CWE-192 misplaced in Research View


CWE-192 misplaced in Research View

rcvalle
Hello,

While working on our CWE coverage for Red Hat Customer Portal I came
across the "Integer Coercion Error (CWE-192)" category as child of
"Incorrect Conversion between Numeric Types (CWE-681)" in Research View
(CWE-1000).

If this entry was not mistyped to a category instead of a weakness
class--which I don't believe happened, looking at its details--, it was
misplaced into Research View in some way.

Thanks,
--
Ramon de C Valle / Red Hat Product Security Team




Re: CWE-192 misplaced in Research View

Steven M. Christey-3
Ramon,

I apologize for the (very) late reply.  It is an exercise for the diligent
cwe-research-list reader to infer how this inquiry suddenly came to my
attention ;-)

You have found an issue in CWE that I've personally been aware of for a
while, but not certain how to resolve.

CWE-1000 (the research view) is not intended to contain any CWE
categories, but as you noticed, CWE-192 is a category but is also
referenced in CWE-1000.  This is a challenge for CWE.  It is a complicated
issue to resolve, since it will require trying to define what "coercion"
means exactly - and there are various definitions and perspectives as used
throughout the community.  Within CWE, we try to resolve these
inconsistencies wherever possible (such as the alternate_terms element),
but the notion of "coercion" has some conceptual challenges that make it
difficult to fix easily within CWE.

Within the context of the Research view, "coercion" can be regarded as a
behavior, which would suggest keeping it in the Research view - but if we
do so, and we convert it to a Weakness type (base or class) instead of a
Category, it's uncertain whether it should be the parent of the various
other weakness types such as CWE-194 or CWE-195, or whether it is
effectively a duplicate of CWE-681 (Incorrect Conversion between Numeric
Types), which is already a Weakness Base.  This is an area where CWE could
benefit from input by experts in this type of weakness.  Any feedback from
Red Hat or other members of this list is welcome.

Regards,
Steve




Re: CWE-192 misplaced in Research View

rcvalle
Hello Steven,

I think that regardless of whether it is in the Development or Research view,
the "coercion" behavior is always the result of an incorrect (implicit or not)
conversion between numeric types; notice that all the examples (1 and 2) in
the CWE-192 entry are integer signedness errors while implicitly converting
one type to another. This may indicate--and I share this same opinion--that
CWE-192 is indeed a duplicate of CWE-681.

Thanks,
--
Ramon de C Valle / Red Hat Product Security Team
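As an added illustration of the point made in this thread (example code, not part of the original messages or of CWE itself): the two coercion patterns mentioned above, an implicit signed-to-unsigned conversion of a length and sign extension when widening a small signed value, shown in C next to the explicit checks that remove them. Function names and sample values are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Weak bounds check: both operands are int, so -1 <= 64 is true. The
 * caller then hands `requested` to an API that takes size_t, and only at
 * that point is it coerced (signed -> unsigned), becoming SIZE_MAX. */
bool fits_weak(int requested, int capacity)
{
    return requested <= capacity;
}

/* What the size_t consumer actually receives after the implicit coercion. */
size_t coerced_length(int requested)
{
    return requested;   /* implicit int -> size_t conversion */
}

/* Hardened check: reject negative lengths first, then compare in the
 * unsigned domain with an explicit cast so no implicit coercion remains. */
bool fits_checked(int requested, size_t capacity)
{
    if (requested < 0)
        return false;
    return (size_t)requested <= capacity;
}

/* Sign extension on widening: an 8-bit signed -1 (bit pattern 0xFF) is
 * sign-extended when converted to a wider unsigned type, giving 0xFFFFFFFF
 * instead of the 255 a parser of untrusted bytes usually expects. */
uint32_t widen_signed_byte(int8_t v)
{
    return v;           /* implicit int8_t -> int -> uint32_t */
}

/* Masking the byte before widening keeps the result in 0..255. */
uint32_t widen_byte_masked(int8_t v)
{
    return (uint32_t)v & 0xFFu;
}

int main(void)
{
    int len = -1;       /* constructed input: a negative "length" field */
    printf("weak: %d  coerced: %zu  checked: %d\n",
           fits_weak(len, 64), coerced_length(len), fits_checked(len, 64));
    printf("widened: 0x%08x  masked: 0x%08x\n",
           widen_signed_byte(-1), widen_byte_masked(-1));
    return 0;
}
```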

