Hi @phnx, Thanks for raising this issue! I will forward it to the appropriate teams :)
Hello,
I've been working on a project that involves mapping CWE items to CodeQL queries. I stumbled upon this coverage page, which is very helpful. Then I found that some of the queries are mapped to CWE items that CWE recommends not referring to if more precise items exist. While I found that a lot of these queries are also mapped to other CWE items, which makes the mapping interpretation more accurate, a handful of them are only mapped to problematic items or pillar (top-level) CWE items.
For example, cpp/count-untrusted-data-external-api and cpp/late-check-of-function-argument, which are mapped to CWE-20 and CWE-693, or cpp/errors-after-refactoring, which is mapped to CWE-691. I think CWE published that recommendation recently, so it's understandable if some queries were mapped earlier. I'm just wondering if there's an official plan for the coverage to be reviewed, revised, or clarified?
Thank you in advance :)