{
  "meta": {
    "slug": "owasp-web-2025-cwe",
    "frameworks": [
      "OWASP_Web_Top10_2025",
      "CWE"
    ],
    "labels": [
      "OWASP Top 10 Web 2025",
      "CWE"
    ],
    "authoritative": "MITRE OWASP-category \u2192 member CWEs",
    "generated": "10 June 2026"
  },
  "metrics": {
    "pair": {
      "a": "OWASP_Web_Top10_2025",
      "b": "CWE"
    },
    "counts": {
      "pairs": 258,
      "rows": 516,
      "present_a_to_b": 258,
      "present_b_to_a": 206
    },
    "reliability": {
      "reverse_presence_pct": 79.8,
      "extent_rank_correlation": 0.666,
      "completeness_a_to_b_pct": 84.5,
      "completeness_b_to_a_pct": 0.5,
      "none_rate_a_to_b_pct": 0.0,
      "none_rate_b_to_a_pct": 20.2,
      "counterpart_coverage_a": {
        "mapped": 10,
        "universe": 10,
        "pct": 100.0
      },
      "counterpart_coverage_b": {
        "mapped": 253,
        "universe": null,
        "pct": null
      }
    },
    "abstraction": {
      "breadth_a_to_b": 25.8,
      "breadth_b_to_a": 1.01,
      "depth_a_to_b": 2.28,
      "depth_b_to_a": 1.0,
      "verdict": "OWASP_Web_Top10_2025 sits at a higher level of abstraction (fans out more)",
      "intrinsic_a": null,
      "intrinsic_b": {
        "signal": "cwe_abstraction",
        "distribution": {
          "Variant": 56,
          "Base": 141,
          "Class": 50,
          "Pillar": 3,
          "Compound": 3
        }
      }
    },
    "diff": {
      "authoritative_pairs": 249,
      "agreement": 220,
      "conflict": 29,
      "addition": 38,
      "examples": {
        "conflict": [
          [
            "A01:2025",
            "CWE-377"
          ],
          [
            "A01:2025",
            "CWE-540"
          ],
          [
            "A01:2025",
            "CWE-615"
          ],
          [
            "A02:2025",
            "CWE-16"
          ],
          [
            "A02:2025",
            "CWE-315"
          ],
          [
            "A02:2025",
            "CWE-547"
          ],
          [
            "A03:2025",
            "CWE-1035"
          ],
          [
            "A03:2025",
            "CWE-447"
          ]
        ],
        "addition": [
          [
            "A01:2025",
            "CWE-1299"
          ],
          [
            "A01:2025",
            "CWE-37"
          ],
          [
            "A01:2025",
            "CWE-38"
          ],
          [
            "A01:2025",
            "CWE-39"
          ],
          [
            "A01:2025",
            "CWE-40"
          ],
          [
            "A01:2025",
            "CWE-57"
          ],
          [
            "A01:2025",
            "CWE-647"
          ],
          [
            "A02:2025",
            "CWE-1125"
          ]
        ]
      }
    },
    "ppt": null
  },
  "diff": {
    "authoritative_pairs": 249,
    "agreement": 220,
    "conflict": 29,
    "addition": 38,
    "examples": {
      "conflict": [
        [
          "A01:2025",
          "CWE-377"
        ],
        [
          "A01:2025",
          "CWE-540"
        ],
        [
          "A01:2025",
          "CWE-615"
        ],
        [
          "A02:2025",
          "CWE-16"
        ],
        [
          "A02:2025",
          "CWE-315"
        ],
        [
          "A02:2025",
          "CWE-547"
        ],
        [
          "A03:2025",
          "CWE-1035"
        ],
        [
          "A03:2025",
          "CWE-447"
        ]
      ],
      "addition": [
        [
          "A01:2025",
          "CWE-1299"
        ],
        [
          "A01:2025",
          "CWE-37"
        ],
        [
          "A01:2025",
          "CWE-38"
        ],
        [
          "A01:2025",
          "CWE-39"
        ],
        [
          "A01:2025",
          "CWE-40"
        ],
        [
          "A01:2025",
          "CWE-57"
        ],
        [
          "A01:2025",
          "CWE-647"
        ],
        [
          "A02:2025",
          "CWE-1125"
        ]
      ]
    }
  },
  "edges": [
    {
      "source_framework": "CWE",
      "source_id": "CWE-1004",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A02 broadly encompasses cookie-attribute hardening as one misconfiguration vector while CWE-1004 is only one narrow instance of that class."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1021",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 Insecure Design is the broad category; CWE-1021 (improper restriction of rendered UI layers or frames, i.e. clickjacking) is one specific design-level UI-layer flaw squarely inside it, so the CWE covers only a slice of A06 while A06 encompasses the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1022",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow implementation-level flaw that only tangentially fits inside the broad design-flaw bucket of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-105",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection broadly addresses untrusted input crossing interpreter boundaries, which missing Struts validators (B) can enable, but B is a narrow framework-specific validation omission outside the injection category itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1069",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of exception mishandling squarely inside A's broad category, while A covers many other failure modes B does not address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-11",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of ASP.NET debug misconfiguration squarely inside the broad Security Misconfiguration category A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1104",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A03:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow slice (unmaintained deps) squarely inside A's broad supply-chain category of vulnerable/outdated/compromised dependencies."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-112",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow input-validation issue that can contribute to some XML-based injection vectors but lies outside A's core interpreter-neutralization scope; B therefore covers none of the broad A category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1125",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly lists exposed attack surface from misconfiguration/hardening gaps, so largely encompasses B, while B only addresses one narrow slice of the broader misconfiguration category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1125",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is the broad design-flaw bucket that squarely contains excessive attack surface as one concrete instance; the reverse is only a narrow slice."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-113",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-113 (CRLF injection into HTTP headers, i.e. request/response splitting) follows the same improper-neutralization pattern as A05 Injection, but was judged outside the interpreter-boundary examples A05 enumerates, hence extent 'none'. Caveat: CWE's own hierarchy places CWE-113 under CWE-74 Injection (via CWE-93), so this row is a candidate for re-review as 'partial'."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-114",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B describes OS-command/process execution from untrusted input, a direct subset of the injection weaknesses enumerated by A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-115",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-115 (Misinterpretation of Input) is a general root-cause weakness: injection (A05) is one specific class of input misinterpretation at interpreter boundaries, so A05 addresses only a slice of CWE-115 while CWE-115 spans most of the root cause behind A05. Extent 'mostly' therefore reflects the CWE being broader than the category here, the opposite direction from most rows in this mapping."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-116",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection is the broad weakness class whose primary root cause is missing neutralization; CWE-116 names one core neutralization technique (escaping), so A encompasses most of B while B only addresses a slice of A's many injection vectors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-117",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection addresses untrusted input into command/query interpreters (SQL/OS/LDAP/XSS/etc.); CWE-117 is a narrow output-neutralization case for logs that is only tangentially related to the listed injection types."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-117",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A09:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad logging-failures category whose integrity clause squarely contains the specific log-injection weakness B, while B addresses only one narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1174",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of framework-level misconfiguration squarely inside the broad A02 category, so A fully encompasses B while B addresses only a tiny slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1190",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-1190 (DMA device enabled too early in the boot phase) is, in the abstract, a security-configuration ordering failure, but it is a hardware boot-time weakness with no counterpart in the web-application scope of A02 Security Misconfiguration; A02 therefore does not meaningfully encompass it, and CWE-1190 covers none of A02."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-12",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A02 is the broad misconfiguration bucket that directly contains this exact ASP.NET error-page weakness; the single CWE is only one narrow instance inside it."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1204",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific misuse of cryptography and therefore fully contained inside the broad Cryptographic Failures category, while B only addresses a narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1240",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad OWASP crypto-failures bucket; B is one specific risky-implementation weakness squarely inside it."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1241",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad category of crypto failures; CWE-1241 is one narrow instance of weak RNG that falls inside it."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1258",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 broadly addresses crypto-related data exposure; CWE-1258 is one narrow hardware-debug instance of such exposure, so A partially encompasses B while B covers only a negligible slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1264",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses error-handling and logic flaws that produce fail-open or inconsistent states; B is one narrow hardware de-sync instance of such a flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1271",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B describes one narrow hardware instance of weak/unset security defaults that is directly subsumed by A's broad weak-defaults misconfiguration bucket."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1275",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly lists CSRF (of which improper SameSite cookies are a direct cause) while B is only one narrow cookie-specific slice of that category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1299",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow hardware-specific bypass of access-control protections and therefore falls inside the broad A01 definition, while A spans many unrelated authz failure modes that B does not address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-13",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete instance of the broad misconfiguration class described by A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-130",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow parsing inconsistency that can be viewed as an instance of mishandling an exceptional condition, but A is a broad error/exception-handling bucket that only incidentally touches this CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1327",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete instance of the broad server-setting misconfigurations described by A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1329",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A03:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad supply-chain category that explicitly includes outdated components; B is one narrow root cause inside that slice but ignores A's other elements such as signing, build pipelines, and compromised dependencies."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1336",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 explicitly lists template injection as one of its included weakness classes, fully encompassing CWE-1336, while the CWE addresses only that single slice of the broader Injection category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A03:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A03 broadly addresses supply-chain component issues (including trustworthiness) plus pipelines/signing; CWE-1357 is one specific slice of that space."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1390",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-1390 (Weak Authentication) is the Class-level weakness that names A07's central theme, but A07 Authentication Failures also enumerates further concrete failure modes beyond that abstract class, so the CWE still covers only one slice of the category while A07 encompasses the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1391",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 is the broad authentication-failures bucket that squarely contains weak-credential misuse as one failure mode, while CWE-1391 is only that single narrow slice."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1392",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Default credentials is one specific root cause squarely inside the broad Authentication Failures category, so A fully addresses B while B only touches one narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1393",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Default-password use is one concrete root cause squarely inside the broad Authentication Failures category, while the CWE addresses only that single slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1395",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A03:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow slice (vulnerable deps) inside the broader supply-chain scope of A, so A fully encompasses B while B only partially addresses A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1429",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A09:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad logging/alerting-failure category that squarely contains the missing security-relevant feedback weakness described by B, while B is only one narrow hardware-specific slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1431",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow hardware-specific instance of sensitive crypto-state exposure squarely inside the broad A04 category, so A encompasses most of B while B addresses only a tiny slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-146",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection is the broad category whose core is improper neutralization of untrusted input at interpreter boundaries; CWE-146 is one narrow slice of that category focused solely on expression/command delimiters."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A02 is the broad misconfiguration bucket that squarely contains CWE-15 as one specific externally-controlled-settings slice."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-159",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection addresses only the interpreter-boundary subset of special-element mishandling, while CWE-159 (improper handling of invalid use of special elements) is a broader root-cause weakness of which injection is just one consequence; neither fully encompasses the other, hence 'partial'."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-183",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific design-level flaw in a protection mechanism and therefore falls inside the broad A06 Insecure Design bucket, while the narrow CWE only touches a tiny slice of that bucket."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the neutralization slice of input-validation failures that reach interpreters, while B is a broad root-cause class that enables many non-injection issues and does not mandate interpreter-specific controls."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 directly addresses authorization failures that enable unauthorized information exposure (core of CWE-200), but also covers unrelated issues such as CSRF and state-changing actions; CWE-200 is only one possible outcome of broken access control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-201",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 Broken Access Control addresses authorization failures that let an actor reach data or functions they are not entitled to; CWE-201 (sensitive information inserted into sent data) is a transmission-time disclosure that occurs without any access-control decision being bypassed, so the CWE covers none of A01 and A01 only incidentally touches it."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-209",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific leakage vector squarely inside A's broad 'error paths leak information' scope, while A also covers fail-open/inconsistent-state issues outside B."