Just some quick comments on this topic. It’s an interesting observation about shell languages being different from C. I know I’ve probably offended some co-workers recently with my initial attempts at bash scripting 😉 It feels to me like the syntax is somehow less stringent, but maybe the key difference is in interpreted languages versus compiled languages, combined with the lack of strict typing.
Kurt said “I've seen code with loops of one because of future growth, or because various options were removed and it's easier than refactoring the code” – so a CWE-related writeup wouldn’t want to inadvertently call all loops of size 1 “bad.” But remember that a weakness is about a <mistake> that only becomes a vulnerability <under the right conditions.> Code analysis tools report weaknesses all the time, but determining false positives is a different story that’s not in CWE’s purview. Similarly, external parties can decide which CWEs become a “requirement” or not – it’s primarily CWE’s responsibility to provide the identifier and explanation for the mistake, and how it can (at least sometimes) contribute to vulnerabilities.

In this “dir” example, we can’t be clear whether the developer made a mistake or not. But we can observe that there’s a loop construct with only one element, and that it’s (sometimes) going to be a mistake. And it seems like such constructs could occur in most languages. I’m not sure how deep CWE should go to cover “just bad syntax,” but for this example, I think CWE-670 is probably the closest match in spirit – the algorithm (probably) isn’t implementing the logic that the programmer thought they were implementing. There’s a good argument for CWE-1164 as well, though, since the developer might be doing this intentionally even though the code is not technically essential.

For issues where there might be some varying opinions about whether some code choice is “good” or not, note that we also cover source code conventions with CWE-1078: Inappropriate Source Code Style or Formatting. It has some useful children.

- Steve
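A static check for the “loop construct with only one element” that the post discusses, added here as an example and not code from the thread: it scans a shell script for `for NAME in WORD` loops whose word list is exactly one literal element, and leaves alone any list whose size depends on a variable, glob, substitution or brace expansion (the weakness is only reportable when the count is knowable). The sample script, the function names and the regexes are constructed for this illustration.

```python
import re
import shlex

# `for NAME in WORDS`; the word list ends at `;` or at end of line.
FOR_RE = re.compile(r"^\s*for\s+([A-Za-z_]\w*)\s+in\s+(.*?)\s*(?:;.*)?$")
# Expansions whose word count is only known at run time: $var, $(cmd), `cmd`,
# globs, and brace expansion such as {a,b} or {1..3}.
EXPANDS_RE = re.compile(r"[$`*?\[]|\{[^}]*(?:,|\.\.)[^}]*\}")

def may_expand(token: str) -> bool:
    """True if the token can become zero or many words when the loop runs."""
    return not token.startswith("'") and bool(EXPANDS_RE.search(token))

def single_element_loops(script: str):
    """(line_no, var, word) for each `for` loop over exactly one literal word:
    a body that runs once, i.e. a CWE-1164 / CWE-670 candidate for review."""
    findings = []
    for line_no, line in enumerate(script.splitlines(), 1):
        if not (m := FOR_RE.match(line)):
            continue
        var, word_list = m.groups()
        try:
            # posix=False keeps quotes so may_expand() sees them; comments=True drops `# ...`
            tokens = shlex.split(word_list, comments=True, posix=False)
        except ValueError:          # unbalanced quotes on this line: skip, don't guess
            continue
        if len(tokens) == 1 and not may_expand(tokens[0]):
            findings.append((line_no, var, tokens[0]))
    return findings

# Constructed sample script: the thread's "loop of one" beside loops that are fine.
SAMPLE = """\
#!/bin/bash
for d in dir; do
    ls "$d"
done
for f in *.log "$@"; do
    gzip "$f"
done
for n in 1 2 3; do
    echo "$n"
done
for t in 'single quoted'
do
    echo "$t"
done
"""

if __name__ == "__main__":
    for line_no, var, word in single_element_loops(SAMPLE):
        print(f"{line_no}: 'for {var} in {word}' runs its body exactly once")
```

Only lines 2 and 11 of the sample are reported; the glob, the positional parameters and the three-word list are not, because their element count is either unknowable statically or greater than one.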