Extract and add CWE IDs from CVE problem-types (google#4167)

Mritunjay09 · web-flow · commit bde844c11590 · 2025-10-20T16:29:22.000+11:00
Closes google#4159 Introduces the attachCWEs function to extract CWE IDs from both CNA and ADP problem-types in CVE5 records and store them in the Vulnerability's DatabaseSpecific field. Also updates the ProblemTypes struct to include a CWEID field for more accurate parsing. - Updated ProblemTypes struct to include `CweID` field to match CVE5 JSON schema. - Updated attachCWEs() function to store both CWE ID and human-readable description.
diff --git a/vulnfeeds/cvelist2osv/converter.go b/vulnfeeds/cvelist2osv/converter.go
@@ -76,6 +76,36 @@ func extractConversionMetrics(cve cves.CVE5, refs []osvschema.Reference, metrics
 	// TODO(jesslowe): Add more analysis based on ADP containers, CVSS, KEV, CWE, etc.
 }
 
+// attachCWEs extracts and adds CWE IDs from the CVE5 problem-types
+func attachCWEs(v *vulns.Vulnerability, cna cves.CNA, metrics *ConversionMetrics) {
+	var cwes []string
+
+	for _, pt := range cna.ProblemTypes {
+		for _, desc := range pt.Descriptions {
+			if desc.CWEID == "" {
+				continue
+			}
+			cwes = append(cwes, desc.CWEID)
+		}
+	}
+	if len(cwes) == 0 {
+		return
+	}
+
+	// Sort and remove duplicates
+	slices.Sort(cwes)
+	cwes = slices.Compact(cwes)
+
+	if v.DatabaseSpecific == nil {
+		v.DatabaseSpecific = make(map[string]any)
+	}
+
+	// Add CWEs to DatabaseSpecific for consistency with GHSA schema.
+	v.DatabaseSpecific["cwe_ids"] = cwes
+
+	metrics.AddNote("Extracted CWEIDs: %v", cwes)
+}
+
 // FromCVE5 creates a `vulns.Vulnerability` object from a `cves.CVE5` object.
 // It populates the main fields of the OSV record, including ID, summary, details,
 // references, timestamps, severity, and version information.
@@ -136,7 +166,8 @@ func FromCVE5(cve cves.CVE5, refs []cves.Reference, metrics *ConversionMetrics)
 		}
 	}
 
-	// TODO(jesslowe@): Add CWEs.
+	// attachCWEs extract and adds the cwes from the CVE5 Problem-types
+	attachCWEs(&v, cve.Containers.CNA, metrics)
 
 	return &v
 }
diff --git a/vulnfeeds/cvelist2osv/converter_test.go b/vulnfeeds/cvelist2osv/converter_test.go
@@ -213,7 +213,7 @@ func TestFromCVE5(t *testing.T) {
 					Details:          "An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query.",
 					Aliases:          nil,
 					Related:          nil,
-					DatabaseSpecific: nil,
+					DatabaseSpecific: map[string]any{"cwe_ids": []string{"CWE-1220"}},
 					References: []osvschema.Reference{
 						{Type: "ARTICLE", URL: "https://hackerone.com/reports/2972576"},
 						{Type: "EVIDENCE", URL: "https://hackerone.com/reports/2972576"},
@@ -254,7 +254,7 @@ func TestFromCVE5(t *testing.T) {
 							Score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
 						},
 					},
-					DatabaseSpecific: nil,
+					DatabaseSpecific: map[string]any{"cwe_ids": []string{"CWE-770"}},
 				},
 			},
 		},
diff --git a/vulnfeeds/cves/cve.go b/vulnfeeds/cves/cve.go
@@ -26,6 +26,7 @@ const (
 
 type ProblemTypes []struct {
 	Descriptions []struct {
+		CWEID       string `json:"cweId,omitempty"`
 		Type        string `json:"type,omitempty"`
 		Lang        string `json:"lang,omitempty"`
 		Description string `json:"description,omitempty"`