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-215",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow form of info leakage via debug code that fits inside A's broader error/exception leakage bucket, while B addresses none of A's other elements such as fail-open or inconsistent states."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-219",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow, specific instance of missing access control on sensitive resources and therefore sits squarely inside the broad Broken Access Control category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-22",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 explicitly lists path traversal as one included weakness, so the broad category fully encompasses CWE-22 while the narrow CWE only addresses one slice of A01."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-221",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A09:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A directly addresses the core recording omission in B plus adds alerting and integrity, while B only covers the logging slice of A's broader failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-222",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A09:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad logging-failures category that squarely contains truncation of security data as one failure mode, while B addresses only that single narrow slice."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-223",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A09:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A09 is the broad logging/alerting category whose core failure mode is exactly the omission CWE-223 describes, while B covers only the logging-omission slice of A's wider scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-224",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A09:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad logging-failures category that squarely contains the narrow alternate-name logging flaw described by B."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-23",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 explicitly lists path traversal as in-scope, so it fully encompasses the specific Relative Path Traversal weakness; the narrow CWE only addresses one slice of the broad Broken Access Control category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-234",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of mishandling an exceptional condition (missing function argument) that falls inside A's broad error/exception-handling scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-248",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Uncaught exceptions are a direct instance of mishandling exceptional conditions, while A also covers leaks, fail-open states, and other error-handling flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-252",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete cause (unchecked returns) squarely inside A's broad exception-handling bucket, while A also covers leaks, fail-open auth, and other paths B does not address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-256",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Plaintext password storage (CWE-256) can be framed as a design decision, but it is primarily a data-protection weakness that sits more naturally under A04 Cryptographic Failures than under A06 Insecure Design; A06 only incidentally touches it, and the single CWE covers none of the broad design-flaw category, hence extent 'none'. No CWE-256 to A04 edge is present in this mapping, which is worth re-checking."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-258",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 broadly encompasses authentication bypass via absent/weak credentials, of which an empty config-file password is one concrete instance; the narrow CWE covers none of the category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-259",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-259 is one narrow root cause squarely inside the broad A07 authentication-failures bucket, so A addresses most of B while B addresses only a slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-260",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete case squarely inside the broad Security Misconfiguration category, so A fully addresses B while B only touches one slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-261",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad cryptographic-failures category that squarely contains the narrow password-encoding weakness, while CWE-261 addresses only one slice of A04."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-261",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 broadly addresses authentication failures including credential handling, so it touches weak password encoding only as one narrow slice; CWE-261 is a single implementation flaw and cannot encompass the category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-266",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-266 (Incorrect Privilege Assignment) is one design-level authorization flaw inside the broad A06 Insecure Design bucket, so A06 encompasses it while the single CWE covers only a narrow slice of A06. Caveat: when the wrong assignment is made at implementation or configuration time, the weakness reads as A01 Broken Access Control rather than as a design flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-269",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 broadly addresses design-level control gaps, of which flawed privilege management is only one possible instance (and often manifests as implementation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-274",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad exception-handling bucket only tangentially touches the narrow privilege-check failure described by B."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-276",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 broadly addresses authorization bypasses but only tangentially includes default permission misconfigurations (more aligned with Security Misconfiguration); CWE-276 is a narrow installation-time config flaw that does not address any of A01's core weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-280",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses mishandling of any exceptional conditions leading to invalid states, directly encompassing B's specific privilege-error case while B only illustrates one narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-281",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 is the broad authorization-failure category that directly contains the specific permission-preservation flaw described by CWE-281, while the CWE addresses only one narrow slice of A01."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-282",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific authorization failure (ownership) squarely inside the broad Broken Access Control category, so A encompasses most of B while B addresses only a narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-283",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific authorization failure (unverified resource ownership) squarely inside the broad Broken Access Control category that also lists IDOR and missing function-level checks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 is the OWASP category whose scope is exactly the weakness CWE-284 defines, while CWE-284 is a pillar-level parent node whose own description does not enumerate the concrete issues (IDOR, path traversal, CSRF, etc.) that A01 also covers; those concrete variants are carried by CWE-284's child entries, not by the pillar itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad Broken Access Control category whose core definition is exactly CWE-285, while B is only one specific slice of the many weaknesses A enumerates."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-286",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 addresses any design-level flaw; CWE-286 is one possible user-management weakness that may or may not be architectural."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 is the broad OWASP category whose core weakness is exactly CWE-287; the CWE is only one slice of the multi-aspect category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-288",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific bypass technique squarely inside A's broad authentication-failure category, so A fully contains B while B addresses only a narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-289",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 is a broad bucket that fully contains the specific bypass technique described by CWE-289, while CWE-289 addresses only one narrow slice of the many failure modes listed in A07."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 explicitly includes bypass of identity verification; CWE-290 is one concrete spoofing realization of that bypass and therefore fully contained, while the narrow CWE only addresses one slice of A07's many failure modes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-291",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete instance of flawed identity verification squarely inside A's broad authentication-failure scope, while B addresses only a narrow slice of A's many failure modes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-293",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow flawed-auth mechanism squarely inside A's broad identity-verification-failure bucket, so A encompasses most of B while B only touches a single slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific bypass technique squarely inside A's broad 'authentication bypassed' bucket, while B addresses only a narrow slice of A's many failure modes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-295",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-295 is one narrow mechanism (failing to validate a peer certificate) that can enable identity-verification bypass, but it lies outside A07's listed scope; this mapping groups certificate-validation weaknesses with the transport-cryptography failures under A04 (cf. the CWE-296 row) rather than with application-level credential and session handling."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-296",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad OWASP category that squarely contains improper certificate-chain validation as one of its classic transport-cryptography failures, while the single CWE is only one narrow slice of that category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-300",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A touches the shared concept of identity verification but targets application-level auth flaws; B is a narrow channel-integrity weakness outside A's primary scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-302",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific bypass technique squarely inside the broad Authentication Failures category, so A fully encompasses B while B addresses only a narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-303",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow implementation flaw squarely inside the broad A07 authentication-failures bucket, so A covers B mostly while B covers only a slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-304",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow authentication failure mode squarely inside the broad A07 category, while A enumerates many unrelated failure modes (brute-force, credential stuffing, session hijacking, etc.)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-305",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 broadly encompasses authentication bypass scenarios including the primary-weakness case in CWE-305, while CWE-305 addresses only one narrow slice of the many failure modes listed in A07."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-306",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 is the broad bucket containing missing auth for critical functions as one core failure mode, while CWE-306 is only that single narrow slice."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-307",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 explicitly lists brute-force as a core failure mode, fully encompassing CWE-307's narrow scope while B addresses only one slice of A's many authentication issues."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-308 (single-factor authentication) is a specific instance of weak identity verification squarely inside the broad A07 category, while the CWE addresses only one narrow slice of A07's many failure modes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 is the broad authentication-failures bucket that squarely contains the password-primary-auth weakness described by CWE-309, while CWE-309 addresses only one narrow slice of A07."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete omission (missing encryption of sensitive data) that may originate in a design-level decision and so sits near the broad A06 category of missing/flawed architectural controls. Caveat: the recorded extent is 'none', which does not match this rationale; this file maps the sibling missing-encryption weakness CWE-319 to Cryptographic Failures (A04), so re-verify whether this row should be 'partial' or dropped."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-312",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-312 (cleartext storage of sensitive information) is one concrete flaw that can originate in design but is more often an implementation or cryptography issue. Caveat: the recorded extent is 'none' while the original rationale placed it 'squarely inside' A06; the two disagree, so re-verify the extent (sibling cleartext weaknesses such as CWE-319 are mapped to A04 in this file)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-313",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 addresses broad design-level control gaps; CWE-313 is one possible symptom that may arise from missing encryption design but is equally an implementation failure."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-319",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific instance of absent cryptography in transit and is therefore fully contained inside the broader A04 category while covering only a narrow slice of it."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-321",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Hard-coded keys are a canonical instance of cryptographic misuse squarely inside the A04 category, while A04 spans many other failure modes beyond this single CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-322",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad cryptographic-failures bucket that squarely contains this specific key-exchange misuse, while the single CWE only addresses one narrow slice of A04."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-322",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of missing entity authentication inside the broad A07 category, so A addresses most of B while B only touches a slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-323",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad cryptographic-failures bucket that fully contains the specific nonce-reuse misuse described by CWE-323, while the CWE addresses only one narrow slice of A04."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-324",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad category of crypto misuse/failures; B is one narrow misuse (expired key) squarely inside it."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-325",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow implementation flaw squarely inside the broad cryptographic-failures category, while A spans many unrelated weaknesses (absent encryption, weak algorithms, key management, etc.)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-326",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 explicitly lists weak cryptography as a root cause, fully containing the narrower inadequate-strength case while B addresses only one slice of A's absent/weak/misused scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-327",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad OWASP category whose scope explicitly contains the single weakness described by CWE-327."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-328",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A02 can include weak cryptographic settings (e.g. a misconfigured TLS or password-hashing parameter), but choosing a broken or risky hash algorithm in code is an implementation flaw that belongs under Cryptographic Failures (A04), not the hardening/misconfiguration category; the overlap with A02 is therefore incidental."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-328",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-328 is a narrow instance of weak/misused cryptography squarely inside the broad A04 category, while A04 spans many unrelated crypto failures beyond hashing."