What are the CWEs from the Common Weakness Enumeration related to software supply chain issues?
- Dependency Management:
- CWE-829: Inclusion of Functionality from Untrusted Control Sphere
- CWE-494: Download of Code Without Integrity Check
- CWE-1021: Improper Restriction of Rendered UI Layers or Frames
- CWE-937: Using Components with Known Vulnerabilities
- CWE-1104: Use of Unmaintained Third Party Components
- CWE-940: Improper Verification of Source of a Communication Channel
- Build Process:
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
- CWE-506: Embedded Malicious Code
- CWE-912: Hidden Functionality
- Crypto and Secrets
- CWE-347: Improper Verification of Cryptographic Signature
- CWE-354: Improper Validation of Integrity Check Value
- CWE-798: Use of Hard-coded Credentials
- CWE-311: Missing Encryption of Sensitive Data
- CWE-326: Inadequate Encryption Strength
- Update Mechanisms:
- CWE-441: Unintended Proxy or Intermediary
- CWE-494: Download of Code Without Integrity Check
- CWE-799: Improper Control of Interaction Frequency
- Repository Security:
- CWE-284: Improper Access Control
- CWE-287: Improper Authentication
- CWE-522: Insufficiently Protected Credentials
- Configuration Management:
- CWE-16: Configuration
- CWE-520: .NET Misconfiguration: Use of Impersonation