Get CWEs

Retrieves a paginated list of CWE entries (weaknesses by default; see the `type` parameter).

Required Permissions

Requires the MEMBER role or higher.

HTTP Request

GET /api/sonar/cwes
cURL Example
curl -H "Authorization: Bearer <API_KEY>" \
     https://HOSTNAME/api/sonar/cwes?offset=0&limit=20
Request Parameters
| Key | Required | Type | Description | Note |
| --- | --- | --- | --- | --- |
| offset | X | 32-bit integer | Number of items to skip | Default: 0 |
| limit | X | 32-bit integer | Maximum number of items | Min 0, max 1000. Default: 20 |
| keywords | X | String | Search keyword | Searches id, name, and description fields |
| type | X | String | CWE type | One of weakness, category, view (default: weakness) |

Success Response

{
  "total_count": 943,
  "cwes": [
    {
      "id": "CWE-5",
      "name": "J2EE Misconfiguration: Data Transmission Without Encryption",
      "status": "Draft",
      "type": "Weakness",
      "mapping_notes": {
        "usage": "Allowed",
        "reasons": "Acceptable-Use",
        "rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.",
        "comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction."
      },
      "abstraction": null,
      "structure": null,
      "description": "Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.",
      "extended_description": null,
      "likelihood_of_exploit": null,
      "datas": {
        "notes": {
          "note": [
            {
              "type": "Other",
              "_text": "\n               <xhtml:p>If an application uses SSL to guarantee confidential communication with client browsers, the application configuration should make it impossible to view any access controlled page without SSL. There are three common ways for SSL to be bypassed:</xhtml:p>\n\n                  <xhtml:ul>\n                         \n    <xhtml:li>A user manually enters URL and types \"HTTP\" rather than \"HTTPS\".</xhtml:li>\n                         \n    <xhtml:li>Attackers intentionally send a user to an insecure URL.</xhtml:li>\n                         \n    <xhtml:li>A programmer erroneously creates a relative link to a page in the application, which does not switch from HTTP to HTTPS. (This is particularly easy to do when the link moves between public and secured areas on a web site.)</xhtml:li>\n                      \n</xhtml:ul>\n\n            "
            }
          ]
        },
        "references": {
          "reference": [
            {
              "external_reference_id": "REF-6"
            }
          ]
        },
        "content_history": {
          "previous_entry_name": [
            {
              "date": "2008-04-11",
              "_text": "J2EE Misconfiguration: Insecure Transport"
            }
          ],
          "submission": {
            "submission_date": "2006-07-19",
            "submission_releasedate": "2006-07-19",
            "submission_version": "Draft 3",
            "submission_name": "7 Pernicious Kingdoms"
          },
          "modification": [
            {
              "modification_organization": "Cigital",
              "modification_name": "Eric Dalci",
              "modification_comment": "updated Time_of_Introduction",
              "modification_date": "2008-07-01"
            },
            {
              "modification_organization": "MITRE",
              "modification_name": "CWE Content Team",
              "modification_comment": "updated Relationships, Other_Notes, Taxonomy_Mappings",
              "modification_date": "2008-09-08"
            },
            {
              "modification_organization": "MITRE",
              "modification_name": "CWE Content Team",
              "modification_comment": "updated Other_Notes",
              "modification_date": "2011-03-29"
            },
            {
              "modification_organization": "MITRE",
              "modification_name": "CWE Content Team",
              "modification_comment": "updated Common_Consequences",
              "modification_date": "2011-06-01"
            },
            {
              "modification_organization": "MITRE",
              "modification_name": "CWE Content Team",
              "modification_comment": "updated Relationships",
              "modification_date": "2012-05-11"
            },
            {
              "modification_organization": "MITRE",
              "modification_name": "CWE Content Team",
              "modification_comment": "updated Potential_Mitigations",
              "modification_date": "2012-10-30"
            },
            {
              "modification_organization": "MITRE",
              "modification_name": "CWE Content Team",
              "modification_comment": "updated Relationships",
              "modification_date": "2014-07-30"
            },
            {
              "modification_organization": "MITRE",
              "modification_name": "CWE Content Team",
              "modification_comment": "updated Common_Consequences, Description",
              "modification_date": "2017-11-08"
            },
            {
              "modification_organization": "MITRE",
              "modification_name": "CWE Content Team",
              "modification_comment": "updated References, Relationships",
              "modification_date": "2020-02-24"
            },
            {
              "modification_organization": "MITRE",
              "modification_name": "CWE Content Team",
              "modification_comment": "updated Potential_Mitigations",
              "modification_date": "2023-01-31"
            },
            {
              "modification_organization": "MITRE",
              "modification_name": "CWE Content Team",
              "modification_comment": "updated Relationships",
              "modification_date": "2023-04-27"
            },
            {
              "modification_organization": "MITRE",
              "modification_name": "CWE Content Team",
              "modification_comment": "updated Mapping_Notes",
              "modification_date": "2023-06-29"
            }
          ]
        },
        "applicable_platforms": {
          "language": [
            {
              "prevalence": "Undetermined",
              "name": "Java"
            }
          ]
        },
        "potential_mitigations": {
          "mitigation": [
            {
              "phase": [
                "System Configuration"
              ],
              "description": "The product configuration should ensure that SSL or an encryption mechanism of equivalent strength and vetted reputation is used for all access-controlled pages."
            }
          ]
        },
        "common_consequences": {
          "consequence": [
            {
              "scope": [
                "Confidentiality"
              ],
              "impact": [
                "Read Application Data"
              ]
            },
            {
              "scope": [
                "Integrity"
              ],
              "impact": [
                "Modify Application Data"
              ]
            }
          ]
        },
        "taxonomy_mappings": {
          "taxonomy_mapping": [
            {
              "entry_name": "J2EE Misconfiguration: Insecure Transport",
              "taxonomy_name": "7 Pernicious Kingdoms"
            }
          ]
        },
        "modes_of_introduction": {
          "introduction": [
            {
              "phase": "Implementation"
            },
            {
              "phase": "Operation"
            }
          ]
        }
      },
      "created": "2006-07-19",
      "updated": "2023-06-29"
    }
  ]
}

Error Responses

When offset or limit is not an integer

HTTP status code 400

{
  "error_code": "invalid-argument",
  "error_msg": "'offset' parameter should be int type"
}
When offset or limit is negative

HTTP status code 400

{
  "error_code": "invalid-argument",
  "error_msg": "'offset' must be greater than or equal to 0."
}
When limit exceeds the maximum value

HTTP status code 400

{
  "error_code": "invalid-argument",
  "error_msg": "'limit' must be less than or equal to 1000."
}
When the type value is invalid

HTTP status code 400

{
  "error_code": "invalid-argument",
  "error_msg": "type should be one of Weakness, Category, View"
}