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-329",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow misuse of cryptography squarely inside the broad A04 category, so A encompasses B while B only addresses a single slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-330",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad cryptographic-failures category that directly contains insufficient randomness as one of its canonical weaknesses, while CWE-330 is only one narrow slice of that category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-331",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad cryptographic-failures category that squarely contains insufficient-entropy weaknesses, while CWE-331 is only one narrow slice of that category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-332",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-332 (insufficient entropy in a PRNG) is one specific cryptographic weakness squarely inside the broad A04 category of crypto failures, while the CWE addresses only a narrow slice of that category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-334",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-334 is a specific instance of weak/misused cryptography squarely inside the A04 category, while the broad OWASP bucket contains many unrelated crypto failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-335",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B describes one narrow misuse of cryptography that is fully contained inside the broad Cryptographic Failures category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-336",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-336 is a specific misuse of cryptography squarely inside the broad A04 category of cryptographic failures, but represents only one narrow slice of that category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-337",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific misuse of cryptography squarely inside the broad A04 category, while B addresses only a narrow slice of A's many failure modes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-338",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad OWASP bucket that directly contains the specific weak-PRNG misuse described by CWE-338."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-340",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 addresses only the cryptographic-randomness subset of predictable values, whereas CWE-340 (Generation of Predictable Numbers or Identifiers) is a broader class that also covers predictable IDs and sequence numbers with no cryptographic role; neither side contains the other, so the overlap is incidental."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-342",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow RNG-predictability flaw (an exact value predictable from previous outputs) that overlaps the broad cryptographic-failures category only when the RNG is used for a security purpose, and B cannot encompass the rest of A. Caveat: the recorded extent is 'none' while sibling PRNG weaknesses (CWE-337, CWE-338) are mapped 'partial' to A04 in this file; re-verify for consistency."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A08 is the broad integrity-failure category whose core description directly encompasses insufficient data-authenticity verification, while CWE-345 addresses only that single narrow slice."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 broadly addresses identity-verification bypasses; CWE-346 is one narrow origin-check flaw that can contribute to such a bypass but is not a core authentication mechanism."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-347",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 addresses broad crypto misuse leading to data exposure; CWE-347 is one narrow integrity/authenticity flaw that only tangentially overlaps that scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-352",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly enumerates CSRF as one of its included weaknesses, while B is only one narrow slice of the broader Broken Access Control category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-353",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad integrity-failure category whose description directly contains B's specific transmission-integrity weakness, while B is only one narrow slice of A's many failure modes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-354",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A03:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A03 broadly addresses supply-chain integrity via signing infrastructure but only tangentially touches the narrow checksum-validation flaw in CWE-354."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-356",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a single concrete instance of a missing design-level control and therefore sits squarely inside the A06 category, while the broad category only partially addresses the narrow UI-warning weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-359",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses authorization failures that enable any unauthorized access (including to PII), while B is a narrow slice focused solely on personal data exposure."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-36",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly lists path traversal as an included weakness and therefore fully contains the specific absolute-path case described by B, while B addresses only one narrow slice of the broad Broken Access Control category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-362",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Race conditions can arise from flawed concurrency design but are primarily an implementation-level synchronization error, so A06 only partially encompasses CWE-362 while the narrow CWE covers none of the broad design category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-369",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Divide-by-zero is one concrete arithmetic exception squarely inside the broad exceptional-conditions mishandling category, while the CWE addresses only a narrow slice of that category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-37",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 explicitly lists path traversal as an included weakness, so it fully encompasses this specific CWE-37 instance, while the narrow CWE only addresses one slice of the broad Broken Access Control category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-379",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow file-permission instance squarely inside the broad authorization-failure bucket defined by A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-38",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly lists path traversal as an included weakness, fully encompassing the narrow B instance, while B addresses only one tiny slice of the broad A category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-384",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 is the broad OWASP bucket whose session-management mistakes explicitly include session fixation; the single CWE is only one narrow slice of that bucket."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-39",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 explicitly lists path traversal as an included weakness, so the broad category fully encompasses this narrow CWE variant while the CWE addresses only one tiny slice of A01."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-390",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of error mishandling squarely inside A's broad exceptional-conditions bucket, while A spans many additional failure modes B does not address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-391",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad mishandling-of-exceptions bucket that directly contains the narrow 'ignore errors' slice described by B."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-394",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow slice (a return value that is legitimate for the callee but unexpected by the caller goes unchecked) inside A's broad error/exception-handling bucket, so A encompasses most of B while B only touches one facet of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-396",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow coding practice squarely inside A's broad exception-handling category, while A spans many unrelated failure modes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-397",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A10 is the broad exception-mishandling category that directly contains the generic-exception declaration weakness described by CWE-397."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-40",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly lists path traversal as an included weakness, fully encompassing this narrow UNC-specific variant, while B addresses only one tiny slice of the broad Broken Access Control category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-402",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific access-control failure (leaking private resources) squarely inside A's broad authorization-bypass scope, while A contains many unrelated weaknesses B does not address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-419",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is the broad design-flaw category that squarely contains the specific unprotected-channel weakness, while the narrow CWE only illustrates one slice of that category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-424",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B describes one narrow slice (alternate-path bypasses) squarely inside A's broad broken-access-control bucket, so A encompasses most of B while B only partially addresses A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-425",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 is the broad Broken Access Control category that fully contains the specific forced-browsing weakness described by CWE-425, while the CWE addresses only one narrow slice of A01."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-426",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A08 is the broad integrity-failure category that squarely contains the specific untrusted-search-path weakness, while CWE-426 is only one narrow slice of that category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-427",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow path-element weakness that can produce integrity failures but lies outside A's listed scope (deserialization, updates, CI/CD); A therefore only partially addresses it while B covers none of the broad category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-434",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is the broad design-flaw category that squarely contains the missing control exemplified by CWE-434; the single CWE addresses only one narrow slice of all possible design weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-436",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is a broad design-flaw category that can subsume interpretation conflicts as one possible architectural omission, while CWE-436 is a narrow interoperability issue that does not address the rest of A06."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-441",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow proxy-specific failure mode that falls under A's broad authorization-bypass umbrella, but A lists only unrelated examples and B does not address any other access-control weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-444",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 broadly captures design-level control gaps that could contribute to smuggling risks, but CWE-444 is a narrow parsing inconsistency that is often an implementation detail rather than a baked-in architectural flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-451",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is the broad design-flaw bucket that squarely contains this specific UI-representation weakness; the narrow CWE addresses only one slice of design issues."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-454",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-454 is a design-level trust/initialization flaw squarely inside the A06 bucket, but represents only one narrow slice of the broad Insecure Design category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-460",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of the inconsistent-state exception mishandling that A broadly encompasses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-470",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Unsafe reflection is a specific injection subclass squarely inside A05's scope, while B addresses only one narrow slice of the broad injection category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-472",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a specific design-assumption flaw squarely inside the broad Insecure Design category, so A encompasses B while B addresses only a narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-476",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-476 is one narrow coding defect under the broad umbrella of exception/condition mishandling, but matches none of A's stated outcomes (info leak, fail-open, inconsistent state)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-478",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of unhandled control flow that can produce inconsistent state; A broadly addresses error/exception paths and logic-flaw handling but does not specifically target switch/case coverage."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-489",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Active debug code is one concrete instance of incomplete hardening within the broad Security Misconfiguration category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-494",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific integrity-failure scenario (unsigned code download) squarely inside the broad A08 category that also covers deserialization, CI/CD, etc."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-497",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a specific instance of unauthorized information exposure caused by failed authorization, squarely inside the broad Broken Access Control category, so A encompasses B while B addresses none of A's other weakness types."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-5",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad Security Misconfiguration category that fully contains the narrow J2EE-specific encryption-transit weakness described by B."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-501",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-501 is a canonical design-level trust-boundary flaw squarely inside the broad Insecure Design bucket, so A encompasses B while B only illustrates one narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-502",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly lists insecure deserialization as a core weakness it addresses, fully encompassing B, while B addresses only one narrow slice of the broader integrity failures in A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-506",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's CI/CD and update-integrity scope touches one vector that can introduce embedded malicious code, while B is a narrow symptom that does not address A's broader verification failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 explicitly lists brute-force and credential-stuffing failures whose root cause is weak passwords, so the broad category fully contains CWE-521 while the single CWE is only one slice of A07."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is the broad design-flaw category that squarely contains credential-protection failures such as CWE-522, while the single CWE addresses only one narrow slice of all possible design weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-523",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow instance of unprotected sensitive data in transit squarely inside the broad A04 cryptographic-failures category, so A encompasses B while B addresses only one slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-525",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-525 is a narrow implementation-level caching flaw only tangentially related to the broad design-phase category A06."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-526",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A02 is the broad misconfiguration category that squarely contains improper secret storage in env vars as one hardening failure, while the narrow CWE only illustrates one slice of A02."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-532",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A09:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A09 is the broad OWASP logging-failures category that squarely contains the specific CWE-532 weakness, while the single CWE only addresses one narrow slice of A09."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-535",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad bucket of error-handling weaknesses that explicitly includes information leakage; B is one narrow, squarely-contained instance of shell-error disclosure."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-537",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad bucket whose 'error paths leak information' clause directly contains the exact weakness described by B; B is only one narrow Java-specific slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-538",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-538 is one narrow file-exposure instance squarely inside the broad Broken Access Control category, so A encompasses B but B covers none of A's other weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-539",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a single concrete design flaw squarely inside the broad A06 insecure-design bucket, so A fully encompasses it while B only covers one narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-544",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad bucket that explicitly includes inconsistent error states; B names only the single narrow root cause of missing standardization."