],
    },

    "CWE-416": {
        "name": "Use After Free",
        "full_name": "Use After Free",
        "source": "MITRE CWE v4.14",
        "nist_severity": "HIGH",
        "cvss_base": 7.8,
        "owasp_2021": "Not mapped in OWASP Top 10 2021 (memory-safety weakness, not a web-application category)",
        "cwe_url": "https://cwe.mitre.org/data/definitions/416.html",
        "description": "The software references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code.",
        "remediation_en": "Set pointers to NULL after freeing (defensive only; it does not protect aliased pointers). Use smart pointers and clear ownership rules in C++. Use memory-safe languages.",
        "remediation_zh": "Set pointers to NULL after freeing. Use smart pointers in C++. Prefer memory-safe languages.",
        "representative_cves": [
            {"id": "CVE-2022-2588", "cvss": 7.8, "vendor": "Linux Kernel", "year": 2022,
             "note": "Use-after-free in route4_change (net/sched/cls_route.c) leading to local privilege escalation"},
        ],
    },

    "CWE-400": {
        "name": "Uncontrolled Resource Consumption (ReDoS/DoS)",
        "full_name": "Uncontrolled Resource Consumption",
        "source": "MITRE CWE v4.14",
        "nist_severity": "HIGH",
        "cvss_base": 7.5,
        "owasp_2021": "A04:2021 – Insecure Design",
        "cwe_url": "https://cwe.mitre.org/data/definitions/400.html",
        "description": "The software does not properly control the allocation and maintenance of a limited resource, allowing attackers to cause denial of service via resource exhaustion.",
        "remediation_en": "Implement rate limiting and per-client concurrency caps. Audit regexes for exponential backtracking. Set explicit limits on request size, recursion depth and timeouts.",
        "remediation_zh": "Implement rate limiting. Audit regular expressions for exponential backtracking. Set resource limits.",
        "representative_cves": [
            {"id": "CVE-2023-44487", "cvss": 7.5, "vendor": "HTTP/2 implementations (multiple vendors)", "year": 2023,
             "note": "HTTP/2 Rapid Reset: stream creation and cancellation floods exhaust server resources"},
        ],
    },

    "CWE-1333": {
        "name": "Inefficient Regular Expression Complexity (ReDoS)",
        "full_name": "Inefficient Regular Expression Complexity",
        "source": "MITRE CWE v4.14",
        "nist_severity": "HIGH",
        "cvss_base": 7.5,
        "owasp_2021": "A04:2021 – Insecure Design",
        "cwe_url": "https://cwe.mitre.org/data/definitions/1333.html",
        "description": "The product uses a regular expression with an inefficient, exponential worst-case computational complexity that consumes excessive CPU cycles.",
        "remediation_en": "Audit regexes for catastrophic backtracking (nested quantifiers, overlapping alternations). Use linear-time regex engines (RE2-style) where possible. Enforce input length limits and match timeouts.",
        "remediation_zh": "Audit regular expressions for catastrophic backtracking. Use linear-time regex engines. Enforce timeouts.",
        "representative_cves": [
            {"id": "CVE-2021-3807", "cvss": 7.5, "vendor": "ansi-regex (npm)", "year": 2021,
             "note": "ReDoS via inefficient regular expression when stripping ANSI escape codes"},
        ],
    },

    "CWE-1321": {
        "name": "Prototype Pollution",
        "full_name": "Improperly Controlled Modification of Object Prototype Attributes",
        "source": "MITRE CWE v4.14",
        "nist_severity": "HIGH",
        "cvss_base": 8.1,
        "owasp_2021": "A03:2021 – Injection",
        "cwe_url": "https://cwe.mitre.org/data/definitions/1321.html",
        "description": "Modifying the Object prototype in JavaScript can affect all objects, allowing attackers to inject malicious properties.",
        "remediation_en": "Use Object.create(null) or Map for attacker-keyed maps. Reject the keys __proto__, constructor and prototype in recursive merge/set. Use hasOwnProperty checks and consider Object.freeze(Object.prototype).",
        "remediation_zh": "Use Object.create(null) as a map. Validate key names. Use hasOwnProperty checks.",
        "representative_cves": [
            {"id": "CVE-2022-37601", "cvss": 9.8, "vendor": "loader-utils (npm)", "year": 2022,
             "note": "Prototype pollution via webpack loader configuration"},
            {"id": "CVE-2020-8203", "cvss": 7.4, "vendor": "lodash", "year": 2020,
             "note": "Prototype pollution via _.zipObjectDeep before 4.17.20"},
        ],
    },

}

# โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
# ๆŸฅ่ฉขๅ‡ฝๅผ
# โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

def get_cwe_info(cwe_id: str) -> dict | None:
    """
    Look up the official CWE record for an identifier.

    Args:
        cwe_id: CWE identifier, e.g. "CWE-89". A bare number ("89") or a
            variant spelling ("cwe_89", "CWE 89") is normalised to "CWE-89".

    Returns:
        The CWE record dict, or None if the identifier is not in the database
    """
    normalized = cwe_id.strip().upper().replace("_", "-").replace(" ", "-")
    if normalized.isdigit():
        normalized = f"CWE-{normalized}"
    result = CWE_DATABASE.get(normalized)
    if result is None:
        logger.debug("[CWE_DB] CWE not found in database: %s", normalized)
    return result


def format_cwe_for_advisor(cwe_id: str, include_cves: bool = True) -> str:
    """
    Format a CWE record for Advisor output.

    Format design principles:
    - State the source explicitly (these fields are curated, not LLM-generated)
    - Include the official MITRE definition, NIST severity and OWASP mapping
    - Optionally list representative CVEs, with a disclaimer that they are
      examples of the weakness class, not findings against the analysed code

    Args:
        cwe_id: CWE identifier
        include_cves: whether to append representative CVEs

    Returns:
        The formatted multi-line string
    """
    info = get_cwe_info(cwe_id)
    if not info:
        return f"[{cwe_id}] No official data found in MITRE CWE v4.14 database"

    lines = [
        f"[{cwe_id}] {info['name']}",
        f"Source: {info.get('source', 'MITRE CWE')} | "
        f"NIST severity: {info.get('nist_severity', 'N/A')} | "
        f"CVSS Base: {info.get('cvss_base', 'N/A')}",
        f"OWASP: {info.get('owasp_2021', 'N/A')}",
        f"Official URL: {info.get('cwe_url', '')}",
        f"Definition: {info.get('description', '')}",
        f"Remediation: {info.get('remediation_en') or info.get('remediation_zh', 'N/A')}",
    ]

    if include_cves:
        rep_cves = info.get("representative_cves", [])
        if rep_cves:
            lines.append(
                "Representative CVEs (real-world cases of the same weakness class, "
                "not CVEs for the analysed code itself):"
            )
            for cve in rep_cves[:3]:  # at most 3
                lines.append(
                    f"  → {cve['id']} | CVSS {cve['cvss']} | "
                    f"{cve.get('vendor', '')} ({cve.get('year', '')}) | "
                    f"{cve.get('note', '')}"
                )

    return "\n".join(lines)


def get_cwe_severity(cwe_id: str) -> str:
    """Return the CWE's NIST severity level (CRITICAL/HIGH/MEDIUM/LOW), or UNKNOWN if not in the database"""
    info = get_cwe_info(cwe_id)
    return info.get("nist_severity", "UNKNOWN") if info else "UNKNOWN"


def get_representative_cves(cwe_id: str) -> list[dict]:
    """Return copies of the CWE's representative CVE records (at most 3), or an empty list if not in the database"""
    info = get_cwe_info(cwe_id)
    return [dict(cve) for cve in info.get("representative_cves", [])[:3]] if info else []


def list_covered_cwes() -> list[str]:
    """Return every CWE ID covered by the database, sorted"""
    return sorted(CWE_DATABASE.keys())
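The CWE-601 entry above prescribes an allowlist of redirect hosts and rebuilding the destination from validated parts. The following is an added example of that check, not part of the module or its project; `ALLOWED_REDIRECT_HOSTS` and the fallback path are constructed for the demonstration. It exercises the classic bypass shapes (protocol-relative `//host`, `https:host`, backslashes, userinfo, `#@`), which a substring match on the hostname would miss.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for this example: hosts the application may redirect to.
ALLOWED_REDIRECT_HOSTS = frozenset({"app.example.com", "accounts.example.com"})
FALLBACK_REDIRECT = "/"


def safe_redirect_target(raw: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS,
                         fallback: str = FALLBACK_REDIRECT) -> str:
    """Return `raw` only if it is a same-origin path or an http(s) URL whose host
    is allowlisted; otherwise return `fallback`. Host matching is exact."""
    if not raw:
        return fallback
    # Browsers treat "\" like "/" in URLs and strip some control characters,
    # urlsplit does not; refuse such input instead of trying to canonicalise it.
    if "\\" in raw or any(ord(c) < 0x20 for c in raw):
        return fallback
    try:
        parts = urlsplit(raw)
        host, port = parts.hostname, parts.port  # .port raises ValueError on junk ports
    except ValueError:
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept a single leading "/" only. "//host" lands in
        # netloc and "///host" is rejected here because browsers may read it as //host.
        return raw if raw.startswith("/") and not raw.startswith("//") else fallback
    if parts.scheme not in ("http", "https"):
        return fallback  # rejects javascript:, data:, protocol-relative "//host", "https:host"
    if host is None or host not in allowed_hosts:
        return fallback  # "https://app.example.com@evil.com": hostname is evil.com
    # Rebuild from validated pieces so userinfo never reaches the Location header.
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, parts.fragment))
```

Hostnames come back from `urlsplit` lower-cased and with the port stripped, so `HTTPS://App.Example.com/x` normalises to `https://app.example.com/x`. Anything the function cannot prove safe collapses to the fallback; there is no attempt to "fix" a suspicious URL.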
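The CWE-918 entry says to allowlist schemes, block internal ranges and check the resolved address rather than the hostname string. This is an added example of that guard, not code from the module or its project. It resolves through an injectable `resolver` so the demonstration runs offline against a constructed `FAKE_DNS` table; `system_resolver` is the real-world default. The port policy (80/443 only) is an assumption for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})


def system_resolver(host: str) -> list[str]:
    """Resolve `host` to every A/AAAA address via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],         # cloud metadata endpoint
    "rebind.example": ["93.184.216.34", "10.0.0.5"],  # public + private (round-robin / rebinding)
    "localhost": ["127.0.0.1", "::1"],
    "mapped.example": ["::ffff:127.0.0.1"],           # IPv4-mapped IPv6 loopback
    "169.254.169.254": ["169.254.169.254"],
    "0177.0.0.1": ["127.0.0.1"],                      # octal form inet_aton accepts
    "2852039166": ["169.254.169.254"],                # decimal form of 169.254.169.254
}


def fake_resolver(host: str) -> list[str]:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}") from None


def check_outbound_url(url: str, resolver=system_resolver) -> tuple[bool, str]:
    """Return (allowed, reason). Allowed only if the scheme is http(s), there is
    no userinfo, the port is 80/443, and EVERY address the host resolves to is
    globally routable."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    if port is not None and port not in (80, 443):
        return False, f"port {port} not allowed"
    try:
        addrs = resolver(host)
    except (socket.gaierror, OSError) as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolves to no addresses"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:a.b.c.d must be judged as a.b.c.d
        # is_global is False for loopback, link-local (incl. 169.254.169.254),
        # RFC 1918, CGNAT 100.64/10, unique-local IPv6 and documentation ranges.
        if not ip.is_global or ip.is_multicast:
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

Two caveats a pass/fail check cannot cover on its own: the resolution here and the HTTP client's own resolution are separate lookups (DNS rebinding can return a different answer the second time), so the client should connect to the address that was checked; and a 3xx from a permitted host can point anywhere, so redirects must be disabled or re-checked per hop.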
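The CWE-287 entry asks for proper session-token validation and the CWE-306 entry for authentication on every sensitive operation. The following added example (not the module's or its project's code) covers both: an HMAC-signed token with an expiry, a verifier that checks the MAC in constant time before touching the payload, and a decorator that refuses to run a handler without verified claims. `DEMO_KEY` is a constructed placeholder; a real key comes from a secret store.

```python
import base64
import functools
import hashlib
import hmac
import json
import time

# Assumption for the example only: a real key comes from a KMS/secret store.
DEMO_KEY = b"constructed-demo-key-do-not-use"
DEFAULT_TTL_S = 900


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_s: int = DEFAULT_TTL_S,
                now: float | None = None, key: bytes = DEMO_KEY) -> str:
    """Return "<payload>.<hmac>"; the payload carries the subject and an expiry."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "exp": int(now + ttl_s)},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_token(token: str, now: float | None = None,
                 key: bytes = DEMO_KEY) -> dict | None:
    """Return the claims if `token` is authentic and unexpired, else None.
    The MAC is checked before the payload is parsed, with a constant-time
    compare, so malformed JSON and timing differences give an attacker nothing."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, TypeError):  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # never `tag == expected`
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return None  # a valid signature on an expired or exp-less token is not enough
    return claims


class AuthRequired(Exception):
    """Raised when a protected operation is invoked without a valid session."""


def requires_auth(handler):
    """Decorator: the handler only ever runs with verified claims (CWE-306 guard)."""
    @functools.wraps(handler)
    def wrapper(token: str, *args, **kwargs):
        claims = verify_token(token)
        if claims is None:
            raise AuthRequired("valid session token required")
        return handler(claims, *args, **kwargs)
    return wrapper


@requires_auth
def whoami(claims: dict) -> str:
    """Example protected operation: identity comes from the verified token only."""
    return claims["sub"]
```

The handler receives `claims`, not the raw token or a user id from the request body, so there is no way to reach the sensitive code path with a self-asserted identity. Revocation and MFA state are deliberately out of scope here; a production verifier would additionally consult a session store for those.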