Fixes issue #839 (#848)

co-author: myteron and hubert.
Signed-off-by: emcdtho <[email protected]>

Author: tommcd

docs/Secure-Coding-Guide-for-Python/CONTRIBUTING.md

@@ -1,6 +1,6 @@
 # Contributor Guide
 
-This guide provides an overview of how you can help, the standards we adhere to, and the steps to get your contributions reviewed for the subpages in [wg-best-practices-os-developers/docs/Secure-Coding-Guide-for-Python/](https://github.com/ossf/wg-best-practices-os-developers/docs/Secure-Coding-Guide-for-Python/)
+This guide provides an overview of how you can help, the standards we adhere to, and the steps to get your contributions reviewed for the subpages in [wg-best-practices-os-developers/docs/Secure-Coding-Guide-for-Python/](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python/).
 
 ## Code of Conduct
 
@@ -82,15 +82,15 @@ Join us to explore how this resource can become an indispensable part of your se
 
 ## Documentation Style
 
-* Bottom Line Up Front (BLUF), conclusion is in the first sentence of a rule  
+* Bottom Line Up Front (BLUF), conclusion is in the first sentence of a rule
 * Keep It Small and Simple (KISS)
 * Working code examples
 * Academic in wording whilst aiming for low word count.
 * No fluff, "in software security it is important to be aware of ...."
 * Use imperative "do x and y to ensure z" instead of vague wording "might want to, could be a good idea..."
 * bibliography, follow the Harvard reference guide
 
-A template for a rule is available here: [README_TEMPLATE.md](README_TEMPLATE.md) with inline documentation on each section.
+A template for a rule is available here: [README_TEMPLATE.md](templates/README_TEMPLATE.md) with inline documentation on each section.
 
 Each rule should have:
 
@@ -112,7 +112,7 @@ The guide is structed in two levels. The top level readme is to list all rules w
 The sublevel has an a individual rule with a single CWE where possible.
 
 > [!NOTE]
-> We are aware that CWEs are not designed as 'read throughs'. Their numbering is not designed to become a step by step guide. The [Introduction to Multithreading and Multiprocessing](../Intro_to_multiprocessing_and_multithreading/readme.md) in Python is an example where we had to provide an alternative layout with three levels. Eventually we will have to shuffle the individual rules into a more suitable sequence.
+> We are aware that CWEs are not designed as 'read throughs'. Their numbering is not designed to become a step by step guide. The [Introduction to Multithreading and Multiprocessing](Intro_to_multiprocessing_and_multithreading/readme.md) in Python is an example where we had to provide an alternative layout with three levels. Eventually we will have to shuffle the individual rules into a more suitable sequence.
 > Same CWE number with different titles will also have to be fixed at some stage.
 
 ### From a author perspective
@@ -130,32 +130,32 @@ Example structure with mocked up data:
 ./README.md
 ./licenses/MIT.txt
 ./licenses/CC-BY-4.0.txt
-  
+
 ./Concepts/Multithreading_Multiprocessing.md
-  
+
 # Top level using Pillar CWE-707:
 ./CWE-707/README.md
-  
+
 # Second level representing a Rule is either a CWE of type Base, Variant or Class:
 ./CWE-664/CWE-197/README.md
 ./CWE-664/CWE-197/compliant01.py
 ./CWE-664/CWE-197/example01.py
 ./CWE-664/CWE-197/noncompliant01.py
-  
+
 # Multiple rules matching one CWE of type Base, Variant or Class:
 ./CWE-664/CWE-197/01/README.md
 ./CWE-664/CWE-197/01/compliant01.py
 ./CWE-664/CWE-197/01/noncompliant01.py
-  
+
 # Rule matching no CWE of type Base, Variant, or Class:
 ./CWE-707/XXX-000/README.md
 ./CWE-707/XXX-000/noncompliant01.py
 ./CWE-707/XXX-000/compliant01.py
-  
+
 ./CWE-707/XXX-001/README.md
 ./CWE-707/XXX-001/noncompliant01.py
 ./CWE-707/XXX-001/compliant01.py
-  
+
 # Rule matching multiple CWEs of type Base, Variant or Class:
 ./CWE-707/CWE-117/README.md
 ./CWE-707/CWE-117/compliant01.py

docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-134/README.md

@@ -131,9 +131,9 @@ if __name__ == "__main__":
 |||
 |:---|:---|
 |[SEI CERT C Coding Standard](https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard)|[FIO30-C Exclude user input from format strings](https://wiki.sei.cmu.edu/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings)|
-|[SEI CERT Perl Coding Standard](https://www.securecoding.cert.org/confluence/display/perl/CERT+Perl+Secure+Coding+Standard)|[IDS30-PL. Exclude user input from format strings](https://www.securecoding.cert.org/confluence/display/perl/IDS30-PL.+Exclude+user+input+from+format+strings)|
+|[SEI CERT Perl Coding Standard](https://wiki.sei.cmu.edu/confluence/display/perl/SEI+CERT+Perl+Coding+Standard)|[IDS30-PL. Exclude user input from format strings](https://www.securecoding.cert.org/confluence/display/perl/IDS30-PL.+Exclude+user+input+from+format+strings)|
 |[SEI CERT Coding Standard for Java](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[IDS06-J. Exclude unsanitized user input from format strings](https://wiki.sei.cmu.edu/confluence/display/java/IDS06-J.+Exclude+unsanitized+user+input+from+format+strings)|
-|[ISO/IEC TR 24772:2013](https://wiki.sei.cmu.edu/confluence/display/java/Rule+AA.+References#RuleAA.References-ISO/IECTR24772-2013)|Injection [RST]|
+|[ISO/IEC TR 24772:2013](https://wiki.sei.cmu.edu/confluence/display/java/Rule+AA.+References#RuleAA.References-ISO/IECTR24772-2013)|Injection RST|
 |[MITRE CWE Pillar](http://cwe.mitre.org/)|[CWE-664: Improper Control of a Resource Through its Lifetime (4.13) (mitre.org)](https://cwe.mitre.org/data/definitions/664.html)|
 |[MITRE CWE Base](http://cwe.mitre.org/)|[CWE-134, Uncontrolled Format String](http://cwe.mitre.org/data/definitions/134.html)|
 

docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-681/01/README.md

@@ -49,5 +49,5 @@ print(Decimal("0.45"))
 
 |||
 |:---|:---|
-|[Wikipedia 2025](en.wikipedia.org)|IEEE 754 [online]. Available from: [https://en.wikipedia.org/wiki/IEEE_754](https://en.wikipedia.org/wiki/IEEE_754)|
+|[Wikipedia 2025](https://en.wikipedia.org)|IEEE 754 [online]. Available from: [https://en.wikipedia.org/wiki/IEEE_754](https://en.wikipedia.org/wiki/IEEE_754)|
 |[Python docs](https://docs.python.org/3/)|decimal — Decimal fixed-point and floating-point arithmetic [online]. Available from: [https://docs.python.org/3/library/decimal.html](https://docs.python.org/3/library/decimal.html) [accessed 2 February 2025]|

docs/Secure-Coding-Guide-for-Python/CWE-682/CWE-1335/01/README.md

@@ -31,7 +31,7 @@ Output from above example01.py:
 ```bash
 foo = 50 = 00110010
 foo = 42 = 00101010
- 
+
 foo << 2 = 11001000
 foo >> 2 = 00001100
 ~foo     = -0110011
@@ -92,7 +92,7 @@ The statement in `compliant01.py` clarifies the programmer's intention.
 print(8 * 4 + 10)
 ```
 
-It is recommended by *[CWE-191, Integer Underflow (Wrap or Wraparound)](../CWE-191/README.md)* to also check for under or overflow.
+It is recommended by *[CWE-191, Integer Underflow (Wrap or Wraparound)](../../CWE-191/README.md)* to also check for under or overflow.
 