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-548",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow instance of unauthorized information exposure squarely caused by missing access-control enforcement, so A encompasses it while B only addresses one slice of A's many failure modes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-550",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a specific case of information leakage via error paths that A explicitly encompasses, while A also covers unrelated failure modes such as fail-open and inconsistent states."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-552",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific manifestation of the broad authorization failures described by A, so A encompasses B while B addresses only a narrow slice of A's many access-control weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-564",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 explicitly scopes over all SQL injection (including framework-specific variants like Hibernate), while CWE-564 is only one narrow instance inside that bucket."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-565",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow instance of trusting unvalidated data (cookies) without integrity checks, squarely inside A's general integrity-failure category, so A encompasses B while B covers only one slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-566",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a specific IDOR-style instance of authorization bypass that sits squarely inside the broad Broken Access Control category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-57",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly lists path traversal (of which CWE-57 is a narrow variant) as a core failure mode, while B addresses only one specific pathname-equivalence slice of the broad Broken Access Control category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-59",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad Broken Access Control category that squarely contains link-following as one concrete authorization bypass (similar to the path-traversal cases it explicitly lists); B is a single narrow CWE and therefore covers almost none of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-598",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-598 is a specific design-level flaw in request handling that falls squarely inside the broad Insecure Design category, while one CWE covers only a narrow slice of the category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-601",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Open redirect is a narrow input-handling flaw that can sometimes enable access-control bypass but is not among the weaknesses described by A01 and does not address any of A01's core authorization failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a canonical instance of a design-level flaw where architecture trusts client enforcement, so the broad Insecure Design category fully contains it while the narrow CWE only addresses one slice of the category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-603",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete bypass technique squarely inside A's broad authentication-failure category, while A contains many unrelated weaknesses (brute-force, session management, credential stuffing, etc.)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-61",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Symlink following is a specific file-system instance of unauthorized access squarely inside the broad Broken Access Control category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-611",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A02 is the broad misconfiguration bucket that directly includes XXE via parser hardening; the single CWE is only one narrow instance inside that bucket."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-613",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific session-management failure squarely inside A's listed authentication weaknesses, while A spans many unrelated auth issues."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-614",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific instance of cookie-related misconfiguration squarely inside the broad A02 category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-620",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a single, canonical instance of the weak password-reset flows explicitly listed in A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-636",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly names fail-open behavior as one of its core cases, fully encompassing B, while B addresses only that single slice of A's broader exception-handling weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-639",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a specific IDOR-style instance squarely inside the broad Broken Access Control category that explicitly lists IDOR."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-640",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly lists weak password reset flows as one of its core failure modes, fully encompassing the narrow password-recovery weakness in B, while B addresses only one slice of A's broad authentication failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-642",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is the broad design-flaw bucket that squarely contains the specific state-exposure weakness described by CWE-642, while one CWE only illustrates a narrow slice of all possible design flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-643",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 defines the broad injection class that exactly matches CWE-643's XPath weakness, while the CWE is only one narrow instance of that class."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-644",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow, specific neutralization flaw (HTTP-header scripting syntax) squarely inside the broad injection bucket defined by A, but B addresses none of A's other injection classes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-646",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B describes a single design-level validation flaw that sits squarely inside the broad Insecure Design category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-647",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific URL-canonicalization bypass squarely inside the broad Broken Access Control bucket, so A fully encompasses B while B only addresses one narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-65",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 is the broad access-control bucket; CWE-65 is one narrow file-link instance that falls inside it."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-652",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad injection category whose definition directly encompasses XQuery Injection as one interpreter case; the narrow CWE-652 addresses only a single slice of that category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-653",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a canonical design-level isolation flaw squarely inside the broad A06 insecure-design bucket, so A fully encompasses B while B only addresses one narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-656",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a classic design-level flaw squarely inside the broad Insecure Design category, while the narrow CWE only represents one slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-657",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is the broad design-level weakness category whose definition directly and completely contains the single CWE that describes violation of those same principles."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-668",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad authorization-failure category whose core symptom is exactly the wrong-sphere exposure defined by B; B is only one framing among A's many listed weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-671",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A02 is the broad misconfiguration bucket; CWE-671 is one specific design-rooted slice inside it (no administrator tailoring), so A mostly covers B while B covers only a narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses the design-time omission of protection mechanisms but excludes B's implementation errors, while B is only one narrow failure mode among A's many design weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-703",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad 2025 category whose core weakness is exactly CWE-703, while the CWE is only one slice of the category's described scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-73",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is a broad design-level category; CWE-73 is a narrow input-handling flaw that can result from poor design but is primarily an implementation weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete permission-assignment failure squarely inside the broad Broken Access Control category, while A also covers many unrelated issues such as IDOR, path traversal and CSRF."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad OWASP injection bucket whose scope exactly matches the general weakness CWE-74 defines, while the single CWE is only one slice of that bucket."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-749",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow instance of missing function-level access control that is explicitly listed inside A's broad Broken Access Control bucket."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-754",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad mishandling category whose scope directly contains the specific improper-check weakness defined by B."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-755",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A defines the OWASP category whose core weakness is exactly CWE-755, adding only impact examples; B is the single general CWE and therefore only a slice of the broader category A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-756",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad exception-handling bucket whose info-leak sub-area squarely contains B's narrow missing-custom-error-page weakness, while B addresses only one narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-757",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad OWASP bucket that directly contains the specific negotiation weakness described by CWE-757."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-759",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a specific misuse of cryptography squarely inside the broad A04 Cryptographic Failures category, so A fully encompasses B while B addresses only one narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-76",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad injection category whose root cause is missing/improper neutralization; CWE-76 is one narrow slice of that (failure on equivalent elements)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-760",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific misuse squarely inside the broad A04 cryptographic-failures bucket, so A addresses nearly all of B while B addresses only a narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-77",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection is the broad category that directly contains command injection as one of its listed sub-types (OS command)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-776",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A02 explicitly encompasses XML parser configuration/hardening weaknesses such as unbounded DTD entity expansion; the narrow CWE addresses only one slice of the broad misconfiguration category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-778",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A09:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad OWASP category whose logging-failure slice directly contains B, while B addresses only one of A's three distinct weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-78",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 explicitly enumerates OS command injection among its interpreter-boundary cases, fully encompassing CWE-78, while CWE-78 addresses only one narrow slice of the broader Injection category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-780",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad cryptographic-failures category that fully contains the specific RSA-without-OAEP misuse described by CWE-780, while the CWE addresses only one narrow slice of A04."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-784",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow, specific instance of unvalidated data (cookie) used in a security decision and therefore sits squarely inside A's broad integrity-failure category, while the converse is not true."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-79",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 explicitly lists XSS as one of its injection subtypes, so it fully contains CWE-79; in the reverse direction, CWE-79 is only a single slice of the broader Injection category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-798",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Use of hard-coded credentials is one specific root cause squarely inside the broad Authentication Failures category, while the CWE addresses only that single slice of A07."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-799",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-799 is one concrete missing-control example that falls squarely inside the broad Insecure Design bucket, but represents only a narrow slice of it."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-80",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad injection bucket that explicitly lists XSS; CWE-80 is one narrow XSS variant squarely inside it."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-807",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-807 is a canonical design-level flaw squarely inside the Insecure Design bucket, while the CWE is only one narrow slice of the broad OWASP category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-829 is one of the explicit weaknesses enumerated under the A08 integrity-failures category, while A08 also covers several unrelated issues such as deserialization and unsigned updates."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-83",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow, specific XSS subcase squarely inside the broad Injection category that explicitly lists XSS."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-830",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of trusting unverified code from an external source, squarely inside A's broad integrity-failure bucket while covering only a tiny slice of A's scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-836",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow flawed-auth implementation squarely inside the broad A07 category, while B addresses none of A's other failure modes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-841",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a specific design-level workflow flaw squarely inside the broad A06 insecure-design bucket, while B itself only addresses one narrow slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-86",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection broadly addresses untrusted-input neutralization failures across interpreters (including XSS/HTML contexts); CWE-86 is one narrow identifier-specific case that falls inside that bucket but is not a primary exemplar, while the narrow CWE cannot encompass the wide injection category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-862",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad Broken Access Control category that explicitly includes missing authorization checks; B is one narrow CWE inside that category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-863",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 is the broad OWASP bucket whose core is exactly the failure mode CWE-863 describes; the CWE is only one slice of the many weaknesses (IDOR, traversal, CSRF, etc.) under A01."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-88",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad injection category that squarely contains CWE-88 (a narrow form of OS command argument injection); in the reverse direction, CWE-88 covers only a single slice of A05."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-89",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad Injection category that exactly contains SQL Injection (B) as one of its listed weaknesses, while B covers only that single slice of A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-90",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad injection category that explicitly lists LDAP injection as one of its instances, while CWE-90 is only that single narrow slice."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-91",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad Injection category whose definition directly encompasses XML Injection, while B is only one narrow instance inside that category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-915",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete input-handling weakness squarely inside A's insecure-deserialization / untrusted-data-integrity scope, while A also covers unrelated topics such as unsigned updates and CI/CD compromise."