Secure Product Metrics
This page shows various metrics for the products developed and maintained by the Secure Stage.
We are actively supporting Common Weakness Enumeration (CWE) as a standard vulnerability classification system and a common language to discuss software weaknesses.
Using CWE as a foundation has several advantages:
- CWE is a comprehensive and well-documented system and can be considered as a de-facto standard for discussing software weaknesses.
- CWE provides mappings to other vulnerability classification systems and/or rankings (such as OWASP Top 10).
- CWE provides a stable ontology: definitions can be added but existing definitions do not change (unlike OWASP rankings).
CWE is a hierarchical system with an ontology that is organized in a tree structure where a parent CWE is more general than its child; a child CWE captures a vulnerability in more specific terms than its parent.
In contrast to CWE, OWASP Top 10 provides a risk ranking of the most critical security vulnerabilities. The 10 risk categories change on a regular basis.
The table below shows the mapping between OWASP categories and their CWE counterparts. Note that the table includes transitive CWE mappings: all the CWEs listed for each category on the OWASP Top 10 website, together with their child CWEs.
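As an added example (not the page's own code), the following Python script builds the transitive OWASP-to-CWE mapping described above from a parent/child CWE graph and then computes per-category coverage for a set of detected CWEs. The CWE hierarchy excerpt, the OWASP category rows and the detected set are constructed samples, not the live data behind the page's charts.

```python
# Added example: transitive OWASP -> CWE mapping and per-category coverage.
from collections import deque

# Constructed excerpt of the CWE parent -> children hierarchy (abbreviated;
# the real tree is far larger and should be loaded from the CWE data export).
CWE_CHILDREN = {
    "CWE-74": ["CWE-77", "CWE-79", "CWE-89"],  # Injection
    "CWE-77": ["CWE-78"],                      # Command Injection -> OS Command Injection
    "CWE-78": [],
    "CWE-79": [],                              # Cross-site Scripting
    "CWE-89": [],                              # SQL Injection
    "CWE-287": ["CWE-306"],                    # Improper Authentication -> Missing Authentication
    "CWE-306": [],
}

# Constructed direct mappings: OWASP category -> CWEs listed for it (subset only).
OWASP_DIRECT = {
    "A03:2021-Injection": ["CWE-74"],
    "A07:2021-Identification and Authentication Failures": ["CWE-287"],
}


def cwe_number(cwe):
    """Numeric sort key so CWE-306 sorts after CWE-74, not before it."""
    return int(cwe.split("-")[1])


def transitive_cwes(roots, children=CWE_CHILDREN):
    """Return the roots plus every descendant CWE (breadth-first walk of the tree)."""
    seen, queue = set(), deque(roots)
    while queue:
        cwe = queue.popleft()
        if cwe in seen:
            continue
        seen.add(cwe)
        queue.extend(children.get(cwe, []))
    return seen


def owasp_to_cwe_table(direct=OWASP_DIRECT, children=CWE_CHILDREN):
    """Build the OWASP -> transitive CWE table as {category: sorted list of CWEs}."""
    return {cat: sorted(transitive_cwes(roots, children), key=cwe_number)
            for cat, roots in direct.items()}


def coverage(detected, mapping):
    """Per category: (covered count, mapped count, covered CWEs) for a detected set."""
    result = {}
    for cat, cwes in mapping.items():
        hit = [c for c in cwes if c in detected]
        result[cat] = (len(hit), len(cwes), hit)
    return result


if __name__ == "__main__":
    table = owasp_to_cwe_table()
    # Constructed set of CWEs one analyzer reports, to show how coverage is derived.
    for cat, (n, total, hit) in coverage({"CWE-79", "CWE-89", "CWE-78"}, table).items():
        print(f"{cat}: {n}/{total} covered ({', '.join(hit)})")
```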
Below you can find the OWASP and CWE coverage for different secure products. All charts that are displayed below are powered by live anonymized vulnerability data from our security scans. These are vulnerabilities we are actively identifying in real-world customer usage of our security scanning tools.
OWASP Top 10 2021 Coverage
The chart below depicts the CWEs that map to the OWASP Top 10 2021. All of these CWEs are detected by GitLab’s SAST/DAST and Dependency Scanning capabilities.
CWE Coverage
SAST
The table below shows the combined Common Weakness Enumeration (CWE) findings reported by our SAST analyzers on projects hosted on gitlab.com.
Below you can find a list of which CWEs are detected by each analyzer:
eslint
flawfinder
gosec
nodejs-scan
semgrep
spotbugs
DAST
The table below shows the combined Common Weakness Enumeration (CWE) findings reported by our DAST analyzers on projects hosted on gitlab.com.
GitLab Advisory Database for Dependency Scanning
Statistical information about advisories for dependency scanning is available on the GitLab Landing Page for Dependency Scanning Advisories.