Add curated CWE fallback mappings and coverage for issue #472

[Bornunique911]

Problem

Issue #472 asks how OpenCRE can map more of CWE in a way that is practical and maintainable.

The current gap is twofold:

• some CWE entries should inherit a CRE mapping through related CWE relationships, but that mapping is not always available during the same import pass
• other CWE entries have no direct mapping even when they clearly belong to a high-confidence family such as injection or XXE

Solution

This branch narrows the implementation to CWE-only behavior and introduces a deterministic mapping strategy with two parts.

1. Related-CWE inheritance

The importer now:

• collects related weakness IDs during CWE import
• builds the imported CWE entries first
• repeatedly propagates CRE links through related CWE relationships until no new links are added

This allows a newly imported CWE to inherit mappings from another newly imported related CWE in the same run.

2. Curated fallback mappings

This branch adds a curated fallback mapping file:

• application/utils/external_project_parsers/data/cwe_fallback_mappings.json

The importer loads this file and applies fallback CRE mappings only when a CWE still has no CRE link after normal and inherited linking.

This keeps the behavior:

• explicit
• reviewable
• easy to extend without hardcoding every rule directly in parser logic

3. Local refresh support

This branch also adds:

• scripts/update-cwe.sh

This is a local helper for refreshing CWE data from the latest MITRE feed into an existing OpenCRE SQLite cache.

Scope

In scope

• CWE importer behavior
• curated CWE fallback mapping data
• focused parser tests for inheritance and fallback behavior
• local CWE refresh script

Files Changed

• application/utils/external_project_parsers/parsers/cwe.py
• application/utils/external_project_parsers/data/cwe_fallback_mappings.json
• application/tests/cwe_parser_test.py
• scripts/update-cwe.sh

Testing

Executed:

./venv/bin/python -m pytest application/tests/cwe_parser_test.py -q

[Bornunique911]

Requesting kind reviews and feedback for this feature from : @northdpole , @Pa04rth , @robvanderveer

[Bornunique911]

Fix 1 :

In this release, I have mapped all the CWE's from the official MITRE's CWE website (https://cwe.mitre.org/data/downloads.html).

Fix 2 :

If we now search for the term injection, CWE-652 is listed and is mapped with Improper Neutralization of Data within XQuery Expression ('XQuery Injection') which was not present in the earlier releases.

Before :

After :

Necessary scripts useful for updating the latest CWE's and getting an idea of how much data is being utilized by the database locally :

I have also added necessary scripts :

1. to run the application locally. (run-local.sh)
2. to show the database stats based on how much data is being utilized locally by the database. (show-db-stats.sh)
3. to update latest CWE's from the official website. (update-cwe.sh)

[Bornunique911]

Requesting kind reviews and feedback for this feature from : @northdpole , @Pa04rth , @robvanderveer .

[Bornunique911]

Hi @robvanderveer , @northdpole and @Pa04rth , can you guys please review it and provide a suitable feedback for it so that if there is any changes to make I will make it?