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-916",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-916 is one specific instance of weak cryptography for data at rest squarely inside the A04 category."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-917",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad injection category whose definition directly contains EL injection as one of its instances; CWE-917 is only that single narrow slice."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-918",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SSRF is a narrow outbound-request validation flaw that only tangentially overlaps the broad authorization failures described by A01."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-922",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a storage-specific instance of unauthorized access that falls inside the broad Broken Access Control bucket, while B addresses only a narrow slice of A's many access-control failure modes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-93",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CRLF injection is a direct instance of the general untrusted-input neutralization flaw defined by A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-94",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad OWASP injection bucket that squarely contains CWE-94 as one of its listed weakness types (template/code injection)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-940",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 is a broad auth-failure bucket whose described weaknesses (bypass, hijacking, session mistakes) directly subsume the narrow source-verification flaw in CWE-940, while the single CWE only touches one slice of A07."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-942",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete instance of the broad misconfiguration weakness described by A."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-95",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad injection bucket that directly contains eval injection as one of its instances; CWE-95 is only that single narrow slice."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-96",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad injection bucket that squarely contains static code/template injection as one of its listed variants, while CWE-96 addresses only that narrow slice."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-97",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection is the broad category that directly encompasses the specific SSI neutralization flaw described by CWE-97."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-98",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection is the broad category that squarely contains this specific untrusted-input-to-include flaw as one of its instances."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-99",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 centers on interpreter-boundary neutralization; CWE-99 addresses unrestricted resource identifiers that only sometimes involve interpreters, so A addresses only a slice of B while B is unrelated to most of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1275",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly lists CSRF (of which an improper SameSite cookie attribute is a direct cause), while B is only one narrow cookie-specific slice of that category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1299",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow hardware-specific bypass of access-control protections and therefore falls inside the broad A01 definition, while A spans many unrelated authz failure modes that B does not address."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 directly addresses authorization failures that enable unauthorized information exposure (core of CWE-200), but also covers unrelated issues such as CSRF and state-changing actions; CWE-200 is only one possible outcome of broken access control."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-201",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses any failure that lets an actor see data they should not be able to see; B is one narrow transmission-time instance of that failure."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-219",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow, specific instance of missing access control on sensitive resources and therefore sits squarely inside the broad Broken Access Control category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-22",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 explicitly lists path traversal as one included weakness, so the broad category fully encompasses CWE-22 while the narrow CWE only addresses one slice of A01."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-23",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 explicitly lists path traversal as in-scope, so it fully encompasses the specific Relative Path Traversal weakness; the narrow CWE only addresses one slice of the broad Broken Access Control category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-276",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 broadly addresses authorization bypasses but only tangentially includes default permission misconfigurations (more aligned with Security Misconfiguration); CWE-276 is a narrow installation-time config flaw that does not address any of A01's core weaknesses."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-281",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 is the broad authorization-failure category that directly contains the specific permission-preservation flaw described by CWE-281, while the CWE addresses only one narrow slice of A01."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-282",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific authorization failure (ownership) squarely inside the broad Broken Access Control category, so A encompasses most of B while B addresses only a narrow slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-283",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific authorization failure (unverified resource ownership) squarely inside the broad Broken Access Control category that also lists IDOR and missing function-level checks."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 is the OWASP category whose scope is exactly the weakness CWE-284 defines, while CWE-284 is only the parent node and does not enumerate the concrete issues (IDOR, path traversal, CSRF, etc.) that A01 also covers."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad Broken Access Control category whose core definition is exactly CWE-285, while B is only one specific slice of the many weaknesses A enumerates."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-352",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly enumerates CSRF as one of its included weaknesses, while B is only one narrow slice of the broader Broken Access Control category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-359",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses authorization failures that enable any unauthorized access (including to PII), while B is a narrow slice focused solely on personal data exposure."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-36",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly lists path traversal as an included weakness and therefore fully contains the specific absolute-path case described by B, while B addresses only one narrow slice of the broad Broken Access Control category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-37",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 explicitly lists path traversal as an included weakness, so it fully encompasses this specific CWE-37 instance, while the narrow CWE only addresses one slice of the broad Broken Access Control category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-379",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow file-permission instance squarely inside the broad authorization-failure bucket defined by A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-38",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly lists path traversal as an included weakness, fully encompassing the narrow B instance, while B addresses only one tiny slice of the broad A category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-39",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 explicitly lists path traversal as an included weakness, so the broad category fully encompasses this narrow CWE variant while the CWE addresses only one tiny slice of A01."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-40",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly lists path traversal as an included weakness, fully encompassing this narrow UNC-specific variant, while B addresses only one tiny slice of the broad Broken Access Control category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-402",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific access-control failure (leaking private resources) squarely inside A's broad authorization-bypass scope, while A contains many unrelated weaknesses B does not address."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-424",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B describes one narrow slice (alternate-path bypasses) squarely inside A's broad broken-access-control bucket, so A encompasses most of B while B only partially addresses A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-425",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 is the broad Broken Access Control category that fully contains the specific forced-browsing weakness described by CWE-425, while the CWE addresses only one narrow slice of A01."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-441",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow proxy-specific failure mode that falls under A's broad authorization-bypass umbrella, but A lists only unrelated examples and B does not address any other access-control weaknesses."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-497",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a specific instance of unauthorized information exposure caused by failed authorization, squarely inside the broad Broken Access Control category, while B addresses none of A's other weakness types."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-538",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-538 is one narrow file-exposure instance squarely inside the broad Broken Access Control category, so A encompasses B but B covers none of A's other weaknesses."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-548",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow instance of unauthorized information exposure squarely caused by missing access-control enforcement, so A encompasses it while B only addresses one slice of A's many failure modes."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-552",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific manifestation of the broad authorization failures described by A, while B addresses only a narrow slice of A's many access-control weaknesses."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-566",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a specific IDOR-style instance of authorization bypass that sits squarely inside the broad Broken Access Control category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-57",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly lists path traversal (of which CWE-57 is a narrow variant) as a core failure mode, while B addresses only one specific pathname-equivalence slice of the broad Broken Access Control category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-59",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad Broken Access Control category that squarely contains link-following as one concrete authorization bypass (similar to the path-traversal cases it explicitly lists); B is a single narrow CWE and therefore covers almost none of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-601",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Open redirect is a narrow input-handling flaw that can sometimes enable access-control bypass but is not among the weaknesses described by A01 and does not address any of A01's core authorization failures."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-61",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Symlink following is a specific file-system instance of unauthorized access squarely inside the broad Broken Access Control category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-639",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a specific IDOR-style instance squarely inside the broad Broken Access Control category that explicitly lists IDOR."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-647",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific URL-canonicalization bypass squarely inside the broad Broken Access Control bucket, so A fully encompasses B while B only addresses one narrow slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-65",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 is the broad access-control bucket; CWE-65 is one narrow file-link instance that falls inside it."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-668",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad authorization-failure category whose core symptom is exactly the wrong-sphere exposure defined by B; B is only one framing among A's many listed weaknesses."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete permission-assignment failure squarely inside the broad Broken Access Control category, while A also covers many unrelated issues such as IDOR, path traversal and CSRF."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-749",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow instance of missing function-level access control that is explicitly listed inside A's broad Broken Access Control bucket."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-862",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad Broken Access Control category that explicitly includes missing authorization checks; B is one narrow CWE inside that category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-863",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A01 is the broad OWASP bucket whose core is exactly the failure mode CWE-863 describes; the CWE is only one slice of the many weaknesses (IDOR, traversal, CSRF, etc.) under A01."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-918",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SSRF is a narrow outbound-request validation flaw that only tangentially overlaps the broad authorization failures described by A01."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "CWE",
      "target_id": "CWE-922",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a storage-specific instance of unauthorized access that falls inside the broad Broken Access Control bucket, and it addresses only a narrow slice of A's many access-control failure modes."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1004",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A02 broadly encompasses cookie-attribute hardening as one misconfiguration vector while CWE-1004 is only one narrow instance of that class."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-11",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of ASP.NET debug misconfiguration squarely inside the broad Security Misconfiguration category A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1125",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly lists exposed attack surface from misconfiguration/hardening gaps, so A largely encompasses B, while B addresses only one narrow slice of the broader misconfiguration category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1174",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of framework-level misconfiguration squarely inside the broad A02 category, so A fully encompasses B while B addresses only a tiny slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1190",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow boot-time DMA sequencing flaw that is a direct instance of security-configuration failure, so the broad A02 category encompasses it; the reverse does not hold."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-12",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A02 is the broad misconfiguration bucket that directly contains this exact ASP.NET error-page weakness; the single CWE is only one narrow instance inside it."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1271",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B describes one narrow hardware instance of weak/unset security defaults that is directly subsumed by A's broad weak-defaults misconfiguration bucket."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-13",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete instance of the broad misconfiguration class described by A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1327",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete instance of the broad server-setting misconfigurations described by A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A02 is the broad misconfiguration bucket that squarely contains CWE-15 as one specific externally-controlled-settings slice."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-260",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete case squarely inside the broad Security Misconfiguration category, so A fully addresses B while B only touches one slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-328",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A02 misconfiguration can include weak crypto settings, but B is a narrow implementation flaw unrelated to the broad hardening category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-489",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Active debug code is one concrete instance of incomplete hardening within the broad Security Misconfiguration category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-5",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad Security Misconfiguration category that fully contains the narrow J2EE-specific encryption-transit weakness described by B."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-526",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A02 is the broad misconfiguration category that squarely contains improper secret storage in env vars as one hardening failure, while the narrow CWE only illustrates one slice of A02."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-611",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A02 is the broad misconfiguration bucket that directly includes XXE as a parser-hardening failure; the single CWE is only one narrow instance inside that bucket."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-614",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific instance of cookie-related misconfiguration squarely inside the broad A02 category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-671",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A02 is the broad misconfiguration bucket; CWE-671 is one specific design-rooted slice inside it (no admin tailoring), so A mostly covers B while B covers only a narrow slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-776",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A02 explicitly encompasses XML parser configuration/hardening weaknesses such as unbounded DTD entity expansion; the narrow CWE addresses only one slice of the broad misconfiguration category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "CWE",
