DAST - CWE replacements
Vulnerability research has determined that some DAST checks require CWE updates. The checks are currently organized by CWE identifier, which complicates the change. Additionally, browserker will need to be updated, because that project also uses the CWE to identify checks.
When making these changes, it will be important to verify that they do not impact vulnerability management by causing duplicate vulnerabilities to be created (one for the old CWE, and one for the new CWE).
Context - https://gitlab.com/gitlab-org/gitlab/-/issues/482024#note_2097895584
DAST Repo - https://gitlab.com/gitlab-org/security-products/dast-cwe-checks/
DAST Findings:
- CWE-200
  - id: "200.1" - https://gitlab.com/gitlab-org/security-products/dast-cwe-checks/-/blob/main/checks/200/200.1.yaml?ref_type=heads
    - Replacement CWE - CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
- CWE-287
  - id: "287.1" - https://gitlab.com/gitlab-org/security-products/dast-cwe-checks/-/blob/main/checks/287/287.1.yaml?ref_type=heads
    - Replacement CWE - CWE-1390: Weak Authentication
  - id: "287.2" - https://gitlab.com/gitlab-org/security-products/dast-cwe-checks/-/blob/main/checks/287/287.2.yaml?ref_type=heads
    - Replacement CWE -
      - CWE-1390: Weak Authentication OR
      - CWE-328: Use of Weak Hash
- CWE-693
  - id: "693.1" - https://gitlab.com/gitlab-org/security-products/dast-cwe-checks/-/blob/main/checks/693/693.1.yaml?ref_type=heads
    - Replacement CWE - CWE-358: Improperly Implemented Security Check for Standard
- CWE-74
  - id: "74.1" - https://gitlab.com/gitlab-org/security-products/dast-cwe-checks/-/blob/main/checks/74/74.1.yaml?ref_type=heads
    - Replacement CWE - CWE-91: XML Injection (aka Blind XPath Injection)
cc: @mhenriksen @dabeles
Edited by Michael Eddington