Hello everyone,

On Tuesday, May 24, 2022 5:49:57 PM EDT Steven M Christey wrote:
> Kurt said “I've seen code with loops of one because of future growth, or
> because various options were removed and it's easier than refactoring the
> code” – so a CWE-related writeup wouldn’t want to inadvertently call all
> loops of size 1 “bad.”

From what I can see, it's a mixed bag. There are cases like Kurt mentioned, but also some that are thinkos.

> But remember that a weakness is about a <mistake> that only becomes a
> vulnerability <under the right conditions.> Code analysis tools report
> weaknesses all the time, but determining false positives is a different
> story that’s not in CWE’s purview. Similarly, external parties can decide
> which CWEs become a “requirement” or not – it’s primarily CWE’s
> responsibility to provide the identifier and explanation for the mistake,
> and how it can (at least sometimes) contribute to vulnerabilities.
>
> In this “dir” example, we can’t be clear whether the developer made a
> mistake or not. But we can observe that there’s a loop construct with only
> one element, and that it’s (sometimes) going to be a mistake. And it seems
> like such constructs could occur in most languages.
>
> I’m not sure how deep CWE should go to cover “just bad syntax,” but for
> this example, I think CWE-670 is probably the closest match in spirit –
> the algorithm (probably) isn’t implementing the logic that the programmer
> thought they were implementing. There’s a good argument for CWE-1164 as
> well, though, since the developer might be doing this intentionally even
> though the code is not technically essential.

In the end, we chose 1164. It was added to a csv file where we are cataloging warnings from a couple of tools and mapping them to CWE. It is here in case anyone finds it useful:

https://github.com/csutils/csmock/blob/main/cwe-map.csv

Thanks for the help!

-Steve
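The construct the thread is about, a loop whose iterable has exactly one element, is easy to flag mechanically but, as the discussion notes, not always a mistake. The check below is an added example, not code from the thread, from csmock, or from any of the tools whose warnings the csv maps; it assumes Python as the checked language (the thread's "dir" example is shown in no particular language) and uses a constructed sample file. It only reports the construct; deciding per hit whether it is leftover from removed options or a thinko stays with the reviewer.

```python
"""Added example: flag "loop of one" constructs in Python source with the ast
module. A for-loop over a literal list/tuple/set with one element, or over
range(1), runs its body exactly once, which is the pattern the thread maps to
CWE-1164 (with CWE-670 as the alternative). Reporting only; no auto-fix."""
import ast
from typing import List, Tuple


def _is_range_of_one(node: ast.expr) -> bool:
    """True for a call that is literally range(1)."""
    return (
        isinstance(node, ast.Call)
        and isinstance(node.func, ast.Name)
        and node.func.id == "range"
        and len(node.args) == 1
        and not node.keywords
        and isinstance(node.args[0], ast.Constant)
        and node.args[0].value == 1
    )


def find_single_element_loops(source: str) -> List[Tuple[int, str]]:
    """Return (lineno, description) for each for/async-for whose iterable is
    statically known to yield exactly one element.  Loops over names or
    other expressions are not reported: their length is not visible here."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.For, ast.AsyncFor)):
            continue
        it = node.iter
        literal_one = (
            isinstance(it, (ast.List, ast.Tuple, ast.Set))
            and len(it.elts) == 1
            # [*xs] may expand to any length, so it is not a loop of one.
            and not isinstance(it.elts[0], ast.Starred)
        )
        if literal_one or _is_range_of_one(it):
            desc = (
                f"for {ast.unparse(node.target)} in {ast.unparse(it)}: "
                "iterates exactly once (review: leftover or thinko?)"
            )
            findings.append((node.lineno, desc))
    return findings


# Constructed sample input (not real project code); line numbers matter for
# the expected findings below.
SAMPLE = '''\
DIRS = ["/etc/foo"]

for d in ["/etc/foo"]:
    scan(d)

for d in ["/etc/foo", "/etc/bar"]:
    scan(d)

for d in DIRS:
    scan(d)

for i in range(1):
    init(i)

for x in [*extra]:
    use(x)
'''


if __name__ == "__main__":
    # Expected: hits on line 3 (literal list of one) and line 12 (range(1));
    # the two-element list, the name DIRS and the starred list are not flagged.
    for lineno, desc in find_single_element_loops(SAMPLE):
        print(f"{lineno}: {desc}")
```

The check deliberately stays silent on `for d in DIRS` even though `DIRS` has one element at the point of definition: that would need data-flow tracking, and it is exactly the "future growth" case Kurt describes, where a name-backed list is the intended extension point.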