On Mon, 4 Feb 2008, Robert A. Martin wrote:

> You still need to add to that issues that apply to all languages
> versus these lists of language specific weaknesses and C and C++ have
> significant overlap given their relationship.

There is an important point to keep in mind when using the (current) CWE
views.  Some weaknesses have been marked with an "All Languages" tag, even
though they might be more prevalent in certain languages.  For example,
format string problems can happen in any language that uses format strings
("%99999999s" to fill up disk or memory, anybody?), so it's marked with
"All" and it's not in the C-specific view, even though there's a heavy
concentration of format strings in C/C++.  On the opposite end, eval
injection issues are labeled as affecting specific languages such as Perl
and PHP, when a category of "any interpreted language with an eval() or
equivalent" would be more appropriate.  We haven't yet accounted for these
subtleties within CWE yet, although we plan to do so.

- Steve
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to