Insufficient Comparison (CWE-697)


I often see myself assigning "Insufficient Comparison (CWE-697)" for
cases listed in the first item of its extended definition (i.e. the
comparison checks one factor incorrectly) more than the second (i.e.
the comparison should consider multiple factors, but it does not check
some of those factors at all).

Wouldn't this weakness class be better named "Incorrect Comparison"
rather than "Insufficient Comparison", since the "Incorrect" wording
may also encompass "Incomplete" within its meaning? This also would
keep consistency with its child "Partial Comparison (CWE-187)"--which,
despite being a weakness base, may overlap and cause confusion.

Ramon de C Valle / Red Hat Product Security Team
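
The two items of the extended definition mentioned in the message, next to a complete comparison, as an added example that is not part of the original post. The origin-matching scenario, the function names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    """Return (scheme, host, port) with case and default port normalised."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


TRUSTED = _parts("https://portal.example.test")  # constructed trusted origin


def one_factor_incorrect(url):
    # First item: every factor is looked at, but the host is tested as a
    # substring instead of for equality. Because only part of the host is
    # matched, this instance also fits Partial Comparison (CWE-187).
    scheme, host, port = _parts(url)
    return (scheme, port) == (TRUSTED[0], TRUSTED[2]) and TRUSTED[1] in host


def factors_not_checked(url):
    # Second item: the host test is exact, but scheme and port are never
    # compared at all.
    return _parts(url)[1] == TRUSTED[1]


def full_comparison(url):
    # All factors of the origin, each compared for equality.
    return _parts(url) == TRUSTED


def classify(url):
    """Results of the three checks, in the order they are defined above."""
    return one_factor_incorrect(url), factors_not_checked(url), full_comparison(url)


if __name__ == "__main__":
    for sample in (  # constructed inputs
        "https://portal.example.test/login",
        "HTTPS://PORTAL.example.test:443/",
        "https://portal.example.test.other.example/",
        "http://portal.example.test:8080/",
    ):
        print(classify(sample), sample)
```

Each flawed check accepts a different sample that the full comparison rejects, which is how the two items can be told apart when triaging a report.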