CWE Mapping — Mapping findings to MITRE CWE
CWE (Common Weakness Enumeration) is the MITRE taxonomy of software weaknesses. Decoder attaches a CWE ID where applicable so findings are comparable across tools and reports.
What it is
Standard ID (e.g. CWE-798) attached to a finding to describe the weakness class.
Why it's useful
A stable vocabulary shared by SAST tools and vulnerability databases (CVE records carry CWE IDs), plus a documented mapping from each OWASP Top 10 category to its CWEs, which makes compliance reporting straightforward.
How Decoder implements it
Rules declare a cweId; the report renders it as a link to the MITRE entry.
When to use it
Compliance reporting, dedup across multiple scanners, training material.
When NOT to use it
Quick local triage — the severity badge is enough.
Practical example
A hardcoded credential lands as CWE-798 (Use of Hard-coded Credentials); SQL injection as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
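As an added example (not Decoder's own code), the Python below sketches the mechanics behind the sections above: a rule declares a cweId, the report turns it into a link to the MITRE entry, and findings from different scanners are de-duplicated by weakness class. The rule format, the cweId field name, the scanner names and the findings are assumptions constructed for this example; only the cwe.mitre.org URL scheme is the real one.

```python
"""Illustrative CWE handling for a SAST report. Written for this page; the
rule shape, field names, scanners and findings are assumptions, not Decoder's."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Accept 'CWE-798', 'cwe-798' or bare '798'; reject anything else.
CWE_RE = re.compile(r"^(?:CWE-)?(\d{1,5})$", re.IGNORECASE)
MITRE_URL = "https://cwe.mitre.org/data/definitions/{num}.html"

# Assumed rule format: each rule declares an optional cweId.
RULES = {
    "hardcoded-credential": {"cweId": "CWE-798", "severity": "High"},
    "sql-injection":        {"cweId": "cwe-89",  "severity": "Critical"},
    "todo-comment":         {"cweId": None,      "severity": "Low"},  # no weakness class
}


def normalise_cwe(raw: Optional[str]) -> Optional[str]:
    """Canonicalise to 'CWE-<n>' (leading zeros stripped) or return None when absent.
    Malformed ids raise rather than silently producing a dead MITRE link."""
    if raw is None or str(raw).strip() == "":
        return None
    m = CWE_RE.match(str(raw).strip())
    if not m:
        raise ValueError(f"malformed cweId: {raw!r}")
    return f"CWE-{int(m.group(1))}"


def mitre_link(cwe: str) -> str:
    """Link to the MITRE entry, e.g. .../definitions/798.html."""
    return MITRE_URL.format(num=normalise_cwe(cwe).split("-")[1])


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    cwe: Optional[str]
    path: str
    line: int


def render(f: Finding) -> str:
    """One report line; the CWE is rendered as a Markdown link when present."""
    if f.cwe:
        return f"{f.path}:{f.line} {f.rule_id} [{normalise_cwe(f.cwe)}]({mitre_link(f.cwe)})"
    return f"{f.path}:{f.line} {f.rule_id}"


def dedupe_by_cwe(findings):
    """Merge findings from different scanners that report the same weakness
    class at the same location. Findings without a CWE are passed through
    untouched: there is no shared vocabulary to merge them on."""
    groups = defaultdict(list)
    passthrough = []
    for f in findings:
        if f.cwe is None:
            passthrough.append(f)
        else:
            groups[(normalise_cwe(f.cwe), f.path, f.line)].append(f)
    merged = []
    for (cwe, path, line), fs in groups.items():
        merged.append({
            "cwe": cwe, "path": path, "line": line, "link": mitre_link(cwe),
            "reported_by": sorted({(f.tool, f.rule_id) for f in fs}),
        })
    return merged, passthrough


# Constructed findings from two scanners; names, rule ids and paths are made up.
FINDINGS = [
    Finding("decoder", "hardcoded-credential", RULES["hardcoded-credential"]["cweId"], "app/db.py", 12),
    Finding("other-sast", "S1234", "798", "app/db.py", 12),  # same weakness, different vocabulary
    Finding("decoder", "sql-injection", RULES["sql-injection"]["cweId"], "app/db.py", 40),
    Finding("decoder", "todo-comment", None, "app/db.py", 3),
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(render(f))
    merged, rest = dedupe_by_cwe(FINDINGS)
    print(f"{len(merged)} weakness groups, {len(rest)} findings without a CWE")
```

The key design point is that de-duplication keys on the normalised CWE plus location, not on each tool's rule id, which is exactly why a shared taxonomy is worth the bookkeeping; findings that carry no CWE cannot be merged and are left alone rather than guessed at.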
Glossary
- CWE: Common Weakness Enumeration, MITRE's catalog of software weaknesses.
- MITRE: Non-profit that maintains CWE, CVE, and ATT&CK.
Related
Static malware analysis inspects code and binaries without executing them. Decoder runs it locally on your upload and surfaces suspicious patterns, entropy spikes and known indicators — no API key required.
Severity tells you what to fix first. Decoder normalises every finding into Critical / High / Medium / Low using signal strength, exploitability, and project context.
SAST inspects source code to find security weaknesses before runtime. Decoder ships SAST as a free, no-key feature across 20+ languages.
Leaked keys are among the most common breach vectors. Decoder combines provider-specific regex (AWS, GitHub, Stripe…) with entropy to flag secrets that don't belong in code.