[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Re: Linux Kernel Defence Map
From:       Alexander Popov <alex.popov () linux ! com>
Date:       2018-04-30 22:17:36
Message-ID: d7e924ef-f121-92b2-dcbd-3c03c88d9831 () linux ! com
[Download RAW message or body]

On 05.04.2018 02:55, Kurt Seifried wrote:
> Please use a CWE identifier if one exists (https://cwe.mitre.org/), if one
> doesn't exist perhaps we should have one (email me and I'm happy to help get
> that ball rolling). Having a CWE not only helps categorize things correctly but
> gives us something to point developers at for resources around flaws and how
> they can be avoided/dealt with/etc.  

Hello Kurt,

I've just added the corresponding CWE IDs to the vulnerability classes showed on
the map: https://github.com/a13xp0p0v/linux-kernel-defence-map

It think there is only one vuln class that misses a CWE ID -- Stack Depth
Overflow. We currently have CWE-674 (Uncontrolled Recursion), but it doesn't
cover the Stack Clash case, which also refers to Stack Depth Overflow.

Best regards,
Alexander
[prev in list] [next in list] [prev in thread] [next in thread]