From c3209fcaac0b14cc2dcb057dcebb60fa35e274e2 Mon Sep 17 00:00:00 2001 From: Cosmin Cojocar Date: Mon, 27 May 2024 14:08:19 +0100 Subject: [PATCH] Map the G115 rule to an CWE ID Signed-off-by: Cosmin Cojocar --- cwe/data.go | 60 +++++++++++++++++++++++++------------------------- issue/issue.go | 1 + 2 files changed, 31 insertions(+), 30 deletions(-) diff --git a/cwe/data.go b/cwe/data.go index 79a6b9d..c8d92bd 100644 --- a/cwe/data.go +++ b/cwe/data.go @@ -18,6 +18,31 @@ const ( ) var idWeaknesses = map[string]*Weakness{ + "22": { + ID: "22", + Description: "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.", + Name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + "78": { + ID: "78", + Description: "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.", + Name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + "79": { + ID: "79", + Description: "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.", + Name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + "88": { + ID: "88", + Description: "The software constructs a string for a command to executed by a separate component\nin another control sphere, but it does not properly delimit the\nintended arguments, options, or switches within that command string.", + Name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + "89": { + ID: "89", + Description: "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.", + Name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, "118": { ID: "118", Description: "The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.", @@ -33,11 +58,6 @@ var idWeaknesses = map[string]*Weakness{ Description: "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.", Name: "Exposure of Sensitive Information to an Unauthorized Actor", }, - "22": { - ID: "22", - Description: "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.", - Name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - }, "242": { ID: "242", Description: "The program calls a function that can never be guaranteed to work safely.", @@ -93,41 +113,21 @@ var idWeaknesses = map[string]*Weakness{ Description: "The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.", Name: "Improper Handling of Highly Compressed Data (Data Amplification)", }, + "676": { + ID: "676", + Description: "The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.", + Name: "Use of Potentially Dangerous Function", + }, "703": { ID: "703", Description: "The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.", Name: "Improper Check or Handling of Exceptional Conditions", }, - "78": { - ID: "78", - Description: "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.", - Name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - }, - "79": { - ID: "79", - Description: "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.", - Name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - }, "798": { ID: "798", Description: "The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.", Name: "Use of Hard-coded Credentials", }, - "88": { - ID: "88", - Description: "The software constructs a string for a command to executed by a separate component\nin another control sphere, but it does not properly delimit the\nintended arguments, options, or switches within that command string.", - Name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", - }, - "89": { - ID: "89", - Description: "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.", - Name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - }, - "676": { - ID: "676", - Description: "The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.", - Name: "Use of Potentially Dangerous Function", - }, } // Get Retrieves a CWE weakness by it's id diff --git a/issue/issue.go b/issue/issue.go index 1000b20..41779a6 100644 --- a/issue/issue.go +++ b/issue/issue.go @@ -67,6 +67,7 @@ var ruleToCWE = map[string]string{ "G112": "400", "G113": "190", "G114": "676", + "G115": "190", "G201": "89", "G202": "89", "G203": "79",