- External Submissions Review Phases
Each submission needs to be reviewed by the CWE Team to determine whether it is suitable for inclusion as new CWE content. The external submission review process can be thought of as four stages: Initial Submission, Detailed Submission, Content Generation, and Publication. These stages, and the more granular phases within each stage, are described in detail below.
- Stage 1: Initial Submission
An external submitter either provides a name, a short description of the weakness, one or more references, and suggested relationships for a new CWE submission, or provides modification information to modify an existing CWE. The CWE Team works with the submitter to ensure that the initial submission does not have any submission problems that would prevent it from being integrated into CWE content.
The CWE Team receives an initial submission from the web submission server and creates an internal submission tracking file. Submissions in this phase are typically not pushed to the CWE Content Development Repository (CDR) until the CWE Team has confirmed that the information provided is suitable for public release.
The CWE Team notifies the original submitter that the initial submission has been received. At this stage the submission is moved to the CDR, where a GitHub issue is created for the submission and the internal submission tracking file is pushed.
A member of the CWE Team performs an initial review of the submission, going through each potential submission problem and scope exclusion to ensure there are no issues. Any identified submission problem is recorded in the submission tracking file and also added as a label on the submission's CDR issue.
Members of the CWE Team work with the submitter to resolve any identified submission problems. This discussion takes place as comments on the submission's CDR issue.
The CWE Team rejects the initial submission and notifies the submitter.
The CWE Team accepts the initial submission and notifies the submitter.
- Stage 2: Detailed Submission
If the initial submission is accepted, the CWE Team asks the submitter to provide full details for the submission, covering more than 10 different fields that form the basis of a new CWE entry, such as potential mitigations, common consequences, demonstrative code examples, and others. The CWE Team works with the submitter to ensure that the detailed submission has appropriate, correct details.
The CWE Team asks the submitter to provide full details for their submission. Currently, this is done by posting a comment on the CDR issue. The submitter can then copy that comment into a text editor of their choice, add the details inline, and reply with the updated information as a new comment on the CDR issue.
The submitter has provided the full submission details, but they have not yet been reviewed by the CWE Team.
The CWE Team reviews the full submission details, ensures that all requested details are provided, and performs a quality check on each field within the submission.
If necessary, the CWE Team works directly with the submitter to resolve any gaps or identified quality concerns.
The CWE Team accepts the full, detailed submission.
- Stage 3: Content Generation
At this stage, all relevant details should have been provided. The CWE Team prepares the content for inclusion in the next CWE version, whether as a new CWE entry, a modification to one or more existing entries, or both. The CWE Team works with the submitter and/or the community to address any small errors or omissions that might not have been addressed during earlier stages.
The CWE Team begins to integrate appropriate details into its internal repository of CWE content, which is used to generate new CWE versions.
For any new entry or entries, the CWE Team assigns a CWE identifier and translates the full submission's content into XML format.
For any entry or entries requiring modification, the CWE Team integrates the modifications into the XML.
The CWE Team performs final coordination with the submitter before the content is published, such as confirming credits to the submitter and a final review of the changes.
- Stage 4: Publication
The changes are included in a new CWE version, whether as a new CWE entry, a modification to one or more existing entries, or both.
The CWE changes and/or new entries are published in a new CWE version.
The CWE Team notifies the submitter of the publication and determines if any additional changes are necessary.
The CWE Team closes the external submission, and no further action is necessary. Any future changes, if needed, would apply to the relevant CWE entry or entries.
