feat(cwe): update CWE dictionary

[MaineK00n]

What did you implement:

update CWE dictionary.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)

How Has This Been Tested?

report

$ vuls report -format-full-text
// ...
+-------------------+----------------------------------------------------------------------------------------+
| CVE-2020-35501    | UNFIXED                                                                                |
+-------------------+----------------------------------------------------------------------------------------+
| Max Score         | 3.9 LOW (ubuntu)                                                                       |
| redhat_api        | 3.4/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N LOW                                   |
| ubuntu            | 0.1-3.9 LOW                                                                            |
| Summary           | kernel: audit not logging access to syscall open_by_handle_at for users with           |
|                   | CAP_DAC_READ_SEARCH capability                                                         |
| Mitigation        | https://access.redhat.com/security/cve/CVE-2020-35501                                  |
| Primary Src       | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-35501                           |
| Affected Pkg      | linux-image-5.13.0-39-generic-5.13.0-39.44~20.04.1 -> Not fixed yet                    |
| Confidence        | 100 / OvalMatch                                                                        |
| CWE               | [OWASP(2017) Top5] CWE-284: Improper Access Control (redhat_api)                       |
| CWE               | [OWASP(2021) Top1] CWE-284: Improper Access Control (redhat_api)                       |
| CWE               | https://cwe.mitre.org/data/definitions/CWE-284.html                                    |
| OWASP(2017) Top10 | https://github.com/OWASP/Top10/blob/master/2017/en/0xa5-broken-access-control.md       |
| OWASP(2021) Top10 | https://github.com/OWASP/Top10/blob/master/2021/docs/A01_2021-Broken_Access_Control.md |
+-------------------+----------------------------------------------------------------------------------------+
// ...
+------------------------+----------------------------------------------------------------------------------+
| CVE-2021-20203         | UNFIXED                                                                          |
+------------------------+----------------------------------------------------------------------------------+
| Max Score              | 3.2 LOW (redhat_api)                                                             |
| redhat_api             | 3.2/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L LOW                             |
| nvd                    | 3.2/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L LOW                             |
| jvn                    | 3.2/CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L LOW                             |
| nvd                    | 2.1/AV:L/AC:L/Au:N/C:N/I:N/A:P LOW                                               |
| jvn                    | 2.1/AV:L/AC:L/Au:N/C:N/I:N/A:P LOW                                               |
| Summary                | An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for  |
|                        | versions up to v5.2.0. It may occur if a guest was to supply invalid values for  |
|                        | rx/tx queue size or other NIC parameters. A privileged guest user may use this   |
|                        | flaw to crash the QEMU process on the host resulting in DoS scenario.            |
| Primary Src            | https://nvd.nist.gov/vuln/detail/CVE-2021-20203                                  |
| Patch                  | https://bugs.launchpad.net/qemu/+bug/1913873                                     |
| Patch                  | https://bugzilla.redhat.com/show_bug.cgi?id=1922441                              |
| Affected Pkg           | qemu-1:4.2-3ubuntu6.21 -> open                                                   |
| Confidence             | 100 / UbuntuAPIMatch                                                             |
| CWE                    | [CWE(2019) Top8] CWE-190: Integer Overflow or Wraparound (redhat_api)            |
| CWE                    | [CWE(2020) Top11] CWE-190: Integer Overflow or Wraparound (redhat_api)           |
| CWE                    | [CWE(2021) Top12] CWE-190: Integer Overflow or Wraparound (redhat_api)           |
| CWE                    | [CWE/SANS(2010) Top17]  CWE-190: Integer Overflow or Wraparound (redhat_api)     |
| CWE                    | [CWE/SANS(2011) Top24]  CWE-190: Integer Overflow or Wraparound (redhat_api)     |
| CWE                    | [CWE/SANS(latest) Top8]  CWE-190: Integer Overflow or Wraparound (redhat_api)    |
| CWE                    | https://cwe.mitre.org/data/definitions/CWE-190.html                              |
| InTheWild              | https://bugs.launchpad.net/qemu/+bug/1913873                                     |
| CWE(2019) Top25        | https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html                     |
| CWE(2020) Top25        | https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html                     |
| CWE(2021) Top25        | https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html                     |
| SANS/CWE(2010) Top25   | https://cwe.mitre.org/top25/archive/2010/2010_cwe_sans_top25.html                |
| SANS/CWE(2011) Top25   | https://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.html                |
| SANS/CWE(latest) Top25 | https://www.sans.org/top25-software-errors/                                      |
+------------------------+----------------------------------------------------------------------------------+
// ...

scan result

before

"cweDict": {
    "200": {
        "en": {
            "cweID": "200",
            "name": "Information Exposure",
            "description": "An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.",
            "extendedDescription": ""
        },
        "owaspTopTen2017": "",
        "cweTopTwentyfive2019": "4",
        "sansTopTwentyfive": ""
    },

after

"cweDict": {
    "200": {
        "en": {
            "cweID": "200",
            "name": "Exposure of Sensitive Information to an Unauthorized Actor",
            "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
            "extendedDescription": ""
        },
        "owaspTopTens": {
            "2021": "1"
        },
        "cweTopTwentyfives": {
            "2019": "4",
            "2020": "7",
            "2021": "20"
        },
        "sansTopTwentyfives": {
            "latest": "4"
        }
    },

Checklist:

You don't have to satisfy all of the following.

• Write tests
• Write documentation
• Check that there aren't other open pull requests for the same issue/feature
• Format your source code by make fmt
• Pass the test by make test
• Provide verification config / commands
• Enable "Allow edits from maintainers" for this PR
• Update the messages below

Is this ready for review?: YES

Reference