Merge pull request #1076 from AdaCore/add_cwe_to_coding_standards

Add CWE to each standard
AdaCore · Jul 20, 2024 · 512a859 · 512a859
2 parents b04eaca + 8ffabaa
commit 512a859
Show file tree

Hide file tree

Showing 44 changed files with 290 additions and 2 deletions.
diff --git a/...e_Ada_SPARK/chapters/guidelines/concurrency/con01_use_the_ravenscar_profile.rst b/...e_Ada_SPARK/chapters/guidelines/concurrency/con01_use_the_ravenscar_profile.rst
@@ -85,6 +85,14 @@ Applicable Vulnerability within ISO TR 24772-2
 * 6.62 Concurrency - Premature termination [CGS]
 * 6.63 Lock protocol errors [CGM]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization <362>`
+* :cwe:`CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition <367>`
+* :cwe:`CWE-366 - Race Condition within a Thread <366>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...cure_Ada_SPARK/chapters/guidelines/concurrency/con02_use_the_jorvik_profile.rst b/...cure_Ada_SPARK/chapters/guidelines/concurrency/con02_use_the_jorvik_profile.rst
@@ -95,6 +95,14 @@ Applicable Vulnerability within ISO TR 24772-2
 * 6.62 Concurrency - Premature termination [CGS]
 * 6.63 Lock protocol errors [CGM]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization <362>`
+* :cwe:`CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition <367>`
+* :cwe:`CWE-366 - Race Condition within a Thread <366>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...lines/concurrency/con03_avoid_shared_variables_for_inter-task_communication.rst b/...lines/concurrency/con03_avoid_shared_variables_for_inter-task_communication.rst
@@ -42,6 +42,13 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 6.56 Undefined behaviour [EWF]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-567 - Unsynchronized Access to Shared Data in a Multithreaded Context <567>`
+* :cwe:`CWE-667 - Improper Locking <667>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...delines/dynamic_storage_management/dyn01_common_high_integrity_restrictions.rst b/...delines/dynamic_storage_management/dyn01_common_high_integrity_restrictions.rst
@@ -50,6 +50,14 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 4.10 Storage Pool
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-401 - Missing Release of Memory after Effective Lifetime <401>`
+* :cwe:`CWE-415 - Double Free <415>`
+* :cwe:`CWE-416 - Use After Free <416>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...lines/dynamic_storage_management/dyn02_traditional_static_allocation_policy.rst b/...lines/dynamic_storage_management/dyn02_traditional_static_allocation_policy.rst
@@ -59,6 +59,15 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 4.10 Storage Pool
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-401 - Missing Release of Memory after Effective Lifetime <401>`
+* :cwe:`CWE-758 - Reliance on Undefined, Unspecified, or Implementation-Defined Behavior <758>`
+* :cwe:`CWE-771 - Missing Reference to Active Allocated Resource <771>`
+* :cwe:`CWE-1325 - Improperly Controlled Sequential Memory Allocation <1325>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...nes/dynamic_storage_management/dyn03_access_types_without_allocators_policy.rst b/...nes/dynamic_storage_management/dyn03_access_types_without_allocators_policy.rst
@@ -68,6 +68,16 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 6.14 Dangling reference to heap [XYK]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-401 - Missing Release of Memory after Effective Lifetime <401>`
+* :cwe:`CWE-415 - Double Free <415>`
+* :cwe:`CWE-416 - Use After Free <416>`
+* :cwe:`CWE-771 - Missing Reference to Active Allocated Resource <771>`
+* :cwe:`CWE-1325 - Improperly Controlled Sequential Memory Allocation <1325>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...idelines/dynamic_storage_management/dyn04_minimal_dynamic_allocation_policy.rst b/...idelines/dynamic_storage_management/dyn04_minimal_dynamic_allocation_policy.rst
@@ -56,6 +56,16 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 4.10 Storage Pool
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-401 - Missing Release of Memory after Effective Lifetime <401>`
+* :cwe:`CWE-415 - Double Free <415>`
+* :cwe:`CWE-416 - Use After Free <416>`
+* :cwe:`CWE-771 - Missing Reference to Active Allocated Resource <771>`
+* :cwe:`CWE-1325 - Improperly Controlled Sequential Memory Allocation <1325>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...idelines/dynamic_storage_management/dyn05_user-defined_storage_pools_policy.rst b/...idelines/dynamic_storage_management/dyn05_user-defined_storage_pools_policy.rst
@@ -69,6 +69,14 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 4.10 Storage Pool
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-401 - Missing Release of Memory after Effective Lifetime <401>`
+* :cwe:`CWE-415 - Double Free <415>`
+* :cwe:`CWE-416 - Use After Free <416>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...ic_storage_management/dyn06_statically_determine_maximum_stack_requirements.rst b/...ic_storage_management/dyn06_statically_determine_maximum_stack_requirements.rst
@@ -48,6 +48,13 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 4.10 Storage Pool
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-770 - Allocation of Resources Without Limits or Throttling <770>`
+* :cwe:`CWE-789 - Uncontrolled Memory Allocation <789>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...ers/guidelines/exception_usage/exu01_dont_raise_language-defined_exceptions.rst b/...ers/guidelines/exception_usage/exu01_dont_raise_language-defined_exceptions.rst
@@ -50,6 +50,12 @@ Applicable Vulnerability within ISO TR 24772-2
 
