Top25 2022, 2023 EDA¶

Overview

This section outlines the Top25 dataset.

See the CWE Top 25 Methodology for context on how the Top25 was created.

Introduction¶

The Top 25 dataset contains

where a mapping is one row with one CWE per CVE.

There may be multiple rows with the same CVE to reflect multiple CWEs mapped to that CVE.

242 Unique CWE entries (including these that are not CWEs):

481 Unique CWE entries (including these that are not CWEs):

Observations

Comparing CWE word clouds, some things are clear

The Top 25 dataset contains double the number of unique CWEs compared to prior to remapping.
The mappings are more fine grained

The number of unique CWEs per CVE is approximately the same for 2022, 2023.

Distribution of counts of CWEs per CVE after Top 25 remapping i.e. how many CVEs have 1 vs 2 vs 3... CWEs per (REQ_COVERAGE_MULTIPLE_CWES)?

Observations

The number of unique CWEs per CVE is approximately the same for 2022, 2023.

Distribution of counts of CVEs per CWEs i.e. how many CVE examples per CWE do we have per (REQ_COVERAGE_MIN_ENTRIES_PER_CWE)?

Tip

Observations

The Top 50 CWEs by count, account for 77.6% of all CVEs.

~210 CWEs of ~480 have less than 5 CVEs.

some CWE Pillars have very few CVEs assigned e.g.

The CWE Pillars with most CVEs assigned are