 ## Non-compliant Code Example (Right Shift)
 

docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/README.md

@@ -195,8 +195,8 @@ The `compliant01.py` does not use data that origins from a lesser trusted source
 
 |||
 |:---|:---|
-|[MITRE CWE](http://cwe.mitre.org/)|Pillar: [CWE-707: Improper Neutralization](hhttps://cwe.mitre.org/data/definitions/707.html)|
-|[MITRE CWE](http://cwe.mitre.org/)|Base: [CWE-78, Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")](https://cwe.mitre.org/data/definitions/000.html)|
+|[MITRE CWE](http://cwe.mitre.org/)|Pillar: [CWE-707: Improper Neutralization](https://cwe.mitre.org/data/definitions/707.html)|
+|[MITRE CWE](http://cwe.mitre.org/)|Base: [CWE-78, Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")](https://cwe.mitre.org/data/definitions/78.html)|
 |[SEI CERT Coding Standard for Java](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec%28%29+method)|
 |[SEI CERT C Coding Standard](https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard)|[ENV03-C. Sanitize the environment when invoking external programs](https://wiki.sei.cmu.edu/confluence/display/c/ENV03-C.+Sanitize+the+environment+when+invoking+external+programs)|
 |[SEI CERT C Coding Standard](https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard)|[ENV33-C. Do not call system()](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177)|

docs/Secure-Coding-Guide-for-Python/readme.md

@@ -13,7 +13,7 @@ Please join us, see [contributing](CONTRIBUTING.md)
 
 ## Disclaimer
 
-Content comes __WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED__, as stated in the license text [CC-BY-4.0](LICENSE/CC-BY-4.0.txt) for documentation and [MIT](LICENSE/MIT.txt).
+Content comes __WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED__, as stated in the license text [CC-BY-4.0](../../LICENSES/CC-BY-4.0.txt) for documentation and [MIT](../../LICENSES/MIT.txt).
 Following or using the documentation and or code is at your own risk. Code examples are intended purely for educational use and not for products in parts or in full.
 Code examples are NOT to be used to cause harm of any kind to anyone or anything.
 
@@ -61,7 +61,6 @@ It is __not production code__ and requires code-style or python best practices t
 |[CWE-681: Avoid an uncontrolled loss of precision when passing floating-point literals to a Decimal constructor.](CWE-664/CWE-681/01/README.md)||
 |[CWE-833: Deadlock](CWE-664/CWE-833/README.md)||
 |[CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')](CWE-664/CWE-843/.)|[CVE-2021-29513](https://www.cvedetails.com/cve/CVE-2021-29513),<br/>CVSSv3.1: __7.8__,<br/>EPSS: __00.05__ (05.11.2024)|
-|[XXX-005: Consider hash-based integrity verification of byte code files against their source code files](CWE-664/XXX-005/.)||
 
 |[CWE-682: Incorrect Calculation](https://cwe.mitre.org/data/definitions/682.html)|Prominent CVE|
 |:---------------------------------------------------------------------------------------------------------------|:----|
@@ -118,5 +117,5 @@ It is __not production code__ and requires code-style or python best practices t
 
 ## License
 
-* [CC-BY 4.0](LICENSE/CC-BY-4.0.txt) for documentation
-* [MIT](LICENSE/MIT.txt) for code snippets
+* [CC-BY 4.0](../../LICENSES/CC-BY-4.0.txt) for documentation
+* [MIT](../../LICENSES/MIT.txt) for code snippets

docs/Secure-Coding-Guide-for-Python/templates/README_TEMPLATE.md

@@ -7,7 +7,7 @@ Introduction paragraph, expanding on the introduction sentence...
 [*example01.py:*](example01.py)
 
 ```py
-""" Code Example """
+"""Code Example"""
 
 # Code goes here
 ```
@@ -25,7 +25,7 @@ Introduction to the code example...
 *[noncompliant01.py](noncompliant01.py):*
 
 ```python
-""" Non-compliant Code Example """
+"""Non-compliant Code Example"""
 
 # Code goes here
 
@@ -45,7 +45,7 @@ Introduction to the code example...
 *[compliant01.py](compliant01.py):*
 
 ```python
-""" Compliant Code Example """
+"""Compliant Code Example"""
 
 # Code goes here
 

docs/Secure-Coding-Guide-for-Python/templates/compliant01.py

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+"""Compliant Code Example"""
+
+# Code goes here
+
+#####################
+# Trying to exploit above code example
+#####################
+
+# Code goes here

docs/Secure-Coding-Guide-for-Python/templates/example01.py

@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+"""Code Example"""
+
+# Code goes here

docs/Secure-Coding-Guide-for-Python/templates/noncompliant01.py

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+"""Non-compliant Code Example"""
+
+# Code goes here
+
+#####################
+# Trying to exploit above code example
+#####################
+
+# Code goes here