chore: Update 12.3.3 CWE mapping from CWE-98 to CWE-73 #1776
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Seems good to me, @elarlang any objections? |
|
I agree to make the change as it does not change anything meaninful (as we most likely going to drop CWE mapping - #1481). I also don't think this requirement survives the same way to v5.0. We have related issues opened for the topic (#1470, #1427). Usual process: we open issues for having discussion and agreement for the proposed change and if we have agreement, then we go for PR. Ok, here the change is so small that issue-process may feel like overhead. On the other hand, this is the way we would like to keep overview and reasoning for the future. |
tghosth
approved these changes
Nov 2, 2023
|
I think this is small enough and self-explanatory enough to make an exception but I agree we would usually prefer an issue first. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update the mapping of the ASVS requirement 12.3.3. The current mapping is to CWE-98, which is specific to PHP's "Include/Require" statements. The proposed change is to map it to CWE-73, which is a more generalized weakness that accurately describes the problem of allowing user-submitted input to control or influence file paths or names in filesystem operations. This more inclusive mapping covers a broader range of technologies and scenarios, making it a more suitable choice.