I am a security researcher, who is looking for security smells in Puppet scripts. I found instances
of suspicious comments i.e. comments with content that are indicative of bad practices. If there are keywords such as TODO, HACK, FIXME and bug/issue information is exposed through comments, then such comments should be avoided. According to the Common Weakness Enumeration (CWE) organization Many suspicious comments, such as BUG, HACK, FIXME, LATER, LATER2, TODO, in the code indicate missing security functionality and checking. Others indicate code problems that programmers should fix, such as hard-coded variables, error handling, not using stored procedures, and performance issues. Reff: https://cwe.mitre.org/data/definitions/546.html
I followed the recommendations from CWE and removed such comments. Any feedback is appreciated.
davidl-zend
commented
6 years ago
Greetings,
I am a security researcher, who is looking for security smells in Puppet scripts. I found instances of suspicious comments i.e. comments with content that are indicative of bad practices. If there are keywords such as TODO, HACK, FIXME and bug/issue information is exposed through comments, then such comments should be avoided. According to the Common Weakness Enumeration (CWE) organization
Many suspicious comments, such as BUG, HACK, FIXME, LATER, LATER2, TODO, in the code indicate missing security functionality and checking. Others indicate code problems that programmers should fix, such as hard-coded variables, error handling, not using stored procedures, and performance issues.Reff: https://cwe.mitre.org/data/definitions/546.htmlI followed the recommendations from CWE and removed such comments. Any feedback is appreciated.