CWE ↔ OWASP ASVS 5.0
A two-way mapping between CWE and
OWASP ASVS 5.0: 672 related pairs, 1344 directional
rows, LLM-authored (is prevented by · prevents) and human-QA’d
(cohort bulk_after_review_2026_06_08 where applicable).
← all releases
What we add (no authoritative mapping exists)
No standards body publishes a CWE ↔ OWASP ASVS 5.0 mapping. This release is our own contribution: a bidirectional, extent-rated cross-walk an analyst can use to pivot between the two frameworks. The reliability and abstraction measures below describe its shape; there is no external mapping to diff against.
Reliability
| CWE → OWASP ASVS 5.0 | OWASP ASVS 5.0 → CWE | |
|---|---|---|
| Completeness (full + mostly) | 21.4% | 55.6% |
| Scope — no counterpart (none) | 49.9% | 28.6% |
| Counterpart coverage | 275 mapped | 273 of 345 (79.1%) |
| Reverse-presence (bidirectionality) | 99.7% |
|---|---|
| Extent-rank correlation (forward vs reverse) | 0.826 |
Completeness = share of present edges rated full or mostly. Scope = share of pairs with no coverage in that direction (a high value flags entities the other framework doesn’t reach). Reverse-presence = of forward mappings, how many also map back.
Abstraction
| CWE | OWASP ASVS 5.0 | |
|---|---|---|
| Breadth (avg counterparts per entity) | 1.71 | 2.19 |
| Depth (avg coverage strength, 0–3) | 1.27 | 1.75 |
Verdict: OWASP ASVS 5.0 sits at a higher level of abstraction (fans out more).
CWE abstraction: Base 164, Variant 65, Class 38, Pillar 5, Compound 3
Raw data
Download the full mapping (every directional edge + the metrics block): JSON · CSV · XLSX
JSON is full-fidelity; CSV is one row per directional edge; XLSX has edges / metrics / diff sheets.