Just some quick comments on this topic.

It’s an interesting observation about shell languages being different than C. I 
know I’ve probably offended some co-workers recently with my initial attempts 
at bash scripting 😉 It feels to me like the syntax is somehow less stringent, 
but maybe the key difference is in interpreted languages versus compiled 
languages, combined with the lack of strict typing.

Kurt said “I've seen code with loops of one because of future growth, or 
because various options were removed and it's easier than refactoring the code” 
– so a CWE-related writeup wouldn’t want to inadvertently call all loops of 
size 1 “bad.”

But remember that a weakness is about a <mistake> that only becomes a 
vulnerability <under the right conditions.> Code analysis tools report 
weaknesses all the time, but determining false positives is a different story 
that’s not in CWE’s purview. Similarly, external parties can decide which CWEs 
become a “requirement” or not – it’s primarily CWE’s responsibility to provide 
the identifier and explanation for the mistake, and how it can (at least 
sometimes) contribute to vulnerabilities.

In this “dir” example, we can’t be clear whether the developer made a mistake 
or not. But we can observe that there’s a loop construct with only one element, 
and that it’s (sometimes) going to be a mistake. And it seems like such 
constructs could occur in most languages.

I’m not sure how deep CWE should go to cover “just bad syntax,” but for this 
example, I think CWE-670 is probably the closest match in spirit – the 
algorithm (probably) isn’t implementing the logic that the programmer thought 
they were implementing. There’s a good argument for CWE-1164 as well, though, 
since the developer might be doing this intentionally even though the code is 
not technically essential.

For issues where there might be some varying opinions about whether some code 
choice is “good” or not, note that we also cover source code conventions with 
CWE-1078: Inappropriate Source Code Style or Formatting. It has some useful 

- Steve

Reply via email to