ossf / wg-best-practices-os-developers

The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.
https://openssf.org
Apache License 2.0

pySCG: Doc2GitHub, moving code from an internal confluence to this GitHub space. #531

Open myteron opened 5 months ago

myteron commented 5 months ago

There are around 40 rules on an internal Confluence that have approval from the Opensource group to be published. Some of the text and code require refactoring, and this work can only be done by Ericsson employees.

Once all docs are made available on GitHub we have:

- Plain text: Nothing on GitHub
- [Link Only](): Code on GitHub
- [Link Only](): Code and Docs on GitHub

Full List:

- CWE-78: Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CWE-116: Prevent XML Injection
- CWE-117: Improper Output Neutralization for Logs
- CWE-134: Use of Externally-Controlled Format String
- CWE-175: Improper Handling of Mixed Encoding
- CWE-180: Incorrect Behavior Order: Validate Before Canonicalize
- CWE-184: Incomplete List of Disallowed Input
- CWE-191: Integer Underflow (Wrap or Wraparound)
- CWE-197: Control rounding when converting to less precise numbers
- CWE-197: Numeric Truncation Error
- CWE-209: Generation of Error Message Containing Sensitive Information
- CWE-230: Improper Handling of Missing Values
- CWE-252: Unchecked Return Value
- CWE-330: Use of Insufficiently Random Values
- CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition")
- CWE-366: Race Condition within a Thread
- CWE-369: Divide by Zero
- CWE-390: Detection of Error Condition without Action
- CWE-392: Missing Report of Error Condition
- CWE-397: Declaration of Throws for Generic Exception
- CWE-400: Uncontrolled Resource Consumption
- CWE-404: Improper Resource Shutdown or Release
- CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
- CWE-410: Insufficient Resource Pool
- CWE-426: Untrusted Search Path
- CWE-460: Improper Cleanup on Thrown Exception
- CWE-472: External Control of Assumed-Immutable Web Parameter
- CWE-476: NULL Pointer Dereference
- CWE-489: Do not deliver an Application with Design tooling into Production
- CWE-501: Trust Boundary Violation
- CWE-502: Deserialization of Untrusted Data
- CWE-532: Insertion of Sensitive Information into Log File
- CWE-584: Return Inside Finally Block
- CWE-595: Comparison of Object References Instead of Object Contents
- CWE-617: Reachable Assertion
- CWE-665: Improper Initialization
- CWE-681: Avoid an uncontrolled loss of precision when passing floating-point literals to a Decimal constructor
- CWE-681: Incorrect Conversion between Numeric Types
- CWE-754: Improper Check for Unusual or Exceptional Conditions
- CWE-755: Improper Handling of Exceptional Conditions
- CWE-778: Insufficient Logging
- CWE-798: Use of hardcoded credentials
- CWE-833: Deadlock
- CWE-838: Inappropriate Encoding for Output Context
- CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
- CWE-1095: Loop Condition Value Update within the Loop
- CWE-1109: Use of Same Variable for Multiple Purposes
- CWE-1335: Incorrect Bitwise Shift of Integer
- CWE-1335: Promote readability and compatibility by using mathematical written code with arithmetic operations instead of bit-wise operations
- CWE-1339: Insufficient Precision or Accuracy of a Real Number
- XXX-001: Avoid confusion over the evaluation order by using simple expressions
- XXX-005: Consider hash-based integrity verification of byte code files against their source code files

myteron commented 5 months ago

@SecurityCRob I wonder what the best handling is. I could start striking through the CWEs we have processed, but overall it appears to me that an "issue" is too small for what we are trying to do here. It seems that a project is the next level up from an issue, but I have never used that. Not sure how well a milestone would work for this.