      "target_id": "CWE-942",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete instance of the broad misconfiguration weakness described by A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A03:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1104",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow slice (unmaintained deps) squarely inside A's broad supply-chain category of vulnerable/outdated/compromised dependencies."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A03:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1329",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad supply-chain category that explicitly includes outdated components; B is one narrow root cause inside that slice but ignores A's other elements such as signing, build pipelines, and compromised dependencies."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A03:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A03 broadly addresses supply-chain component issues (including trustworthiness) plus pipelines/signing; CWE-1357 is one specific slice of that space."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A03:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1395",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow slice (vulnerable deps) inside the broader supply-chain scope of A, so A fully encompasses B while B only partially addresses A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A03:2025",
      "target_framework": "CWE",
      "target_id": "CWE-354",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A03 broadly addresses supply-chain integrity via signing infrastructure but only tangentially touches the narrow checksum-validation flaw in CWE-354."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1204",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific misuse of cryptography and is therefore fully contained inside the broad Cryptographic Failures category, while addressing only a narrow slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1240",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad OWASP crypto-failures bucket; B is one specific risky-implementation weakness squarely inside it."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1241",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad category of crypto failures; CWE-1241 is one narrow instance of weak RNG that falls inside it."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1258",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 broadly addresses crypto-related data exposure; CWE-1258 is one narrow hardware-debug instance of such exposure, so A partially encompasses B while B covers only a negligible slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1431",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow hardware-specific instance of sensitive crypto-state exposure squarely inside the broad A04 category, so A encompasses most of B while B addresses only a tiny slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-261",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad cryptographic-failures category that squarely contains the narrow password-encoding weakness, while CWE-261 addresses only one slice of A04."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-296",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad OWASP category that squarely contains improper certificate-chain validation as one of its classic transport-cryptography failures, while the single CWE is only one narrow slice of that category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-319",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific instance of absent cryptography in transit and is therefore fully contained inside the broader A04 category while covering only a narrow slice of it."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-321",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Hard-coded keys are a canonical instance of cryptographic misuse squarely inside the A04 category, while A04 spans many other failure modes beyond this single CWE."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-322",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad cryptographic-failures bucket that squarely contains this specific key-exchange misuse, while the single CWE only addresses one narrow slice of A04."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-323",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad cryptographic-failures bucket that fully contains the specific nonce-reuse misuse described by CWE-323, while the CWE addresses only one narrow slice of A04."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-324",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad category of crypto misuse/failures; B is one narrow misuse (expired key) squarely inside it."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-325",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow implementation flaw squarely inside the broad cryptographic-failures category, while A spans many unrelated weaknesses (absent encryption, weak algorithms, key management, etc.)."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-326",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 explicitly lists weak cryptography as a root cause and so fully contains the narrower inadequate-strength case, while B addresses only one slice of A's absent/weak/misused scope."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-327",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad OWASP category whose scope explicitly contains the single weakness described by CWE-327."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-328",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-328 is a narrow instance of weak/misused cryptography squarely inside the broad A04 category, while A04 spans many unrelated crypto failures beyond hashing."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-329",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow misuse of cryptography squarely inside the broad A04 category, so A encompasses B while B only addresses a single slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-330",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad cryptographic-failures category that directly contains insufficient randomness as one of its canonical weaknesses, while CWE-330 is only one narrow slice of that category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-331",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad cryptographic-failures category that squarely contains insufficient-entropy weaknesses, while CWE-331 is only one narrow slice of that category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-332",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-332 is a specific cryptographic weakness squarely inside the broad A04 category of crypto failures."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-334",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-334 is a specific instance of weak/misused cryptography squarely inside the A04 category, while the broad OWASP bucket contains many unrelated crypto failures."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-335",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B describes one narrow misuse of cryptography that is fully contained inside the broad Cryptographic Failures category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-336",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-336 is a specific misuse of cryptography squarely inside the broad A04 category of cryptographic failures, but represents only one narrow slice of that category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-337",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific misuse of cryptography squarely inside the broad A04 category, and it addresses only a narrow slice of A's many failure modes."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-338",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad OWASP bucket that directly contains the specific weak-PRNG misuse described by CWE-338."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-340",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 addresses only the crypto-randomness subset of predictable values; CWE-340 is broader than that subset, yet from A04's side it is only one narrow root cause among many crypto failures."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-342",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow RNG predictability flaw squarely inside the broad cryptographic-failures category, and it cannot encompass the rest of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-347",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 addresses broad crypto misuse leading to data exposure; CWE-347 is one narrow integrity/authenticity flaw that only tangentially overlaps that scope."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-523",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow instance of unprotected sensitive data in transit squarely inside the broad A04 cryptographic-failures category, and it addresses only one slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-757",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad OWASP bucket that directly contains the specific negotiation weakness described by CWE-757."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-759",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a specific misuse of cryptography squarely inside the broad A04 Cryptographic Failures category, so A fully encompasses B while B addresses only one narrow slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-760",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific misuse squarely inside the broad A04 cryptographic-failures bucket, so A addresses nearly all of B while B addresses only a narrow slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-780",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A04 is the broad cryptographic-failures category that fully contains the specific RSA-without-OAEP misuse described by CWE-780, while the CWE addresses only one narrow slice of A04."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "CWE",
      "target_id": "CWE-916",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-916 is one specific instance of weak cryptography for data at rest squarely inside the A04 category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-105",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection broadly addresses untrusted input crossing interpreter boundaries, which missing Struts validators (B) can enable, but B is a narrow framework-specific validation omission outside the injection category itself."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-112",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow input-validation issue that can contribute to some XML-based injection vectors but lies outside A's core interpreter-neutralization scope; B therefore covers none of the broad A category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-113",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow CRLF neutralization flaw that matches the broad injection pattern in A but is outside the listed examples and not squarely encompassed."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-114",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B describes OS-command/process execution from untrusted input, a direct subset of the injection weaknesses enumerated by A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-115",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Injection (A) is one specific class of input misinterpretation at interpreter boundaries, so A addresses only a slice of B while B broadly encompasses the root cause of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-116",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection is the broad weakness class whose primary root cause is missing neutralization; CWE-116 names one core neutralization technique (escaping), so A encompasses most of B while B only addresses a slice of A's many injection vectors."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-117",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection addresses untrusted input into command/query interpreters (SQL/OS/LDAP/XSS/etc.); CWE-117 is a narrow output-neutralization case for logs that is only tangentially related to the listed injection types."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1336",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 explicitly lists template injection as one of its included weakness classes, fully encompassing CWE-1336, while the CWE addresses only that single slice of the broader Injection category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-146",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection is the broad category whose core is improper neutralization of untrusted input at interpreter boundaries; CWE-146 is one narrow slice of that category focused solely on expression/command delimiters."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-159",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the interpreter-boundary subset of special-element mishandling while B is a broader root-cause weakness that explains only some injection cases."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the neutralization slice of input-validation failures that reach interpreters, while B is a broad root-cause class that enables many non-injection issues and does not mandate interpreter-specific controls."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-470",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Unsafe reflection is a specific injection subclass squarely inside A05's scope, while B addresses only one narrow slice of the broad injection category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-564",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 explicitly scopes over all SQL injection (including framework-specific variants like Hibernate), while CWE-564 is only one narrow instance inside that bucket."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-643",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 defines the broad injection class that directly contains CWE-643's XPath weakness, while the CWE is only one narrow instance of that class."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-644",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow, specific neutralization flaw (HTTP-header scripting syntax) squarely inside the broad injection bucket defined by A, but B addresses none of A's other injection classes."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-652",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad injection category whose definition directly encompasses XQuery Injection as one interpreter case; the narrow CWE-652 addresses only a single slice of that category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad OWASP injection bucket whose scope exactly matches the general weakness CWE-74 defines, while the single CWE is only one slice of that bucket."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-76",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad injection category whose root cause is missing/improper neutralization; CWE-76 is one narrow slice of that (failure on equivalent elements)."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-77",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection is the broad category that directly contains command injection as one of its listed sub-types (OS command)."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-78",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 explicitly enumerates OS command injection among its interpreter-boundary cases, fully encompassing CWE-78, while CWE-78 addresses only one narrow slice of the broader Injection category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-79",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 explicitly lists XSS as one of its injection subtypes, so it fully contains CWE-79; the reverse is only a single slice of the broader Injection category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-80",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad injection bucket that explicitly lists XSS; CWE-80 is one narrow XSS variant squarely inside it."