How to choose the CWE code folder name?

Hello there, I'm working on VbD features, but I've noticed that the same vulnerability can be in multiple folders with different codes. For example, I've seen CSRF features with different folder name codes (CWE-0079, CWE-0352, CWE-0319, CWE-200) despite it being the same vulnerability.

So I decided to look into the VbD Structure guide rules and the VbD Submission guide, but it is not specified.

My question is: once I have found a vulnerability, if it fits multiple CWE codes, how do I choose the one for the folder name?

The assertion that cwe79, cwe352, cwe319 and cwe200 are equal is false.

They are different (XSS, XSRF, sensitive-info-leak, etc.).

If they are currently cataloged as the same vulnerability, then that's a mistake that the hacker made. So, answering your question:

If you found a vulnerability and there are two or more CWE codes that apply, choose the more specific one.

That means the leaf to the right in the mentioned graph.

For example, note that cwe-200 can be more specific (ParentOf another CWE):

ChildOf	Class	668	Exposure of Resource to Wrong Sphere
ParentOf	Base	201	Exposure of Sensitive Information Through Sent Data
ParentOf	Base	203	Observable Discrepancy
ParentOf	Base	209	Generation of Error Message Containing Sensitive Information
ParentOf	Base	213	Exposure of Sensitive Information Due to Incompatible Policies
ParentOf	Base	215	Insertion of Sensitive Information Into Debugging Code
ParentOf	Base	359	Exposure of Private Personal Information to an Unauthorized Actor
ParentOf	Base	497	Exposure of Sensitive System Information to an Unauthorized Control Sphere
ParentOf	Base	538	Insertion of Sensitive Information into Externally-Accessible File or Directory
ParentOf	Base	1243	Exposure of Security-Sensitive Fuse Values During Debug
CanFollow	Variant	498	Cloneable Class Containing Sensitive Information
CanFollow	Variant	499	Serializable Class Containing Sensitive Data
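
The "choose the more specific one" rule from the answer above, as an added example that is not part of the original thread or the project's tooling: it removes every candidate CWE that is an ancestor of another candidate. The hierarchy contains only the ChildOf/ParentOf rows quoted in the answer; the function names and the four-digit zero-padded folder format are assumptions.

```python
# ChildOf edges (child -> parent) copied from the CWE-200 relationship rows
# quoted in the answer. CanFollow rows are not hierarchy edges, so they are
# left out. Any CWE missing from this map is treated as having no known parent.
PARENT = {200: 668}
PARENT.update({child: 200 for child in (201, 203, 209, 213, 215, 359, 497, 538, 1243)})


def ancestors(cwe, parent=PARENT):
    """Return every CWE above `cwe` in the hierarchy, nearest first."""
    chain, seen = [], {cwe}
    while cwe in parent:
        cwe = parent[cwe]
        if cwe in seen:  # guard against a cycle in hand-edited data
            break
        seen.add(cwe)
        chain.append(cwe)
    return chain


def most_specific(candidates, parent=PARENT):
    """Drop every candidate that is an ancestor of another candidate.

    What remains are the deepest applicable entries. More than one result
    means the candidates are siblings or sit on unrelated branches, so
    specificity alone cannot pick the folder and the finding itself has
    to be re-examined to decide which weakness it really is.
    """
    candidates = set(candidates)
    covered = set()
    for cwe in candidates:
        covered.update(ancestors(cwe, parent))
    return sorted(candidates - covered)


def folder_name(cwe):
    """Assumed folder format, based on the zero-padded names in the question."""
    return f"CWE-{cwe:04d}"


if __name__ == "__main__":
    # An error-message leak matches 668, 200 and 209; only the leaf survives.
    print([folder_name(c) for c in most_specific([668, 200, 209])])
    # XSS and CSRF are not related in this map, so both remain.
    print([folder_name(c) for c in most_specific([79, 352])])
```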