Adding documentation to CWE-681 as part of #531 (#633)

* Adding documentation to CWE-681 as part of #531 Signed-off-by: edanhub <[email protected]> * Update main README.md for CWE-681 and CWE-595 Signed-off-by: edanhub <[email protected]> --------- Signed-off-by: edanhub <[email protected]>
ossf · Oct 2, 2024 · 84fff9a · 84fff9a
1 parent 1d2a7a0
commit 84fff9a
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 1 deletion.
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-681/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-681/README.md
@@ -0,0 +1,61 @@
+# CWE-681: Incorrect Conversion between Numeric Types
+
+String representations of floating-point numbers must not be compared or inspected outside of specialized modules such as `decimal` or `math`.
+
+For example, a `Decimal` object must be created from a `string`, but it is inaccurate to use the string representation of a floating-point number outside of `Decimal`. The `Decimal` module provides a `compare()` method that allows the calculation to stay within its configured precision.
+
+## Non-Compliant Code Example (String)
+
+Since Python 3.5, the division of integers yields a float [[Python docs](https://docs.python.org/3/reference/expressions.html#binary-arithmetic-operations)]. The string representation of such a division will contain a decimal point. In `noncompliant01.py`, the decimal point was omitted while comparing strings. `2.0` and `2` are two different strings, thus the `if` condition is not met.
+
+[*noncompliant01.py:*](noncompliant01.py)
+
+```py
+""" Non-compliant Code Example """
+s = str(4 / 2)
+print(f"s: {s}")
+# s is "2.0", a string
+if s == "2":
+    print("s equals 2")
+# <no output>
+
+```
+
+## Compliant Solution (Decimal)
+
+The compliant code uses `Decimal` as it offers alterable precision up to 28 decimal places and is more human-friendly. In the `compliant01.py`  example, the variable `t` is still `2.0`. Unlike `String`, `Decimal` realizes that `2.0` equals `2`.
+
+[*compliant01.py:*](compliant01.py)
+
+```py
+""" Compliant Code Example """
+from decimal import Decimal
+
+t = Decimal(str(4 / 2))
+print(f"t: {t}")
+# t still prints "2.0", but now it's a Decimal
+if Decimal("2").compare(t) == 0:
+    print("t equals 2")
+# prints "t equals 2"
+
+```
+
+## Automated Detection
+
+|Tool|Version|Checker|Description|
+|:---|:---|:---|:---|
+|Bandit|1.7.4|none|none|
+
+## Related Guidelines
+
+|||
+|:---|:---|
+|[MITRE CWE](http://cwe.mitre.org/)|Pillar<br>[CWE-664: Improper Control of a Resource Through its Lifetime (4.13) (mitre.org)](https://cwe.mitre.org/data/definitions/664.html)|
+|[MITRE CWE](http://cwe.mitre.org/)|Base:<br>[CWE-681, Incorrect Conversion between Numeric Types](https://cwe.mitre.org/data/definitions/681.html)|
+|[SEI CERT Oracle Coding Standard for Java](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[NUM11-J. Do not compare or inspect the string representation of floating-point values](https://wiki.sei.cmu.edu/confluence/display/java/NUM11-J.+Do+not+compare+or+inspect+the+string+representation+of+floating-point+values)|
+
+## Related Guidelines
+
+|||
+|:---|:---|
+|[[Python docs](https://docs.python.org/3/reference/expressions.html#binary-arithmetic-operations)]|Python Software Foundation. (2024). Expressions, Binary arithmetic operations [online].<br>Available from: [https://docs.python.org/3/reference/expressions.html#binary-arithmetic-operations](https://docs.python.org/3/reference/expressions.html#binary-arithmetic-operations)<br>[accessed 11 April 2024].|
diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md
@@ -50,7 +50,7 @@ It is **not production code** and requires code-style or python best practices t
 |[CWE-501: Trust Boundary Violation)](CWE-664/CWE-501/README.md)||
 |[CWE-502: Deserialization of Untrusted Data)](CWE-664/CWE-502/.)||
 |[CWE-665: Improper Initialization](CWE-664/CWE-665/README.md)||
-|[CWE-681: Improper Control of a Resource Through its Lifetime](CWE-664/CWE-681/.)||
+|[CWE-681: Incorrect Conversion between Numeric Types](CWE-664/CWE-681/README.md)||
 |[CWE-833: Deadlock](CWE-664/CWE-833/README.md)||
 |[CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')](CWE-664/CWE-843/.)||
 |[XXX-005: Consider hash-based integrity verification of byte code files against their source code files](CWE-664/XXX-005/.)||
@@ -67,6 +67,10 @@ It is **not production code** and requires code-style or python best practices t
 |[CWE-330: Use of Insufficiently Random Values](CWE-693/CWE-330/.)||
 |[CWE-798: Use of hardcoded credentials](CWE-693/CWE-798/.)||
 
+|[CWE-697: Incorrect Comparison](https://cwe.mitre.org/data/definitions/703.html)|Prominent CVE|
+|:----------------------------------------------------------------|:----|
+|[CWE-595: Comparison of Object References Instead of Object Contents](CWE-697/CWE-595/README.md)||
+
 |[CWE-703: Improper Check or Handling of Exceptional Conditions](https://cwe.mitre.org/data/definitions/703.html)|Prominent CVE|
 |:----------------------------------------------------------------|:----|
 |[CWE-230: Improper Handling of Missing Values](CWE-703/CWE-230/.)||