 N/A
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-397 - Declaration of Throws for Generic Exception <397>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...uidelines/exception_usage/exu02_no_unhandled_application-defined_exceptions.rst b/...uidelines/exception_usage/exu02_no_unhandled_application-defined_exceptions.rst
@@ -85,6 +85,12 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 6.36 Ignored error status and unhandled exceptions [OYB]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-248 - Uncaught Exception <248>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...lines/exception_usage/exu03_no_exception_propagation_beyond_name_visibility.rst b/...lines/exception_usage/exu03_no_exception_propagation_beyond_name_visibility.rst
@@ -43,6 +43,12 @@ Applicable Vulnerability within ISO TR 24772-2
 
 N/A
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-248 - Uncaught Exception <248>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...pters/guidelines/exception_usage/exu04_prove_absence_of_run-time_exceptions.rst b/...pters/guidelines/exception_usage/exu04_prove_absence_of_run-time_exceptions.rst
@@ -56,6 +56,12 @@ Applicable Vulnerability within ISO TR 24772-2
 
 N/A
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-248 - Uncaught Exception <248>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...uidelines/object_oriented_programming/oop01_no_class-wide_constructs_policy.rst b/...uidelines/object_oriented_programming/oop01_no_class-wide_constructs_policy.rst
@@ -49,6 +49,12 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 6.43 Redispatching [PPH]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+N/A
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...guidelines/object_oriented_programming/oop02_static_dispatching_only_policy.rst b/...guidelines/object_oriented_programming/oop02_static_dispatching_only_policy.rst
@@ -49,6 +49,12 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 6.43 Redispatching [PPH]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+N/A
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...delines/object_oriented_programming/oop03_limit_inheritance_hierarchy_depth.rst b/...delines/object_oriented_programming/oop03_limit_inheritance_hierarchy_depth.rst
@@ -61,6 +61,13 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 6.41 Inheritance [RIP]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-1074 - Class with Excessively Deep Inheritance <1074>`
+* :cwe:`CWE-1086 - Class with Excessive Number of Child Classes <1086>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...programming/oop04_limit_statically-dispatched_calls_to_primitive_operations.rst b/...programming/oop04_limit_statically-dispatched_calls_to_primitive_operations.rst
@@ -82,6 +82,12 @@ Applicable Vulnerability within ISO TR 24772-2
 * 6.43 Redispatching [PPH]
 * 6.44 Polymorphic variables [BKK]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+N/A
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...lines/object_oriented_programming/oop05_use_explicit_overriding_annotations.rst b/...lines/object_oriented_programming/oop05_use_explicit_overriding_annotations.rst
@@ -99,6 +99,12 @@ Applicable Vulnerability within ISO TR 24772-2
 * 6.34 Subprogram signature mismatch [OTR]
 * 6.41 Inheritance [RIP]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-685 - Function Call With Incorrect Number of Arguments <685>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...delines/object_oriented_programming/oop06_use_class-wide_pre-post_contracts.rst b/...delines/object_oriented_programming/oop06_use_class-wide_pre-post_contracts.rst
@@ -54,6 +54,12 @@ Applicable Vulnerability within ISO TR 24772-2
 * 6.42 Violations of the Liskov substitution principle or the contract model
   [BLP]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+N/A
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/.../guidelines/object_oriented_programming/oop07_ensure_local_type_consistency.rst b/.../guidelines/object_oriented_programming/oop07_ensure_local_type_consistency.rst
@@ -135,6 +135,12 @@ Applicable Vulnerability within ISO TR 24772-2
 * 6.43 Redispatching [PPH]
 * 6.44 Polymorphic variables [BKK]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+N/A
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...lines/robust_programming_practice/rpp01_no_use_of_others_in_case_constructs.rst b/...lines/robust_programming_practice/rpp01_no_use_of_others_in_case_constructs.rst
@@ -54,6 +54,12 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 6.27 Switch statements and static analysis [CLL]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-478 - Missing Default Case in Multiple Condition Expression <478>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/.../robust_programming_practice/rpp02_no_enumeration_ranges_in_case_constructs.rst b/.../robust_programming_practice/rpp02_no_enumeration_ranges_in_case_constructs.rst
@@ -48,6 +48,12 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 6.5 Enumerator issues [CCB]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+N/A
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...lines/robust_programming_practice/rpp03_limited_use_of_others_in_aggregates.rst b/...lines/robust_programming_practice/rpp03_limited_use_of_others_in_aggregates.rst
@@ -50,6 +50,12 @@ Applicable Vulnerability within ISO TR 24772-2
 * 6.5 Enumerator issues [CCB]
 * 6.27 Switch statements and static analysis [CLL]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-478 - Missing Default Case in Multiple Condition Expression <478>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...bust_programming_practice/rpp04_no_unassigned_mode-out_procedure_parameters.rst b/...bust_programming_practice/rpp04_no_unassigned_mode-out_procedure_parameters.rst
@@ -48,6 +48,12 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 6.32 Passing parameters and return values [CSJ]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-457 - Use of Uninitialized Variable <457>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...es/robust_programming_practice/rpp05_no_use_of_others_in_exception_handlers.rst b/...es/robust_programming_practice/rpp05_no_use_of_others_in_exception_handlers.rst
@@ -46,6 +46,12 @@ Applicable Vulnerability within ISO TR 24772-2
 
