We host a full web API that includes all objects created by cwe2stix, CTIButler.
A command line tool that turns MITRE CWEs into STIX 2.1 Objects.
CWEs are Common Weakness Enumerations (CWE's). CWE's are a community-developed list of software and hardware weakness types managed MITRE. They serve as a common language as a baseline for weakness identification, mitigation, and prevention efforts.
For example, CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
We had a requirement to have an up-to-date copy of MITRE CWEs in STIX 2.1 format, like already exists and maintained by MITRE for ATT&CK (e.g. Enterprise) and CAPEC on GitHub.
The code in this repository is a similar to the MITRE implementations for ATT&CK and CAPEC that;
- Downloads latest CWE XML
- Checks version of CWE XML
- Converts them to STIX 2.1 Objects, if new version
- Stores the STIX 2.1 Objects in the file store
To install cwe2stix;
# clone the latest code
git clone https://github.com/muchdogesec/cwe2stix
# create a venv
cd cwe2stix
python3 -m venv cwe2stix-venv
source cwe2stix-venv/bin/activate
# install requirements
pip3 install -r requirements.txtpython3 cwe2stix.py --version <CWE VERSION NUMBER>--version(optional): by default the script will download the latest available CWE file from the CWE website. If you want a specific version, you can pass the--versionflag. e.g.--version 4.13. Note, only versions >= 4.5 are currently supported by this script.
For example, to download the 4.15 version of CWEs;
python3 cwe2stix.py --version 4.16If no --version passed, the latest CWE file located at https://cwe.mitre.org/data/xml/cwec_latest.xml.zip will be downloaded.
On each script run, the objects and bundle will be removed (if difference detected in version), and regenerated.
To handle versions, on the first run a CWE_VERSION file is created, listing the version of CWEs in the stix2_objects directory. On subsequent runs, this version value will changes based on the version of CWEs converted.
MITRE maintain an XML file with the full CWE definitions here. This appears to be the best machine readable format to use based on the other alternatives MITRE use to distribute this data (HTML and PDF).
This XML file is what cwe2stix uses to generate the STIX objects.
- Identity: https://raw.githubusercontent.com/muchdogesec/stix4doge/main/objects/identity/dogesec.json
- Marking Definition: https://raw.githubusercontent.com/muchdogesec/stix4doge/main/objects/marking-definition/cwe2stix.json
- Extension Definition: https://raw.githubusercontent.com/muchdogesec/stix2extensions/main/extension-definitions/sdos/weakness.json
The key object to represent CWEs is a Weakness (this is a custom STIX objects):
{
"type": "weakness",
"spec_version": "2.1",
"id": "weakness--<UUIDV5 GENERATION LOGIC>",
"name": "<CWE NAME>",
"created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
"created": "<Weaknesses.Weakness.Submission_Date>",
"modified": "<Weaknesses.Weakness.Modification_Date> (latest date)",
"description": "<Weaknesses.Weakness.Description> <Weaknesses.Weakness.Extended_Description>",
"modes_of_introduction": ["Modes_Of_Introduction.Introduction.Phase"],
"likelihood_of_exploit": "Likelihood_Of_Exploit",
"common_consequences": ["Common_Consequences.Consequence.Scope"],
"detection_methods": ["Detection_Methods.Detection_Method.Method"],
"revoked": "<true IF CWE NAME contains DEPRECATED:",
"external_references": [
{
"source_name": "cwe",
"external_id": "CWE-<CWE ID>",
"url": "http://cwe.mitre.org/data/definitions/<CWE ID>.html"
},
{
"source_name": "<External_Reference.author>, <External_Reference.author>",
"description": "<External_Reference.title>",
"url": "<External_Reference.URL>",
"external_id": "<Weaknesses.Weakness.External_Reference_ID>",
},
{
"source_name": "<Weaknesses.Weakness.Taxonomy_Mappings.Taxonomy_Name>",
"external_id": "<Weaknesses.Weakness.Taxonomy_Mappings.Entry_ID>",
"description": "<Weaknesses.Weakness.Taxonomy_Mappings.Entry_Name>"
},
{
"source_name": "capec",
"external_id": "CAPEC-<Weaknesses.Weakness.Related_Attack_Patterns.Related_Attack_Pattern>",
"url": "https://capec.mitre.org/data/definitions/<Weaknesses.Weakness.Related_Attack_Patterns.Related_Attack_Pattern>.html"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b"
],
"extensions": {
"<IMPORTED EXTENSION DEFINITION>": {
"extension_type": "new-sdo"
}
}
}Note, the created field relies on you importing versions in order. Usually this is a non-issue, but if you plan on backfilling data, YOU MUST import them in order (earliest first).
