I agree you all are pain in the ass. Keep spamming my mailbox.
On Wed, 1 Jun 2022, 9:13 pm Kevin Keen, <kk...@colsa.com> wrote: > > I agree that CWEs could use some updates. In addition to possible new > CWEs, I remember looking at a few that didn't have code examples and > thinking that they could benefit from that. > > > I would however, push back just a little on stand alone software not being > a common case. I think it depends on your area. For the average at home > user a trend toward cloud is probably true. But we see a lot of software in > the field I'm in and it is rarely ever cloud based. > ------------------------------ > *From:* Kurt Seifried <k...@seifried.org> > *Sent:* Tuesday, May 31, 2022 8:21 PM > *To:* Steve Grubb <sgr...@redhat.com> > *Cc:* Steven M Christey <co...@mitre.org>; CWE Research Discussion < > cwe-research-list@mitre.org> > *Subject:* [External] - Re: Bad loop construct > > CAUTION: This email originated from outside of the organization. Do not > click links or open attachments unless you recognize the sender and know > the content is safe. > > On a related item, I'm doing a CWE a week with my Smartcontracts working > group (~10 total and then we'll release a short paper on it at the end of > summer) at the Cloud Security Alliance. Longer term my plan is to look at > all the stuff covered in places like rekt.news or Microsoft blog entries > and so on, and make sure it maps cleanly to a CWE, and if not, to make a > CWE for it. E.g. so far: > [image: Screenshot 2022-05-31 191808.png] > > I've submitted 1, 3, and 4 so far, and 5 are going in next week (3 for 1 > sale =). In my mind every CVE/vuln/etc writeup should map to a CWE, and I > don't mean CWE-20. > > We literally need a few hundred more CWE's, especially in the smart > contract/blockchain space, and the Cloud SaaS space. CWE is showing its age > with respect to "software" being something you download and run locally. > That's not the case so much anymore. > > > On Tue, May 31, 2022 at 3:30 PM Steve Grubb <sgr...@redhat.com> wrote: > > Hello everyone, > > On Tuesday, May 24, 2022 5:49:57 PM EDT Steven M Christey wrote: > > Kurt said “I've seen code with loops of one because of future growth, or > > because various options were removed and it's easier than refactoring the > > code” – so a CWE-related writeup wouldn’t want to inadvertently call all > > loops of size 1 “bad.” > > From what I can see, it's a mixed bag. There are cases like Kurt > mentioned, > but also some that are thinko's. > > > But remember that a weakness is about a <mistake> that only becomes a > > vulnerability <under the right conditions.> Code analysis tools report > > weaknesses all the time, but determining false positives is a different > > story that’s not in CWE’s purview. Similarly, external parties can decide > > which CWEs become a “requirement” or not – it’s primarily CWE’s > > responsibility to provide the identifier and explanation for the mistake, > > and how it can (at least sometimes) contribute to vulnerabilities. > > > > In this “dir” example, we can’t be clear whether the developer made a > > mistake or not. But we can observe that there’s a loop construct with > only > > one element, and that it’s (sometimes) going to be a mistake. And it > seems > > like such constructs could occur in most languages. > > > > I’m not sure how deep CWE should go to cover “just bad syntax,” but for > > this example, I think CWE-670 is probably the closest match in spirit – > > the algorithm (probably) isn’t implementing the logic that the programmer > > thought they were implementing. There’s a good argument for CWE-1164 as > > well, though, since the developer might be doing this intentionally even > > though the code is not technically essential. > > In the end, we chose 1164. It was added to a csv file where we are > cateloging > warnings from a couple tools and mapping to CWE. It is here in case anyone > finds it useful: > > https://github.com/csutils/csmock/blob/main/cwe-map.csv > <https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Fgithub.com%2Fcsutils%2Fcsmock%2Fblob%2Fmain%2Fcwe-map.csv&data=05%7C01%7Ckkeen%40colsa.com%7Cf518d89fcb464d325ecb08da436d4ba5%7C9821086b78824b43a5edb1e979bee31f%7C1%7C0%7C637896433982029055%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=O4u39YUHsyfUDc3141c8pXCXDoQ3yKlZAjmB%2BZxaQN0%3D&reserved=0> > > Thanks for the help! > > -Steve > > > > > -- > Kurt Seifried (He/Him) > k...@seifried.org > ------------------------------ > The information contained in this e-mail and any attachments from COLSA > Corporation may contain company sensitive and/or proprietary information, > and is intended only for the named recipient to whom it was originally > addressed. If you are not the intended recipient, any disclosure, > distribution, or copying of this e-mail or its attachments is strictly > prohibited. If you have received this e-mail in error, please notify the > sender immediately by return e-mail and permanently delete the e-mail and > any attachments. > > COLSA Proprietary >