 N/A
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-396 - Declaration of Catch for Generic Exception <396>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...rs/guidelines/robust_programming_practice/rpp06_avoid_function_side-effects.rst b/...rs/guidelines/robust_programming_practice/rpp06_avoid_function_side-effects.rst
@@ -54,6 +54,12 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 6.24 Side-effects and order of evaluation [SAM]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+N/A
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...rs/guidelines/robust_programming_practice/rpp07_functions_only_have_mode_in.rst b/...rs/guidelines/robust_programming_practice/rpp07_functions_only_have_mode_in.rst
@@ -45,6 +45,12 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 6.24 Side-effects and order of evaluation [SAM]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+N/A
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...pters/guidelines/robust_programming_practice/rpp08_limit_parameter_aliasing.rst b/...pters/guidelines/robust_programming_practice/rpp08_limit_parameter_aliasing.rst
@@ -85,6 +85,12 @@ Applicable Vulnerability within ISO TR 24772-2
 
 * 6.32 Passing parameters and return values [CSJ]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+N/A
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++

diff --git a/...ust_programming_practice/rpp09_use_precondition_and_postcondition_contracts.rst b/...ust_programming_practice/rpp09_use_precondition_and_postcondition_contracts.rst
@@ -66,6 +66,12 @@ Applicable Vulnerability within ISO TR 24772-2
 * 6.42 Violations of the Liskov substitution principle or the contract model
   [BLP]
 
+++++++++++++++++++++++++++++++++++++++++
+Applicable Common Weakness Enumeration
+++++++++++++++++++++++++++++++++++++++++
+
+* :cwe:`CWE-754 - Improper Check for Unusual or Exceptional Conditions <754>`
+
 +++++++++++++++++++++++++++
 Noncompliant Code Example
 +++++++++++++++++++++++++++
-Original file line number
+Diff line change
@@ Expand Up / @@ -50,6 +50,12 @@ Applicable Vulnerability within ISO TR 24772-2 @@
     N/A
+    ++++++++++++++++++++++++++++++++++++++++
+    Applicable Common Weakness Enumeration
+    ++++++++++++++++++++++++++++++++++++++++
+    * :cwe:`CWE-397 - Declaration of Throws for Generic Exception <397>`
     +++++++++++++++++++++++++++
     Noncompliant Code Example
     +++++++++++++++++++++++++++
@@ Expand Down @@