To generate the id, a UUIDv5 is generated using the namespace d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b and CWE-ID. e.g. CWE-102 = ad5b3e38-fdf2-5c97-90da-30dad0f1f016 = weakness--ad5b3e38-fdf2-5c97-90da-30dad0f1f016
Inside each weakness ID is also a property Weaknesses.Related_Weaknesses. For example, for CWE-521;
<Related_Weaknesses>
<Related_Weakness Nature="ChildOf" CWE_ID="1391" View_ID="1000" Ordinal="Primary"/>
<Related_Weakness Nature="ChildOf" CWE_ID="287" View_ID="1003" Ordinal="Primary"/>
</Related_Weaknesses>cwe2stix models these using STIX 2.1 Relationship Objects as follows;
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--<UUIDV5 GENERATION LOGIC>",
"created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
"created": "<CREATED TIME OF MOST RECENT CWE OBJECT IN PAIR>",
"modified": "<CREATED TIME OF MOST RECENT CWE OBJECT IN PAIR>",
"relationship_type": "<Related_Weakness Nature>",
"source_ref": "weakness--<CURRENT WEAKNESS>",
"target_ref": "weakness--<Weaknesses.Weakness.Related_Weaknesses.Related_Weakness.CWE_ID>",
"description": "<CURRENT WEAKNESS name> is a <Related_Weakness Nature> of <Weaknesses.Weakness.Related_Weaknesses.Related_Weakness.name>",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b"
],
}To generate the id of the SRO, a UUIDv5 is generated using the namespace d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b and <Related_Weakness Nature>+SOURCE_CWEID+TARGET_CWEID.
e.g. CanPrecede+CWE-1423+CWE-1102 = 7a612ea9-a08b-54bd-9e21-570509ba5d25 = relationship--7a612ea9-a08b-54bd-9e21-570509ba5d25
The CWE XML also contains category entries. e.g.
<Category ID="1020" Name="Verify Message Integrity" Status="Draft">
<Summary>Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.</Summary>
<Relationships>
<Has_Member CWE_ID="353" View_ID="1008"/>
<Has_Member CWE_ID="354" View_ID="1008"/>
<Has_Member CWE_ID="390" View_ID="1008"/>
<Has_Member CWE_ID="391" View_ID="1008"/>
<Has_Member CWE_ID="494" View_ID="1008"/>
<Has_Member CWE_ID="565" View_ID="1008"/>
<Has_Member CWE_ID="649" View_ID="1008"/>
<Has_Member CWE_ID="707" View_ID="1008"/>
<Has_Member CWE_ID="755" View_ID="1008"/>
<Has_Member CWE_ID="924" View_ID="1008"/>
</Relationships>
<References>
<Reference External_Reference_ID="REF-9"/>
<Reference External_Reference_ID="REF-10" Section="pages 69 - 78"/>
</References>
<Mapping_Notes>
<Usage>Prohibited</Usage>
<Rationale>This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.</Rationale>
<Comments>See member weaknesses of this category.</Comments>
<Reasons>
<Reason Type="Category"/>
</Reasons>
</Mapping_Notes>
<Content_History>
<Submission>
<Submission_Name>Joanna C.S. Santos, Mehdi Mirakhorli</Submission_Name>
<Submission_Date>2017-06-22</Submission_Date>
<Submission_Version>2.12</Submission_Version>
<Submission_ReleaseDate>2017-11-08</Submission_ReleaseDate>
<Submission_Comment>Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view.</Submission_Comment>
</Submission>
<Modification>
<Modification_Name>CWE Content Team</Modification_Name>
<Modification_Organization>MITRE</Modification_Organization>
<Modification_Date>2023-04-27</Modification_Date>
<Modification_Comment>updated Mapping_Notes</Modification_Comment>
</Modification>
<Modification>
<Modification_Name>CWE Content Team</Modification_Name>
<Modification_Organization>MITRE</Modification_Organization>
<Modification_Date>2023-06-29</Modification_Date>
<Modification_Comment>updated Mapping_Notes</Modification_Comment>
</Modification>
</Content_History>
</Category>Grouping SDOs are also used to represent CWE Categories (e.g. OWASP Top Ten 2004).
Grouping SDOs are modelled from CWE entries as follows
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--<UUIDV5 LOGIC>",
"created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
"created": "<Content_History.Submission_Date>",
"modified": "<Modification.Modificaton Date> (latest)",
"name": "<CATEGORY.NAME>",
"description": "<CATEGORY.SUMMARY>",
"context": "unspecified",
"external_references": [
{
"source_name": "cwe_category",
"external_id": "<CWE CATEGORY ID>"
},
{
"source_name": "<External_Reference.author>, <External_Reference.author>",
"description": "<External_Reference.title>",
"url": "<External_Reference.URL>",
"external_id": "<Weaknesses.Weakness.External_Reference_ID>",
},
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b"
],
"object_refs": [
"<STIX IDs OF ALL CWEs LISTED IN CATEGORY.Relationships>"
]
}To generate the id of the SDO, a UUIDv5 is generated using the namespace d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b and name field, e.g. SFP Primary Cluster: Malware = 0523bdc3-24d8-5634-9353-14def9f5cfcf = grouping--0523bdc3-24d8-5634-9353-14def9f5cfcf
To demonstrate the object_refs payload, in example for category 1020 above, the object_refs list would contain the STIX vulnerability IDs for; CWE_ID="353" CWE_ID="354" CWE_ID="390" CWE_ID="391" CWE_ID="494" CWE_ID="565 CWE_ID="649" CWE_ID="707" CWE_ID="755" CWE_ID="924".