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-83",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow, specific XSS subcase squarely inside the broad Injection category that explicitly lists XSS."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-86",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection broadly addresses untrusted-input neutralization failures across interpreters (incl. XSS/HTML contexts); CWE-86 is one narrow identifier-specific case that falls inside that bucket but is not a primary exemplar, while the narrow CWE cannot encompass the wide injection category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-88",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad injection category that squarely contains CWE-88 (a narrow form of OS command argument injection); the reverse is only a single slice."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-89",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad Injection category that directly contains SQL Injection (B) as one of its listed weaknesses, while B covers only that single slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-90",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad injection category that explicitly lists LDAP injection as one of its instances, while CWE-90 is only that single narrow slice."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-91",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad Injection category whose definition directly encompasses XML Injection, while B is only one narrow instance inside that category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-917",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad injection category whose definition directly contains EL injection as one of its instances; CWE-917 is only that single narrow slice."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-93",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CRLF injection is a direct instance of the general untrusted-input neutralization flaw defined by A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-94",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad OWASP injection bucket that squarely contains CWE-94 as one of its listed weakness types (template/code injection)."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-95",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad injection bucket that directly contains eval injection as one of its instances; CWE-95 is only that single narrow slice."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-96",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 is the broad injection bucket that squarely contains static code/template injection as one of its listed variants, while CWE-96 addresses only that narrow slice."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-97",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection is the broad category that directly encompasses the specific SSI neutralization flaw described by CWE-97."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-98",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 Injection is the broad category that squarely contains this specific untrusted-input-to-include flaw as one of its instances."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "CWE",
      "target_id": "CWE-99",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A05 centers on interpreter-boundary neutralization; CWE-99 addresses unrestricted resource identifiers that only sometimes involve interpreters, so A addresses only a slice of B while B is unrelated to most of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1021",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad Insecure Design category; B is one specific design-level UI-layer flaw squarely inside it."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1022",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow implementation-level flaw that only tangentially fits inside the broad design-flaw bucket of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1125",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is the broad design-flaw bucket that squarely contains excessive attack surface as one concrete instance; the reverse is only a narrow slice."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-183",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific design-level flaw in a protection mechanism and therefore falls inside the broad A06 Insecure Design bucket, while the narrow CWE only touches a tiny slice of that bucket."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-256",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is the broad design-flaw category that squarely contains the specific design decision of plaintext password storage, while the narrow CWE cannot encompass the rest of the category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-266",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-266 is a design-level flaw squarely inside the Insecure Design bucket, but it covers only one narrow slice of that broad category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-269",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 broadly addresses design-level control gaps, of which flawed privilege management is only one possible instance (and often manifests as implementation)."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-286",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 addresses any design-level flaw; CWE-286 is one possible user-management weakness that may or may not be architectural."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete design-level omission (encryption control) that falls inside the broad A category of architecture-level missing/flawed controls."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-312",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-312 describes one concrete design-level flaw squarely inside the broad A06 Insecure Design bucket."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-313",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 addresses broad design-level control gaps; CWE-313 is one possible symptom that may arise from missing encryption design but is equally an implementation failure."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-356",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a single concrete instance of a missing design-level control and therefore sits squarely inside the A06 category, while the broad category only partially addresses the narrow UI-warning weakness."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-362",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Race conditions can arise from flawed concurrency design but are primarily an implementation-level synchronization error, so A06 only partially encompasses CWE-362 while the narrow CWE covers none of the broad design category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-419",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is the broad design-flaw category that squarely contains the specific unprotected-channel weakness, while the narrow CWE only illustrates one slice of that category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-434",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is the broad design-flaw category that squarely contains the missing control exemplified by CWE-434; the single CWE addresses only one narrow slice of all possible design weaknesses."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-436",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is a broad design-flaw category that can subsume interpretation conflicts as one possible architectural omission, while CWE-436 is a narrow interoperability issue that does not address the rest of A06."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-444",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 broadly captures design-level control gaps that could contribute to smuggling risks, but CWE-444 is a narrow parsing inconsistency that is often an implementation detail rather than a baked-in architectural flaw."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-451",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is the broad design-flaw bucket that squarely contains this specific UI-representation weakness; the narrow CWE addresses only one slice of design issues."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-454",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-454 is a design-level trust/initialization flaw squarely inside the A06 bucket, but represents only one narrow slice of the broad Insecure Design category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-472",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a specific design-assumption flaw squarely inside the broad Insecure Design category, while it addresses only a narrow slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-501",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-501 is a canonical design-level trust-boundary flaw squarely inside the broad Insecure Design bucket, so A encompasses B while B only illustrates one narrow slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is the broad design-flaw category that squarely contains credential-protection failures such as CWE-522, while the single CWE addresses only one narrow slice of all possible design weaknesses."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-525",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-525 is a narrow implementation-level caching flaw only tangentially related to the broad design-phase category A06."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-539",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a single concrete design flaw squarely inside the broad A06 insecure-design bucket, so A fully encompasses it while B only covers one narrow slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-598",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-598 is a specific design-level flaw in request handling that falls squarely inside the broad Insecure Design category, while one CWE covers only a narrow slice of the category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a canonical instance of a design-level flaw where architecture trusts client enforcement, so the broad Insecure Design category fully contains it while the narrow CWE only addresses one slice of the category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-642",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is the broad design-flaw bucket that squarely contains the specific state-exposure weakness described by CWE-642, while one CWE only illustrates a narrow slice of all possible design flaws."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-646",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B describes a single design-level validation flaw that sits squarely inside the broad Insecure Design category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-653",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a canonical design-level isolation flaw squarely inside the broad A06 insecure-design bucket, so A fully encompasses B while B only addresses one narrow slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-656",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a classic design-level flaw squarely inside the broad Insecure Design category, while the narrow CWE only represents one slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-657",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is the broad design-level weakness category whose definition directly and completely contains the single CWE that describes violation of those same principles."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses the design-time omission of protection mechanisms but excludes B's implementation errors, while B is only one narrow failure mode among A's many design weaknesses."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-73",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A06 is a broad design-level category; CWE-73 is a narrow input-handling flaw that can result from poor design but is primarily an implementation weakness."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-799",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-799 is one concrete missing-control example that falls squarely inside the broad Insecure Design bucket, but represents only a narrow slice of it."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-807",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-807 is a canonical design-level flaw squarely inside the Insecure Design bucket, while the CWE is only one narrow slice of the broad OWASP category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "CWE",
      "target_id": "CWE-841",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a specific design-level workflow flaw squarely inside the broad A06 insecure-design bucket, while B itself only addresses one narrow slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1390",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 is the broad OWASP bucket whose core is exactly the weakness CWE-1390 describes; the CWE therefore addresses only one slice of A07's listed failure modes."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1391",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 is the broad authentication-failures bucket that squarely contains weak-credential misuse as one failure mode, while CWE-1391 is only that single narrow slice."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1392",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Default credentials is one specific root cause squarely inside the broad Authentication Failures category, so A fully addresses B while B only touches one narrow slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1393",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Default-password use is one concrete root cause squarely inside the broad Authentication Failures category, while the CWE addresses only that single slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-258",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 broadly encompasses authentication bypass via absent/weak credentials, of which an empty config-file password is one concrete instance; the narrow CWE covers none of the category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-259",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-259 is one narrow root cause squarely inside the broad A07 authentication-failures bucket, so A addresses most of B while B addresses only a slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-261",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 broadly addresses authentication failures including credential handling, so it touches weak password encoding only as one narrow slice; CWE-261 is a single implementation flaw and cannot encompass the category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 is the broad OWASP category whose core weakness is exactly CWE-287; the CWE is only one slice of the multi-aspect category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-288",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific bypass technique squarely inside A's broad authentication-failure category, so A fully contains B while B addresses only a narrow slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-289",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 is a broad bucket that fully contains the specific bypass technique described by CWE-289, while CWE-289 addresses only one narrow slice of the many failure modes listed in A07."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 explicitly includes bypass of identity verification; CWE-290 is one concrete spoofing realization of that bypass and therefore fully contained, while the narrow CWE only addresses one slice of A07's many failure modes."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-291",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete instance of flawed identity verification squarely inside A's broad authentication-failure scope, but it addresses only a narrow slice of A's many failure modes."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-293",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow flawed-auth mechanism squarely inside A's broad identity-verification-failure bucket, so A encompasses most of B while B only touches a single slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific bypass technique squarely inside A's broad 'authentication bypassed' bucket, but it addresses only a narrow slice of A's many failure modes."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-295",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-295 is one narrow mechanism that can contribute to identity-verification bypass but lies outside A07's listed scope and is normally categorized under cryptographic failures."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-300",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A touches the shared concept of identity verification but targets application-level auth flaws; B is a narrow channel-integrity weakness outside A's primary scope."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-302",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific bypass technique squarely inside the broad Authentication Failures category, so A fully encompasses B while B addresses only a narrow slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-303",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow implementation flaw squarely inside the broad A07 authentication-failures bucket, so A mostly covers B while B covers only a slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-304",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow authentication failure mode squarely inside the broad A07 category, while A enumerates many unrelated failure modes (brute-force, credential stuffing, session hijacking, etc.)