pySCG: Missing rules on CWE Top 25 #680

Open
myteron opened this issue Oct 29, 2024 · 2 comments

Comments

myteron (Contributor) commented Oct 29, 2024

The Most Dangerous Software Weaknesses CWE Top 25 2023 can be interpreted as mandatory for a learning resource on secure coding.
We will need to debate the list of rules to add to the Python - Secure Coding One Stop Shop.

Missing rule:
1: CWE-787 Out-of-bounds Write
4: CWE-416 Use After Free
14: CWE-190 Integer Overflow or Wraparound
17: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
23: CWE-94 Improper Control of Generation of Code ('Code Injection')

Not Python? JavaScript/Web/HTML/Architecture:
2: CWE-79 Improper Neutralization of Input During Web Generation ('Cross-site Scripting')
7: CWE-125 Out-of-bounds Read
9: CWE-352 Cross-Site Request Forgery (CSRF)
11: CWE-434 Missing Authorization
13: CWE-287 Missing Authentication
19: CWE-918 Server-Side Request Forgery (SSRF)
20: CWE-306 Missing Authentication for Critical Function
22: CWE-269 Improper Privilege Management
24: CWE-863 Incorrect Authorization
25: CWE-276 Incorrect Default Permissions

Similar existing rule, need to check:
6: CWE-20 Improper Input Validation
8: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
10: CWE-434 Unrestricted Upload of File with Dangerous Type
16: CWE-77 Improper Neutralization of Special Elements used in a Command

Existing rule, either online or pending publication as part of #531:
3: CWE-89 SQL Injection
5: CWE-78 OS Command Injection
12: CWE-476 NULL Pointer Dereference
15: CWE-502 Deserialization of Untrusted Data
18: CWE-798 Hard-coded Credentials
21: CWE-362 Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition")

Rg Helge

myteron changed the title from "pySCG: Missing ruels on CWE Top 25" to "pySCG: Missing rules on CWE Top 25" on Oct 29, 2024

david-a-wheeler (Contributor) commented:

The following aren't relevant in Python (unless you include C extensions, which I presume is out of scope):

  • 1 : CWE-787 Out-of-bounds Write
  • 4 : CWE-416 Use After Free
  • 14 : CWE-190 Integer Overflow or Wraparound
  • 17: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

david-a-wheeler (Contributor) commented:

I created #715 as a small step towards this.