In some cases related weakness do not exist, as the CWE record does not exist in the dataset. For example, Category 1001 has a referenced Weakness ID="227", however, there is no CWE-227 in the CWE dictionary.
<Category ID="1001" Name="SFP Secondary Cluster: Use of an Improper API" Status="Incomplete">
<Summary>This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).</Summary>
<Relationships>
<Has_Member CWE_ID="111" View_ID="888"/>
<Has_Member CWE_ID="227" View_ID="888"/>
<Has_Member CWE_ID="242" View_ID="888"/>If a reference to a Vulnerability that does not exist (e.g. Weakness ID="227") is made, the entry is ignored in the Grouping object_refs dictionary.
<View ID="1450" Name="Weaknesses in OWASP Top Ten RC1 (2025)" Type="Graph" Status="Incomplete">
<Objective>CWE entries in this view (graph) are associated with the first release candidate (RC1) of the OWASP Top Ten, as released in 2025.</Objective>
<Audience>
<Stakeholder>
<Type>Software Developers</Type>
<Description>This view outlines the most important issues as identified by the OWASP Top Ten (2025 RC1), providing a good starting point for web application developers who want to code more securely.</Description>
</Stakeholder>
<Stakeholder>
<Type>Product Customers</Type>
<Description>This view outlines the most important issues as identified by the OWASP Top Ten (2025 RC1), providing product customers with a way of asking their software development teams to follow minimum expectations for secure code.</Description>
</Stakeholder>
<Stakeholder>
<Type>Educators</Type>
<Description>Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students.</Description>
</Stakeholder>
</Audience>
<Members>
<Has_Member CWE_ID="1436" View_ID="1450"/>
<Has_Member CWE_ID="1437" View_ID="1450"/>
<Has_Member CWE_ID="1438" View_ID="1450"/>
<Has_Member CWE_ID="1439" View_ID="1450"/>
<Has_Member CWE_ID="1440" View_ID="1450"/>
<Has_Member CWE_ID="1441" View_ID="1450"/>
<Has_Member CWE_ID="1442" View_ID="1450"/>
<Has_Member CWE_ID="1443" View_ID="1450"/>
<Has_Member CWE_ID="1444" View_ID="1450"/>
<Has_Member CWE_ID="1445" View_ID="1450"/>
</Members>
<References>
<Reference External_Reference_ID="REF-1500"/>
</References>
<Mapping_Notes>
<Usage>Prohibited</Usage>
<Rationale>This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.</Rationale>
<Comments>Use this View or other Views to search and navigate for the appropriate weakness.</Comments>
<Reasons>
<Reason Type="View"/>
</Reasons>
</Mapping_Notes>
<Notes>
<Note Type="Maintenance">As of CWE 4.19, the relationships in this view were pulled directly from the CWE mappings cited in the 2025 OWASP Top Ten RC1. These mappings include categories and high-level weaknesses. One mapping to a deprecated entry was removed. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself.</Note>
</Notes>
<Content_History>
<Submission>
<Submission_Name>CWE Content Team</Submission_Name>
<Submission_Organization>MITRE</Submission_Organization>
<Submission_Date>2024-12-01</Submission_Date>
<Submission_Version>4.19</Submission_Version>
<Submission_ReleaseDate>2025-12-11</Submission_ReleaseDate>
</Submission>
</Content_History>
</View>Views group categories. We should model them as STIX Grouping objects..
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--<UUIDV5 LOGIC>",
"created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
"created": "<Content_History.Submission_Date>",
"modified": "<Modification.Modificaton Date> (latest)",
"name": "<VIEW.NAME>",
"description": "<Objective>",
"context": "unspecified",
"external_references": [
{
"source_name": "cwe_category",
"external_id": "<VIEW ID>"
},
{
"source_name": "<External_Reference.author>, <External_Reference.author>",
"description": "<External_Reference.title>",
"url": "<External_Reference.URL>",
"external_id": "<Weaknesses.Weakness.External_Reference_ID>",
},
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b"
],
"object_refs": [
"<STIX IDs OF ALL GROUPINGS LISTED IN Members>"
]
}To generate the id of the SDO, a UUIDv5 is generated using the namespace d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b and name field as the value
cwe2stix also creates a STIX 2.1 Bundle JSON object containing all the other STIX 2.1 Objects created at each run. The Bundle takes the format;
{
"type": "bundle",
"id": "bundle--<UUIDV5 GENERATION LOGIC>",
"objects": [
"<ALL STIX JSON OBJECTS>"
]
}To generate the id of the SRO, a UUIDv5 is generated using the namespace d91de5c9-2d85-5cc9-97c0-c5ec8deb1a4b and a md5 hash of all objects sorted in the bundle.
Unlike the other STIX Objects, this means on every update a new bundle ID will be generated if any difference in objects or properties is observed.
Download all data by running;
sh utilities/download_all.sh- To generate STIX 2.1 Objects: stix2 Python Lib
- The STIX 2.1 specification: STIX 2.1 docs
- MITRE CWE site