JS/Java: use the correct cwe tags#6694

Merged
erik-krogh merged 1 commit into github:main from erik-krogh:owasp-fixes
Sep 15, 2021
Conversation

@erik-krogh
Contributor

The vast majority of queries use external/cwe/cwe-XX tags for documenting their CWE coverage.
But a few used external/cwe-XX.

For consistency I've changed all the external/cwe-XX tags to the external/cwe/cwe-XX form.

This also fixes some scripting that detects CWE coverage.

@erik-krogh erik-krogh requested review from a team as code owners September 14, 2021 12:46
@erik-krogh erik-krogh added the no-change-note-required label Sep 14, 2021
@bmuskalla bmuskalla (Contributor) left a comment

Just checked that our docs recommend the same tags as well: Security queries should also be tagged with corresponding CWE numbers, for example external/cwe/cwe-119 (prefer the most specific CWE that encompasses the target of the query).

@bmuskalla
Contributor

@erik-krogh do you think it makes sense to make this part of some validation?

@erik-krogh
Contributor Author

@erik-krogh do you think it makes sense to make this part of some validation?

I don't think so.
You can have arbitrary tags in a query, it's just that some tags are recognized by other tooling.
If we had a QL-for-QL CI check, then we could have it as a warning query.
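An added example, not code from the PR or from the CodeQL repository: a small Python coverage check of the kind the description and the validation question above refer to. It reads a query's metadata comment, collects the @tags values, counts each external/cwe/cwe-XX tag toward CWE coverage, and warns on the legacy external/cwe-XX form while still counting it, so coverage numbers do not silently drop. The sample query header is constructed.

```python
import re

# Constructed sample CodeQL query header (not from the PR); it mixes the
# canonical external/cwe/cwe-XX form with one legacy external/cwe-XX tag.
SAMPLE_QUERY = """/**
 * @name Reflected cross-site scripting
 * @kind path-problem
 * @tags security
 *       external/cwe/cwe-079
 *       external/cwe-116
 * @precision high
 */
import javascript
"""

CANONICAL = re.compile(r"^external/cwe/cwe-(\d+)$")
LEGACY = re.compile(r"^external/cwe-(\d+)$")


def parse_tags(ql_source: str) -> list[str]:
    """Return the @tags values; they may continue on lines until the next @-entry."""
    match = re.search(r"/\*\*(.*?)\*/", ql_source, re.S)
    if not match:
        return []
    tags: list[str] = []
    collecting = False
    for line in match.group(1).splitlines():
        body = line.strip().lstrip("*").strip()
        if body.startswith("@tags"):
            collecting = True
            body = body[len("@tags"):]
        elif body.startswith("@"):
            collecting = False
        if collecting:
            tags.extend(body.split())
    return tags


def cwe_coverage(ql_source: str) -> tuple[set[str], list[str]]:
    """Return (covered CWE numbers, warnings about legacy-form tags)."""
    covered: set[str] = set()
    warnings: list[str] = []
    for tag in parse_tags(ql_source):
        if m := CANONICAL.match(tag):
            covered.add(m.group(1))
        elif m := LEGACY.match(tag):
            covered.add(m.group(1))
            warnings.append(f"{tag}: use external/cwe/cwe-{m.group(1)}")
    return covered, warnings
```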

@erik-krogh erik-krogh merged commit 3f736d3 into github:main Sep 15, 2021
@bmuskalla
Contributor

@Moose0621 Not sure if they run experimental queries against the OWASP benchmark, but this may improve those results a bit

Labels: Java, JS, no-change-note-required