add post on CWEs (#50)

Author: monperrus

cwe-software-supplu-chain.md

@@ -0,0 +1,39 @@
+---
+title: Software suply chain CWEs
+---
+
+What are the CWEs from the [Common Weakness Enumeration](https://cwe.mitre.org/) related to software supply chain issues?
+
+1. Dependency Management:
+- CWE-829: Inclusion of Functionality from Untrusted Control Sphere
+- CWE-494: Download of Code Without Integrity Check
+- CWE-1021: Improper Restriction of Rendered UI Layers or Frames
+- CWE-937: Using Components with Known Vulnerabilities
+- CWE-1104: Use of Unmaintained Third Party Components
+- CWE-940: Improper Verification of Source of a Communication Channel
+
+2. Build Process:
+- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
+- CWE-506: Embedded Malicious Code
+- CWE-912: Hidden Functionality
+
+3. Crypto and Secrets
+- CWE-347: Improper Verification of Cryptographic Signature
+- CWE-354: Improper Validation of Integrity Check Value
+- CWE-798: Use of Hard-coded Credentials
+- CWE-311: Missing Encryption of Sensitive Data
+- CWE-326: Inadequate Encryption Strength
+
+4. Update Mechanisms:
+- CWE-441: Unintended Proxy or Intermediary
+- CWE-494: Download of Code Without Integrity Check
+- CWE-799: Improper Control of Interaction Frequency
+
+5. Repository Security:
+- CWE-284: Improper Access Control
+- CWE-287: Improper Authentication
+- CWE-522: Insufficiently Protected Credentials
+
+6. Configuration Management:
+- CWE-16: Configuration
+- CWE-520: .NET Misconfiguration: Use of Impersonation

index.md

@@ -84,6 +84,7 @@ See [https://github.com/chains-project/](https://github.com/orgs/chains-project/
 - [Software supply chain attacks on crypto infrastructure](software-supply-chain-attacks-crypto.md)
 - [NIX and the supply chain, debrief of NixCon 2022](nixcon-2022.md)
 - [SBOMs for your GitHub Releases](sbom-github.md)
+- [Software suply chain CWEs](cwe-software-supplu-chain.md)
 
 ## Team