CLASSIFICATION: UNCLASSIFIED
We played with CWE-499 for a while and couldn't get variables that don't
explicitly disable serialization to serialize (a statement in the CWE and
implied by the example) without using reflection; however, using reflection,
you can change the scope of internal varia
Currently, CWE-1007 is a child of UI misrepresentation. However, source code
can be maliciously injected using bidi and Unicode homoglyphs as well (see
https://www.swatips.com/articles/20211129.html and
https://arxiv.org/abs/2111.00169 and the examples under
https://github.com/nickboucher/troja
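As an added example (not part of this thread, of CWE, or of the linked Trojan Source repository), the following Python scanner checks source text for the two ingredients Jon describes: Unicode bidirectional control characters, and identifiers that either mix scripts or collide once look-alike characters are folded together. The sample source and the small Cyrillic-to-Latin confusables table are constructed here; Unicode's real confusables.txt is far larger, so the table is an assumption, not a complete list.

```python
import re
import unicodedata

# Unicode bidirectional control characters used in Trojan Source attacks:
# embeddings/overrides (U+202A..U+202E) and isolates (U+2066..U+2069).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}

# Partial confusables table (assumption: a handful of Cyrillic letters that
# render identically to Latin ones in common fonts). Good enough to show the
# folding technique; a real scanner would load Unicode's confusables.txt.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

# Identifier: a letter or underscore followed by word characters (Unicode-aware).
IDENT_RE = re.compile(r"[^\W\d]\w*")


def find_bidi_controls(text):
    """Return (line, column, name) for every bidi control character in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((line_no, col, BIDI_CONTROLS[ch]))
    return hits


def _script(ch):
    """Coarse script bucket derived from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script + " "):
            return script
    return "OTHER"


def find_mixed_script_identifiers(text):
    """Identifiers whose letters come from more than one script."""
    mixed = set()
    for ident in IDENT_RE.findall(text):
        scripts = {_script(ch) for ch in ident if ch.isalpha()}
        if len(scripts) > 1:
            mixed.add(ident)
    return sorted(mixed)


def find_confusable_collisions(text):
    """Groups of distinct identifiers that become equal after folding
    confusable characters to their Latin look-alikes."""
    groups = {}
    for ident in set(IDENT_RE.findall(text)):
        skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in ident)
        groups.setdefault(skeleton, set()).add(ident)
    return sorted((k, sorted(v)) for k, v in groups.items() if len(v) > 1)


# Constructed sample: line 4 carries an RLO/LRI/PDI sequence inside a string
# literal so the rendered line reads differently from what the parser sees;
# line 9 defines a second function whose name uses Cyrillic U+0430 for 'a'.
SAMPLE = "\n".join([
    "def is_admin(access_level):",
    "    # constructed: an RLO (U+202E) hides the string terminator, so the",
    "    # rendered line reads differently from what the parser sees",
    "    return access_level != 'user\u202e \u2066# check if admin\u2069 \u2066'",
    "",
    "def hash_message(data):",
    "    return data[::-1]",
    "",
    "def h\u0430sh_message(data):  # Cyrillic U+0430 in place of Latin 'a'",
    "    return data",
])

if __name__ == "__main__":
    for line, col, name in find_bidi_controls(SAMPLE):
        print(f"bidi control {name} at line {line}, column {col}")
    for ident in find_mixed_script_identifiers(SAMPLE):
        print(f"mixed-script identifier: {ident!r}")
    for skeleton, variants in find_confusable_collisions(SAMPLE):
        print(f"confusable identifiers folding to {skeleton!r}: {variants!r}")
```

Rejecting any bidi control character outside comments and string literals is a safe default for most code bases; the identifier checks produce findings that need human review, since legitimate non-Latin identifiers exist.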
I see what you’re saying about the CWE-14[0-6] family being pretty limited to
input processing when the issue could exist because of input or malformed
output. Perhaps changing these to input/output would be more inclusive of this
type of issue. Good catch.
From: Kurt Seifried
Sent: Friday
I did want to renew this discussion. In light of the increased focus on supply
chain risk management and composition analysis, the licensing issues and
weaknesses in aggregated software are becoming more of a problem. Being able to
categorize these weaknesses meaningfully would be helpful.
J
From: Przemyslaw Roguski
Sent: Sunday, November 5, 2023 1:21 PM
To: Steven M Christey
Cc: Hood, Jonathan W CTR USARMY DEVCOM AVMC (USA); CWE Research Discussion
Subject: [Non-DoD Source] Re: Request for CWE: Improper Licensing (UNCLASSIFIED)
CWE to categorize it.
Thank you for helping me understand the position better. I do not think I agree
with it, but do understand the position better than I did before.
Jon
From: Hatfield, Arthur
Sent: Thursday, November 9, 2023 9:54 AM
To: Hood, Jonathan W CTR USARMY DEVCOM AVMC