Open larrycai opened 6 months ago
Am I correct to assume, based on this issue and #42, that you're planning to consume the guides in an automated way?
Can you please describe what exactly you had in mind so that we can come up with a good solution?
Sure, it is inspired by bandit, which is used to find common security issues (CWE). I am thinking whether it is possible to develop similar tools (even a small one).
Like this test report:

```text
Test results:
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   Location: linuxcmd.py:38:17
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b605_start_process_with_a_shell.html
37
38     os.system("mkdir "+fold_name)
```
Then for reporting purposes in #42, it is much easier to use a number in the report. CWE is the common one, but I am also OK if we have a plan for ERL-SWG-001 (sample).
In order to make it easy for testing (or for non-Erlang experts), it would be good to have some sample code in a folder somewhere to verify, e.g. `erl-secure --scan *.erl`. Surely good sample code is always great for a guideline to understand the rules.
There is a small segment for each secure rule; is it possible to add a more complete code sample?
It would be good if we have one folder:
`<rule1>_problem.erl`
`<rule1>_correct.erl`
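An added, illustrative sketch of the kind of scanner described in the comment above. It is not code from this guideline project, from bandit, or from any `erl-secure` tool; it checks one hypothetical rule (the id `ERL-SWG-001` is the placeholder from the thread, and flagging `os:cmd/1` called with a run-time assembled command string, CWE-78, is my own choice of an Erlang counterpart to bandit's B605), prints findings in bandit's text-report layout, and carries two constructed sample files named after the proposed `<rule1>_problem.erl` / `<rule1>_correct.erl` convention:

```python
# Added example: a minimal bandit-style scanner for Erlang sources.
# The rule, its id and the sample files are assumptions, not project content.
import re
import sys
from dataclasses import dataclass
from typing import List

CWE_URL = "https://cwe.mitre.org/data/definitions/{}.html"

# Hypothetical rule id, reusing the ERL-SWG-001 placeholder from the discussion.
RULE_ID = "ERL-SWG-001"
RULE_NAME = "os_cmd_with_dynamic_string"
RULE_MSG = "os:cmd/1 called with a command string built at run time, possible shell injection."

ANY_CALL = re.compile(r"os:cmd\s*\(")
# os:cmd/1 whose only argument is a single string literal: a fixed command, not reported.
CONSTANT_CALL = re.compile(r'os:cmd\s*\(\s*"(?:[^"\\]|\\.)*"\s*\)')
# Evidence that the argument is concatenated or formatted from other values.
DYNAMIC = re.compile(r"\+\+|lists:(?:concat|flatten|append)|io_lib:format|string:join")

@dataclass
class Finding:
    path: str
    line: int
    col: int
    severity: str
    confidence: str
    cwe: int
    source: str

def strip_comment(line: str) -> str:
    """Drop an Erlang %-comment, ignoring % characters inside string literals."""
    in_str, i = False, 0
    while i < len(line):
        ch = line[i]
        if in_str and ch == "\\":
            i += 2  # skip the escaped character
            continue
        if ch == '"':
            in_str = not in_str
        elif ch == "%" and not in_str:
            return line[:i]
        i += 1
    return line

def scan_source(path: str, text: str) -> List[Finding]:
    """Return one Finding per os:cmd/1 call whose command is not a plain literal."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        code = strip_comment(raw)
        for m in ANY_CALL.finditer(code):
            if CONSTANT_CALL.match(code, m.start()):
                continue
            # Visible concatenation/formatting: High confidence; an opaque
            # variable such as os:cmd(Cmd) might still be constant: Medium.
            confidence = "High" if DYNAMIC.search(code[m.end():]) else "Medium"
            findings.append(Finding(path, lineno, m.start() + 1, "High", confidence, 78, raw.rstrip()))
    return findings

def format_finding(f: Finding) -> str:
    """Render a finding in the layout of bandit's text reporter."""
    return "\n".join([
        f">> Issue: [{RULE_ID}:{RULE_NAME}] {RULE_MSG}",
        f"   Severity: {f.severity}   Confidence: {f.confidence}",
        f"   CWE: CWE-{f.cwe} ({CWE_URL.format(f.cwe)})",
        f"   Location: {f.path}:{f.line}:{f.col}",
        f"{f.line:<4}{f.source}",
    ])

# Constructed sample files following the proposed <rule>_problem.erl / <rule>_correct.erl layout.
PROBLEM_ERL = """-module(rule1_problem).
-export([mkdir/1]).

%% Builds a shell command line from caller-controlled input.
mkdir(Name) ->
    os:cmd("mkdir " ++ Name).
"""

CORRECT_ERL = """-module(rule1_correct).
-export([mkdir/1]).

%% Uses the file API instead of a shell, so Name is never parsed by /bin/sh.
mkdir(Name) ->
    file:make_dir(Name).
"""

def main(paths: List[str]) -> int:
    """Usage: python erl_scan.py *.erl   (exit status 1 when anything is reported)."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            findings += scan_source(path, fh.read())
    print("Test results:")
    for f in findings:
        print(format_finding(f))
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run against the two sample files, the scanner reports `rule1_problem.erl:6:5` and nothing for `rule1_correct.erl`; the comment stripper exists so that a rule mentioned in a `%%` comment is not counted as a hit, and the Medium confidence for `os:cmd(Cmd)` mirrors bandit's habit of lowering confidence when the taint is not visible on the flagged line.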