On a related item, I'm doing a CWE a week with my Smartcontracts working
group (~10 total and then we'll release a short paper on it at the end of
summer) at the Cloud Security Alliance. Longer term my plan is to look at
all the stuff covered in places like rekt.news or Microsoft blog entries
and so on, and make sure it maps cleanly to a CWE, and if not, to make a
CWE for it. E.g. so far:
[image: Screenshot 2022-05-31 191808.png]

I've submitted 1, 3, and 4 so far, and 5 are going in next week (3 for 1
sale =). In my mind every CVE/vuln/etc writeup should map to a CWE, and I
don't mean CWE-20.

We literally need a few hundred more CWEs, especially in the smart
contract/blockchain space, and the Cloud SaaS space. CWE is showing its age
with respect to "software" being something you download and run locally.
That's not the case so much anymore.


On Tue, May 31, 2022 at 3:30 PM Steve Grubb <sgr...@redhat.com> wrote:

> Hello everyone,
>
> On Tuesday, May 24, 2022 5:49:57 PM EDT Steven M Christey wrote:
> > Kurt said “I've seen code with loops of one because of future growth, or
> > because various options were removed and it's easier than refactoring the
> > code” – so a CWE-related writeup wouldn’t want to inadvertently call all
> > loops of size 1 “bad.”
>
> From what I can see, it's a mixed bag. There are cases like Kurt mentioned,
> but also some that are thinkos.
>
> > But remember that a weakness is about a <mistake> that only becomes a
> > vulnerability <under the right conditions.> Code analysis tools report
> > weaknesses all the time, but determining false positives is a different
> > story that’s not in CWE’s purview. Similarly, external parties can decide
> > which CWEs become a “requirement” or not – it’s primarily CWE’s
> > responsibility to provide the identifier and explanation for the mistake,
> > and how it can (at least sometimes) contribute to vulnerabilities.
> >
> > In this “dir” example, we can’t be clear whether the developer made a
> > mistake or not. But we can observe that there’s a loop construct with only
> > one element, and that it’s (sometimes) going to be a mistake. And it seems
> > like such constructs could occur in most languages.
> >
> > I’m not sure how deep CWE should go to cover “just bad syntax,” but for
> > this example, I think CWE-670 is probably the closest match in spirit –
> > the algorithm (probably) isn’t implementing the logic that the programmer
> > thought they were implementing. There’s a good argument for CWE-1164 as
> > well, though, since the developer might be doing this intentionally even
> > though the code is not technically essential.
>
> In the end, we chose 1164. It was added to a csv file where we are cataloging
> warnings from a couple of tools and mapping them to CWE. It is here in case anyone
> finds it useful:
>
> https://github.com/csutils/csmock/blob/main/cwe-map.csv
>
> Thanks for the help!
>
> -Steve
>
>
>

-- 
Kurt Seifried (He/Him)
k...@seifried.org
