
pySCG: Modifying the description of CWE-197 so that it captures the CWE better #635

Open
openrefactorymunawar opened this issue Sep 30, 2024 · 2 comments

Comments

@openrefactorymunawar (Author) opened this issue Sep 30, 2024

CWE-197 is about numeric truncation error (https://cwe.mitre.org/data/definitions/197.html).

The description of CWE-197 in the python secure coding guide section talks about predictable outcomes in loops by using int instead of float.

That is fine; we may want to narrow the scope of the CWE when we are creating a guideline. However, the examples that follow are not necessarily about loops.

Consider this example.

""" Non-compliant Code Example """
counter = 0.0
while counter <= 1.0:
    if counter == 0.8:
        print("we reached 0.8")  
        break  # never going to reach this
    counter += 0.1

Here the problem is in the if statement, not the loop.

In fact, the float issue may be in any equality case, even if it is not in a loop.

We need to update this description to either align more with numeric truncation (generalize the content) or keep the scope and make it more appropriate.
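The point made in this comment, that accumulated floats fail exact equality both inside and outside a loop, together with the alternatives a guideline for this rule would normally recommend, as an added example (not code from the issue or from the pySCG project; the function names and the 0.1 step/0.8 target are assumptions chosen to match the snippet above):

```python
"""Added example, not part of the pySCG issue or project.

Shows why `counter == 0.8` never fires when `counter` is built by repeatedly
adding 0.1, that the same failure occurs in a plain comparison with no loop,
and three ways to write the check so it behaves as intended.
"""
import math
from decimal import Decimal


def accumulated(step: float, n: int) -> float:
    """Add `step` to 0.0 n times in binary floating point.

    0.1 has no exact binary representation, so each addition carries a small
    error; the sum is usually not the value a decimal calculation would give.
    """
    total = 0.0
    for _ in range(n):
        total += step
    return total


def float_counter_hits(target: float, step: float = 0.1, limit: float = 1.0) -> bool:
    """Non-compliant: a float counter tested with ==, as in the issue snippet.

    Returns True only if the accumulated value is bit-for-bit equal to target.
    """
    counter = 0.0
    while counter <= limit:
        if counter == target:
            return True
        counter += step
    return False


def isclose_counter_hits(target: float, step: float = 0.1, limit: float = 1.0) -> bool:
    """Compliant (tolerance): compare with math.isclose instead of ==.

    The loop guard uses isclose as well, so a limit that is reached only as
    0.9999999999999999 still counts as reached.
    """
    counter = 0.0
    while counter <= limit or math.isclose(counter, limit):
        if math.isclose(counter, target):
            return True
        counter += step
    return False


def int_counter_hits(target_tenths: int, limit_tenths: int = 10) -> bool:
    """Compliant (exact): count in integer tenths with range().

    Integers are exact, so the == test is reliable; convert to a float only
    when the value is displayed (tenths / 10).
    """
    for tenths in range(0, limit_tenths + 1):
        if tenths == target_tenths:
            return True
    return False


def decimal_counter_hits(target: str, step: str = "0.1", limit: str = "1.0") -> bool:
    """Compliant (exact): Decimal built from strings represents 0.1 exactly.

    Passing strings (not floats) to Decimal matters; Decimal(0.1) would inherit
    the binary rounding error.
    """
    counter = Decimal("0.0")
    step_d, limit_d, target_d = Decimal(step), Decimal(limit), Decimal(target)
    while counter <= limit_d:
        if counter == target_d:
            return True
        counter += step_d
    return False


if __name__ == "__main__":
    # Standalone comparison, no loop involved: still fails.
    print("0.1 added 3 times ==", accumulated(0.1, 3), "== 0.3:", accumulated(0.1, 3) == 0.3)
    print("float == 0.8 reached:", float_counter_hits(0.8))
    print("math.isclose 0.8 reached:", isclose_counter_hits(0.8))
    print("integer tenths 8 reached:", int_counter_hits(8))
    print("Decimal 0.8 reached:", decimal_counter_hits("0.8"))
```

`float_counter_hits(0.8)` returns False because eight additions of 0.1 give 0.7999999999999999, and `accumulated(0.1, 3) == 0.3` is False for the same reason with no loop at all; the three compliant variants all report the target as reached. Note that `float_counter_hits(0.5)` happens to return True, which is what makes the defect easy to miss in testing: the failure depends on the particular values, not on the presence of a loop.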

@myteron (Contributor) commented Oct 8, 2024

Hi @openrefactorymunawar, well spotted. The original name of the title was "Do not use float in counters". We had to restructure and rename all rules and made a mistake here; now it's kind of a hybrid, partially talking about two things.
It is apparently very hard, or just odd, to use a float as an actual counter in Python. Using range() forces int. I was also not able to come up with an example that uses a lambda that can successfully break something.

There are more rules in the pipe that are related to truncation errors, rounding and precision.

Only one of them is on GitHub at the moment. Some of the content might be redundant. We have 2x197 and 2x681. It might be worthwhile to merge some of the stuff and break out the content that does not match.

@openrefactorymunawar (Author) commented

For the floating point comparison, do you suggest that CWE-1339 is a more appropriate way to capture that? In that case, maybe a rule is created for CWE-1339 and another for CWE-681.

@myteron myteron changed the title Modifying the description of CWE-197 so that it captures the CWE better pySCG: Modifying the description of CWE-197 so that it captures the CWE better Oct 23, 2024