Hello everyone,

On Tuesday, May 24, 2022 5:49:57 PM EDT Steven M Christey wrote:
> Kurt said “I've seen code with loops of one because of future growth, or
> because various options were removed and it's easier than refactoring the
> code” – so a CWE-related writeup wouldn’t want to inadvertently call all
> loops of size 1 “bad.”

>From what I can see, it's a mixed bag. There are cases like Kurt mentioned, 
but also some that are thinko's.
> But remember that a weakness is about a <mistake> that only becomes a
> vulnerability <under the right conditions.> Code analysis tools report
> weaknesses all the time, but determining false positives is a different
> story that’s not in CWE’s purview. Similarly, external parties can decide
> which CWEs become a “requirement” or not – it’s primarily CWE’s
> responsibility to provide the identifier and explanation for the mistake,
> and how it can (at least sometimes) contribute to vulnerabilities.
> In this “dir” example, we can’t be clear whether the developer made a
> mistake or not. But we can observe that there’s a loop construct with only
> one element, and that it’s (sometimes) going to be a mistake. And it seems
> like such constructs could occur in most languages.
> I’m not sure how deep CWE should go to cover “just bad syntax,” but for
> this example, I think CWE-670 is probably the closest match in spirit –
> the algorithm (probably) isn’t implementing the logic that the programmer
> thought they were implementing. There’s a good argument for CWE-1164 as
> well, though, since the developer might be doing this intentionally even
> though the code is not technically essential.

In the end, we chose 1164. It was added to a csv file where we are cateloging 
warnings from a couple tools and mapping to CWE. It is here in case anyone 
finds it useful:


Thanks for the help!


Reply via email to