"""Canonical CWE registry shared by pipeline, Advisor, UI payloads, and tests.""" from __future__ import annotations from dataclasses import dataclass from typing import Any @dataclass(frozen=True) class CwePatternMeta: cwe_id: str owasp_category: str severity: str weakness_family: str evidence_type: str = "code_scan" DEFAULT_PATTERN_META = CwePatternMeta( cwe_id="CWE-unknown", owasp_category="A03:2021-Injection", severity="MEDIUM", weakness_family="unknown", ) SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0} def _family_for_cwe(cwe_id: str) -> str: family_by_cwe = { "CWE-22": "path_traversal", "CWE-78": "command_injection", "CWE-79": "xss", "CWE-89": "sql_injection", "CWE-90": "ldap_injection", "CWE-94": "code_injection", "CWE-98": "file_inclusion", "CWE-119": "memory_safety", "CWE-120": "memory_safety", "CWE-134": "format_string", "CWE-190": "integer_overflow", "CWE-248": "exception_handling", "CWE-327": "weak_crypto", "CWE-362": "race_condition", "CWE-377": "temporary_file", "CWE-415": "memory_safety", "CWE-416": "memory_safety", "CWE-434": "file_upload", "CWE-476": "null_dereference", "CWE-502": "unsafe_deserialization", "CWE-611": "xxe", "CWE-798": "hardcoded_secret", "CWE-917": "expression_injection", "CWE-918": "ssrf", "CWE-943": "nosql_injection", "CWE-1321": "prototype_pollution", "CWE-1333": "redos", "CWE-915": "mass_assignment", } return family_by_cwe.get(cwe_id, "code_weakness") def _meta(cwe_id: str, owasp_category: str, severity: str) -> CwePatternMeta: return CwePatternMeta( cwe_id=cwe_id, owasp_category=owasp_category, severity=severity, weakness_family=_family_for_cwe(cwe_id), ) PATTERN_CWE_REGISTRY: dict[str, CwePatternMeta] = { "SQL_INJECTION": _meta("CWE-89", "A03:2021-Injection", "CRITICAL"), "SQL_CONCAT": _meta("CWE-89", "A03:2021-Injection", "CRITICAL"), "SQL_CONCAT_PHP": _meta("CWE-89", "A03:2021-Injection", "CRITICAL"), "SQL_FORMAT_RUST": _meta("CWE-89", "A03:2021-Injection", "CRITICAL"), "SQL_INJECT_CS": _meta("CWE-89", "A03:2021-Injection", "CRITICAL"), "SQL_STATEMENT": _meta("CWE-89", "A03:2021-Injection", "CRITICAL"), "TAINT_SUPERGLOBAL": _meta("CWE-89", "A03:2021-Injection", "HIGH"), "CMD_INJECTION": _meta("CWE-78", "A03:2021-Injection", "CRITICAL"), "COMMAND_INJECTION": _meta("CWE-78", "A03:2021-Injection", "CRITICAL"), "CMD_RUST": _meta("CWE-78", "A03:2021-Injection", "CRITICAL"), "FFI_SYSTEM": _meta("CWE-78", "A03:2021-Injection", "CRITICAL"), "DANGEROUS_ALIAS_PY": _meta("CWE-78", "A03:2021-Injection", "CRITICAL"), "SUBPROCESS_SHELL_ALIAS_PY": _meta("CWE-78", "A03:2021-Injection", "CRITICAL"), "OPEN_PIPE": _meta("CWE-78", "A03:2021-Injection", "CRITICAL"), "SHELL_EXEC": _meta("CWE-78", "A03:2021-Injection", "CRITICAL"), "CHILD_PROCESS": _meta("CWE-78", "A03:2021-Injection", "CRITICAL"), "CMD_INJECTION_CS": _meta("CWE-78", "A03:2021-Injection", "CRITICAL"), "CMD_UNSAFE": _meta("CWE-78", "A03:2021-Injection", "CRITICAL"), "CMD_PATTERN": _meta("CWE-78", "A03:2021-Injection", "HIGH"), "INNERHTML_XSS": _meta("CWE-79", "A03:2021-Injection", "HIGH"), "REFLECTED_XSS_JS": _meta("CWE-79", "A03:2021-Injection", "HIGH"), "XSS": _meta("CWE-79", "A03:2021-Injection", "HIGH"), "XSS_ECHO_PHP": _meta("CWE-79", "A03:2021-Injection", "HIGH"), "XSS_CS": _meta("CWE-79", "A03:2021-Injection", "HIGH"), "TEMPLATE_UNESCAPED": _meta("CWE-79", "A03:2021-Injection", "HIGH"), "EVAL_EXEC": _meta("CWE-94", "A03:2021-Injection", "CRITICAL"), "EVAL_USAGE": _meta("CWE-94", "A03:2021-Injection", "CRITICAL"), "EVAL_INJECTION": _meta("CWE-94", "A03:2021-Injection", "CRITICAL"), "CODE_INJECTION": _meta("CWE-94", "A03:2021-Injection", "CRITICAL"), "FILE_INCLUDE": _meta("CWE-98", "A03:2021-Injection", "HIGH"), "FILE_INCLUSION": _meta("CWE-98", "A03:2021-Injection", "HIGH"), "SSRF_RISK": _meta("CWE-918", "A10:2021-Server-Side