Doesn't the view CWE-699 include CWE-772 ?

Doesn't the view CWE-699 include CWE-772 ?

Mingyue Zhu

Dear CWE Research Group,

While working on security weaknesses based on source code, I found that the view "CWE-699 Development Concepts" doesn't include the weakness base "CWE-772 Missing Release of Resource after Effective Lifetime". I'm afraid I can't agree with this. Here are my reasons:

1. The weakness base "CWE-772: Missing Release of Resource after Effective Lifetime" happens in source code, and it can be found by static analysis tools like "Coverity Static Application Security Testing (SAST) - C/C++". Therefore, it should be included in "CWE-699 Development Concepts".

2. All of CWE-772's parent entries (CWE-400, CWE-404) are included in the view CWE-699, and all of CWE-772's child entries (CWE-401, CWE-775) are included in the view CWE-699 too. Only CWE-772 itself is left out.

3. In CWE-772's demonstrative examples, we can see that a missing release of a database connection results in a "DoS: resource consumption" impact. No other CWE entry in the view CWE-699 can replace CWE-772 to show this kind of weakness.

I think adding CWE-772 to CWE-699 is more reasonable. Please tell me your opinion about this, and please forgive my poor English.

thanks,

--

Mingyue Zhu
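The connection-leak pattern that point 3 refers to (CWE-772's database-connection demonstrative example, where an unreleased connection leads to "DoS: resource consumption"), shown as an added example. This is not code from the original post or from the CWE entry: it uses a constructed fixed-size pool of in-memory sqlite3 connections as a stand-in for a real database pool, and the names `ConnectionPool`, `leaky_query`, `safe_query` and `simulate` are assumptions made for the illustration. `leaky_query` releases the connection only on the success path, so every request that raises leaks one connection; `safe_query` releases in a `finally` block. `simulate` runs the same request mix through both and reports how many requests were starved.

```python
"""CWE-772 illustration: a database connection that is not released on the
error path exhausts a fixed-size pool (DoS: resource consumption).
Added example; the pool is a constructed stand-in, not a real driver."""
import queue
import sqlite3


class PoolExhausted(Exception):
    """Raised when no connection is returned to the pool within the timeout."""


class ConnectionPool:
    """Fixed-size pool of sqlite3 in-memory connections (constructed for the
    example so it runs offline). Each connection gets a one-row table `t`."""

    def __init__(self, size, timeout=0.05):
        self._free = queue.Queue()
        self._timeout = timeout
        for _ in range(size):
            conn = sqlite3.connect(":memory:")
            conn.execute("CREATE TABLE t (v INTEGER)")
            conn.execute("INSERT INTO t VALUES (1)")
            self._free.put(conn)

    def acquire(self):
        """Take a free connection; raise PoolExhausted if none frees up."""
        try:
            return self._free.get(timeout=self._timeout)
        except queue.Empty:
            raise PoolExhausted("no free connections") from None

    def release(self, conn):
        self._free.put(conn)

    def available(self):
        return self._free.qsize()


def leaky_query(pool, sql):
    """CWE-772 pattern: release happens only on the success path. If
    execute() raises (bad SQL, missing table, ...), the connection is
    never returned, and the pool shrinks by one for the process lifetime."""
    conn = pool.acquire()
    rows = conn.execute(sql).fetchall()
    pool.release(conn)
    return rows


def safe_query(pool, sql):
    """Hardened form: release in `finally`, so every exit path (normal
    return and exception) gives the connection back."""
    conn = pool.acquire()
    try:
        return conn.execute(sql).fetchall()
    finally:
        pool.release(conn)


def simulate(handler, pool_size, requests):
    """Run a list of SQL strings through `handler` against a fresh pool.
    Returns (ok, sql_errors, exhausted, free_connections_at_end)."""
    pool = ConnectionPool(pool_size)
    ok = sql_errors = exhausted = 0
    for sql in requests:
        try:
            handler(pool, sql)
            ok += 1
        except sqlite3.Error:      # the query itself failed
            sql_errors += 1
        except PoolExhausted:      # starved: a previous leak consumed the pool
            exhausted += 1
    return ok, sql_errors, exhausted, pool.available()


if __name__ == "__main__":
    # Constructed request mix: two requests that always fail, then three
    # valid ones. With a pool of two, the leaky handler starves the valid
    # requests; the safe handler serves all of them.
    bad = "SELECT * FROM no_such_table"
    good = "SELECT v FROM t"
    reqs = [bad, bad, good, good, good]
    print("leaky (ok, sql_errors, exhausted, free):", simulate(leaky_query, 2, reqs))
    print("safe  (ok, sql_errors, exhausted, free):", simulate(safe_query, 2, reqs))
```

This is the behaviour a SAST tool flags as CWE-772 (resource acquired, release not on all paths), and it is why the weakness needs its own entry: the code compiles, works on the happy path, and degrades only under a stream of failing requests.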

Re: Doesn't the view CWE-699 include CWE-772 ?

Steven M. Christey-3
(copying entire CWE-RESEARCH list on this response)


Mingyue,

Thank you for noticing this.  We agree that CWE-772 should be part of the
CWE-699 view.  We will make this change in the next version of CWE, and we
will also investigate to see if there are other CWE weaknesses that should
be listed in CWE-699.

Regards,
Steve Christey
CWE Technical Lead