."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-305",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 broadly encompasses authentication bypass scenarios including the primary-weakness case in CWE-305, while CWE-305 addresses only one narrow slice of the many failure modes listed in A07."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-306",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 is the broad bucket containing missing auth for critical functions as one core failure mode, while CWE-306 is only that single narrow slice."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-307",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 explicitly lists brute-force as a core failure mode, fully encompassing CWE-307's narrow scope, while CWE-307 addresses only one slice of A07's many authentication issues."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-308 is a specific instance of weak identity verification squarely inside the broad A07 category, while CWE-308 addresses only one narrow slice of A07's many failure modes."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 is the broad authentication-failures bucket that squarely contains the password-primary-auth weakness described by CWE-309, while CWE-309 addresses only one narrow slice of A07."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-322",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of missing entity authentication inside the broad A07 category, so A addresses most of B while B only touches a slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 broadly addresses identity-verification bypasses; CWE-346 is one narrow origin-check flaw that can contribute to such a bypass but is not a core authentication mechanism."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-384",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 is the broad OWASP bucket whose session-management mistakes explicitly include session fixation; the single CWE is only one narrow slice of that bucket."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 explicitly lists brute-force and credential-stuffing failures whose root cause is weak passwords, so the broad category fully contains CWE-521 while the single CWE is only one slice of A07."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-603",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete bypass technique squarely inside A's broad authentication-failure category, while A contains many unrelated weaknesses (brute-force, session management, credential stuffing, etc.)."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-613",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific session-management failure squarely inside A's listed authentication weaknesses, while A spans many unrelated auth issues."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-620",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a single, canonical instance of the weak password-reset flows explicitly listed in A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-640",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly lists weak password reset flows as one of its core failure modes, fully encompassing the narrow password-recovery weakness in B, while B addresses only one slice of A's broad authentication failures."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-798",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Hard-coded credentials is one specific root cause squarely inside the broad Authentication Failures category, while the CWE addresses only that single slice of A07."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-836",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow flawed-auth implementation squarely inside the broad A07 category, while B addresses none of A07's other failure modes."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "CWE",
      "target_id": "CWE-940",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A07 is a broad auth-failure bucket whose described weaknesses (bypass, hijacking, session mistakes) directly subsume the narrow source-verification flaw in CWE-940, while the single CWE only touches one slice of A07."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A08 is the broad integrity-failure category whose core description directly encompasses insufficient data-authenticity verification, while CWE-345 addresses only that single narrow slice."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "CWE",
      "target_id": "CWE-353",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad integrity-failure category whose description directly contains B's specific transmission-integrity weakness, while B is only one narrow slice of A's many failure modes."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "CWE",
      "target_id": "CWE-426",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A08 is the broad integrity-failure category that squarely contains the specific untrusted-search-path weakness, while CWE-426 is only one narrow slice of that category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "CWE",
      "target_id": "CWE-427",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow path-element weakness that can produce integrity failures but lies outside A's listed scope (deserialization, updates, CI/CD); A therefore only partially addresses it while B covers none of the broad category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "CWE",
      "target_id": "CWE-494",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific integrity-failure scenario (unsigned code download) squarely inside the broad A08 category that also covers deserialization, CI/CD, etc."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "CWE",
      "target_id": "CWE-502",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly lists insecure deserialization as a core weakness it addresses, fully encompassing B, while B addresses only one narrow slice of the broader integrity failures in A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "CWE",
      "target_id": "CWE-506",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's CI/CD and update-integrity scope touches one vector that can introduce embedded malicious code, while B is a narrow symptom that does not address A's broader verification failures."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "CWE",
      "target_id": "CWE-565",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow instance of trusting unvalidated data (cookies) without integrity checks, squarely inside A's general integrity-failure category, while B covers only one slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "CWE",
      "target_id": "CWE-784",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow, specific instance of unvalidated data (cookie) used in a security decision and therefore sits squarely inside A's broad integrity-failure category, while the converse is not true."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-829 is one of the explicit weaknesses enumerated under the A08 integrity-failures category, while A08 also covers several unrelated issues such as deserialization and unsigned updates."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "CWE",
      "target_id": "CWE-830",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of trusting unverified code from an external source, squarely inside A's broad integrity-failure bucket while covering only a tiny slice of A's scope."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "CWE",
      "target_id": "CWE-915",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete input-handling weakness squarely inside A's insecure-deserialization / untrusted-data-integrity scope, while A also covers unrelated topics such as unsigned updates and CI/CD compromise."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A09:2025",
      "target_framework": "CWE",
      "target_id": "CWE-117",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad logging-failures category whose integrity clause squarely contains the specific log-injection weakness B, while B addresses only one narrow slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A09:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1429",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad logging/alerting-failure category that squarely contains the missing security-relevant feedback weakness described by B, while B is only one narrow hardware-specific slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A09:2025",
      "target_framework": "CWE",
      "target_id": "CWE-221",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A directly addresses the core recording omission in B and adds alerting and integrity, while B covers only the logging slice of A's broader failures."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A09:2025",
      "target_framework": "CWE",
      "target_id": "CWE-222",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad logging-failures category that squarely contains truncation of security data as one failure mode, while B addresses only that single narrow slice."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A09:2025",
      "target_framework": "CWE",
      "target_id": "CWE-223",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A09 is the broad logging/alerting category whose core failure mode is exactly the omission CWE-223 describes, while CWE-223 covers only the logging-omission slice of A09's wider scope."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A09:2025",
      "target_framework": "CWE",
      "target_id": "CWE-224",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad logging-failures category that squarely contains the narrow alternate-name logging flaw described by B."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A09:2025",
      "target_framework": "CWE",
      "target_id": "CWE-532",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A09 is the broad OWASP logging-failures category that squarely contains the specific CWE-532 weakness, while the single CWE only addresses one narrow slice of A09."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A09:2025",
      "target_framework": "CWE",
      "target_id": "CWE-778",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad OWASP category whose logging-failure slice directly contains B, while B addresses only one of A's three distinct weaknesses."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1069",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of exception mishandling squarely inside A's broad category, while A covers many other failure modes B does not address."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-1264",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses error-handling and logic flaws that produce fail-open or inconsistent states; B is one narrow hardware de-sync instance of such a flaw."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-130",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow parsing inconsistency that can be viewed as an instance of mishandling an exceptional condition, but A is a broad error/exception-handling bucket that only incidentally touches this CWE."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-209",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one specific leakage vector squarely inside A's broad 'error paths leak information' scope, while A also covers fail-open/inconsistent-state issues outside B."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-215",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow form of info leakage via debug code that fits inside A's broader error/exception leakage bucket, while B addresses none of A's other elements such as fail-open or inconsistent states."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-234",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of mishandling an exceptional condition (missing function argument) that falls inside A's broad error/exception-handling scope."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-248",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Uncaught exceptions are a direct instance of mishandling exceptional conditions, while A also covers leaks, fail-open states, and other error-handling flaws."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-252",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one concrete cause (unchecked returns) squarely inside A's broad exception-handling bucket, while A also covers leaks, fail-open auth, and other paths B does not address."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-274",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad exception-handling bucket only tangentially touches the narrow privilege-check failure described by B."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-280",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses mishandling of any exceptional conditions leading to invalid states, directly encompassing B's specific privilege-error case while B only illustrates one narrow slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-369",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Divide-by-zero is one concrete arithmetic exception squarely inside the broad exceptional-conditions mishandling category, while the CWE addresses only a narrow slice of that category."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-390",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of error mishandling squarely inside A's broad exceptional-conditions bucket, while A spans many additional failure modes B does not address."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-391",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad mishandling-of-exceptions bucket that directly contains the narrow 'ignore errors' slice described by B."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-394",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow slice (unchecked legitimate return values) inside A's broad error/exception-handling bucket, so A encompasses most of B while B only touches one facet of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-396",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow coding practice squarely inside A's broad exception-handling category, while A spans many unrelated failure modes."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-397",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A10 is the broad exception-mishandling category that directly contains the generic-exception declaration weakness described by CWE-397."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-460",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of the inconsistent-state exception mishandling that A broadly encompasses."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-476",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-476 is one narrow coding defect under the broad umbrella of exception/condition mishandling, but it matches none of A10's stated outcomes (info leak, fail-open, inconsistent state)."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-478",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow instance of unhandled control flow that can produce inconsistent state; A broadly addresses error/exception paths and logic-flaw handling but does not specifically target switch/case coverage."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-535",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad bucket of error-handling weaknesses that explicitly includes information leakage; B is one narrow, squarely-contained instance of shell-error disclosure."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-537",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad bucket whose 'error paths leak information' clause directly contains the exact weakness described by B; B is only one narrow Java-specific slice of A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-544",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad bucket that explicitly includes inconsistent error states; B names only the single narrow root cause of missing standardization."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-550",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a specific case of information leakage via error paths that A explicitly encompasses, while A also covers unrelated failure modes such as fail-open and inconsistent states."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-636",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly names fail-open behavior as one of its core cases, fully encompassing B, while B addresses only that single slice of A's broader exception-handling weaknesses."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-703",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad 2025 category whose core weakness is exactly CWE-703, while the CWE is only one slice of the category's described scope."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-754",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad mishandling category whose scope directly contains the specific improper-check weakness defined by B."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-755",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A defines the OWASP category whose core weakness is exactly CWE-755, adding only impact examples; B is the single general CWE and therefore only a slice of the broader category A."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "CWE",
      "target_id": "CWE-756",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad exception-handling bucket whose info-leak sub-area squarely contains B's narrow missing-custom-error-page weakness, while B addresses only one narrow slice of A."
    }
  ]
}