Examples of Name and Relationship Changes in CWE Draft 9

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view

Examples of Name and Relationship Changes in CWE Draft 9

Steven M. Christey-2
If you examine the difference report at
http://cwe.mitre.org/data/reports/diff_draft_8_9.html , you will see that
we changed the names of over 200 entries in Draft 9 alone, and we added
275 relationships while removing 75.  We also changed nearly 200

The main goals were:

 - make the CWE name and description more clear about the weakness
   being covered, and try to keep the perspective on the weakness
   itself, instead of the attack or consequence - but preserve such
   terminology if it's commonplace.

 - when the CWE is identifying a weakness, try to classify it under
   the Natural Hierarchy view (CWE-1000), i.e. it should have a parent
   that is a Weakness (Variant, Base, or Class).  If a new node is
   necessary, create it (or flag the issue for review after Draft 9's

We tried to change the names so that a CWE consumer would not have to
depend so much on looking up the item's description and context notes,
just to figure out what the item was talking about.  We tried to
remove perspective problems where feasible, such as when a name was
too focused on the associated attack.

The litmus test for a name change was simple: if a CWE analyst didn't
know what the issue was about upon reading the name, then most CWE
users probably wouldn't know either.  As a result, we removed a lot of
non-specific terms such as "insecure," "improper," and "erroneous," or
tried to develop some consistency when we needed to use more general
terms, such as "sanitization" as an over-arching term that could cover
failure to filter, decode, quote, validate, etc.

We didn't identify all the names that needed fixing, but 37% of CWE
entries were modified, so this was a solid start.

We definitely didn't identify the natural parents for every entry,
although this effort did produce many of the new entries that were
added to Draft 9.  We expect this to be an ongoing process.  See the
CWE-1000 definition for additional explanation of the natural

Below are a few examples of the name changes, along with relationships
that we added, to give people a sense of what we did and why.


582: Mobile Code: Unsafe Array Declaration

     - what's unsafe about it - is this permissions?  buffer overflow?
       something else?

    New name: Array Declared Public, Final, and Static


568: Erroneous Finalize Method

    - what's the error?  does the software define the finalize method
      incorrectly?  is this permissions?  Does the method do too much?
      too little?  operates on the wrong object?  has a memory leak?
      sends private data?

    New name: finalize() Method Without super.finalize()

    Old parent: 399: Resource Management Errors

    New parents:

          573 - Failure to Follow Specification
          404 - Improper Resource Shutdown or Release


73: Path Manipulation

  - name is attack-focused

  - how is it being manipulated - symbolic link?  long pathname?  path
    traversal?  appending "%20" to retrive source code?

  - first code example is path traversal (CWE-22)

  - second code example may or may not be path traversal

  - RENAMED: "External Control of File Name or Path"

  - ADDED ChildOf 99 Insufficient Control of Resource Identifiers (aka
    'Resource Injection')


4: J2EE Environment Issues

This is a general category node whose name is self-explanatory.  In
draft 8, however, its children rarely had any natural parents.

  child: 5 J2EE Misconfiguration: Insecure Transport

       RENAMED: J2EE Misconfiguration: Data Transmission Without Encryption

       ADDED: ChildOf 311 Failure to Encrypt Sensitive Data

  child: 555 J2EE Misconfiguration: Password in Configuration File

       RENAMED: J2EE Misconfiguration: Plaintext Password in
                Configuration File

       ADDED: ChildOf 522 Insufficiently Protected Credentials

       DESCRIPTION: modified

  child: 6 J2EE Misconfiguration: Insufficient Session-ID Length

       ADDED: ChildOf 334 Small Space of Random Values

  child: 7 J2EE Misconfiguration: Missing Error Handling


  child: 8 J2EE Misconfiguration: Entity Bean Declared Remote

     ADDED: ChildOf 668 Exposure of Resource to Wrong Sphere

  child: 9 J2EE Misconfiguration: Weak Access Permissions

     RENAMED: J2EE Misconfiguration: Weak Access Permissions for EJB Methods

     ADDED: ChildOf 275 Permission Issues


597 Erroneous String Compare

  - what's the error - only a portion of the string is compared?  It
    compares a string in a case-insensitive manner?  It doesn't handle
    when one string is shorter than the other?

  RENAMED: Use of Wrong Operator in String Comparison


591 Memory Locking

  - is this about not locking memory?  Locking it incorrectly?  is
    this a category of all different types of weaknesses that can
    occur during memory locking?

  RENAMED: Sensitive Data Storage in Improperly Locked Memory


590 Improperly Freeing Heap Memory

  - does this mean double free?  running free() on an object that was
    allocated using new() ?

  RENAMED: Free of Invalid Pointer Not on the Heap


560 Often Misused: umask()

  - is this about setting an insecure umask?  Not specifying a umask
    and using one that you've inherited from the caller of your

  RENAMED: Use of umask() with chmod-style Argument

  FORMER PARENT: 559 "Often Misused: Arguments and Parameters"

  New parent: 687 Function Call With Incorrectly Specified Argument Value


474 Inconsistent Implementations

  - is this about things like how web browsers can behave differently?

  RENAMED: Use of Function with Inconsistent Implementations


401 Memory Leak

  RENAMED: Failure to Release Memory Before Removing Last Reference
  (aka 'Memory Leak')

  Natural parents: none in draft 8

  ADDED: ChildOf 404 Improper Resource Shutdown or Release
Reply | Threaded
Open this post in threaded view

Re: Examples of Name and Relationship Changes in CWE Draft 9

Wheeler, David A
Steven M. Christey wrote:
> we changed the names of over 200 entries in Draft 9 alone
 > 401 Memory Leak
 >   RENAMED: Failure to Release Memory Before Removing Last Reference
 >   (aka 'Memory Leak')

I like the _idea_ of more-specific-names, but this one isn't quite right
on two counts:

1. Many memory leaks are due to circular structures, e.g., A references
B, and B references A, yet NOTHING refers to either.  This _IS_ a memory
leak, but not by this name.

2. Memory leaks only happen if the run-time doesn't support the
necessary kind of garbage collection.  Some systems build in
reference-counting collectors, which means you don't need to worry about
releasing memory UNLESS there's a circularity.

I think what you mean is something like
"Failure to Release Memory After It Becomes Unreferenceable"

--- David A. Wheeler