Request Forgery", "HIGH"), "SSRF": _meta("CWE-918", "A10:2021-Server-Side Request Forgery", "HIGH"), "SSRF_VARIABLE": _meta("CWE-918", "A10:2021-Server-Side Request Forgery", "HIGH"), "SSRF_PHP": _meta("CWE-918", "A10:2021-Server-Side Request Forgery", "HIGH"), "SSRF_GO": _meta("CWE-918", "A10:2021-Server-Side Request Forgery", "HIGH"), "SSRF_JAVA": _meta("CWE-918", "A10:2021-Server-Side Request Forgery", "HIGH"), "SSRF_JS": _meta("CWE-918", "A10:2021-Server-Side Request Forgery", "HIGH"), "PICKLE_UNSAFE": _meta("CWE-502", "A08:2021-Software and Data Integrity", "CRITICAL"), "YAML_UNSAFE": _meta("CWE-502", "A08:2021-Software and Data Integrity", "HIGH"), "UNSERIALIZE_PHP": _meta("CWE-502", "A08:2021-Software and Data Integrity", "CRITICAL"), "DESERIALIZATION": _meta("CWE-502", "A08:2021-Software and Data Integrity", "CRITICAL"), "INSECURE_DESERIALIZATION": _meta("CWE-502", "A08:2021-Software and Data Integrity", "CRITICAL"), "DESERIALIZE_UNSAFE": _meta("CWE-502", "A08:2021-Software and Data Integrity", "CRITICAL"), "DESERIALIZE_UNSAFE_CS": _meta("CWE-502", "A08:2021-Software and Data Integrity", "CRITICAL"), "HARDCODED_SECRET": _meta("CWE-798", "A07:2021-Identification and Authentication Failures", "HIGH"), "HARDCODED_CREDENTIALS": _meta("CWE-798", "A07:2021-Identification and Authentication Failures", "HIGH"), "PATH_TRAVERSAL": _meta("CWE-22", "A01:2021-Broken Access Control", "HIGH"), "PATH_TRAVERSAL_PHP": _meta("CWE-22", "A01:2021-Broken Access Control", "HIGH"), "PATH_TRAVERSAL_JAVA": _meta("CWE-22", "A01:2021-Broken Access Control", "HIGH"), "PATH_TRAVERSAL_JS": _meta("CWE-22", "A01:2021-Broken Access Control", "HIGH"), "PATH_TRAVERSAL_CS": _meta("CWE-22", "A01:2021-Broken Access Control", "HIGH"), "XXE": _meta("CWE-611", "A05:2021-Security Misconfiguration", "HIGH"), "XXE_ENTITY": _meta("CWE-611", "A05:2021-Security Misconfiguration", "HIGH"), "XXE_FACTORY": _meta("CWE-611", "A05:2021-Security Misconfiguration", "HIGH"), "XXE_PHP": _meta("CWE-611", "A05:2021-Security Misconfiguration", "HIGH"), "XXE_CS": _meta("CWE-611", "A05:2021-Security Misconfiguration", "HIGH"), "XXE_FAULT": _meta("CWE-611", "A05:2021-Security Misconfiguration", "HIGH"), "LDAP_INJECTION": _meta("CWE-90", "A03:2021-Injection", "HIGH"), "LDAP_INJECT_CS": _meta("CWE-90", "A03:2021-Injection", "HIGH"), "PROTOTYPE_POLLUTION": _meta("CWE-1321", "A03:2021-Injection", "CRITICAL"), "NOSQL_INJECTION": _meta("CWE-943", "A03:2021-Injection", "HIGH"), "LOG4SHELL_JNDI": _meta("CWE-917", "A09:2021-Security Logging and Monitoring", "CRITICAL"), "LOG_INJECTION_JAVA": _meta("CWE-917", "A09:2021-Security Logging and Monitoring", "CRITICAL"), "BUFFER_OVERFLOW": _meta("CWE-120", "A06:2021-Vulnerable Components", "CRITICAL"), "GETS_UNSAFE": _meta("CWE-242", "A06:2021-Vulnerable Components", "HIGH"), "DOUBLE_FREE_C": _meta("CWE-415", "A06:2021-Vulnerable Components", "CRITICAL"), "INTEGER_OVERFLOW_C": _meta("CWE-190", "A06:2021-Vulnerable Components", "HIGH"), "TMPNAM_UNSAFE": _meta("CWE-377", "A06:2021-Vulnerable Components", "HIGH"), "FORMAT_STRING": _meta("CWE-134", "A03:2021-Injection", "HIGH"), "UNSAFE_BLOCK": _meta("CWE-119", "A06:2021-Vulnerable