A security engineer is triaging a Dependabot alert and wants to understand the weakness category behind the vulnerability so the team can search for the same coding mistake elsewhere in their own first-party code. The GitHub Advisory Database entry lists a CVE identifier, a CWE, and a CVSS score. Which of these is designed to classify the underlying type of software weakness rather than to identify a specific reported instance or rate its severity?
- A. The CVE identifier, because it groups together every vulnerability that shares the same root cause across all affected products.
- B. The CVSS score, because its base, temporal, and environmental metrics together decompose the flaw into the weakness category that produced it.
- C. The CVE identifier, because each CVE is issued per weakness type so that one CVE maps to exactly one CWE category.
- D. The CWE, because it names the general class of software weakness, such as improper input neutralisation, that the specific vulnerability is an instance of. (Correct)
Why A is wrong: This is tempting because a CVE is the most prominent identifier on the advisory, but a CVE names one specific publicly disclosed vulnerability in a particular product, not a reusable category of weakness shared across products.
Why B is wrong: CVSS base metrics describe exploitability and impact characteristics to produce a severity number; they rate how serious a flaw is and never classify the type of weakness behind it.
Why C is wrong: A CVE is issued per disclosed vulnerability, not per weakness type, and a single advisory can map a CVE to one or more CWEs, so the CVE is not the categorising framework here.
Why D is correct: CWE (Common Weakness Enumeration) is a hierarchy of weakness types, so it gives the engineer a category like SQL injection or path traversal that they can use to hunt for the same flaw pattern across their own code.