
Duo VR - Update the CWE list with the quick wins

Release notes

Duo VR now supports two new CWE types: SQL injection (CWE-89) and command injection (CWE-78). When SAST finds one of these vulnerabilities, Duo can resolve it automatically, saving developer time.

Problem to solve

Duo VR must support an increasing number of vulnerability types in order to maintain momentum. Research indicates that the two CWEs named above are high-confidence candidates and should be integrated into the existing workflows.

Requirements

  • CWE-78 and CWE-89 are both integrated into the Duo VR workflow and work at parity with the other supported CWEs.
  • No other changes are needed; only the DB migration is required.

Previous Notes

This issue tracks updating the supported CWE list following the analysis done in Duo VR - Manual Assessment of Injection CWEs (#508107, closed; Adam Cohen, Meir Benayoun; 17.11; At risk).

This is pending guidance from the Static Analysis group.

Reference: the initial migration was done in VR filtering: Backfill migration (#486530, closed).

Edited by Mike Clausen