CWE-1003: Hierarchical Connections and Classification of Vulnerabilities

Explore the hierarchical connections between weaknesses at different abstraction levels, as used to classify vulnerabilities in sources that handle public, third-party vulnerability information such as the National Vulnerability Database (NVD).

Objective

The graph displayed here contains CWE entries that can be used to classify possible vulnerabilities in sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). The graph is intentionally not comprehensive: it includes only a select number of frequently observed weaknesses, which makes it easier for humans to use. For the same reason, it follows a simplified two-level hierarchy rather than the more intricate, category-focused navigation of the complete CWE collection.

Relationships

The graph illustrates the hierarchical connections between weaknesses at differing abstraction levels. At the highest level, weaknesses are organized into categories and pillars. Categories are not technically weaknesses themselves; they are special entries within the Common Weakness Enumeration (CWE) used to group weaknesses with similar characteristics. Pillars represent weaknesses described in the most general and abstract manner.

Below these top-level entries, weaknesses exist at various levels of abstraction. Classes are still highly abstract and are typically independent of any specific programming language or technology. Base-level weaknesses describe a more specific and detailed type of weakness. Variants, at the lowest level of abstraction, describe weaknesses limited to a particular language or technology.

Additionally, a chain is a sequence of weaknesses that must occur consecutively in order to exploit a vulnerability. Conversely, a composite is a combination of weaknesses that must all be present simultaneously to exploit a vulnerability.
