Question about CWE-397 for the Discussion List

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Question about CWE-397 for the Discussion List

Fulvio Baccaglini
Hi,

I have signed up to the CWE Discussion List, but I don't seem to have a
way to access it yet (e.g. username, password).

In the meantime, could you please post the question below?

Many thanks
Fulvio Baccaglini

~~~~~~~~
Should CWE-397 be removed from the CWE-659 list?
~~~~~~~~

CWE-659: "CWE VIEW: Weaknesses in Software Written in C++"
https://cwe.mitre.org/data/definitions/659.html

Currently contains weakness:
CWE-397: "Declaration of Throws for Generic Exception"
https://cwe.mitre.org/data/definitions/397.html

CWE-397 is listed as applicable to the C++, Java and C# languages.

The demonstrative Java example shows a case where specific exceptions
'IOException', 'InvocationTargetException' and 'SQLException' should be
thrown instead of the generic 'Exception'.

What would be the equivalent approach for C++ - dynamic exception
specification - has been removed as of the current version of the C++
language, C++17:
http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2016/p0003r5.html

Note that the approach was deprecated in C++11:
N3051 - "Deprecating Exception Specifications"
http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2010/n3051.html

Should therefore CWE-397 be considered not applicable to the C++
language, and removed from the CWE-659 list, or otherwise what would be
the case for leaving it in?

Fulvio

Reply | Threaded
Open this post in threaded view
|

RE: Question about CWE-397 for the Discussion List

Andrew Buttner
Administrator
Fulvio,

No username or password is required for this discussion list. Once signed up
you can send messages.  Note that all messages are moderated and held for
approval before being released to the list.

Thank you for pointing out this issue.  To step back before dynamic exception
specification in C++ was deprecated, I think the C++ example for CWE-397 would
have been:

int myfunction(int param) throw(std::exception);

Do I have that correct? Is this even valid syntax? In this case I think the
code declares that myfunction() can throw an exception of type
"std::exception", but the actual code may throw a bad_alloc, bad_cast,
logic_error, etc. which are derived from the std::exception class.

As you point out, the notion of declaring what type of exception a function
will throw has been deprecated as of C++11.

Question for others in the CWE community ... Is this a weakness for C++98 and
C++03? If it is something we consider a weakness, then I propose that we add a
note to the CWE entry regarding the applicability in different versions of
C++, and that we also add a C++ example that clearly states the applicability
limited to early versions of C++.

Or should we consider dropping C++ from the list of applicable platforms for
CWE-397?

Thanks
Drew



-----Original Message-----
From: Fulvio Baccaglini <[hidden email]>
Sent: Wednesday, August 15, 2018 6:37 AM
To: CWE Research Discussion <[hidden email]>
Subject: Question about CWE-397 for the Discussion List

Hi,

I have signed up to the CWE Discussion List, but I don't seem to have a way to
access it yet (e.g. username, password).

In the meantime, could you please post the question below?

Many thanks
Fulvio Baccaglini

~~~~~~~~
Should CWE-397 be removed from the CWE-659 list?
~~~~~~~~

CWE-659: "CWE VIEW: Weaknesses in Software Written in C++"
https://cwe.mitre.org/data/definitions/659.html

Currently contains weakness:
CWE-397: "Declaration of Throws for Generic Exception"
https://cwe.mitre.org/data/definitions/397.html

CWE-397 is listed as applicable to the C++, Java and C# languages.

The demonstrative Java example shows a case where specific exceptions
'IOException', 'InvocationTargetException' and 'SQLException' should be thrown
instead of the generic 'Exception'.

What would be the equivalent approach for C++ - dynamic exception
specification - has been removed as of the current version of the C++
language, C++17:
http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2016/p0003r5.html

Note that the approach was deprecated in C++11:
N3051 - "Deprecating Exception Specifications"
http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2010/n3051.html

Should therefore CWE-397 be considered not applicable to the C++ language, and
removed from the CWE-659 list, or otherwise what would be the case for leaving
it in?

Fulvio


smime.p7s (6K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Question about CWE-397 for the Discussion List

Arthur Hicken
In reply to this post by Fulvio Baccaglini
Given that many people are on older versions of C++ and will be there for many years, I’d say a note about it would be more appropriate than removing it.

> On Aug 15, 2018, at 3:37 AM, Fulvio Baccaglini <[hidden email]> wrote:
>
> Hi,
>
> I have signed up to the CWE Discussion List, but I don't seem to have a
> way to access it yet (e.g. username, password).
>
> In the meantime, could you please post the question below?
>
> Many thanks
> Fulvio Baccaglini
>
> ~~~~~~~~
> Should CWE-397 be removed from the CWE-659 list?
> ~~~~~~~~
>
> CWE-659: "CWE VIEW: Weaknesses in Software Written in C++"
> https://cwe.mitre.org/data/definitions/659.html
>
> Currently contains weakness:
> CWE-397: "Declaration of Throws for Generic Exception"
> https://cwe.mitre.org/data/definitions/397.html
>
> CWE-397 is listed as applicable to the C++, Java and C# languages.
>
> The demonstrative Java example shows a case where specific exceptions
> 'IOException', 'InvocationTargetException' and 'SQLException' should be
> thrown instead of the generic 'Exception'.
>
> What would be the equivalent approach for C++ - dynamic exception
> specification - has been removed as of the current version of the C++
> language, C++17:
> http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2016/p0003r5.html
>
> Note that the approach was deprecated in C++11:
> N3051 - "Deprecating Exception Specifications"
> http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2010/n3051.html
>
> Should therefore CWE-397 be considered not applicable to the C++
> language, and removed from the CWE-659 list, or otherwise what would be
> the case for leaving it in?
>
> Fulvio
>