Hello,

I am continuing to look at ShellCheck and how to map its warnings to CWEs.
I'm looking at SC2043 - "This loop will only ever run once for a constant
value."

https://www.shellcheck.net/wiki/SC2043

An example might be:

dir=$(ls $HOME)
for i in dir
do
  echo $i
done

which outputs "dir" because it's missing the "$" in the for statement.

One of my thoughts is this could be CWE-606: Unchecked Input for Loop 
Condition. It talks about unchecked inputs causing excessive looping. What 
about wrong input for loop conditional causing no iteration?

Another thought is this could be CWE-670: Always-Incorrect Control Flow 
Implementation. (But looking at that, I would have expected other bad loop 
nodes such as CWE-835: Loop with Unreachable Exit Condition.)

Is there a better fit? Shell scripting problems really are hard to match to
a CWE because its problems are similar to, but very different from, those of C.

Best Regards,
-Steve
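As an added, runnable illustration of the SC2043 case discussed above (not part of the original post or of ShellCheck itself), the constant-word loop is shown beside the expanded and glob forms, followed by a deliberately crude grep check for the `for X in bareword` shape the warning flags. The sample directory contents and the function names `count_*` and `has_constant_for_loop` are constructed for this example.

```shell
#!/bin/sh
# SC2043 case from the post: 'dir' is a literal word, not an expansion, so
# the body runs exactly once no matter what $dir contains. Returns the
# number of iterations for the directory given as $1.
count_constant_loop() {
  dir=$(ls "$1")
  n=0
  for i in dir; do
    n=$((n + 1))
  done
  echo "$n"
}

# What the author intended: expand the variable so each entry is visited.
# (Still word-splits on names with spaces; see the glob form below.)
count_expanded_loop() {
  dir=$(ls "$1")
  n=0
  for i in $dir; do
    n=$((n + 1))
  done
  echo "$n"
}

# Preferred form: let the shell glob the directory instead of parsing ls.
count_glob_loop() {
  n=0
  for path in "$1"/*; do
    [ -e "$path" ] || continue
    n=$((n + 1))
  done
  echo "$n"
}

# Crude SC2043-style check over a script file: a 'for ... in' whose list is
# a single bare identifier (no $, quotes, glob or spaces) is almost always
# a missing expansion. Exit status 0 when such a line is found.
has_constant_for_loop() {
  grep -Eq '^[[:space:]]*for[[:space:]]+[A-Za-z_][A-Za-z0-9_]*[[:space:]]+in[[:space:]]+[A-Za-z_][A-Za-z0-9_]*[[:space:]]*(;|$)' "$1"
}

# Constructed demo input: a temp dir with three entries, removed afterwards.
demo_dir=$(mktemp -d)
touch "$demo_dir/a" "$demo_dir/b" "$demo_dir/c"
echo "constant: $(count_constant_loop "$demo_dir")"   # 1
echo "expanded: $(count_expanded_loop "$demo_dir")"   # 3
echo "glob:     $(count_glob_loop "$demo_dir")"       # 3
rm -rf "$demo_dir"
```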
