I agree you all are a pain in the ass.
Keep spamming my mailbox.

On Wed, 1 Jun 2022, 9:13 pm Kevin Keen, <kk...@colsa.com> wrote:

>
> I agree that CWEs could use some updates. In addition to possible new
> CWEs, I remember looking at a few that didn't have code examples and
> thinking that they could benefit from that.
>
>
> I would, however, push back just a little on stand-alone software not being
> a common case. I think it depends on your area. For the average at-home
> user a trend toward cloud is probably true. But we see a lot of software in
> the field I'm in and it is rarely ever cloud based.
> ------------------------------
> *From:* Kurt Seifried <k...@seifried.org>
> *Sent:* Tuesday, May 31, 2022 8:21 PM
> *To:* Steve Grubb <sgr...@redhat.com>
> *Cc:* Steven M Christey <co...@mitre.org>; CWE Research Discussion <cwe-research-list@mitre.org>
> *Subject:* [External] - Re: Bad loop construct
>
> On a related item, I'm doing a CWE a week with my Smartcontracts working
> group (~10 total and then we'll release a short paper on it at the end of
> summer) at the Cloud Security Alliance. Longer term my plan is to look at
> all the stuff covered in places like rekt.news or Microsoft blog entries
> and so on, and make sure it maps cleanly to a CWE, and if not, to make a
> CWE for it. E.g. so far:
> [image: Screenshot 2022-05-31 191808.png]
>
> I've submitted 1, 3, and 4 so far, and 5 are going in next week (3 for 1
> sale =). In my mind every CVE/vuln/etc writeup should map to a CWE, and I
> don't mean CWE-20.
>
> We literally need a few hundred more CWEs, especially in the smart
> contract/blockchain space, and the Cloud SaaS space. CWE is showing its age
> with respect to "software" being something you download and run locally.
> That's not the case so much anymore.
>
>
> On Tue, May 31, 2022 at 3:30 PM Steve Grubb <sgr...@redhat.com> wrote:
>
> Hello everyone,
>
> On Tuesday, May 24, 2022 5:49:57 PM EDT Steven M Christey wrote:
> > Kurt said “I've seen code with loops of one because of future growth, or
> > because various options were removed and it's easier than refactoring the
> > code” – so a CWE-related writeup wouldn’t want to inadvertently call all
> > loops of size 1 “bad.”
>
> From what I can see, it's a mixed bag. There are cases like Kurt mentioned,
> but also some that are thinkos.
>
> > But remember that a weakness is about a <mistake> that only becomes a
> > vulnerability <under the right conditions.> Code analysis tools report
> > weaknesses all the time, but determining false positives is a different
> > story that’s not in CWE’s purview. Similarly, external parties can decide
> > which CWEs become a “requirement” or not – it’s primarily CWE’s
> > responsibility to provide the identifier and explanation for the mistake,
> > and how it can (at least sometimes) contribute to vulnerabilities.
> >
> > In this “dir” example, we can’t be clear whether the developer made a
> > mistake or not. But we can observe that there’s a loop construct with only
> > one element, and that it’s (sometimes) going to be a mistake. And it seems
> > like such constructs could occur in most languages.
> >
> > I’m not sure how deep CWE should go to cover “just bad syntax,” but for
> > this example, I think CWE-670 is probably the closest match in spirit –
> > the algorithm (probably) isn’t implementing the logic that the programmer
> > thought they were implementing. There’s a good argument for CWE-1164 as
> > well, though, since the developer might be doing this intentionally even
> > though the code is not technically essential.
>
> In the end, we chose 1164. It was added to a csv file where we are cataloging
> warnings from a couple tools and mapping to CWE. It is here in case anyone
> finds it useful:
>
> https://github.com/csutils/csmock/blob/main/cwe-map.csv
>
> Thanks for the help!
>
> -Steve
>
>
>
>
> --
> Kurt Seifried (He/Him)
> k...@seifried.org

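The thread above debates whether a loop construct with only one element is a mistake and lands on CWE-1164 (Irrelevant Code) as the mapping, with CWE-670 as the alternative. The following detector is an added illustration of how a static check for that pattern can be written; it is not code from the csmock cwe-map project or from any participant in the thread. It uses Python's standard `ast` module and walks `for` loops whose iterable is a literal list, tuple or set, flagging zero- and one-element literals while leaving starred literals alone (their iteration count is unknown). The sample source, the finder class and the CWE wording in the messages are all constructed for this example; the "dir" code discussed in the thread is not on the page, so the sample only mirrors its shape.

```python
import ast
from typing import List, Tuple

# Constructed sample input (not the thread's "dir" example, whose code is not
# on the page). It mixes single-element, multi-element, empty and dynamic
# iterables so the detector's decisions can be seen side by side.
SAMPLE_SOURCE = """
import os

def list_dirs():
    for d in ["/tmp"]:          # single-element loop: flagged
        print(os.listdir(d))
    for d in ("/var", "/etc"):  # two elements: not flagged
        print(os.listdir(d))
    for d in []:                # empty literal: body never runs, flagged
        print(d)
    for d in os.listdir("/"):   # dynamic iterable: not a literal, not flagged
        print(d)
"""

Finding = Tuple[int, int, str]  # (line number, element count, message)


class SingleIterationLoopFinder(ast.NodeVisitor):
    """Flag `for` loops over a literal collection with fewer than two elements.

    The CWE label follows the mapping the thread settled on (CWE-1164);
    a tool author could equally choose CWE-670 as discussed there.
    """

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_For(self, node: ast.For) -> None:
        iterable = node.iter
        if isinstance(iterable, (ast.List, ast.Tuple, ast.Set)):
            elts = iterable.elts
            # A starred element (e.g. [*xs]) may expand to any length, so a
            # one-element literal containing it is not a single-iteration loop.
            has_star = any(isinstance(e, ast.Starred) for e in elts)
            if len(elts) == 0:
                self.findings.append(
                    (node.lineno, 0,
                     "CWE-1164: loop over empty literal; loop body is dead code")
                )
            elif len(elts) == 1 and not has_star:
                self.findings.append(
                    (node.lineno, 1,
                     "CWE-1164: loop over single-element literal; "
                     "the loop construct is irrelevant")
                )
        # Keep descending so nested loops are examined too.
        self.generic_visit(node)


def find_single_iteration_loops(source: str) -> List[Finding]:
    """Parse `source` and return findings in source order."""
    finder = SingleIterationLoopFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    for lineno, count, message in find_single_iteration_loops(SAMPLE_SOURCE):
        print(f"line {lineno}: {count} element(s): {message}")
```

Run as a script, the block reports the loops on lines 5 and 9 of the constructed sample and stays silent on the two-element tuple and the `os.listdir` call. The element-count field is kept in each finding so a downstream mapping step, such as a CSV like the one linked in the thread, can distinguish the empty-literal case from the single-element one if it wants to label them differently.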