On Mon, 4 Feb 2008, Robert A. Martin wrote:

> You still need to add to that issues that apply to all languages
> versus these lists of language specific weaknesses and C and C++ have
> significant overlap given their relationship.
There is an important point to keep in mind when using the (current) CWE views. Some weaknesses have been marked with an "All Languages" tag, even though they might be more prevalent in certain languages. For example, format string problems can happen in any language that uses format strings ("%99999999s" to fill up disk or memory, anybody?), so it's marked with "All" and it's not in the C-specific view, even though there's a heavy concentration of format strings in C/C++. On the opposite end, eval injection issues are labeled as affecting specific languages such as Perl and PHP, when a category of "any interpreted language with an eval() or equivalent" would be more appropriate. We haven't yet accounted for these subtleties within CWE, although we plan to do so.

- Steve

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
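Added illustration of the "All Languages" point above (example code, not part of the original message): in Python, as in C, a caller-controlled width specifier such as the "%99999999s" Steve mentions makes the runtime allocate a padded string of that size, so a service that accepts format strings from users needs a language-independent guard. The `MAX_WIDTH` limit, the `format_width_ok` checker and the `render` wrapper are constructed for this example.

```python
import re

# Constructed limit for this example: the largest padding width a caller may
# request. Anything larger is treated as a memory/disk amplification attempt.
MAX_WIDTH = 1024

# Matches one printf-style conversion: flags, optional width, optional
# precision, optional length modifier, conversion character. Width and
# precision may be a number or "*" (taken from an argument at format time).
_CONVERSION_RE = re.compile(
    r"%[-+ 0#]*(\*|\d+)?(?:\.(\*|\d+))?[hlL]?[diouxXeEfFgGcrsa%]"
)


def format_width_ok(fmt: str, max_width: int = MAX_WIDTH) -> bool:
    """Return True if every width/precision in fmt is bounded by max_width.

    A "*" width is refused outright: its value comes from the argument list,
    so it cannot be bounded by inspecting the format string alone.
    """
    for match in _CONVERSION_RE.finditer(fmt):
        for field in (match.group(1), match.group(2)):
            if field == "*":
                return False
            if field is not None and int(field) > max_width:
                return False
    return True


def render(fmt: str, value, max_width: int = MAX_WIDTH) -> str:
    """Apply a caller-supplied format string only after the width check passes."""
    if not format_width_ok(fmt, max_width):
        raise ValueError("format string width exceeds limit")
    return fmt % value


def rendered_length(fmt: str, value) -> int:
    """Length of the padded output: how much a short input is amplified by fmt."""
    return len(fmt % value)


if __name__ == "__main__":
    # A one-character argument becomes a 4096-byte string purely from the width.
    print(rendered_length("%4096s", "x"))
    print(render("%8s", "ab"))
```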