Components", "HIGH"), "RAW_PTR": _meta("CWE-119", "A06:2021-Vulnerable Components", "HIGH"), "RAW_PTR_WRITE_RUST": _meta("CWE-119", "A06:2021-Vulnerable Components", "CRITICAL"), "OUT_OF_BOUNDS_PTR_RUST": _meta("CWE-119", "A06:2021-Vulnerable Components", "CRITICAL"), "NULL_PTR_RUST": _meta("CWE-476", "A06:2021-Vulnerable Components", "HIGH"), "NULL_DEREF_RUST": _meta("CWE-476", "A06:2021-Vulnerable Components", "HIGH"), "USE_AFTER_FREE": _meta("CWE-416", "A06:2021-Vulnerable Components", "CRITICAL"), "UAF_RUST": _meta("CWE-416", "A06:2021-Vulnerable Components", "CRITICAL"), "UAF_RUST_DEREF": _meta("CWE-416", "A06:2021-Vulnerable Components", "CRITICAL"), "UNWRAP_PANIC": _meta("CWE-248", "A05:2021-Security Misconfiguration", "MEDIUM"), "UNTRUSTED_UNWRAP_RUST": _meta("CWE-248", "A05:2021-Security Misconfiguration", "HIGH"), "UPLOAD_PHP": _meta("CWE-434", "A05:2021-Security Misconfiguration", "HIGH"), "CRYPTO_WEAK": _meta("CWE-327", "A02:2021-Cryptographic Failures", "HIGH"), "RACE_CONDITION_GO": _meta("CWE-362", "A04:2021-Insecure Design", "HIGH"), "MASS_ASSIGNMENT_JS": _meta("CWE-915", "A01:2021-Broken Access Control", "HIGH"), "REDOS_JS": _meta("CWE-1333", "A06:2021-Vulnerable Components", "MEDIUM"), "REDOS": _meta("CWE-1333", "A06:2021-Vulnerable Components", "MEDIUM"), } def severity_rank(severity: str | None) -> int: return SEVERITY_RANK.get(str(severity or "UNKNOWN").upper(), 0) def get_pattern_meta(pattern_type: str | None) -> CwePatternMeta: if not pattern_type: return DEFAULT_PATTERN_META return PATTERN_CWE_REGISTRY.get(str(pattern_type).upper(), DEFAULT_PATTERN_META) def pattern_type_to_cwe(pattern_type: str | None) -> str | None: meta = get_pattern_meta(pattern_type) if meta.cwe_id == DEFAULT_PATTERN_META.cwe_id: return None return meta.cwe_id def build_cwe_reference(cwe_id: str | None) -> dict[str, Any] | None: if not cwe_id or not str(cwe_id).startswith("CWE-"): return None normalized = str(cwe_id).upper() try: from tools.cwe_database import get_cwe_info except ImportError: info = None else: info = get_cwe_info(normalized) if not info: return { "id": normalized, "name": normalized, "source": "ThreatHunter CWE registry", "nist_severity": "UNKNOWN", "cvss_base": None, "owasp_2021": "", "cwe_url": f"https://cwe.mitre.org/data/definitions/{normalized.replace('CWE-', '')}.html", "description": "", "remediation_zh": "", "representative_cves": [], "disclaimer": ( "代表性 CVE 為同類弱點的真實被利用案例," "非本程式碼的直接 CVE 識別碼。" "用於說明此類弱點的風險嚴重性。" ), } return { "id": normalized, "name": info.get("name", normalized), "source": info.get("source", "MITRE CWE v4.14"), "nist_severity": info.get("nist_severity", "UNKNOWN"), "cvss_base": info.get("cvss_base", None), "owasp_2021": info.get("owasp_2021", ""), "cwe_url": info.get("cwe_url", f"https://cwe.mitre.org/data/definitions/{normalized.replace('CWE-', '')}.html"), "description": info.get("description", "")[:300], "remediation_zh": info.get("remediation_zh", info.get("remediation_en", "")), "representative_cves": info.get("representative_cves", [])[:3], "disclaimer": ( "代表性 CVE 為同類弱點的真實被利用案例," "非本程式碼的直接 CVE 識別碼。" "用於說明此類弱點的風險嚴重性。" ), } def registry_snapshot() -> dict[str, dict[str, str]]: return { pattern_type: { "cwe_id": meta.cwe_id, "owasp_category": meta.owasp_category, "severity": meta.severity, "weakness_family": meta.weakness_family, "evidence_type": meta.evidence_type, } for pattern_type, meta in sorted(PATTERN_CWE_REGISTRY.items()) }