From a2d7ec1d7c8957fa2def5e57c1d97c22f67807ad Mon Sep 17 00:00:00 2001 From: Helge Wehder Date: Mon, 17 Nov 2025 14:04:45 +0000 Subject: [PATCH] pyscg restructuring to adress #894 Signed-off-by: Helge Wehder --- docs/Secure-Coding-Guide-for-Python/readme.md | 236 ++++++++++++------ 1 file changed, 159 insertions(+), 77 deletions(-) diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md index 3b18f4c6..56d1e4cf 100644 --- a/docs/Secure-Coding-Guide-for-Python/readme.md +++ b/docs/Secure-Coding-Guide-for-Python/readme.md @@ -9,7 +9,6 @@ An initiative by the OpenSSF to provide new Python programmers a resource to stu Documentation is written in academic style to support security researchers while using plain English to cater for an international audience. Python modules outside of the _Python Module Index_ [[Python 2023](https://docs.python.org/3.9/py-modindex.html)] are specifically not covered by this document. -The structure is based on Common Weakness Enumeration (CWE) _Pillar Weakness_ [[MITRE Pillar 2024](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness)]. Please join us, see [contributing](CONTRIBUTING.md) @@ -24,7 +23,7 @@ Code examples are NOT to be used to cause harm of any kind to anyone or anything Every person writing code shall study the following: * _OWASP Developer Guide_ [[OWASP dev 2024](https://owasp.org/www-project-developer-guide/release/)] -* _OWASP Top 10 Report_ [[OWASP 2021](https://owasp.org/www-project-top-ten/)] +* _OWASP Top 10 Report_ [[OWASP 2021](https://owasp.org/Top10/A00_2021_Introduction/)] * _CWE Top 25_ [[MITRE 2024](https://cwe.mitre.org/top25/index.html)] ## Secure Coding Standard for Python 
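Review bot: the `@@ -9,7 +9,6 @@` hunk deletes the only sentence that explained how the guide is organised ("The structure is based on Common Weakness Enumeration (CWE) _Pillar Weakness_") without putting anything in its place, yet the new table introduced further down groups rules by topic (01 Introduction, 02 Encoding and Strings, 03 Numbers, ...) and labels every rule with a pyscg-NNNN identifier that no remaining text defines. Replace the removed line rather than just dropping it, e.g. "Rules are grouped by topic and carry a stable pyscg-NNNN identifier; each rule is mapped to the CWE it addresses." In the `@@ -24,7 +23,7 @@` hunk the OWASP Top 10 link changes from the project page to https://owasp.org/Top10/A00_2021_Introduction/ while the citation key stays [OWASP 2021]; that is reasonable, but the matching entry in the bibliography section is not part of this diff, so check it is updated to the same URL.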
@@ -46,81 +45,164 @@ It is __not production code__ and requires code-style or python best practices t * Proper logging instead of printing to `stdout` * Secure coding compliance outside of described issue -|[CWE-664: Improper Control of a Resource Through its Lifetime](https://cwe.mitre.org/data/definitions/664.html)|Prominent CVE| -|:-----------------------------------------------------------------------------------------------------------------------------------------------|:----| -|[CWE-134: Use of Externally-Controlled Format String](CWE-664/CWE-134/README.md)|[CVE-2022-27177](https://www.cvedetails.com/cve/CVE-2022-27177/),
CVSSv3.1: __9.8__,
EPSS: __00.37__ (01.12.2023)| -|[CWE-197: Numeric Truncation Error](CWE-664/CWE-197/README.md)|| -|[CWE-197: Control rounding when converting to less precise numbers](CWE-664/CWE-197/01/README.md)|| -|[CWE-209: Generation of Error Message Containing Sensitive Information](CWE-664/CWE-209/README.md)|[CVE-2013-0773](https://www.cvedetails.com/cve/CVE-2013-0773/),
CVSSv3.1:__3.3__,
EPSS: __00.95__ (23.11.2023)| -|[CWE-400: Uncontrolled Resource Consumption](CWE-664/CWE-400/README.md)|| -|[CWE-404: Improper Resource Shutdown or Release](CWE-664/CWE-404/README.md)|| -|[CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)](CWE-664/CWE-409/README.md)|| -|[CWE-410: Insufficient Resource Pool](CWE-664/CWE-410/README.md)|| -|[CWE-426: Untrusted Search Path](CWE-664/CWE-426/README.md)|[CVE-2015-1326](https://www.cvedetails.com/cve/CVE-2015-1326),
CVSSv3.0: __8.8__,
EPSS: __00.20__ (23.11.2023)| -|[CWE-459: Incomplete Cleanup](CWE-664/CWE-459/README.md)|| -|[CWE-460: Improper Cleanup on Thrown Exception](CWE-664/CWE-460/README.md)|[CVE-2008-0002](https://www.cvedetails.com/cve/CVE-2008-0002),
CVSSv3.1: __5.8__,
EPSS: __04.10__ (04.09.2025)| -|[CWE-501: Trust Boundary Violation)](CWE-664/CWE-501/README.md)|[CVE-2023-28597](https://www.cvedetails.com/cve/CVE-2023-28597),
CVSSv3.0: __7.5__,
EPSS: __00.11__ (05.11.2024)| -|[CWE-502: Deserialization of Untrusted Data)](CWE-664/CWE-502/.)|[CVE-2018-8021](https://www.cvedetails.com/cve/CVE-2018-8021),
CVSSv3.0: __9.8__,
EPSS: __93.54__ (05.11.2024)| -|[CWE-532: Insertion of Sensitive Information into Log File](CWE-664/CWE-532/README.md)|[CVE-2023-45585](https://www.cvedetails.com/cve/CVE-2023-45585),
CVSSv3.1: __9.8__,
EPSS: __0.04__ (01.11.2024)| -|[CWE-584: Return Inside Finally Block](CWE-664/CWE-584/README.md)|| -|[CWE-665: Improper Initialization](CWE-664/CWE-665/README.md)|| -|[CWE-681: Incorrect Conversion between Numeric Types](CWE-664/CWE-681/README.md)|| -|[CWE-681: Avoid an uncontrolled loss of precision when passing floating-point literals to a Decimal constructor.](CWE-664/CWE-681/01/README.md)|| -|[CWE-833: Deadlock](CWE-664/CWE-833/README.md)|| -|[CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')](CWE-664/CWE-843/README.md)|[CVE-2021-29513](https://www.cvedetails.com/cve/CVE-2021-29513),
CVSSv3.1: __7.8__,
EPSS: __00.02__ (13.05.2025)| - -|[CWE-682: Incorrect Calculation](https://cwe.mitre.org/data/definitions/682.html)|Prominent CVE| -|:---------------------------------------------------------------------------------------------------------------|:----| -|[CWE-191: Integer Underflow (Wrap or Wraparound)](CWE-682/CWE-191/README.md)|| -|[CWE-1335: Incorrect Bitwise Shift of Integer](CWE-682/CWE-1335/README.md)|| -|[CWE-1335: Promote readability and compatibility by using mathematical written code with arithmetic operations instead of bit-wise operations](CWE-682/CWE-1335/01/README.md)|| -|[CWE-1339: Insufficient Precision or Accuracy of a Real Number](CWE-682/CWE-1339/.) || - -|[CWE-691: Insufficient Control Flow Management](https://cwe.mitre.org/data/definitions/691.html)|Prominent CVE| -|:---------------------------------------------------------------------------------------------------------------|:----| -|[CWE-366: Race Condition within a Thread](CWE-691/CWE-366/README.md)|| -|[CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition")](CWE-691/CWE-362/README.md)|| -|[CWE-617: Reachable Assertion](CWE-691/CWE-617/README.md)|| -|[CWE-783: Operator Precedence Logic Error](CWE-691/CWE-783/README.md)|| - -|[CWE-693: Protection Mechanism Failure](https://cwe.mitre.org/data/definitions/693.html)|Prominent CVE| -|:---------------------------------------------------------------------------------------------------------------|:----| -|[CWE-182: Collapse of Data into Unsafe Value](CWE-693/CWE-182/README.md)|| -|[CWE-184: Incomplete List of Disallowed Input](CWE-693/CWE-184/README.md)|| -|[CWE-330: Use of Insufficiently Random Values](CWE-693/CWE-330/README.md)|[CVE-2020-7548](https://www.cvedetails.com/cve/CVE-2020-7548),
CVSSv3.1: __9.8__,
EPSS: __0.22__ (12.12.2024)| -|[CWE-472: External Control of Assumed-Immutable Web Parameter](CWE-693/CWE-472/README.md)|| -|[CWE-778: Insufficient Logging](CWE-693/CWE-778/README.md)|| -|[CWE-798: Use of hardcoded credentials](CWE-693/CWE-798/README.md)|| - -|[CWE-697: Incorrect Comparison](https://cwe.mitre.org/data/definitions/697.html)|Prominent CVE| -|:----------------------------------------------------------------|:----| -|[CWE-595: Comparison of Object References Instead of Object Contents](CWE-697/CWE-595/README.md)|| - -|[CWE-703: Improper Check or Handling of Exceptional Conditions](https://cwe.mitre.org/data/definitions/703.html)|Prominent CVE| -|:----------------------------------------------------------------|:----| -|[CWE-230: Improper Handling of Missing Values](CWE-703/CWE-230/.)|| -|[CWE-252: Unchecked Return Value](CWE-703/CWE-252/README.md)|| -|[CWE-390: Detection of Error Condition without Action](CWE-703/CWE-390/README.md)|| -|[CWE-392: Missing Report of Error Condition](CWE-703/CWE-392/README.md)|| -|[CWE-397: Declaration of Throws for Generic Exception](CWE-703/CWE-397/README.md)|| -|[CWE-476: NULL Pointer Dereference](CWE-703/CWE-476/README.md)|| -|[CWE-754: Improper Check for Unusual or Exceptional Conditions - float](CWE-703/CWE-754/README.md)|| -|[CWE-755: Improper Handling of Exceptional Conditions](CWE-703/CWE-755/README.md)|[CVE-2024-39560](https://www.cvedetails.com/cve/CVE-2024-39560),
CVSSv3.1: __6.5__,
EPSS: __0.04__ (01.11.2024)| - -|[CWE-707: Improper Neutralization](https://cwe.mitre.org/data/definitions/707.html)|Prominent CVE| -|:----------------------------------------------------------------|:----| -|[CWE-78: Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")](CWE-707/CWE-78/README.md)|[CVE-2024-43804](https://www.cvedetails.com/cve/CVE-2024-43804/),
CVSSv3.1: __8.8__,
EPSS: __00.06__ (08.11.2024)| -|[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](CWE-707/CWE-89/README.md)|[CVE-2019-8600](https://www.cvedetails.com/cve/CVE-2019-8600/),
CVSSv3.1: __9.8__,
EPSS: __01.43__ (18.02.2024)| -|[CWE-117: Improper Output Neutralization for Logs](CWE-707/CWE-117/README.md)|| -|[CWE-175: Improper Handling of Mixed Encoding](CWE-707/CWE-175/README.md)|| -|[CWE-180: Incorrect behavior order: Validate before Canonicalize](CWE-707/CWE-180/README.md)|[CVE-2022-26136](https://www.cvedetails.com/cve/CVE-2022-26136/),
CVSSv3.1: __9.8__,
EPSS: __00.18__ (24.04.2025)| -|[CWE-838: Inappropriate Encoding for Output Context](CWE-707/CWE-838/README.md)|| - -|[CWE-710: Improper Adherence to Coding Standards](https://cwe.mitre.org/data/definitions/710.html)|Prominent CVE| -|:----------------------------------------------------------------|:----| -|[CWE-1095: Loop Condition Value Update within the Loop](CWE-710/CWE-1095/README.md)|| -|[CWE-1109: Use of Same Variable for Multiple Purposes](CWE-710/CWE-1109/README.md)|| -|[CWE-489: Active Debug Code](CWE-710/CWE-489/README.md)|[CVE-2018-14649](https://www.cvedetails.com/cve/CVE-2018-14649),
CVSSv3.1: __9.8__,
EPSS: __69.64__ (12.12.2023)| + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
MITRE01 IntroductionProminent CVEs
CWE-501pyscg-0040: Trust Boundary ViolationCVE-2023-28597, CVSSv3.0: 7.5,
EPSS: 00.11 (05.11.2024)
CWE-798pyscg-0041: Use of hardcoded credentials
CWE-783pyscg-0042: Operator Precedence Logic Error
MITRE02 Encoding and StringsProminent CVEs
CWE-175pyscg-0043: Improper Handling of Mixed Encoding
CWE-180pyscg-0044: Incorrect behavior order: Validate before CanonicalizeCVE-2022-26136,
CVSSv3.1: 9.8,
EPSS: 00.28 (31.12.20255)
CWE-182pyscg-0045: Enforce control over encoding such as UTF-8
CWE-838pyscg-0046: Inappropriate Encoding for Output Context
MITRE03 NumbersProminent CVEs
CWE-1339pyscg-0001: Avoid floating-point and use integers or the decimal module to ensure precision in applications that require high accuracy, such as in financial or banking computations
CWE-191pyscg-0002: Ensure that integer overflow is properly handled in order to avoid unexpected behavior.
CWE-1335pyscg-0003: Promote readability and compatibility by using mathematical written code with arithmetic operations instead of bit-wise operations
CWE-197pyscg-0004:Ensure to have predictable outcomes in loops by using int instead of float variables as a counter
CWE-197pyscg-0005: Make conscious design decisions on how conversions are rounded
CWE-681pyscg-0006: String representations of floating-point numbers must not be compared or inspected outside of specialized modules such as decimal or math
CWE-681pyscg-0007: Avoid using floating-point literals.
MITRE04 NeutralizationProminent CVEs
CWE-184pyscg-0184: Use 'allow lists' to avoid continuesly updates to 'deny lists'.
CWE-134pyscg-0008: Use of Externally-Controlled Format StringCVE-2022-27177,
CVSSv3.1: >9.8,
EPSS: 00.37 (01.12.2023)
CWE-78pyscg-0009: Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")CVE-2024-43804,
CVSSv3.1: 8.8,
EPSS: 00.06 (08.11.2024)
CWE-89pyscg-0010: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')CVE-2019-8600, CVSSv3.1: 9.8,
EPSS: 01.43 (18.02.2024)
CWE-843pyscg-0011: Access of Resource Using Incompatible Type ('Type Confusion')CVE-2021-29513, CVSSv3.1: 7.8,
EPSS: 00.02 (13.05.2025) +
CWE-409pyscg-0012: Improper Handling of Highly Compressed Data (Data Amplification)CVE-2019-9674, CVSSv3.1: 7.5, EPSS 1.2%(10.09.2025)
CWE-426pyscg-0013: Untrusted Search PathCVE-2015-1326,
CVSSv3.0: 8.8,
EPSS: 00.20 (23.11.2023)
MITRE05 Exception handlingProminent CVEs
CWE-397pyscg-0014: Declaration of Throws for Generic Exception
CWE-755pyscg-0015: Improper Handling of Exceptional ConditionsCVE-2024-39560,CVSSv3.1: 6.5,
EPSS: 0.04 (01.11.2024)
CWE-390pyscg-0016: Detection of Error Condition without Action
CWE-230pyscg-0017: Improper Handling of Missing Values
CWE-754pyscg-0018: Improper Check for Unusual or Exceptional Conditions - float
MITRE06 LoggingProminent CVEs
CWE-532pyscg-0019: Insertion of Sensitive Information into Log FileCVE-2023-45585,
CVSSv3.1: 9.8,
EPSS: 0.04 (01.11.2024)
CWE-778pyscg-0020: Insufficient Logging
CWE-489pyscg-0021: Active Debug CodeCVE-2018-14649, CVSSv3.1: 9.8, EPSS: 69.64 (12.12.2023)
CWE-117pyscg-0022: Improper Output Neutralization for Logs
MITRE07 Serialization DeserializationProminent CVEs
CWE-532pyscg-0023: Deserialization of Untrusted DataCVE-2018-8021, CVSSv3.0: 9.8,
EPSS: 93.54 (05.11.2024)
08 ConcurrencyProminent CVE
CWE-400pyscg-0024: Uncontrolled Resource Consumption
CWE-410pyscg-0025: Insufficient Resource Pool
CWE-833pyscg-0026: Deadlock
CWE-362pyscg-0027: Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition")
CWE-584pyscg-0028: Return Inside Finally Block
CWE-665pyscg-0029: Improper Initialization
CWE-392pyscg-0030: Missing Report of Error Condition in a Threadpool
MITRE09 Coding StandardsProminent CVE
CWE-1095pyscg-0031: Loop Condition Value Update within the Loop
CWE-1109pyscg-0032: Use of Same Variable for Multiple Purposes
CWE-595pyscg-0033: Comparison of Object References Instead of Object Contents
CWE-476pyscg-0034: NULL Pointer Dereference
CWE-459pyscg-0035: Incomplete Cleanup
CWE-252pyscg-0036: Unchecked Return Value
CWE-617pyscg-0037: Reachable Assertion
MITRE10 CryptographyProminent CVE
CWE-330pyscg-0038: Use of Insufficiently Random ValuesCVE-2020-7548, CVSSv3.1: 9.8
EPSS: 0.22 (12.12.2024)
## Biblography
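Review bot: six rows from the old markdown tables have no counterpart in the new table and disappear without any mention in the commit message: CWE-209 (Generation of Error Message Containing Sensitive Information, with CVE-2013-0773), CWE-404 (Improper Resource Shutdown or Release), CWE-460 (Improper Cleanup on Thrown Exception, with CVE-2008-0002), CWE-366 (Race Condition within a Thread), CWE-472 (External Control of Assumed-Immutable Web Parameter), and the CWE-1335 "Incorrect Bitwise Shift of Integer" entry (only the /01 arithmetic-instead-of-bitwise rule survives as pyscg-0003). Either re-add them or say in the commit message that they are intentionally retired. Data errors inside the rows: the "07 Serialization Deserialization" row labels pyscg-0023 (Deserialization of Untrusted Data, CVE-2018-8021) as CWE-532, but the removed line and the CWE title give CWE-502, and CWE-532 is already the log-file entry used by pyscg-0019; the CVE-2022-26136 cell for pyscg-0044 now reads "EPSS: 00.28 (31.12.20255)", a five-digit year and a date after the commit date, where the removed row had "00.18 (24.04.2025)"; the CVE-2022-27177 cell for pyscg-0008 reads "CVSSv3.1: >9.8" with a stray ">"; and the newly added CVE-2019-9674 cell for pyscg-0012 uses "EPSS 1.2%(10.09.2025)" instead of the "EPSS: __x.xx__ (dd.mm.yyyy)" form every other row uses. Identifier scheme: CWE-184 is numbered pyscg-0184 while all other rules run sequentially 0001 to 0046 and 0039 is unused, so this looks like a typo for pyscg-0039; the same title has "continuesly updates" for "continuous updates", and pyscg-0004 is missing the space after the colon. Table layout: the "08 Concurrency" header row lacks the "MITRE" cell that the other nine section header rows carry, and the 08, 09 and 10 headers say "Prominent CVE" while the rest say "Prominent CVEs". The trailing context line "## Biblography" is misspelled ("Bibliography"); it is not introduced by this hunk but is worth fixing in the same PR.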